CN206332695U - A kind of adaptive security guard system based on user behavior and data mode - Google Patents

Info

Publication number: CN206332695U
Authority: CN (China)
Prior art keywords: user behavior, sensors, server, network, data mode
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201621468759.3U
Other languages: Chinese (zh)
Inventors: 徐建忠, 张亮
Current assignee: Hangzhou Shiping Information & Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Hangzhou Shiping Information & Technology Co Ltd
Priority date: 2016-12-29 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2016-12-29
Publication date: 2017-07-14
Application filed by Hangzhou Shiping Information & Technology Co Ltd; priority to CN201621468759.3U; application granted; publication of CN206332695U; legal status active.

Landscapes

  • Alarm Systems (AREA)

Abstract

An adaptive security protection system based on user behavior and data state realizes the security protection of data by combining two aspects, user behavior and data state. By means of dynamic learning, the system can predict, defend against, monitor and trace back user behavior, forming an adaptive security protection scheme. The protection system comprises a plurality of secure network sensors connected to a security server; the secure network sensors are arranged on the network segment where the web server and the database server are combined; the network segment is provided with a network device, which is connected to the security server through a firewall; and the firewall connects the client. By combining the two aspects of user behavior and data state, the utility model protects enterprise data assets more comprehensively.

Description

A kind of adaptive security guard system based on user behavior and data mode
Technical field
The utility model relates to the field of information security, and in particular to an adaptive security protection system based on user behavior and data state, which combines security protection from the two aspects of user behavior and data state.
Background technology
With the rapid development of information technology, large amounts of data are continuously transferred into network environments, and organizations increasingly rely on information technology to support business operations. Data has gradually become an important information asset for organizations, and at the same time a key target for malicious attack or theft by lawbreakers. Once an organization's important data leaks, the organization may suffer significant, even irreparable, economic and reputational loss. How to guarantee the security of organizational data is therefore an important problem that urgently needs to be solved.
Traditional data protection methods mainly include access restriction, encryption and identity authentication. They have the shortcomings that suspicious behavior must be found by manual methods and that intrusion behavior cannot be detected online in real time; they are security mechanisms that put prevention first.
At present, much research is directed at intrusion detection systems which, from the angle of user behavior, judge whether a user behavior is abnormal by capturing and analyzing the data changes closely related to that behavior. However, such systems lack consideration of data state and cannot protect organizational data comprehensively. In addition, some security systems require policy configuration definition, updating and maintenance to be completed manually, which wastes a large amount of time and lacks adaptivity to changes in the application scenario.
Utility model content
The purpose of the utility model is to provide, in view of the above problems in the prior art, an adaptive security protection system based on user behavior and data state which combines anomaly detection and misuse detection to improve the accuracy of user behavior detection.
To achieve this goal, the technical solution adopted by the utility model is: a plurality of network sensors connected to a security server, the network sensors being arranged on the network segment where the web server and the database server are combined; the network segment is provided with a network device; the network device is connected to the security server through a firewall; and the firewall connects the client.
The security server and the plurality of network sensors are connected by Ethernet or by an out-of-band network.
The network device is one or more of a hub, a switch or a tap.
The network sensors include HTTP sensors and SQL sensors.
The HTTP sensors collect the HTTP requests that clients send to the web server, and the SQL sensors collect the SQL requests that access the database server; the HTTP requests and SQL requests are processed by the HTTP sensors and SQL sensors respectively, after which events are sent to the security server.
The security server can form two adaptive normal behavior profiles: the first adaptive normal behavior profile represents the web server and is loaded into the HTTP sensors, and the second adaptive normal behavior profile represents the database server and is loaded into the SQL sensors.
Compared with the prior art, the adaptive security protection system of the utility model establishes an adaptive normal behavior profile from the two aspects of user behavior and data state, realizing comprehensive protection of data. Adaptivity mainly means that the prediction of future data behavior can be realized by the method of dynamic learning: when a user's real-time behavior is inconsistent with the prediction, it is regarded as suspicious behavior, the event is recorded, and new preventive measures are generated automatically to avoid the recurrence of similar events, providing an active defense function. In addition, the network sensors of the utility model are not connected between the client and the web server or database server, so the network sensors do not affect the timeliness of communication between the client and the web server.
Brief description of the drawings
Fig. 1 is a flow chart of the adaptive security protection method of the utility model;
Fig. 2 is a structural schematic diagram of the adaptive security protection system of the utility model;
Fig. 3 is a signal transmission schematic diagram of the network sensors of the utility model.
In the drawings: 100. adaptive security protection system; 110. security server; 120. out-of-band network; 130. network sensor; 140. firewall; 150. network device; 160. web server; 170. database server; 180. client; 230. HTTP sensor; 240. SQL sensor.
Embodiment
The utility model is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, the adaptive security protection method of the utility model based on user behavior and data state includes the following steps:
A. Obtaining user behavior events: mainly receiving, through the network sensor 130, user behavior events under normal conditions;
B. Processing user behavior events: mainly performing lexical analysis and syntactic analysis on the received events, dividing each event into different recognition units and sub-templates;
C. Forming the adaptive normal behavior profile: the recognition units and sub-templates are classified and collected, the sub-templates are classified according to similarity calculation, and the configuration items of the adaptive normal behavior profile are formed. The profile comprises multiple configuration items (items), and each configuration item comprises multiple description attributes (properties), each with its own description value. It should be noted that the system needs to perform a stability judgement on the adaptive profile: only a stable adaptive profile can reflect the user's normal behavior pattern. The stability judgement is made mainly by calculating whether the formation time of the adaptive profile exceeds a predetermined threshold and obtaining a percentage; if so, the configuration item or attribute is considered stable. In the stability judgement of the adaptive normal behavior profile, if one of the configuration items and attributes is stable, the adaptive profile is considered stable. The profile then has the function of predicting user behavior: from the historical and current data of user behavior it establishes a user normal behavior model, predicts the changing rules and trends of future data, and uses that model to predict the future characteristics of the data, thus realizing the prediction of user behavior.
The establishment of the adaptive normal behavior profile considers the two aspects of user behavior and data state. User behavior includes the user's access times and access counts for data/files and the read, write, modify and delete operations on data; data state includes data/file type, size, sensitivity, creation time, modification time, update time, deletion time and so on. From the historical and current data of user behavior, a user normal behavior model is established, and the changing rules and trends of future data are analyzed and predicted.
The adaptive normal behavior profile of the utility model can respond automatically according to a preset policy, realizing the defense against abnormal user behavior and thus protecting the security of important data.
D. Extracting the user's real-time behavior model;
D-1) The user's real-time behavior is compared and matched with the misuse rule base, performing misuse detection on the user behavior;
The misuse rule base is formed by analyzing known abnormal user behavior, forming corresponding rules and collecting them into one base; the misuse rule base of the system can be updated automatically.
D-2) The user's real-time behavior is compared and matched with the adaptive normal behavior profile, that is, the user's real-time behavior is compared with the normal user model or its predicted behavior, performing anomaly detection on the user behavior;
Misuse judgement: the user behavior is compared and matched with the misuse rule base; if it matches, the behavior is abnormal. Anomaly judgement: user behavior that does not match the misuse rule base is subjected to anomaly detection, in which the behavior is compared with the adaptive profile; if the deviation between the two exceeds the set threshold, the behavior is considered abnormal.
It should be noted that, in anomaly/misuse judgement, the user's normal behavior pattern is not fixed: the user's operation/access rules may change, so the adaptive normal behavior profile needs to be updated in good time. If the detection result is confirmed as normal behavior, the rule is added to the adaptive normal behavior profile, which is thereby updated and maintained; if the detection result is determined to be abnormal behavior, the rule is added to the misuse rule base, which is thereby updated. This is the dynamic learning process of the system.
When the detection result is determined to be abnormal behavior, the adaptive normal behavior profile responds automatically according to the policy set in advance by the administrator, realizing the protection of data. In this module it should be noted that, because misuse detection has high accuracy, the policy setting raises an alarm for every behavior it detects and the system responds accordingly; behavior it does not detect is subjected to anomaly detection, which must be examined again to determine whether it is abnormal. For behavior determined to be abnormal, the system can realize real-time monitoring of the behavior and a trace-back function based on the audit log it creates.
E. The adaptive normal behavior profile is connected through the network sensors to the protected device; the protected device may be the web server 160 or the database server 170, and the network sensor 130 may be the HTTP sensor 230 or the SQL sensor 240.
Referring to Fig. 2, the adaptive security protection system 100 of the utility model is composed of a plurality of secure network sensors 130-1, 130-2 ... 130-m connected to a security server 110. The secure network sensors 130-1, 130-2 ... 130-m and the server 110 may be connected by Ethernet, or by an out-of-band network 120 (OOB). The out-of-band network 120 transmits data over an independent channel; it allows the system administrator to remotely monitor and control the server and other network devices regardless of whether those devices are powered on. A conventional network transmits data over the regular data channel (ordinary Ethernet), and its management is carried out through the network, so when the network fails, neither data transfer nor management control can proceed normally. The out-of-band network 120 overcomes this limitation by deploying a management channel that is physically isolated from the data channel.
The network sensor 130 is placed on the network segment where the web servers 160-1 ... 160-n and the database servers 170-1 ... 170-r are combined. The network sensor 130 is a sniffer that can monitor, collect and reproduce the requests that the client 180 sends to the web server 160 and the database server 170. The network device 150 may be a hub, a switch, a tap and the like. The network sensor 130 monitors all information received and sent by the web server 160 and the database server 170. The network sensor 130 is not connected between the client 180 and the web server 160 or the database server 170, so it does not affect the timeliness of communication between the client 180 and the web server 160.
The adaptive security protection system 100 runs in two different modes: learning mode and protection mode. In learning mode, the system 100 monitors and learns the normal behavior of users and builds an adaptive normal behavior profile for each protected entity. In protection mode, the system 100 compares and matches real-time operations with the misuse rule base and the adaptive normal behavior profile. An operation that matches the misuse rule base, or that differs from the adaptive normal behavior profile, is determined to be an abnormal event. The adaptive security protection system proposed by the utility model has a dynamic learning function: it can automatically complete policy configuration definition, updating and maintenance as the scenario changes, forming an adaptive security protection scheme.
User behavior events can be collected by analyzing gateway protocol attributes, or by querying the web server 160 or the database server 170 for information about recent events. The network sensor 130 can reproduce events of multiple network protocols, such as Oracle Net8™, Microsoft SQL Server™ TDS, Sybase TDS, HTTP and encrypted HTTP (HTTPS). In addition, the network sensor 130 can query databases such as Oracle and SQL Server for related information in order to collect events. Each network sensor 130-1 ... 130-m operates independently, so to protect an additional web or database server the enterprise only needs to add another network sensor 130 to monitor the new protected entity.
Referring to Fig. 3, the network sensor of the utility model includes an HTTP sensor 230 and an SQL sensor 240. The HTTP sensor 230 is able to collect and reproduce HTTP events; it collects the HTTP request e1 that the first client 180-1 sends to the web server 160. The SQL sensor 240 collects the SQL request e2 that accesses the database server 170. Requests e1 and e2 are processed by the HTTP sensor 230 and the SQL sensor 240 respectively, which then send events E1 and E2 to the security server 110. The security server 110 then analyzes and processes the events and forms one adaptive normal behavior profile for each protected entity, for example one each for the web server 160 and the database server 170.
The adaptive security system of the utility model generates the adaptive normal behavior profile by a dynamic learning process; after the stability judgement, the stable adaptive normal behavior profile is distributed from the security server 110 to the network sensors 130 over a synchronous transfer channel. The network sensors 130 likewise use this channel to upgrade and update the adaptive normal behavior profile.
In this example, the security server 110 forms two adaptive normal behavior profiles: the first represents the web server 160 and is loaded into the HTTP sensor 230, while the second represents the database server 170 and is loaded into the SQL sensor 240. Once these profiles are loaded into the HTTP sensor 230 and the SQL sensor 240, the security server 110 protects the web server 160 and the database server 170 through the protection mode of the adaptive normal behavior profiles. In protection mode, the security server 110 detects network intrusions by analyzing the difference between the adaptive normal behavior profile and those real-time events that do not match the misuse rule base, combined with the pre-defined security policy. For example, the HTTP request e3 sent by the second client 180-2 to the web server 160 is captured and classified by the HTTP sensor 230, and e3 is compared with the adaptive normal behavior profile. If e3 differs from the normal behavior profile, the HTTP sensor 230 classifies it as an abnormal event and sends the abnormal event IE3 to the security server 110, which processes IE3 further to determine whether it is an intrusion; if it is determined to be an attack, the event is added to the misuse rule base. On the other hand, if request e3 matches the adaptive normal behavior profile, the HTTP sensor 230 either ignores the event or sends it to the security server 110 for modifying or updating the adaptive normal behavior profile. Likewise, the SQL request e4 formed by the web server 160 is captured by the SQL sensor 240; if request e4 deviates from the adaptive normal behavior profile, the event is regarded as the abnormal event IE4 and sent to the security server 110 for further analysis; otherwise the SQL sensor 240 either ignores the event or sends it to the security server 110 for modifying or updating the adaptive normal behavior profile. It should be noted that if requests e3 and e4 match the misuse rule base, the system automatically raises an alarm for the request and responds accordingly.
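As an added illustration, not code from the patent or from Hangzhou Shiping, the following Python sketch walks through steps A to E of the method and the Fig. 3 protection-mode flow described above: requests are reduced to sub-templates by lexical analysis, an adaptive normal behavior profile is built per protected entity and checked for stability, real-time events are matched first against a misuse rule base and then against the profile, and a confirmed attack is fed back into the rule base. The seed misuse rules, the sample requests, the per-item stability criterion (a minimum observation count) and the deviation measure are all assumptions made for this example; the patent does not specify them.

```python
import re
from collections import Counter

# Seed misuse rule base: known-bad patterns constructed for this example. In
# the described system they come from the security server and grow over time.
SEED_MISUSE_RULES = [
    ("sql", re.compile(r"\bdrop\s+table\b", re.I)),
    ("http", re.compile(r"\.\./")),
]


def templatize(request):
    """Step B: lexical analysis. Literals become placeholders so requests that
    differ only in their values fall into one sub-template."""
    t = re.sub(r"'[^']*'", "'?'", request)  # quoted string literals
    t = re.sub(r"\b\d+\b", "N", t)           # numeric literals
    return re.sub(r"\s+", " ", t).strip().lower()


class AdaptiveProfile:
    """Step C: normal behavior profile of one protected entity. Each
    configuration item is a sub-template; its attribute is the observed count.
    The stability criterion (min_samples observations) is an assumption made
    for this example; the patent leaves the exact formula open."""

    def __init__(self, entity, min_samples=3):
        self.entity = entity
        self.min_samples = min_samples
        self.items = Counter()

    def learn(self, request):
        self.items[templatize(request)] += 1

    def is_stable(self):
        # The description: one stable item suffices for a stable profile.
        return any(n >= self.min_samples for n in self.items.values())

    def deviation(self, request):
        """0.0 for the most frequent template, 1.0 for one never seen."""
        if not self.items:
            return 1.0
        return 1.0 - self.items.get(templatize(request), 0) / max(self.items.values())


class SecurityServer:
    """Per-entity profiles, misuse rule base and audit log; performs step D
    (misuse detection first, then anomaly detection) and dynamic learning."""

    def __init__(self, threshold=0.9):
        self.threshold = threshold          # anomaly deviation threshold
        self.profiles = {}
        self.rules = list(SEED_MISUSE_RULES)
        self.bad_templates = set()          # rules learned from confirmed attacks
        self.audit_log = []

    def profile(self, entity):
        return self.profiles.setdefault(entity, AdaptiveProfile(entity))

    def learn(self, entity, request):
        """Learning mode: feed normal traffic into the entity's profile."""
        self.profile(entity).learn(request)

    def detect(self, kind, entity, request):
        """Protection mode: 'misuse', 'anomaly', 'normal' or 'unstable'
        (profile not yet trustworthy, so keep learning)."""
        if templatize(request) in self.bad_templates or any(
                k == kind and rx.search(request) for k, rx in self.rules):
            self.audit_log.append(("misuse", entity, request))
            return "misuse"
        prof = self.profile(entity)
        if not prof.is_stable():
            return "unstable"
        if prof.deviation(request) > self.threshold:
            self.audit_log.append(("anomaly", entity, request))
            return "anomaly"
        return "normal"

    def confirm(self, entity, request, is_attack):
        """Dynamic learning: a confirmed attack becomes a misuse rule; a
        confirmed-normal event updates the adaptive profile instead."""
        if is_attack:
            self.bad_templates.add(templatize(request))
        else:
            self.learn(entity, request)


def demo():
    """Learn/protect cycle on constructed traffic; returns the verdicts."""
    srv = SecurityServer()
    for i in range(3):  # learning mode: normal traffic from client 180-1
        srv.learn("web", f"GET /items?id={i}")
        srv.learn("db", f"SELECT name FROM items WHERE id={i}")
    out = {"web_stable": srv.profile("web").is_stable()}
    # protection mode: e3-style HTTP and e4-style SQL events from client 180-2
    out["e3_normal"] = srv.detect("http", "web", "GET /items?id=42")
    out["e4_normal"] = srv.detect("sql", "db", "SELECT name FROM items WHERE id=42")
    out["e4_misuse"] = srv.detect("sql", "db", "DROP TABLE items")
    out["e3_anomaly"] = srv.detect("http", "web", "GET /export/all")
    srv.confirm("web", "GET /export/all", is_attack=True)  # IE3 judged an attack
    out["e3_after_confirm"] = srv.detect("http", "web", "GET /export/all")
    out["fresh_entity"] = srv.detect("sql", "db2", "SELECT 1")
    out["audit_entries"] = len(srv.audit_log)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it directly to print the verdicts. The edge case worth noting is the fresh entity `db2`: because its profile has not yet passed the stability judgement, `detect` returns `unstable` rather than raising a false anomaly, which is the reason the description insists on stability before a profile is used for protection.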
The system of the utility model combines security protection from the two aspects of user behavior and data state, guaranteeing the safety of organizational data more comprehensively. It mainly forms the adaptive normal behavior profile by the method of dynamic learning, matches real-time behavior against the adaptive normal behavior profile, and combines the two approaches of anomaly detection and misuse detection to examine user behavior and data state, improving the accuracy and efficiency of detection. In addition, the system can automatically complete policy configuration definition, updating and maintenance according to changes in the application scenario, forming an adaptive security protection scheme. The adaptive security protection system of the utility model, based on user behavior, combines anomaly detection and misuse detection to improve the accuracy of user behavior detection, with two main functions: dynamic learning of user behavior and adaptive security protection. Dynamic learning means that the system can learn and update dynamically according to changes in user behavior; adaptive security means that the system can predict the behavior of future data through the dynamic learning method and automatically generate a protection scheme.

Claims (6)

1. An adaptive security protection system based on user behavior and data state, characterised in that it comprises a plurality of network sensors (130) connected to a security server (110); the network sensors (130) are arranged on the network segment where the web server (160) and the database server (170) are combined; the network segment is provided with a network device (150); the network device (150) is connected to the security server (110) through a firewall (140); and the firewall (140) connects the client (180).
2. The adaptive security protection system based on user behavior and data state according to claim 1, characterised in that the security server (110) and the plurality of network sensors (130) are connected by Ethernet or by an out-of-band network (120).
3. The adaptive security protection system based on user behavior and data state according to claim 1, characterised in that the network device (150) is one or more of a hub, a switch or a tap.
4. The adaptive security protection system based on user behavior and data state according to claim 1, characterised in that the network sensors (130) include HTTP sensors (230) and SQL sensors (240).
5. The adaptive security protection system based on user behavior and data state according to claim 4, characterised in that the HTTP sensors (230) collect the HTTP requests that the client (180) sends to the web server (160), and the SQL sensors (240) collect the SQL requests that access the database server (170); the HTTP requests and SQL requests are processed by the HTTP sensors (230) and the SQL sensors (240) respectively, after which events are sent to the security server (110).
6. The adaptive security protection system based on user behavior and data state according to claim 4, characterised in that the security server (110) can form two adaptive normal behavior profiles, the first of which represents the web server (160) and is loaded into the HTTP sensors (230), and the second of which represents the database server (170) and is loaded into the SQL sensors (240).

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201621468759.3U (CN206332695U) | 2016-12-29 | 2016-12-29 | A kind of adaptive security guard system based on user behavior and data mode

Publications (1)

Publication Number | Publication Date
CN206332695U | 2017-07-14

Family

ID=59292750

Country Status (1)

Country | Link
CN | CN206332695U (en)

Cited By (3)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN108712427A * | 2018-05-23 | 2018-10-26 | 北京国信安服信息安全科技有限公司 | A kind of network security method and system of dynamic Initiative Defense
CN109936548A * | 2017-12-18 | 2019-06-25 | 航天信息股份有限公司 | Anomaly detection method and device based on PKI platform
CN110868403A * | 2019-10-29 | 2020-03-06 | 泰康保险集团股份有限公司 | Method and equipment for identifying advanced persistent Attack (APT)



Legal Events

Date | Code | Title | Description
GR01 | Patent grant