CN114662095B - Safety monitoring method, device, equipment and storage medium based on operation data - Google Patents
- Publication number
- CN114662095B (CN202210257316.3A)
- Authority
- CN
- China
- Prior art keywords
- sensitive operation
- operation type
- sensitive
- array matrix
- violation
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Abstract
The invention relates to artificial intelligence technology and discloses a safety monitoring method based on operation data, comprising the following steps: performing sensitive operation classification processing on the operation data of each login account to obtain a sensitive operation type data table; for the sensitive operation type data table, performing statistical processing on the number of operations of each sensitive operation type and performing violation value labeling processing on the sensitive operation types; reassigning the values in the sensitive operation type unit array matrix according to a traversal rule of the preset sensitive operation type unit array matrix to obtain a new unit array matrix of the sensitive operation type; and calculating the suspected violation operation score of each login account according to the new unit array matrix and the violation value labeling array matrix. The invention also relates to blockchain technology: the operation data of each login account is stored in a blockchain. The invention can solve the problems of the prior art in evaluating and analyzing operation data, such as low efficiency, low accuracy and increased monitoring workload.
Description
Technical Field
The present invention relates to the field of artificial intelligence, and in particular, to a security monitoring method, apparatus, device and storage medium based on operation data.
Background
In the big data age, the security of data is critical. For enterprises in particular, leakage of internal confidential data causes huge losses. Some violating operations, such as account sharing, are especially serious because they easily lead to privacy disclosure or hacking, and thus to leakage of confidential data. Therefore, when employees use internal enterprise data, their operation data needs to be stored and then analyzed.
At present, security monitoring of operation data on a data website platform evaluates the data only through preset rules that define violating operations, and every piece of operation data of a login account has to be analyzed. Because the amount of operation data is huge, evaluation and analysis are inefficient; and because a large amount of operation data is evaluated only through preset rules, evaluation accuracy is low, and monitoring personnel have to handle operation data that was wrongly evaluated as violating, which increases the monitoring workload.
Disclosure of Invention
The invention provides a safety monitoring method, device, equipment and storage medium based on operation data, and mainly aims to solve the problems of low efficiency, low accuracy, increased monitoring workload and the like in the prior art of operation data evaluation and analysis.
In order to achieve the above object, a first aspect of the present invention provides a safety monitoring method based on operation data, the method comprising:
performing sensitive operation classification processing on the operation data of each login account according to a preset sensitive operation type table to obtain a sensitive operation type data table of each login account, where the sensitive operation type data table comprises sensitive operation types and the operation data corresponding to each sensitive operation type;
for the sensitive operation type data table, performing statistical processing on the number of operations of each sensitive operation type based on a preset unit time period, and performing violation value labeling processing on the sensitive operation types based on preset sensitive operation type rules, to obtain respectively a unit array matrix of the sensitive operation type and a violation value labeling array matrix of the sensitive operation type;
reassigning the values in the sensitive operation type unit array matrix according to a traversal rule of the preset sensitive operation type unit array matrix to obtain a new unit array matrix of the sensitive operation type;
determining the suspected violation operation score of each login account through a Hadamard product formula according to the new unit array matrix and the violation value labeling array matrix;
and taking each login account whose suspected violation operation score is greater than or equal to a preset violation operation score threshold as a risk login account with violation operations.
In a second aspect, to solve the above-mentioned problem, the present invention further provides a safety monitoring device based on operation data, the device comprising:
the operation classifying module is used for performing sensitive operation classification processing on the operation data of each login account according to a preset sensitive operation type table to obtain a sensitive operation type data table of each login account, where the sensitive operation type data table comprises sensitive operation types and the operation data corresponding to each sensitive operation type;
the data processing module is used for, for the sensitive operation type data table, performing statistical processing on the number of operations of each sensitive operation type based on a preset unit time period and performing violation value labeling processing on the sensitive operation types based on preset sensitive operation type rules, to obtain respectively a unit array matrix of the sensitive operation type and a violation value labeling array matrix of the sensitive operation type;
the matrix traversing module is used for reassigning the values in the sensitive operation type unit array matrix according to the traversal rule of the preset sensitive operation type unit array matrix to obtain a new unit array matrix of the sensitive operation type;
the calculation module is used for determining the suspected violation operation score of each login account through a Hadamard product formula according to the new unit array matrix and the violation value labeling array matrix;
and the risk determination module is used for taking each login account whose suspected violation operation score is greater than or equal to a preset violation operation score threshold as a risk login account with violation operations.
In a third aspect, to solve the above-mentioned problems, the present invention also provides an electronic device including:
at least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to perform the steps of the operational data based security monitoring method as described above.
In a fourth aspect, in order to solve the above-mentioned problems, the present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the safety monitoring method based on operation data as described above.
According to the security monitoring method, device, equipment and storage medium based on operation data provided by the invention, the operation data of each login account is subjected to sensitive operation classification processing through the preset sensitive operation type table; the number of operations of each sensitive operation type is then counted based on a preset unit time period, and violation value labeling is performed based on preset sensitive operation type rules. Because only sensitive operation items are counted, the analysis dimension is reduced; invalid data is effectively filtered through weighting and labeling; in big data mining, automatic labeling is achieved through the preset sensitive operation type rules, the amount of data to be analyzed is reduced in dimension, and data analysis is more efficient; and analyzing and evaluating only the effective data improves monitoring accuracy, thereby reducing the monitoring workload.
Drawings
FIG. 1 is a flow chart of a security monitoring method based on operation data according to an embodiment of the present invention;
FIG. 2 is a schematic block diagram of a safety monitoring device according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an internal structure of an electronic device implementing a security monitoring method based on operation data according to an embodiment of the present invention;
the achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The embodiments of the application can acquire and process the relevant data based on artificial intelligence technology. Artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results.
Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
The invention provides a safety monitoring method based on operation data. Referring to fig. 1, a flow chart of a security monitoring method based on operation data according to an embodiment of the invention is shown. The method may be performed by an apparatus, which may be implemented in software and/or hardware.
In this embodiment, the security monitoring method based on operation data includes:
Step S110, performing sensitive operation classification processing on the operation data of each login account according to a preset sensitive operation type table to obtain a sensitive operation type data table of each login account; the sensitive operation type data table comprises sensitive operation types and the operation data corresponding to each sensitive operation type.
Specifically, in the big data age the security of data is critical; for enterprises in particular, leakage of internal confidential data causes huge losses. Currently, an enterprise's internal data is generally stored on an internal data website platform, and employees use the data on the platform by logging in through office software. Every operation an employee performs on the platform is recorded. Employees can log in to the platform with their employee number or the ID of the device they use as the login account. Each employee generally has only one login account for the data platform, so when the operation data corresponding to a login account is abnormal, the corresponding employee can be located quickly through the login account.
The preset sensitive operation type table defines the different sensitive operation types, such as outgoing, screenshot, consulting, deriving and other sensitive operation types, arranged in a preset order. When the operation data of each login account is acquired, it is classified by sensitive operation type; that is, only the sensitive operations listed in the preset sensitive operation type table are processed. For example, accessing data is a normal operation and is not recorded in the sensitive operation type data table.
As an optional embodiment of the present invention, the operation data of each login account is stored in a blockchain, and before the sensitive operation classification processing is performed on the operation data of each login account to obtain the sensitive operation type data table of each login account, the method further includes:
according to the acquired operation behavior safety monitoring instruction, loading original operation data in a preset time interval; the original operation data comprise a login account and operation data corresponding to the login account; the preset time interval is greater than or equal to a preset unit time period;
and performing dimension reduction processing on the original operation data based on the login account numbers to obtain the operation data of each login account number in a preset time interval.
Specifically, the raw data obtained from the operation data repository is the full set of operation data. A time interval can be preset as needed, where the preset time interval is greater than or equal to the preset unit time period; for example, according to the received operation behavior safety monitoring instruction, a batch of raw data is acquired every 1 month, with each day taken as a preset unit time period. The original operation data is then assigned to the corresponding login account by account name. This is the dimension reduction processing of the original operation data: it reduces the amount of data to be analyzed along one dimension, makes data analysis more efficient, and yields the operation data of each login account within the preset time interval.
Step S120, for the sensitive operation type data table, performing statistical processing on the number of operations of each sensitive operation type based on a preset unit time period, and performing violation value labeling processing on the sensitive operation types based on preset sensitive operation type rules, to obtain respectively a unit array matrix of the sensitive operation type and a violation value labeling array matrix of the sensitive operation type.
Specifically, the numbers of operations in the sensitive operation type data table are counted according to a preset unit time period; for example, if the preset unit time period is a day, the number of operations of each sensitive operation type is counted for each day, giving the unit array matrix of the sensitive operation type. Each sensitive operation type has its own preset sensitive operation type rule, and violation value labeling is performed on the sensitive operation types in the sensitive operation type data table according to these rules. A preset sensitive operation type rule comprises a judging rule for whether the preset sensitive operation behavior is triggered, a violation annotation value for when the sensitive operation behavior is triggered, and a violation annotation value for when it is not triggered. For example, for the consulting sensitive operation type, the judging rule is as follows: the sensitive operation behavior is triggered when, on the same device and during non-working time, multiple login accounts are used to log in and consult the enterprise address book, or the enterprise address book is consulted frequently, within a continuous time range (such as 1 hour), and the number of times exceeds the average maximum number of times for normal staff.
If an operation that triggers the sensitive operation behavior occurs for a login account, the consulting type of that login account is labeled with the violation annotation value for triggering the sensitive operation behavior; if no such operation occurs for a login account, the consulting type of that login account is labeled with the violation annotation value for not triggering the sensitive operation behavior. This yields the violation value labeling array matrix of the sensitive operation type.
As an optional embodiment of the present invention, for the sensitive operation type data table, performing statistical processing on the operation times of the sensitive operation type based on a preset unit time period, to obtain a unit array matrix of the sensitive operation type includes:
Carrying out statistical processing on operation times corresponding to each sensitive operation type according to a preset unit time period to obtain a unit array matrix M of the sensitive operation type; wherein,
The unit array matrix M of the sensitive operation type is expressed as follows:
Where $M_{kl}$ represents the total number of operations of the k-th sensitive operation type in the l-th preset unit time period.
Specifically, for the sensitive operation type data table of each login account, according to a preset unit time period, for example, 1 day, the operation times of the sensitive operation type are counted, so as to obtain a unit array matrix of the sensitive operation type. For example, on the first day, the number of operations of the outgoing sensitive operation type is 10, the number of operations of the screenshot sensitive operation type is 8, the number of operations of the consulted sensitive operation type is 12, the number of operations of the derived sensitive operation type is 11, and the operations are represented in a matrix manner, so as to obtain a unit array matrix M of the sensitive operation type.
As an optional embodiment of the present invention, for the sensitive operation type data table, performing the processing of the violation value labeling on the sensitive operation type, and obtaining the violation value labeling array matrix of the sensitive operation type includes:
Comparing the preset sensitive operation type rule corresponding to each sensitive operation type with operation data according to the sequence of each sensitive operation type in the sensitive operation type data table to obtain a comparison result corresponding to each sensitive operation type;
determining the violation annotation value of each sensitive operation type according to its comparison result, where the violation annotation value is 1 for a sensitive operation type whose comparison result is that the violation behavior is triggered, and 0 for a sensitive operation type whose comparison result is that the violation behavior is not triggered;
labeling the sensitive operation types according to the violation annotation values to obtain the violation value labeling array matrix R of the sensitive operation type, which is expressed as follows:
$R = [R_1, R_2, \ldots, R_k]$, where $R_k$ represents the violation annotation value of the k-th sensitive operation type.
Specifically, in the sensitive operation type data table of each login account the sensitive operation types are arranged in order. Each is compared against its preset sensitive operation type rule to obtain a comparison result. If the comparison result is that the sensitive operation behavior is triggered, the type is labeled with the preset violation annotation value for triggering the violation behavior, namely 1; if the comparison result is that the sensitive operation behavior is not triggered, the type is labeled with the preset violation annotation value for not triggering the violation behavior, namely 0. This yields the violation value labeling array matrix R of the sensitive operation type.
Step S130, reassigning the values in the sensitive operation type unit array matrix according to a traversal rule of the preset sensitive operation type unit array matrix to obtain a new unit array matrix of the sensitive operation type.
Specifically, to keep sporadic entries in the sensitive operation type unit array matrix from being counted, each entry can be traversed and reassigned according to the traversal rule of the preset sensitive operation type unit array matrix, screening out non-serious sporadic cases to obtain a new unit array matrix of the sensitive operation type.
As an optional embodiment of the present invention, reassigning values in the sensitive operation type unit array matrix according to a traversal rule of a preset sensitive operation type unit array matrix, to obtain a new unit array matrix of the sensitive operation type includes:
reading each value in the sensitive operation type unit array matrix, and acquiring the sensitive operation count threshold for a preset unit time period that is pre-matched to the sensitive operation type the value represents, as the comparison threshold of that value;
modifying to 0 each value in the sensitive operation type unit array matrix that is smaller than its comparison threshold, and leaving unchanged each value that is greater than or equal to its comparison threshold, to obtain a new unit array matrix of the sensitive operation type.
Specifically, each value in the sensitive operation type unit array matrix is read. Each value represents both the sensitive operation type it belongs to and the total number of operations in the corresponding preset unit time period, so the sensitive operation type can be obtained from the value; the pre-matched sensitive operation count threshold for the preset unit time period is then obtained for that type and used as the value's comparison threshold. The value is compared with its comparison threshold: values smaller than the comparison threshold are modified to 0, and values greater than or equal to the comparison threshold are left unchanged, giving the new unit array matrix of the sensitive operation type. The specific process can be expressed as follows:
Read the values of the unit array matrix M and traverse M, comparing each value $M_{ij}$, $i \in [1, 2, \ldots, k]$, $j \in [1, 2, \ldots, l]$, with the comparison threshold $M_i$, $i \in [1, 2, \ldots, k]$; if the value is greater than or equal to $M_i$, record the corresponding $M_{ij}$, otherwise record 0. When the traversal is finished, a new unit array matrix M' is generated.
Step S140, determining the suspected violation operation score of each login account through a Hadamard product formula according to the new unit array matrix and the violation value labeling array matrix.
Specifically, to calculate the suspected violation operation score of each login account, the new unit array matrix and the violation value labeling array matrix of the login account are input into the Hadamard product formula.
As an optional embodiment of the present invention, determining the suspected violation operation score of each login account through the Hadamard product formula according to the new unit array matrix and the violation value labeling array matrix includes:
determining the suspected violation operation score of each login account through the Hadamard product formula according to the login account's new unit array matrix and violation value labeling array matrix and the weighted scores, obtained in advance, that are pre-matched to each sensitive operation type; wherein,
The Hadamard product formula is:
$S = \sum \left[ (R \circ W) \times M' \right]$, where $R \circ W$ represents the Hadamard product between the violation value labeling array matrix R and the weighting score W, and M' represents the new unit array matrix.
Specifically, each sensitive operation type is pre-matched with a corresponding weighted score; the new unit array matrix and violation value labeling array matrix of each login account, together with the pre-obtained weighted scores, are then input into the Hadamard product formula to calculate the suspected violation operation score of each login account.
Step S150, taking each login account whose suspected violation operation score is greater than or equal to a preset violation operation score threshold as a risk login account with violation operations.
Specifically, the suspected violation operation score of each login account is compared with the preset violation operation score threshold, and the risk login accounts with violation operations are screened out.
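Steps S110 to S150 carried through on constructed data, as an added example that is not code from the patent. The thresholds, weights, per-type rules, account names and event rows are assumptions, and the formula is read here as S = Σ_i Σ_j R_i · W_i · M'_ij.

```python
from collections import defaultdict

# Order of the preset sensitive operation type table (type names from the page).
SENSITIVE_TYPES = ["outgoing", "screenshot", "consulting", "deriving"]
# Assumed values: per-type daily count thresholds M_i, weighted scores W,
# and the violation operation score threshold.
COUNT_THRESHOLDS = {"outgoing": 5, "screenshot": 5, "consulting": 10, "deriving": 3}
WEIGHTS = {"outgoing": 3.0, "screenshot": 1.0, "consulting": 1.0, "deriving": 2.0}
SCORE_THRESHOLD = 20.0


def off_hours(hour):
    """Hypothetical definition of non-working time used by the sample rules."""
    return hour < 8 or hour >= 20


# Hypothetical per-type rules: each returns True when the account's events of
# that type trigger the sensitive operation behaviour (R_i = 1).
RULES = {
    "outgoing": lambda evs: any(off_hours(h) for _, h in evs),
    "screenshot": lambda evs: False,
    "consulting": lambda evs: sum(off_hours(h) for _, h in evs) >= 10,
    "deriving": lambda evs: any(off_hours(h) for _, h in evs),
}


def group_by_account(raw_events):
    """Dimension reduction plus step S110: split raw rows per login account
    and keep only operations listed in the sensitive operation type table."""
    table = defaultdict(lambda: {t: [] for t in SENSITIVE_TYPES})
    for account, day, hour, op_type in raw_events:
        if op_type in table[account]:
            table[account][op_type].append((day, hour))
    return table


def count_matrix(type_table, num_days):
    """Step S120: M[i][j] = operations of type i in unit time period (day) j."""
    M = [[0] * num_days for _ in SENSITIVE_TYPES]
    for i, t in enumerate(SENSITIVE_TYPES):
        for day, _ in type_table[t]:
            M[i][day] += 1
    return M


def violation_labels(type_table):
    """Step S120: R[i] = 1 if the rule for type i is triggered, else 0."""
    return [1 if RULES[t](type_table[t]) else 0 for t in SENSITIVE_TYPES]


def reassign(M):
    """Step S130: zero every count below its type's threshold, giving M'."""
    return [[v if v >= COUNT_THRESHOLDS[t] else 0 for v in row]
            for t, row in zip(SENSITIVE_TYPES, M)]


def score(M_new, R):
    """Step S140: S = sum over i, j of (R o W)_i * M'_ij."""
    rw = [r * WEIGHTS[t] for r, t in zip(R, SENSITIVE_TYPES)]  # Hadamard product
    return sum(rw_i * v for rw_i, row in zip(rw, M_new) for v in row)


def risk_accounts(raw_events, num_days):
    """Step S150: score every account and flag those at or above the threshold."""
    scores = {}
    for account, type_table in group_by_account(raw_events).items():
        M_new = reassign(count_matrix(type_table, num_days))
        scores[account] = score(M_new, violation_labels(type_table))
    flagged = sorted(a for a, s in scores.items() if s >= SCORE_THRESHOLD)
    return scores, flagged


# Constructed sample rows: (account, day index, hour of day, operation type).
SAMPLE_EVENTS = (
    [("alice", 0, 10, "consulting")] * 12 + [("alice", 0, 11, "screenshot")] * 2
    + [("alice", 0, 9, "access")] * 3 + [("alice", 1, 14, "deriving")] * 4
    + [("bob", 0, 22, "outgoing")] * 6 + [("bob", 0, 23, "deriving")]
    + [("bob", 1, 21, "consulting")] * 11 + [("bob", 1, 23, "deriving")] * 4
    + [("carol", 0, 22, "outgoing")] * 2
)

if __name__ == "__main__":
    all_scores, flagged_accounts = risk_accounts(SAMPLE_EVENTS, num_days=2)
    print(all_scores, flagged_accounts)
```

In this data, alice has high daytime counts but triggers no rule, and carol triggers a rule with a count below the threshold, so both score 0; only bob, who has both, is flagged.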
As an optional embodiment of the present invention, after taking each login account whose suspected violation operation score is greater than or equal to the preset violation operation score threshold as a risk login account with violation operations, the method further includes:
generating early warning information when it is determined that a risk login account with violation operations exists;
and sending the early warning information to the safety monitoring system in the form of mail.
Specifically, early warning information is generated for the risk login account with violation operations; it comprises the risk login account and the corresponding risk type. The early warning information is then sent to the safety monitoring system as mail by calling a mail service, so that the risk login account with violation operations can be handled accordingly.
As shown in fig. 2, a functional block diagram of a safety monitoring device based on operational data according to one embodiment of the present invention is shown.
The safety monitoring device 200 based on the operation data according to the present invention may be installed in an electronic apparatus. Depending on the functions implemented, the operational data based safety monitoring device may include an operational categorization module 210, a data processing module 220, a matrix traversal module 230, a calculation module 240, a risk determination module 250. The module of the present invention may also be referred to as a unit, meaning a series of computer program segments capable of being executed by the processor of the electronic device and of performing fixed functions, stored in the memory of the electronic device.
In the present embodiment, the functions concerning the respective modules/units are as follows:
The classifying module 210 is configured to perform sensitive operation classifying processing on the operation data of each login account according to a preset sensitive operation type table, so as to obtain a sensitive operation type data table of each login account; the sensitive operation type data table comprises sensitive operation types and operation data corresponding to the sensitive operation types.
Specifically, in the big data age, data security is critical, especially for enterprises: once internal confidential data is leaked, huge losses result. Currently, an enterprise's internal data is generally stored on an internal data website platform, and staff use the data on the platform by logging in through office software. Every operation an employee performs on the platform is recorded. An employee can log in with the employee number or the ID of the device used by the employee as the login account; each employee generally has only one login account for the data platform, so when the operation data of a login account is abnormal, the corresponding employee can be located quickly through that account.
In the preset sensitive operation type table, different types of sensitive operations are set, such as outgoing, screenshot, consulting, deriving and other sensitive operation types, arranged in a preset order. When the operation data of each login account is acquired, it is classified by sensitive operation type; that is, only operations of the types listed in the preset sensitive operation type table are processed. For example, data access that belongs to normal operation is not recorded in the sensitive operation type data table.
As an alternative embodiment of the present invention, the safety monitoring device 200 based on operation data further includes a data loading module and a data dimension reduction module (not shown in the figure). Wherein,
The data loading module is used for loading the original operation data in a preset time interval according to the acquired operation behavior safety monitoring instruction; the original operation data comprise a login account and operation data corresponding to the login account; the preset time interval is greater than or equal to a preset unit time period;
The data dimension reduction module is used for carrying out dimension reduction processing on the original operation data based on the login account numbers to obtain the operation data of each login account number in a preset time interval.
Specifically, the original data is the total operation data. A time interval can be preset as needed, and the data loading module obtains the original data within that interval from the operation data repository; the preset time interval is greater than or equal to the preset unit time period. For example, according to the received operation behavior safety monitoring instruction, a batch of raw data is acquired every 1 month, with each day taken as a preset unit time period. The data dimension reduction module then distributes the original operation data to the corresponding login account by account name. This is the dimension reduction processing: it reduces the amount of data to be analyzed, makes the analysis more efficient, and yields the operation data of each login account in the preset time interval.
The data processing module 220 is configured to, for the sensitive operation type data table, count the operations of each sensitive operation type per preset unit time period and label each sensitive operation type with a violation value based on a preset sensitive operation type rule, obtaining a unit array matrix of the sensitive operation types and a violation value labeling array matrix of the sensitive operation types, respectively.
Specifically, the operation counts in the sensitive operation type data table are tallied per preset unit time period; for example, if the preset unit time period is a day, the number of operations of each sensitive operation type is counted per day, giving the unit array matrix of the sensitive operation type. Each sensitive operation type has its own preset sensitive operation type rule, and the sensitive operation types in the data table are labeled with violation values according to these rules. A preset sensitive operation type rule comprises a judging rule for whether the preset sensitive operation behavior is triggered, a violation annotation value for the triggered case and a violation annotation value for the non-triggered case. For example, for the consulting sensitive operation type, the judging rule is as follows: a sensitive operation behavior is triggered when, on the same device during non-working time, a plurality of login accounts are used to log in and consult, or the enterprise address book is consulted frequently, within a continuous time range (such as 1 hour), and the number of times exceeds the average maximum number of times of normal staff.
If a login account performs an operation that triggers the sensitive operation behavior, the consulting type of that login account is labeled with the violation annotation value for the triggered case; if it performs no such operation, the consulting type of that login account is labeled with the violation annotation value for the non-triggered case. This yields the violation value labeling array matrix of the sensitive operation type.
As an alternative embodiment of the present invention, the data processing module 220 further comprises a statistics unit (not shown in the figure). Wherein,
The statistics unit is used for carrying out statistics processing on the operation times corresponding to each sensitive operation type according to a preset unit time period to obtain a unit array matrix M of the sensitive operation type; wherein,
The unit array matrix M of the sensitive operation type is expressed as follows:
where $M_{kl}$ represents the total number of operations of the $k$-th sensitive operation type in the $l$-th preset unit time period.
Specifically, the statistics unit is used for carrying out statistics processing on the operation times of the sensitive operation types according to a preset unit time period, such as 1 day, on the sensitive operation type data table of each login account, so as to obtain a unit array matrix of the sensitive operation types. For example, on the first day, the number of operations of the outgoing sensitive operation type is 10, the number of operations of the screenshot sensitive operation type is 8, the number of operations of the consulted sensitive operation type is 12, the number of operations of the derived sensitive operation type is 11, and the operations are represented in a matrix manner, so as to obtain a unit array matrix M of the sensitive operation type.
As an alternative embodiment of the present invention, the data processing module 220 further comprises an annotating unit (not shown in the figures). Wherein,
And the marking unit is used for marking the violation values of the sensitive operation types according to the sensitive operation type data table to obtain a violation value marking array matrix of the sensitive operation types.
The labeling unit further comprises a rule comparison subunit, a result determination subunit and a labeling subunit (not shown in the figure). Wherein,
The rule comparison subunit is used for comparing the preset sensitive operation type rule corresponding to each sensitive operation type with the operation data according to the sequence of each sensitive operation type in the sensitive operation type data table to obtain a comparison result corresponding to each sensitive operation type;
The result determining subunit is used for determining the violation annotation value of each sensitive operation type according to the comparison result corresponding to the sensitive operation type; the violation annotation value is 1 for a sensitive operation type whose comparison result is that a violation was triggered, and 0 for a sensitive operation type whose comparison result is that no violation was triggered;
The marking subunit is used for marking the sensitive operation type according to the violation annotation value to obtain a violation value labeling array matrix R of the sensitive operation type; the violation value labeling array matrix R is expressed as follows:
$R = [R_1, R_2, \ldots, R_k]$, where $R_k$ represents the violation annotation value for the $k$-th sensitive operation type.
Specifically, in the sensitive operation type data table of each login account, sensitive operation types are set in sequence, then the rule comparison subunit is used for comparing according to preset sensitive operation type rules corresponding to the sensitive operation types to obtain a comparison result corresponding to each sensitive operation type, the result determination subunit is used for determining an illegal marking value of the sensitive operation type according to the comparison result corresponding to each sensitive operation type, and the marking subunit is used for marking the sensitive operation type according to the illegal marking value. If the comparison result is triggering sensitive operation behavior, marking according to a preset rule violation marking value triggering rule violation behavior, namely marking as 1; if the comparison result is that the sensitive operation behavior is not triggered, marking according to the preset illegal marking value of the non-triggered illegal behavior, namely marking as 0, and obtaining an illegal value marking array matrix R of the sensitive operation type.
The matrix traversing module 230 is configured to reassign values in the sensitive operation type unit array matrix according to a traversing rule of a preset sensitive operation type unit array matrix, so as to obtain a new unit array matrix of the sensitive operation type.
Specifically, to avoid sporadic values in the sensitive operation type unit array matrix, each value can be traversed and reassigned according to the traversing rule of the preset sensitive operation type unit array matrix, screening out non-serious sporadic cases to obtain a new unit array matrix of the sensitive operation type.
As an alternative embodiment of the present invention, the matrix traversal module 230 further includes a value reading unit and a value modifying unit (not shown in the figure). Wherein,
The numerical value reading unit is used for reading each numerical value in the sensitive operation type unit array matrix, and acquiring a sensitive operation frequency threshold value which is matched with the sensitive operation type represented by the numerical value in advance in a preset unit time period as a comparison threshold value of the numerical value;
The numerical value modifying unit is used for modifying each value in the sensitive operation type unit array matrix that is smaller than its comparison threshold to 0; values greater than or equal to the comparison threshold are unchanged, giving a new unit array matrix of the sensitive operation type.
Specifically, the numerical value reading unit reads each value in the sensitive operation type unit array matrix. Each value represents a sensitive operation type and the total number of operations of that type in the corresponding preset unit time period, so the sensitive operation type corresponding to the value can be obtained; the sensitive operation count threshold pre-matched to that type for the preset unit time period is then obtained and used as the comparison threshold for the value. The value is compared with its comparison threshold, and the numerical value modifying unit sets every value in the matrix that is smaller than its comparison threshold to 0, leaving values greater than or equal to the threshold unchanged, to obtain the new unit array matrix of the sensitive operation type. The specific process can be expressed as follows:
Read the values of the unit array matrix $M$ and, traversing $M$, compare each value with its comparison threshold $M_i$, $i \in [1, 2, \ldots, k]$. If the value is greater than or equal to $M_i$, the corresponding $M_{ij}$, $i \in [1, 2, \ldots, k]$, $j \in [1, 2, \ldots, l]$, is recorded; otherwise it is set to 0. After the traversal is finished, the new unit array matrix $M'$ is generated.
The calculation module 240 is configured to determine a suspected offence operation score of each login account through a hadamard product formula according to the new unit array matrix and the offence value labeling array matrix.
Specifically, calculating the suspected offence operation score of each login account, inputting a new unit array matrix and an offence value labeling array matrix of each login account into a Hadamard product formula, and calculating to obtain the suspected offence operation score of each login account.
As an alternative embodiment of the present invention, the calculation module 240 further includes a calculation unit (not shown in the figure). Wherein,
The computing unit is used for determining the suspected illegal operation score of each login account through a Hadamard product formula according to the new unit array matrix, the illegal value labeling array matrix and the pre-matched weighted score of each sensitive operation type acquired in advance; wherein,
The Hadamard product formula is:
$S = \sum [(R \circ W) \times M']$, where $R \circ W$ represents the Hadamard product between the violation value labeling array matrix $R$ and the weighted score $W$, and $M'$ represents the new unit array matrix.
Specifically, each sensitive operation type is pre-matched with a corresponding weighted score. The computing unit inputs each login account's new unit array matrix and violation value labeling array matrix, together with the pre-obtained weighted score pre-matched to each sensitive operation type, into the Hadamard product formula to compute the suspected violation operation score of each login account.
The risk determination module 250 is configured to use the login account with the suspected offending operation score greater than or equal to the preset offending operation score threshold value as a risk login account with the offending operation.
Specifically, the suspected illegal operation score of each login account is compared with a preset illegal operation score threshold, and risk login accounts with illegal operations are screened out.
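The pipeline described by the modules above (count matrix M, violation vector R, threshold reassignment to M', weighted score S, comparison with the score threshold) can be sketched as follows. This is an added example, not code from the patent; the thresholds, weights, the off-hours rule, the event fields and the reading of Σ[(R∘W)×M'] as a row vector times M' summed over all unit periods are assumptions.

```python
from collections import Counter

# Order of the preset sensitive operation type table (type names as given on the page).
SENSITIVE_TYPES = ["outgoing", "screenshot", "consulting", "deriving"]

# Constructed values, not from the patent: per-type count threshold for one unit
# period (one day), per-type weighted score W, and the violation score threshold.
COUNT_THRESHOLD = {"outgoing": 5, "screenshot": 10, "consulting": 10, "deriving": 3}
WEIGHT = {"outgoing": 3.0, "screenshot": 1.0, "consulting": 1.0, "deriving": 4.0}
SCORE_THRESHOLD = 40.0


def off_hours_rule(events):
    """Hypothetical stand-in for a preset sensitive operation type rule:
    triggered when any operation of the type happened outside 08:00-20:00."""
    return any(e["hour"] < 8 or e["hour"] >= 20 for e in events)


RULES = {t: off_hours_rule for t in SENSITIVE_TYPES}


def unit_matrix(events, days):
    """M[i][j] = number of operations of type i in unit period j (k x l)."""
    counts = Counter((e["op"], e["day"]) for e in events if e["op"] in COUNT_THRESHOLD)
    return [[counts[(t, d)] for d in range(days)] for t in SENSITIVE_TYPES]


def violation_vector(events):
    """R[i] = 1 if the rule for type i is triggered by the account's events, else 0."""
    return [int(RULES[t]([e for e in events if e["op"] == t])) for t in SENSITIVE_TYPES]


def reassign(m):
    """M': set every count below its type's threshold to 0, keep the rest."""
    return [[v if v >= COUNT_THRESHOLD[t] else 0 for v in row]
            for t, row in zip(SENSITIVE_TYPES, m)]


def score(r, m_new):
    """S = sum of the entries of (R o W) x M'."""
    rw = [ri * WEIGHT[t] for ri, t in zip(r, SENSITIVE_TYPES)]    # Hadamard product
    per_period = [sum(rw[i] * m_new[i][j] for i in range(len(rw)))  # row vector times M'
                  for j in range(len(m_new[0]))]
    return sum(per_period)


def risk_accounts(events, days):
    """Group raw events by login account, score each account, flag S >= threshold."""
    by_account = {}
    for e in events:
        by_account.setdefault(e["account"], []).append(e)
    scores = {a: score(violation_vector(evs), reassign(unit_matrix(evs, days)))
              for a, evs in by_account.items()}
    flagged = sorted(a for a, s in scores.items() if s >= SCORE_THRESHOLD)
    return scores, flagged


def _ev(account, op, day, hour, n):
    return [{"account": account, "op": op, "day": day, "hour": hour}] * n


# Constructed sample events (account ids and counts are made up for illustration).
SAMPLE_EVENTS = (
    _ev("E1001", "deriving", 0, 23, 12)      # many operations late at night
    + _ev("E1001", "outgoing", 0, 23, 2)     # off-hours, but below the count threshold
    + _ev("E1001", "screenshot", 1, 14, 11)  # above threshold, rule not triggered
    + _ev("E1002", "consulting", 0, 10, 30)  # heavy use during working hours
    + _ev("E1002", "deriving", 1, 22, 2)     # off-hours, but below the count threshold
    + _ev("E1002", "view", 0, 9, 50)         # not in the sensitive type table: ignored
)

if __name__ == "__main__":
    print(risk_accounts(SAMPLE_EVENTS, days=2))
```

In the constructed sample, E1002 scores 0: its 30 in-hours consultations are gated out by R, and its off-hours operations are zeroed by the count threshold. Activity kept below the per-period threshold therefore never contributes to S, which matters when choosing the thresholds.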
As an optional embodiment of the present invention, the safety monitoring device 200 based on the operation data further includes an early warning generation module and an information transmission module (not shown in the figure). Wherein,
The early warning generation module is used for generating early warning information when determining that the risk login account with illegal operation exists;
and the information sending module is used for sending the early warning information to the safety monitoring system in the form of mail.
Specifically, early warning information is generated through an early warning generation module according to a risk login account number of illegal operation, wherein the early warning information comprises the risk login account number of illegal operation and a corresponding risk type, and then mail service is called through an information sending module to send the early warning information to a safety monitoring system in a mail mode so as to carry out corresponding processing on the corresponding risk login account number of illegal operation.
Fig. 3 is a schematic structural diagram of an electronic device implementing a security monitoring method based on operation data according to an embodiment of the present invention.
The electronic device 1 may comprise a processor 10, a memory 11 and a bus, and may further comprise a computer program stored in the memory 11 and executable on the processor 10, such as a security monitoring program 12 based on operational data.
The memory 11 includes at least one type of readable storage medium, including flash memory, a mobile hard disk, a multimedia card, a card memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, etc. The memory 11 may in some embodiments be an internal storage unit of the electronic device 1, such as a removable hard disk of the electronic device 1. The memory 11 may also be an external storage device of the electronic device 1 in other embodiments, for example, a plug-in mobile hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card) or the like, which are provided on the electronic device 1. Further, the memory 11 may also include both an internal storage unit and an external storage device of the electronic device 1. The memory 11 may be used not only for storing application software installed in the electronic device 1 and various types of data, such as codes of security monitoring programs based on operation data, but also for temporarily storing data that has been output or is to be output.
The processor 10 may in some embodiments be composed of integrated circuits, for example a single packaged integrated circuit, or multiple integrated circuits packaged with the same or different functions, including one or more central processing units (Central Processing Unit, CPU), microprocessors, digital processing chips, graphics processors, and various combinations of control chips. The processor 10 is the control unit (Control Unit) of the electronic device; it connects the parts of the entire electronic device using various interfaces and lines, runs or executes programs or modules (for example, a security monitoring program based on operation data, etc.) stored in the memory 11, and invokes data stored in the memory 11 to perform various functions of the electronic device 1 and process data.
The bus may be a peripheral component interconnect standard (Peripheral Component Interconnect, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. The bus may be classified as an address bus, a data bus, a control bus, etc. The bus is arranged to enable a connection communication between the memory 11 and at least one processor 10 etc.
Fig. 3 shows only an electronic device with components, it being understood by a person skilled in the art that the structure shown in fig. 3 does not constitute a limitation of the electronic device 1, and may comprise fewer or more components than shown, or may combine certain components, or may be arranged in different components.
For example, although not shown, the electronic device 1 may further include a power source (such as a battery) for supplying power to each component, and preferably, the power source may be logically connected to the at least one processor 10 through a power management device, so that functions of charge management, discharge management, power consumption management, and the like are implemented through the power management device. The power supply may also include one or more of any of a direct current or alternating current power supply, recharging device, power failure detection circuit, power converter or inverter, power status indicator, etc. The electronic device 1 may further include various sensors, Bluetooth modules, Wi-Fi modules, etc., which will not be described herein.
Further, the electronic device 1 may also comprise a network interface, optionally the network interface may comprise a wired interface and/or a wireless interface (e.g. Wi-Fi interface, Bluetooth interface, etc.), typically used for establishing a communication connection between the electronic device 1 and other electronic devices.
The electronic device 1 may optionally further comprise a user interface, which may be a Display, an input unit, such as a Keyboard (Keyboard), or a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch, or the like. The display may also be referred to as a display screen or display unit, as appropriate, for displaying information processed in the electronic device 1 and for displaying a visual user interface.
It should be understood that the embodiments described are for illustrative purposes only and are not limited to this configuration in the scope of the patent application.
The operation data based security monitoring program 12 stored in the memory 11 of the electronic device 1 is a combination of instructions which, when run in the processor 10, can implement:
Performing sensitive operation classification processing on the operation data of each login account according to a preset sensitive operation type table to obtain a sensitive operation type data table of each login account; the sensitive operation type data table comprises sensitive operation types and operation data corresponding to the sensitive operation types;
For the sensitive operation type data table, respectively carrying out statistics processing on the operation times of the sensitive operation type based on a preset unit time period, and carrying out violation value labeling processing on the sensitive operation type based on a preset sensitive operation type rule to respectively obtain a unit array matrix of the sensitive operation type and a violation value labeling array matrix of the sensitive operation type;
Reassigning values in the sensitive operation type unit array matrix according to a traversing rule of the preset sensitive operation type unit array matrix to obtain a new unit array matrix of the sensitive operation type;
According to the new unit array matrix and the violation value labeling array matrix, determining the suspected violation operation score of each login account through a Hadamard product formula;
And taking the login account with the suspected illegal operation score being greater than or equal to a preset illegal operation score threshold value as a risk login account with illegal operation.
Specifically, the specific implementation method of the above instructions by the processor 10 may refer to the description of the relevant steps in the corresponding embodiment of fig. 1, which is not repeated herein. It should be emphasized that, to further ensure the privacy and security of the operation data of each login account, the operation data of each login account may also be stored in a node of a blockchain.
Further, the modules/units integrated in the electronic device 1 may be stored in a computer readable storage medium if implemented in the form of software functional units and sold or used as separate products. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM).
In the several embodiments provided in the present invention, it should be understood that the disclosed apparatus, device and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is merely a logical function division, and there may be other manners of division when actually implemented.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical units, may be located in one place, or may be distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units can be realized in a form of hardware or a form of hardware and a form of software functional modules.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof.
The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
The blockchain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm and the like. The blockchain (Blockchain), essentially a de-centralized database, is a string of data blocks that are generated in association using cryptographic methods, each of which contains information from a batch of network transactions for verifying the validity (anti-counterfeit) of its information and generating the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, an application services layer, and the like.
Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of units or means recited in the system claims can also be implemented by means of software or hardware by means of one unit or means. The terms second, etc. are used to denote a name, but not any particular order.
Finally, it should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.
Claims (6)
1. A security monitoring method based on operation data, applied to an electronic device, the method comprising:
Performing sensitive operation classification processing on the operation data of each login account according to a preset sensitive operation type table to obtain a sensitive operation type data table of each login account; the sensitive operation type data table comprises sensitive operation types and operation data corresponding to the sensitive operation types;
For the sensitive operation type data table, respectively carrying out statistics processing on the operation times of the sensitive operation type based on a preset unit time period, and carrying out violation value labeling processing on the sensitive operation type based on a preset sensitive operation type rule to respectively obtain a unit array matrix of the sensitive operation type and a violation value labeling array matrix of the sensitive operation type; the counting processing is performed on the operation times of the sensitive operation types based on a preset unit time period for the sensitive operation type data table, and obtaining a unit array matrix of the sensitive operation types comprises the following steps:
Performing statistical processing on the operation times corresponding to each sensitive operation type according to the preset unit time period to obtain a unit array matrix M of the sensitive operation type; wherein,
The unit array matrix M of the sensitive operation type is expressed as follows:
Wherein $M_{kl}$ represents the total number of operations of the $k$-th sensitive operation type in the $l$-th preset unit time period;
the processing of the violation value labeling of the sensitive operation type by the sensitive operation type data table to obtain a violation value labeling array matrix of the sensitive operation type comprises the following steps:
comparing a preset sensitive operation type rule corresponding to each sensitive operation type with the operation data according to the sequence of each sensitive operation type in the sensitive operation type data table to obtain a comparison result corresponding to each sensitive operation type;
Determining the violation annotation value of each sensitive operation type according to the comparison result corresponding to each sensitive operation type; wherein the violation annotation value is 1 for a sensitive operation type whose comparison result is that a violation was triggered, and 0 for a sensitive operation type whose comparison result is that no violation was triggered;
Marking the sensitive operation type according to the violation annotation value to obtain a violation value labeling array matrix R of the sensitive operation type; the violation value labeling array matrix R is expressed as follows:
$R = [R_1, R_2, \ldots, R_k]$, where $R_k$ represents the violation annotation value of the $k$-th sensitive operation type;
reassigning values in the sensitive operation type unit array matrix according to a traversing rule of a preset sensitive operation type unit array matrix to obtain a new unit array matrix of the sensitive operation type, wherein the reassigning comprises the following steps:
Reading each numerical value in the sensitive operation type unit array matrix, and acquiring a sensitive operation frequency threshold value which is matched with the sensitive operation type represented by the numerical value in advance in the preset unit time period as a comparison threshold value of the numerical values;
Modifying a value smaller than the comparison threshold value in the sensitive operation type unit array matrix to be 0; the numerical value larger than or equal to the comparison threshold value is unchanged, and a new unit array matrix of the sensitive operation type is obtained;
determining a suspected violation operation score of each login account through a Hadamard product formula according to the new unit array matrix and the violation value labeling array matrix, comprising:
determining the suspected violation operation score of each login account through the Hadamard product formula according to the new unit array matrix of each login account, the violation value labeling array matrix, and a pre-acquired weighting score pre-matched to each sensitive operation type; wherein
the Hadamard product formula is:
$S = \sum [(R \circ W) \times M']$, where $R \circ W$ represents the Hadamard product between the violation value labeling array matrix R and the weighting score W, and $M'$ represents the new unit array matrix;
and taking each login account whose suspected violation operation score is greater than or equal to a preset violation operation score threshold as a risk login account with a violation operation.
2. The method for security monitoring based on operation data according to claim 1, wherein the operation data of each login account is stored in a blockchain, and before performing sensitive operation classification processing on the operation data of each login account to obtain a sensitive operation type data table of each login account, the method further comprises:
loading original operation data within a preset time interval according to an acquired operation behavior safety monitoring instruction; the original operation data comprises login accounts and the operation data corresponding to each login account; the preset time interval is greater than or equal to the preset unit time period;
and performing dimension reduction processing on the original operation data based on the login account to obtain the operation data of each login account within the preset time interval.
3. The method of claim 1, further comprising, after said taking the login account whose suspected violation operation score is greater than or equal to a preset violation operation score threshold as a risk login account with a violation operation:
generating early warning information when it is determined that a risk login account with a violation operation exists;
and sending the early warning information to a safety monitoring system by e-mail.
4. A safety monitoring device based on operational data, the device comprising:
an operation classification module, configured to perform sensitive operation classification processing on the operation data of each login account according to a preset sensitive operation type table to obtain a sensitive operation type data table of each login account; the sensitive operation type data table comprises sensitive operation types and the operation data corresponding to each sensitive operation type;
a data processing module, configured to perform, on the sensitive operation type data table, statistical processing of the number of operations of each sensitive operation type based on a preset unit time period, and violation value labeling processing of the sensitive operation types based on preset sensitive operation type rules, to obtain respectively a unit array matrix of the sensitive operation type and a violation value labeling array matrix of the sensitive operation type; the data processing module comprises a statistics unit and a labeling unit; wherein
the statistics unit is configured to perform statistical processing on the number of operations corresponding to each sensitive operation type according to the preset unit time period to obtain a unit array matrix M of the sensitive operation type; wherein
the unit array matrix M of the sensitive operation type is expressed as follows:
where $M_{kl}$ represents the total number of operations of the k-th sensitive operation type in the l-th preset unit time period;
the labeling unit is configured to perform violation value labeling on the sensitive operation types according to the sensitive operation type data table to obtain the violation value labeling array matrix of the sensitive operation type; the labeling unit comprises a rule comparison subunit, a result determination subunit and a labeling subunit;
the rule comparison subunit is configured to compare the preset sensitive operation type rule corresponding to each sensitive operation type with the operation data, in the order in which the sensitive operation types appear in the sensitive operation type data table, to obtain a comparison result corresponding to each sensitive operation type;
the result determination subunit is configured to determine the violation labeling value of each sensitive operation type according to the comparison result corresponding to that sensitive operation type; wherein the violation labeling value of a sensitive operation type whose comparison result is that a violation is triggered is 1, and the violation labeling value of a sensitive operation type whose comparison result is that no violation is triggered is 0;
the labeling subunit is configured to label the sensitive operation types according to the violation labeling values to obtain a violation value labeling array matrix R of the sensitive operation type; the violation value labeling array matrix R is expressed as:
$R = [R_1, R_2, \ldots, R_k]$, where $R_k$ represents the violation labeling value of the k-th sensitive operation type;
a matrix traversal module, configured to reassign the values in the sensitive operation type unit array matrix according to a preset traversal rule for the sensitive operation type unit array matrix to obtain a new unit array matrix of the sensitive operation type; the matrix traversal module comprises a value reading unit and a value modifying unit;
the value reading unit is configured to read each value in the sensitive operation type unit array matrix, and to acquire, as the comparison threshold for that value, the sensitive operation frequency threshold pre-matched, for the preset unit time period, to the sensitive operation type that the value represents;
the value modifying unit is configured to modify to 0 each value in the sensitive operation type unit array matrix that is smaller than its comparison threshold, and to leave each value greater than or equal to its comparison threshold unchanged, to obtain the new unit array matrix of the sensitive operation type;
a calculation module, configured to determine the suspected violation operation score of each login account through a Hadamard product formula according to the new unit array matrix and the violation value labeling array matrix; the calculation module comprises a calculation unit;
the calculation unit is configured to determine the suspected violation operation score of each login account through the Hadamard product formula according to the new unit array matrix, the violation value labeling array matrix, and a pre-acquired weighting score pre-matched to each sensitive operation type; wherein
the Hadamard product formula is:
$S = \sum [(R \circ W) \times M']$, where $R \circ W$ represents the Hadamard product between the violation value labeling array matrix R and the weighting score W, and $M'$ represents the new unit array matrix;
and a risk determination module, configured to take each login account whose suspected violation operation score is greater than or equal to a preset violation operation score threshold as a risk login account with a violation operation.
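The counting, thresholding and scoring steps recited in claims 1 and 4, worked through in Python as an added example (not code from the patent). The type names, weights, thresholds and records are constructed; R is supplied as input because the per-type rules are not given on the page, and the formula is read as the sum of all entries of the vector-matrix product (R∘W) × M′.

```python
from collections import defaultdict

# All names and values below are constructed for illustration.
TYPES = ["export_customer_data", "bulk_query", "permission_change"]
W = [5, 2, 8]            # weighting score pre-matched to each type
THRESHOLDS = [2, 3, 1]   # per-type frequency threshold per unit period
UNIT = 3600              # unit time period, in seconds
PERIODS = 3              # unit periods in the monitored interval
SCORE_THRESHOLD = 20     # violation operation score threshold

def count_matrix(events, start=0):
    """M[k][l]: operations of type k in unit period l, for one account."""
    M = [[0] * PERIODS for _ in TYPES]
    for op_type, ts in events:
        period = (ts - start) // UNIT
        if op_type in TYPES and 0 <= period < PERIODS:
            M[TYPES.index(op_type)][period] += 1
    return M

def reassign(M):
    """M': zero every count below its type's threshold, keep the rest."""
    return [[c if c >= THRESHOLDS[k] else 0 for c in row]
            for k, row in enumerate(M)]

def score(M_new, R):
    """S: sum of all entries of (R∘W) x M' (assumed reading of the formula)."""
    rw = [r * w for r, w in zip(R, W)]  # Hadamard product R∘W
    return sum(rw[k] * c for k, row in enumerate(M_new) for c in row)

def risk_accounts(ops, R_by_account):
    """Return (scores, flagged accounts) for (account, type, ts) records."""
    by_account = defaultdict(list)
    for account, op_type, ts in ops:
        by_account[account].append((op_type, ts))
    scores = {a: score(reassign(count_matrix(ev)), R_by_account[a])
              for a, ev in by_account.items()}
    return scores, sorted(a for a, s in scores.items() if s >= SCORE_THRESHOLD)

# Constructed operation records and constructed violation labels R.
OPS = ([("alice", "export_customer_data", t) for t in (100, 200, 300, 4000)]
       + [("alice", "bulk_query", t) for t in (10, 20, 30, 40)]
       + [("alice", "permission_change", 7300)]
       + [("bob", "export_customer_data", 100)]
       + [("bob", "bulk_query", t) for t in (100, 200, 3700)])
R_BY_ACCOUNT = {"alice": [1, 0, 1], "bob": [1, 1, 0]}

if __name__ == "__main__":
    print(risk_accounts(OPS, R_BY_ACCOUNT))
```

Note that a type with a high count but R = 0 (alice's bulk queries) contributes nothing, and a type with R = 1 whose counts never reach the threshold (bob) also scores 0: both conditions must hold for a type to add to S.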
5. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the steps of the operational data based security monitoring method of any one of claims 1 to 3.
6. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the operational data based security monitoring method of any one of claims 1 to 3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210257316.3A CN114662095B (en) | 2022-03-16 | 2022-03-16 | Safety monitoring method, device, equipment and storage medium based on operation data |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114662095A CN114662095A (en) | 2022-06-24 |
CN114662095B true CN114662095B (en) | 2024-08-13 |
Family
ID=82029417
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210257316.3A Active CN114662095B (en) | 2022-03-16 | 2022-03-16 | Safety monitoring method, device, equipment and storage medium based on operation data |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114662095B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115967521A (en) * | 2022-09-08 | 2023-04-14 | 平安银行股份有限公司 | Sensitive information operation monitoring method and device |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111209171A (en) * | 2019-12-23 | 2020-05-29 | 中国平安财产保险股份有限公司 | Closed loop handling method and device for security risk and storage medium |
CN111738011A (en) * | 2020-05-09 | 2020-10-02 | 完美世界(北京)软件科技发展有限公司 | Illegal text recognition method and device, storage medium and electronic device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111913860B (en) * | 2020-07-15 | 2024-02-27 | 中国民航信息网络股份有限公司 | Operation behavior analysis method and device |
CN113254649B (en) * | 2021-06-22 | 2023-07-18 | 中国平安人寿保险股份有限公司 | Training method of sensitive content recognition model, text recognition method and related device |
CN113780804B (en) * | 2021-09-09 | 2024-03-12 | 平安科技(深圳)有限公司 | Employee behavior risk prediction method and device based on data analysis and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||