CN110457349B - Information outflow monitoring method and monitoring device - Google Patents

Publication number
CN110457349B
Authority
CN
China
Prior art keywords
information
current
outflow
scoring
determining
Legal status
Active
Application number
CN201910590401.XA
Other languages
Chinese (zh)
Other versions
CN110457349A (en
Inventor
简军
邹金根
汤奇朋
Current Assignee
Beijing Renrenyuntu Information Technology Co ltd
Original Assignee
Beijing Renrenyuntu Information Technology Co ltd
Application filed by Beijing Renrenyuntu Information Technology Co ltd
Priority to CN201910590401.XA
Publication of CN110457349A
Application granted
Publication of CN110457349B

Classifications

    • G06F16/24568 Data stream processing; Continuous queries
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G06F16/953 Querying, e.g. by the use of web search engines
    • G06F21/60 Protecting data

Abstract

The invention provides a method and a device for monitoring information outflow. The monitoring method comprises: determining a current frequency integral of information currently flowing out of a data platform, the current frequency integral being obtained from the time interval between the time of the current outflow of the information and the time of an Nth outflow of the information, wherein the Nth outflow occurs before the current outflow; scoring the current outflow of the information according to the current frequency integral to obtain a current scoring result; and determining whether the current outflow of the information is abnormal according to the current scoring result. The technical solution quantifies the timing data of information outflow, making the monitoring of information outflow more timely and accurate.

Description

Information outflow monitoring method and monitoring device
Technical Field
The invention relates to the field of information security, in particular to a monitoring method and a monitoring device for information outflow.
Background
The outflow of information from a data platform (e.g., a database or a website) can be divided into normal outflow and abnormal outflow. Abnormal outflow may harm the data platform or its users, for example when sensitive information is leaked. Monitoring the outflow of information therefore not only improves the security of network interaction but also gives data operation and maintenance personnel a basis for decisions. Existing monitoring methods have difficulty judging accurately whether an information outflow is normal, and consequently have difficulty giving a timely early warning when information flows out of the data platform abnormally.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and a device for monitoring information outflow, which can make a monitoring process of information outflow more timely and accurate.
In a first aspect, an embodiment of the present invention provides a method for monitoring information outflow, including: determining a current frequency integral of information currently flowing out of a data platform, the current frequency integral being obtained from the time interval between the time of the current outflow of the information and the time of an Nth outflow of the information, wherein the Nth outflow occurs before the current outflow; scoring the current outflow of the information according to the current frequency integral to obtain a current scoring result; and determining whether the current outflow of the information is abnormal according to the current scoring result.
In some embodiments of the present invention, the value range of the current scoring result is greater than 0 and less than or equal to 1.
In some embodiments of the present invention, the time of the current outflow of the information is t, the Nth outflow of the information is the previous outflow, the time of the previous outflow is p, and the current frequency integral is denoted by S:
Figure BDA0002115921530000021
wherein e is the base of the natural logarithm.
In some embodiments of the invention, the monitoring method of the first aspect further comprises determining a sensitivity integral of the information according to the sensitivity level of the information. Scoring the current outflow of the information according to the current frequency integral then comprises: scoring the current outflow of the information according to the current frequency integral and the sensitivity integral to obtain the current scoring result, where the sensitivity integral is denoted by m, the current scoring result is denoted by T, and $T = S^m$.
In some embodiments of the present invention, determining whether the current outflow of the information is abnormal according to the current scoring result includes: determining whether the current outflow is abnormal according to the current scoring result and a historical scoring record, where the destination of the current outflow of the information is the same as the destination of the outflows covered by the historical scoring record.
In some embodiments of the present invention, determining whether the current outflow of the information is abnormal according to the current scoring result and the historical scoring record comprises: determining a current scoring vector according to the current scoring result, where the current outflow is the b-th outflow of the information and the current scoring vector is a (b-a)-dimensional vector consisting of the b-a scores corresponding to the a-th to the b-th outflows, with b greater than a; determining a pre-scoring vector according to the scoring result of the previous outflow of the information, where the previous outflow is the (b-1)-th outflow and the pre-scoring vector is a (b-a)-dimensional vector consisting of the b-a scores corresponding to the (a-1)-th to the (b-1)-th outflows; calculating the similarity between the current scoring vector and the pre-scoring vector; and determining whether the current outflow of the information is abnormal according to the similarity.
In some embodiments of the present invention, determining whether the current outflow of the information is abnormal according to the current scoring result and the historical scoring record further comprises: determining the mode of the scores in the historical scoring record; when the current scoring result is greater than the mode, determining that the current outflow of the information is abnormal; when the current scoring result is smaller than the mode, calculating the similarity between the current scoring vector and the pre-scoring vector; and when the similarity is greater than a threshold, determining that the current outflow of the information is abnormal.
In some embodiments of the invention, the monitoring method of the first aspect further comprises: when no mode exists, determining the median of the scores in the historical scoring record; and when the current scoring result is greater than the median, determining that the current outflow of the information is abnormal. When the historical scoring record has several modes with different values, the smallest of them is taken as the mode.
In a second aspect, an embodiment of the present invention provides an information outflow monitoring apparatus, including: a first determining module, configured to determine a current frequency integral of information currently flowing out of a data platform, where the current frequency integral is obtained from the time interval between the time of the current outflow of the information and the time of an Nth outflow of the information, and the Nth outflow occurs before the current outflow; a scoring module, configured to score the current outflow of the information according to the current frequency integral to obtain a current scoring result; and a second determining module, configured to determine whether the current outflow of the information is abnormal according to the current scoring result.
In some embodiments of the present invention, the value range of the current scoring result is greater than 0 and less than or equal to 1.
In some embodiments of the present invention, the time of the current outflow of the information is t, the Nth outflow of the information is the previous outflow, the time of the previous outflow is p, and the current frequency integral is denoted by S:
Figure BDA0002115921530000031
wherein e is the base of the natural logarithm.
In some embodiments of the present invention, the first determining module is further configured to determine a sensitivity integral of the information according to the sensitivity level of the information, and the scoring module is configured to score the current outflow of the information according to the current frequency integral and the sensitivity integral to obtain the current scoring result, where the sensitivity integral is denoted by m, the current scoring result is denoted by T, and $T = S^m$.
In some embodiments of the present invention, the second determining module is configured to determine whether the current outflow of the information is abnormal according to the current scoring result and a historical scoring record, where the destination of the current outflow of the information is the same as the destination of the outflows covered by the historical scoring record.
In some embodiments of the invention, the second determining module is configured to: determine a current scoring vector according to the current scoring result, where the current outflow is the b-th outflow of the information and the current scoring vector is a (b-a)-dimensional vector consisting of the b-a scores corresponding to the a-th to the b-th outflows, with b greater than a; determine a pre-scoring vector according to the scoring result of the previous outflow of the information, where the previous outflow is the (b-1)-th outflow and the pre-scoring vector is a (b-a)-dimensional vector consisting of the b-a scores corresponding to the (a-1)-th to the (b-1)-th outflows; calculate the similarity between the current scoring vector and the pre-scoring vector; and determine whether the current outflow of the information is abnormal according to the similarity.
In some embodiments of the invention, the second determining module is further configured to: determine the mode of the scores in the historical scoring record; when the current scoring result is greater than the mode, determine that the current outflow of the information is abnormal; when the current scoring result is smaller than the mode, calculate the similarity between the current scoring vector and the pre-scoring vector; and when the similarity is greater than a threshold, determine that the current outflow of the information is abnormal.
In some embodiments of the invention, the second determining module is further configured to: when no mode exists, determine the median of the scores in the historical scoring record; and when the current scoring result is greater than the median, determine that the current outflow of the information is abnormal. When the historical scoring record has several modes with different values, the smallest of them is taken as the mode.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium, where a computer program is stored, and the computer program is configured to execute the information outflow monitoring method according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides an electronic device, including: a processor; a memory for storing processor executable instructions, wherein the processor is adapted to perform the method for monitoring information outflow according to the first aspect.
Embodiments of the invention provide a method and a device for monitoring information outflow that use the timing data of information flowing out of a data platform and determine the current frequency integral of the current outflow from the time interval between outflows. This quantifies the timing data of information outflow and makes the monitoring of information outflow more timely and accurate.
Drawings
Fig. 1 is a schematic system architecture diagram of an information outflow monitoring system according to an exemplary embodiment of the present invention.
Fig. 2 is a schematic flow chart of a monitoring method for information outflow according to an embodiment of the present invention.
Fig. 3 is a schematic flow chart of a monitoring method for information outflow according to another embodiment of the present invention.
Fig. 4 is a schematic structural diagram of an information outflow monitoring apparatus according to an embodiment of the present invention.
Fig. 5 is a block diagram illustrating an electronic device for monitoring of information outflow according to an exemplary embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Monitoring and early warning of abnormal information outflow from a data platform is one of the pressing problems in data operation and maintenance and in data protection. At present, the outflow of information from a data platform is monitored mainly in two ways: rule-based monitoring and monitoring based on data visualization. Rule-based monitoring controls information outflow by configuring access rights to the information; the access right may be no access or a limited number of accesses, for example the same identification number can only be accessed once a day. Such rule-based monitoring is rigid and cannot monitor the outflow of information flexibly or accurately. Monitoring based on data visualization relies on manually inspecting and analyzing the raw outflow data; it is slow, has poor real-time performance, and is costly.
Fig. 1 is a schematic system architecture diagram of an information outflow monitoring system according to an exemplary embodiment of the present invention, which illustrates an application scenario for monitoring outflow of information on a server 10. As shown in fig. 1, the monitoring system includes a server 10, a server 20, and a terminal 30. The server 10 may be a data platform, for example a Hadoop platform. The terminal 30 may be an electronic device such as a mobile phone or a computer.
In an exemplary scenario, a user accesses the server 10 through the terminal 30. When information flows out of the server 10, the server 20 monitors the outflow process on the server 10 and gives an early warning when the information flows out abnormally. In this scenario the outflow is monitored in by-pass mode: the outflow of information from the server 10 is monitored by the server 20, which is separate from the server 10, so the server 10 is not affected and security is high.
In another exemplary scenario, the server 10 and the server 20 may be the same server, i.e. the information outflow monitoring system comprises the server 10 and the terminal 30. The user accesses the server 10 through the terminal 30; when information flows out of the server 10, the server 10 itself monitors the outflow process and gives an early warning when the information flows out abnormally. In this scenario the outflow is monitored in listening mode: the outflow on the server 10 is monitored by the server 10 or by a device embedded in the server 10, so the outflow direction of the information can be reported quickly and in real time.
It should be noted that the above application scenarios are only presented to facilitate understanding of the spirit and principles of the present invention, and the embodiments of the present invention are not limited thereto. Rather, embodiments of the present invention may be applied to any scenario where it may be applicable.
The following describes an embodiment of the present invention specifically by taking an example of a monitoring system for information outflow including a data platform (server 10), a terminal (terminal 30), and a server (server 30).
Fig. 2 is a schematic flow chart of a monitoring method for information outflow according to an embodiment of the present invention. As shown in fig. 2, the method includes the following.
110: A current frequency integral of information currently flowing out of the data platform is determined. The current frequency integral is obtained from the time interval between the time of the current outflow of the information and the time of an Nth outflow of the information, wherein the Nth outflow occurs before the current outflow.
Specifically, for a given piece of information in the data platform, the outflow data for each time the information flows out of the data platform may be recorded on the terminal or on the data platform, and the outflow data may include the time of the outflow. For example, the time at which the information flows out of the data platform for the Nth time is $t_N$, and the time at which it flows out for the Qth time is $t_Q$. The Nth outflow of the information occurs before the Qth outflow, i.e. $t_Q$ is greater than $t_N$. The unit of $t_Q$ and $t_N$ may be seconds, milliseconds or another suitable unit, which is not limited by the embodiment of the present invention.
The server may determine the frequency integral of the Qth outflow of the information from the time interval $(t_Q - t_N)$ between the Qth and the Nth outflows. The frequency integral may be obtained by feeding the time interval $(t_Q - t_N)$ into a certain function. The magnitude of the frequency integral can be used to characterize the abnormal condition of the Nth outflow of the information; for example, the larger the frequency integral, the more likely the outflow is abnormal.
In this embodiment, Q and N are integers, and a difference between Q and N may be 1, 2, 3 or another value, which is not limited in this embodiment of the present invention.
When the difference between Q and N is 1, that is, the Qth and Nth outflows are two adjacent outflows of the information, the outflow data considered is compact and the frequency integral can accurately characterize the abnormal condition of the Qth outflow.
The Qth outflow of the information may be the current outflow of the information.
120: The current outflow of the information is scored according to the current frequency integral to obtain a current scoring result.
Specifically, the current frequency integral can be used directly as the current scoring result, or it can be processed further, for example by a specific function, to obtain the current scoring result.
130: Whether the current outflow of the information is abnormal is determined according to the current scoring result.
Specifically, the current scoring result may be a score, and whether the current outflow of the information is abnormal may be determined according to the size of the score; the current scoring result may also be a grade, for example, the current scoring result may be "normal" or "abnormal", and the server may determine whether the current outflow of information is abnormal directly according to the result.
The embodiment of the invention provides an information outflow monitoring method that uses the timing data of information flowing out of a data platform and determines the current frequency integral of the current outflow from the time interval between outflows. This quantifies the timing data of information outflow and makes the monitoring of information outflow more timely and accurate.
According to an embodiment of the present invention, a value range of the current scoring result is greater than 0 and less than or equal to 1.
Specifically, the current scoring result is a score, and each outflow of the information from the data platform has a corresponding scoring result. The scoring results of the outflows may be arranged, in increasing order of time, into a sequence or a row vector. To simplify data processing and avoid excessive fluctuation in the data, the contents of the sequence or row vector can be kept uniform by restricting the scoring result to a fixed range, for example greater than 0 and less than or equal to 1.
According to an embodiment of the present invention, the time of the current outflow of the information is t, the Nth outflow of the information is the previous outflow, the time of the previous outflow is p, and the current frequency integral is denoted by S:
Figure BDA0002115921530000081
wherein e is the base of the natural logarithm.
In the present embodiment, the current frequency integral is obtained from the time interval between two adjacent outflows of the information. That is, the current outflow is the Qth outflow of the information, the time of the Qth outflow is t ($t_Q$), and the time of the Nth outflow is p ($t_N$). The difference between Q and N is 1, and the value of S is greater than 0 and less than 1.
According to an embodiment of the present invention, the method of fig. 2 further includes determining a sensitivity integral of the information according to the sensitivity level of the information, wherein 120 comprises: scoring the current outflow of the information according to the current frequency integral and the sensitivity integral to obtain the current scoring result, where the sensitivity integral is denoted by m, the current scoring result is denoted by T, and $T = S^m$.
Specifically, in the embodiment of the present invention, different information is separately monitored. Because different information has different importance degrees or sensitivity levels, when one kind of information is monitored, the factors reflecting the sensitivity levels of the information are taken into consideration, and the accuracy of the monitoring result can be improved.
For example, in the ticket website, the identification number and name of the customer are important information, and the flight number and flight time are less important than the identification number and name, i.e. the sensitivity level of the identification number and name is higher than that of the flight number and flight time.
In one embodiment, the higher the sensitivity level of the information, the larger the value of m. In the case where the frequency score S is the same, the higher the sensitivity level of the information, the higher the score result T, that is, the more likely the outflow of the information is an abnormal outflow.
For example, information may be divided by the following four sensitivity levels: insensitive, generally sensitive, and very sensitive. The sensitivity integrals corresponding to the four sensitivity levels can be 0, 1, 2 and 3 respectively. When the sensitivity level of the information is insensitive, i.e. the sensitivity integral is 0, the scoring result T of an outflow caused by a user accessing the information is always 1. In other words, the server does not substantially monitor the outflow of information whose sensitivity integral is 0. When the sensitivity integral of the information is not 0, the value of the scoring result T is greater than 0 and less than 1, and increases as the time interval (t - p) increases.
The frequency integral S is an increasing function whose growth gradually slows. This avoids a sharp rise in S caused by a long time interval, which would lead to the current outflow being wrongly determined to be abnormal, so robustness is good.
Of course, the sensitivity level of the information may be divided in other manners, and the sensitivity integral corresponding to different sensitivity levels may also be set according to the actual situation, which is not limited in the embodiment of the present invention.
According to an embodiment of the present invention, 130 includes: determining whether the current outflow of the information is abnormal according to the current scoring result and a historical scoring record, where the destination of the current outflow of the information is the same as the destination of the outflows covered by the historical scoring record.
Specifically, the outflow data for each time the information flows out of the data platform may include the time of the outflow and the destination of the information, and the server may process outflow data for different destinations separately. For example, when the destination of the information is A, each outflow of the information has a corresponding score, and these scores may form a sequence or a row vector. The historical scoring record can be that sequence or row vector, or a subset of the scoring results in it.
In this embodiment, the outflow of information is monitored separately for each destination, which addresses the problem of unbalanced access volumes and improves the reliability of the monitoring result.
In one embodiment, the current rating result may be compared with the rating result in the historical rating record to determine whether the current outflow of information is abnormal.
According to an embodiment of the present invention, determining whether the current outflow of the information is abnormal according to the current scoring result and the historical scoring record includes: determining a current scoring vector according to the current scoring result, where the current outflow is the b-th outflow of the information and the current scoring vector is a (b-a)-dimensional vector consisting of the b-a scores corresponding to the a-th to the b-th outflows, with b greater than a; determining a pre-scoring vector according to the scoring result of the previous outflow of the information, where the previous outflow is the (b-1)-th outflow and the pre-scoring vector is a (b-a)-dimensional vector consisting of the b-a scores corresponding to the (a-1)-th to the (b-1)-th outflows; calculating the similarity between the current scoring vector and the pre-scoring vector; and determining whether the current outflow of the information is abnormal according to the similarity.
Specifically, each outflow of information with sensitivity integration m and flow direction place A is scored, and the scoring result is marked as
Figure BDA0002115921530000101
and stored in a row vector denoted $S_m$, where n is the number of outflows of the information. For example, for the 500th outflow of information with destination A and a sensitivity integral of 4, the scoring result is recorded as
Figure BDA0002115921530000102
The row vector $S_m$ can be expressed as:
Figure BDA0002115921530000103
wherein
Figure BDA0002115921530000104
may be a preset initial value.
In this embodiment, the value of b-a may be 10, and for the b-th information flow, the current score vector may be represented as
Figure BDA0002115921530000105
The pre-scoring vector may be expressed as
Figure BDA0002115921530000106
Of course, the value of b-a may be other than 10, which is not limited in the embodiment of the present invention.
In this embodiment, the similarity between the current score vector and the pre-score vector may be calculated by euclidean distance, mahalanobis distance, spearman rank correlation coefficient, pearson correlation coefficient, or the like. And if the similarity is greater than a preset threshold value, the current outflow of the information is considered as abnormal outflow.
According to an embodiment of the present invention, determining whether the current outflow of the information is abnormal according to the current scoring result and the historical scoring record further includes: determining the mode of the scores in the historical score record; when the current scoring result is larger than the mode, determining that the current outflow of the information is abnormal; when the current scoring result is smaller than the mode, calculating the similarity between the current scoring vector and the pre-scoring vector; and when the similarity is greater than the threshold, determining that the current outflow of the information is abnormal.
Specifically, the current scoring result may first be compared with the mode of the scoring results in the historical scoring record. When the current scoring result is greater than the mode, the current outflow of the information is determined to be abnormal without acquiring the current scoring vector or calculating the similarity between the current scoring vector and the pre-scoring vector, so that the operation speed of the server may be improved.
Further, the method of fig. 2 further includes: when the mode does not exist, determining the median of the scores in the historical score record; and when the current scoring result is greater than the median, determining that the information flows abnormally, wherein when the historical scoring records have a plurality of modes with different values, the mode with the minimum value is taken as the mode.
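The decision procedure described above (mode check first, median fallback, then vector similarity) can be sketched as follows. This is an added example, not code from the patent: Euclidean distance is used as the similarity measure, and the function names, the threshold value, the handling of a score equal to the baseline (it proceeds to the vector check) and the reading of "the mode does not exist" as "no score repeats" are assumptions.

```python
import math
from collections import Counter
from statistics import median


def baseline(history):
    """Return (value, kind): the smallest mode of the historical scores,
    or their median when no score repeats."""
    counts = Counter(history)
    top = max(counts.values())
    if top == 1:
        # Assumption: "the mode does not exist" means every score is unique.
        return median(history), "median"
    # Several modes with different values: take the one with the minimum value.
    return min(s for s, c in counts.items() if c == top), "mode"


def euclidean(u, v):
    """Euclidean distance between two equal-length score vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))


def check_outflow(history, current, window=10, threshold=0.5):
    """Classify the current outflow for one flow-direction location.

    history   -- earlier scores T for the same location, oldest first
                 (floats should be quantised by the caller so a mode can exist)
    current   -- score T of the current outflow, in (0, 1]
    window    -- vector dimension (b - a in the text; 10 in the embodiment)
    threshold -- assumed distance threshold, not a value from the patent
    Returns (abnormal, reason).
    """
    if not history:
        # Assumption: the first outflow has nothing to be compared against.
        return False, "no-history"

    ref, kind = baseline(history)
    if current > ref:
        # Cheap path: no vectors are built and no similarity is computed.
        return True, "above-" + kind

    scores = list(history) + [current]
    if len(scores) <= window:
        # Assumption: both vectors need `window` scores, so window + 1 in total.
        return False, "history-too-short"

    cur_vec = scores[-window:]          # window ending at the current outflow
    pre_vec = scores[-window - 1:-1]    # same window, shifted back by one
    if euclidean(cur_vec, pre_vec) > threshold:
        return True, "vector-shift"
    return False, "normal"


if __name__ == "__main__":
    # Constructed sample histories, not data from the patent.
    samples = [
        ([0.2, 0.3, 0.2, 0.3, 0.4], 0.25, 10),      # two modes, smallest is 0.2
        ([0.1, 0.2, 0.3, 0.4], 0.3, 10),            # no mode, median is 0.25
        ([0.9, 0.1, 0.9, 0.1, 0.9, 0.9], 0.1, 3),   # below mode, window shifts
        ([0.5] * 6, 0.5, 3),                        # steady pattern
    ]
    for hist, cur, win in samples:
        print(hist, cur, check_outflow(hist, cur, window=win))
```

One history should be kept per flow-direction location, matching the requirement that the current outflow and the historical scoring record share the same location.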
Fig. 3 is a schematic flow chart of a monitoring method for information outflow according to another embodiment of the present invention. The embodiment shown in fig. 3 is a specific example of the embodiment shown in fig. 2, and in order to avoid redundancy, the same is not specifically explained. As shown in fig. 3, the method includes the following.
210: Determine the current frequency integral of the information currently flowing out of the data platform.
220: Determine the sensitivity integral of the information according to the sensitivity level of the information.
Specifically, 220 may be performed before or after 210, or may be performed simultaneously with 210.
230: Score the current outflow of the information according to the current frequency integral and the sensitivity integral to obtain the current scoring result.
The calculation of the current frequency integral and the current scoring result may be referred to the description in fig. 2, and is not described herein again to avoid repetition.
240: Determine the current scoring vector according to the current scoring result.
The dimension of the current scoring vector can be set according to actual needs.
250: Determine the pre-scoring vector according to the scoring result of the last outflow of the information.
The dimension of the pre-scoring vector is consistent with the dimension of the current scoring vector.
As the number of information outflows gradually increases, the scoring results recorded in the row vector Sm will also increase. The dimensions of the current scoring vector for different outflow times may be the same or different.
In an embodiment, the dimensions of the current scoring vectors for different outflow times are the same, and then 250 may be performed before 210, for example, the pre-scoring vector may be the current scoring vector corresponding to the last time the information was outflowed.
In another embodiment, the dimensions of the current scoring vector for different outflow times may be different. For example, the dimension of the current scoring vector with 10 information outflow times is 10, and the dimension of the pre-scoring vector is also 10; the dimension of the current scoring vector with 100 information flows out is 20, and the dimension of the preposed scoring vector is also 20. When the scoring results recorded in the historical scoring records are more, the dimensionality of the current scoring vector and the dimensionality of the preposed scoring vector can be properly improved, the previous outflow data is utilized as much as possible, and the accuracy of the monitoring results is improved.
260: Calculate the similarity between the current scoring vector and the pre-scoring vector.
The similarity may be calculated by the method mentioned above with reference to fig. 2, or by a method similar thereto.
270: Determine whether the current outflow of the information is abnormal according to the similarity.
Fig. 4 is a schematic structural diagram of an information outflow monitoring apparatus 400 according to an embodiment of the present invention. As shown in fig. 4, the apparatus 400 includes: a first determination module 410, a scoring module 420, and a second determination module 430.
The first determining module 410 is configured to determine a current frequency integral of information of a currently outgoing data platform, where the current frequency integral is obtained based on a time interval between a time corresponding to the current outgoing of the information and a time corresponding to an nth outgoing of the information, where the nth outgoing of the information occurs before the current outgoing of the information; the scoring module 420 is configured to score the current outflow of the information according to the current frequency integral to obtain a current scoring result; the second determining module 430 is configured to determine whether the current outflow of information is abnormal according to the current scoring result.
The embodiment of the invention provides an information outflow monitoring device that uses the time data of information flowing out of the data platform and determines the current frequency integral of the current outflow based on the time interval between outflows. This quantifies the time data of information outflow and makes the monitoring of information outflow more timely and accurate.
According to an embodiment of the present invention, a value range of the current scoring result is greater than 0 and less than or equal to 1.
According to an embodiment of the present invention, the current time of information outflow is t, the nth time of information outflow is the last time of information outflow, the last time of information outflow is p, and the current frequency integral is represented by S:
Figure BDA0002115921530000121
wherein e is the base of the natural logarithm.
According to an embodiment of the present invention, the first determining module 410 is further configured to determine a sensitivity score of the information according to the sensitivity level of the information, and the scoring module 420 is configured to score the current outflow of the information according to the current frequency score and the sensitivity score to obtain a current scoring result, where the sensitivity score is represented by m, the current scoring result is represented by T, and T = S^m.
According to an embodiment of the present invention, the second determining module 430 is configured to determine whether a current outflow of the information is abnormal according to the current scoring result and the historical scoring record, where a flow direction location of the current outflow of the information is the same as a flow direction location of the information corresponding to the historical scoring record.
According to an embodiment of the present invention, the second determining module 430 is configured to: determining a current scoring vector according to a current scoring result, wherein the current outflow frequency of information is b, the current scoring vector is a b-a dimensional vector and consists of b-a scores corresponding to the a-th time to the b-th time, and b is greater than a; determining a preposed scoring vector according to a scoring result of the last outflow of the information, wherein the number of times of the last outflow of the information is b-1, the preposed scoring vector is a b-a-dimensional vector and consists of b-a scores corresponding to the (a-1) th time to the (b-1) th time; calculating the similarity between the current scoring vector and the pre-scoring vector; and determining whether the current flow of the information is abnormal according to the similarity.
According to an embodiment of the present invention, the second determining module 430 is further configured to: determining a mode of scores in a historical score record; when the current scoring result is larger than the mode, determining that the current outflow of the information is abnormal; when the current scoring result is smaller than the mode, performing calculation on the similarity between the current scoring vector and the pre-scoring vector; when the similarity is greater than the threshold, then it is determined that the current outflow of information is abnormal.
According to an embodiment of the present invention, the second determining module 430 is further configured to: when the mode does not exist, determining the median of the scores in the historical score record; and when the current scoring result is greater than the median, determining that the information flows abnormally, wherein when the historical scoring records have a plurality of modes with different values, the mode with the minimum value is taken as the mode.
It should be understood that, in the above embodiment, the operations and functions of the first determining module 410, the scoring module 420, and the second determining module 430 may refer to the description of the information outflow monitoring method provided in fig. 2 and fig. 3, and are not described herein again to avoid repetition.
Fig. 5 is a block diagram illustrating an electronic device 500 for monitoring of information outflow according to an exemplary embodiment of the present invention.
Referring to fig. 5, electronic device 500 includes a processing component 510 that further includes one or more processors and memory resources, represented by memory 520, for storing instructions, such as application programs, that are executable by processing component 510. The application programs stored in memory 520 may include one or more modules that each correspond to a set of instructions. Further, the processing component 510 is configured to execute instructions to perform the above-described monitoring method of information outflow.
The electronic device 500 may also include a power supply component configured to perform power management of the electronic device 500, a wired or wireless network interface configured to connect the electronic device 500 to a network, and an input/output (I/O) interface. The electronic device 500 may operate based on an operating system stored in the memory 520, e.g., Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
A non-transitory computer readable storage medium having instructions stored thereon, which when executed by a processor of the electronic device 500, enable the electronic device 500 to perform a method for monitoring information outflow, comprising: determining a current frequency integral of information of a currently-outgoing data platform, the current frequency integral being obtained based on a time interval between a time corresponding to a current outgoing of the information and a time corresponding to an nth outgoing of the information, wherein the nth outgoing of the information occurs before the current outgoing of the information; grading the current outflow of the information according to the current frequency integral to obtain a current grading result; and determining whether the current outflow of the information is abnormal according to the current grading result.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program check codes, such as a U disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that the terms "first," "second," "third," and the like in the description of the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In addition, in the description of the present invention, "a plurality" means two or more unless otherwise specified.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and the like that are within the spirit and principle of the present invention are included in the present invention.

Claims (14)

1. A method for monitoring information outflow, comprising:
determining a current frequency integral of information of a current outflow data platform, wherein the current frequency integral is obtained based on a time interval between a time corresponding to the current outflow of the information and a time corresponding to an Nth outflow of the information, wherein the Nth outflow of the information occurs before the current outflow of the information, the magnitude of the current frequency integral is used for representing an abnormal condition of the current outflow of the information, and the larger the current frequency integral is, the more likely the information outflow is abnormal;
scoring the current outflow of the information according to the current frequency integral to obtain a current scoring result, wherein the current outflow time of the information is t, the Nth outflow of the information is the last outflow of the information, the last outflow time of the information is p, and the current frequency integral is represented by S:
Figure FDA0003511322660000011
wherein e is the base number of the natural logarithm;
determining whether the current outflow of the information is abnormal according to the current grading result,
the method further comprises the following steps:
determining a sensitivity score for the information based on the sensitivity level of the information,
wherein, the scoring the current outflow of the information according to the current frequency integral to obtain a current scoring result includes:
scoring the current outflow of the information according to the current frequency integral and the sensitive integral to obtain the current scoring result, wherein the sensitive integral is represented by m, the current scoring result is represented by T, and T = S^m.
2. The monitoring method according to claim 1, wherein a value range of the current scoring result is greater than 0 and less than or equal to 1.
3. The monitoring method according to claim 1 or 2, wherein the determining whether the current outflow of the information is abnormal according to the current scoring result comprises:
and determining whether the current outflow of the information is abnormal according to the current grading result and a historical grading record, wherein the current outflow direction location of the information is the same as the current outflow direction location of the information corresponding to the historical grading record.
4. The method of monitoring of claim 3, wherein said determining whether the current outflow of information is abnormal based on the current scoring result and a historical scoring record comprises:
determining a current scoring vector according to the current scoring result, wherein the current outflow frequency of the information is b, the current scoring vector is a b-a dimensional vector and consists of b-a scores corresponding to the a-th time to the b-th time, and b is greater than a;
determining a preposed scoring vector according to a scoring result of the last outflow of the information, wherein the number of times of the last outflow of the information is b-1, the preposed scoring vector is a b-a-dimensional vector and consists of b-a scores corresponding to the (a-1) th time to the (b-1) th time;
calculating the similarity between the current scoring vector and the pre-scoring vector;
and determining whether the current outflow of the information is abnormal according to the similarity.
5. The method of monitoring of claim 4, wherein said determining whether a current outflow of said information is abnormal based on said current scoring result and a historical scoring record further comprises:
determining a mode of scores in the historical score record;
when the current scoring result is greater than the mode, determining that the current outflow of the information is abnormal;
when the current scoring result is smaller than the mode, performing the calculation of the similarity between the current scoring vector and the pre-scoring vector;
and when the similarity is larger than a threshold value, determining that the current outflow of the information is abnormal.
6. The monitoring method of claim 5, further comprising:
when the mode does not exist, determining a median of scores in the historical score record;
and when the current scoring result is larger than the median, determining that the information is abnormal in outflow, wherein when the historical scoring records have a plurality of modes with different numerical values, taking the mode with the minimum numerical value as the mode.
7. An information outflow monitoring device, comprising:
a first determining module, configured to determine a current frequency integral of information currently flowing out of a data platform, where the current frequency integral is obtained based on a time interval between a time corresponding to the current flowing out of the information and a time corresponding to an nth flowing out of the information, where the nth flowing out of the information occurs before the current flowing out of the information, a size of the current frequency integral is used to represent an abnormal situation of the current flowing out of the information, and a larger current frequency integral is, a greater possibility of an abnormal flowing out of the information is;
a scoring module, configured to score the current outflow of the information according to the current frequency integral to obtain a current scoring result, where time of the current outflow of the information is t, the nth outflow of the information is the last outflow of the information, time of the last outflow of the information is p, and the current frequency integral is represented by S:
Figure FDA0003511322660000031
wherein e is the base number of the natural logarithm;
the second determining module is used for determining whether the current outflow of the information is abnormal according to the current grading result;
the first determining module is further configured to determine a sensitivity score of the information according to the sensitivity level of the information, and the scoring module is configured to score a current outflow of the information according to the current frequency score and the sensitivity score to obtain the current scoring result, where the sensitivity score is represented by m, the current scoring result is represented by T, and T = S^m.
8. The monitoring device according to claim 7, wherein a value range of the current scoring result is greater than 0 and less than or equal to 1.
9. The monitoring device according to claim 7 or 8, wherein the second determining module is configured to determine whether a current outflow of the information is abnormal according to the current scoring result and a historical scoring record, wherein a flow direction location of the current outflow of the information is the same as a flow direction location of the information corresponding to the historical scoring record.
10. The monitoring device of claim 9, wherein the second determining module is configured to:
determining a current scoring vector according to the current scoring result, wherein the current outflow frequency of the information is b, the current scoring vector is a b-a dimensional vector and consists of b-a scores corresponding to the a-th time to the b-th time, and b is greater than a;
determining a preposed scoring vector according to a scoring result of the last outflow of the information, wherein the number of times of the last outflow of the information is b-1, the preposed scoring vector is a b-a-dimensional vector and consists of b-a scores corresponding to the (a-1) th time to the (b-1) th time;
calculating the similarity between the current scoring vector and the pre-scoring vector;
and determining whether the current outflow of the information is abnormal according to the similarity.
11. The monitoring device of claim 10, wherein the second determining module is further configured to:
determining a mode of scores in the historical score record;
when the current scoring result is greater than the mode, determining that the current outflow of the information is abnormal;
when the current scoring result is smaller than the mode, performing the calculation of the similarity between the current scoring vector and the pre-scoring vector;
and when the similarity is larger than a threshold value, determining that the current outflow of the information is abnormal.
12. The monitoring device of claim 11, wherein the second determining module is further configured to:
when the mode does not exist, determining a median of scores in the historical score record;
and when the current scoring result is larger than the median, determining that the information is abnormal in outflow, wherein when the historical scoring records have a plurality of modes with different numerical values, taking the mode with the minimum numerical value as the mode.
13. A computer-readable storage medium, which stores a computer program for executing the method for monitoring information outflow according to any one of the above claims 1 to 6.
14. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions,
wherein the processor is configured to perform the method for monitoring information outflow according to any one of the preceding claims 1 to 6.
CN201910590401.XA 2019-07-02 2019-07-02 Information outflow monitoring method and monitoring device Active CN110457349B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910590401.XA CN110457349B (en) 2019-07-02 2019-07-02 Information outflow monitoring method and monitoring device

Publications (2)

Publication Number Publication Date
CN110457349A CN110457349A (en) 2019-11-15
CN110457349B true CN110457349B (en) 2022-04-05

Family

ID=68482055

Country Status (1)

Country Link
CN (1) CN110457349B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant