CN110798472A - Data leakage detection method and device - Google Patents


Info

Publication number: CN110798472A
Authority: CN (China)
Prior art keywords: data, sensitive data, baseline, target user, behavior
Legal status: Granted
Application number: CN201911059550.XA
Other languages: Chinese (zh)
Other versions: CN110798472B (en)
Inventor: 王占群
Current Assignee: Hangzhou Dt Dream Technology Co Ltd
Original Assignee: Hangzhou Dt Dream Technology Co Ltd
Priority to: CN201911059550.XA
Publications: CN110798472A (application), CN110798472B (granted patent)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules


Abstract

The embodiment of the invention provides a data leakage detection method and device that sense data leakage in time and prevent it. The method comprises the following steps: establishing an operation behavior baseline for each user according to historical operation behavior data, where any user may be the target user and the historical operation behavior data comprises historical network traffic and historical logs; performing sensitive data detection on the packets in the historical network traffic and establishing a sensitive data operation baseline according to the detection result; collecting current operation behavior data; analyzing the current operation behavior data according to the sensitive data operation baseline to determine whether a sensitive data leakage risk exists and, if so, executing a corresponding sensitive data leakage prevention control strategy; and analyzing the current operation behavior data according to the operation behavior baseline of the target user to determine whether the target user has a data leakage risk and, if so, executing a corresponding data access risk control strategy for the target user.

Description

Data leakage detection method and device
Technical Field
The present invention relates to the field of network technologies, and in particular, to a data leakage detection method and apparatus.
Background
With the advent of the internet and the DT era, data has become a core asset, and preventing data leakage has become increasingly important. Every year a large number of data leakage events are reported. Therefore, how to prevent data leakage and how to sense data leakage in time are hot topics of current research.
Disclosure of Invention
In view of this, embodiments of the present invention provide a data leakage detection method and apparatus that sense data leakage in time and prevent it.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
A data leakage detection method, comprising:
establishing an operation behavior baseline for each user according to historical operation behavior data, where any user may be the target user and the historical operation behavior data comprises historical network traffic and historical logs;
performing sensitive data detection on the packets in the historical network traffic, and establishing a sensitive data operation baseline according to the detection result;
collecting current operation behavior data, the current operation behavior data comprising current network traffic and current logs;
analyzing the current operation behavior data according to the sensitive data operation baseline to determine whether a sensitive data leakage risk exists, and if so, executing a corresponding sensitive data leakage prevention control strategy;
analyzing the current operation behavior data according to the operation behavior baseline of the target user to determine whether the target user has a data leakage risk, and if so, executing a corresponding data access risk control strategy for the target user.
Optionally, the network traffic includes north-south traffic and east-west traffic, and performing sensitive data detection on the packets in the historical network traffic and establishing a sensitive data operation baseline according to the detection result includes: parsing the packets in the historical north-south traffic to obtain the packet content, performing sensitive data detection on that content, and establishing a sensitive data access behavior baseline for each user according to the detection result; and parsing the packets in the historical east-west traffic to obtain the packet content, performing sensitive data detection on that content, and establishing a sensitive data lateral flow baseline between any two intranet entities according to the detection result. The sensitive data operation baseline comprises the user's sensitive data access behavior baseline and the sensitive data lateral flow baseline between any two intranet entities.
Optionally, analyzing the current operation behavior data according to the sensitive data operation baseline and determining whether a sensitive data leakage risk exists includes: analyzing the packets and logs related to a target user in the current north-south traffic according to the sensitive data access behavior baseline of that target user, and determining whether the target user's current operation behavior deviates from the corresponding sensitive data access behavior baseline; and analyzing the current east-west traffic and logs according to the sensitive data lateral flow baseline, to determine whether the lateral flow of sensitive data between any two intranet entities deviates from the corresponding sensitive data lateral flow baseline.
Optionally, establishing an operation behavior baseline for each user according to the historical operation behavior data includes establishing the operation behavior baseline of each user according to the historical north-south traffic and the historical logs.
Optionally, analyzing the current operation behavior data according to the operation behavior baseline of the target user and determining whether the target user has a data leakage risk includes analyzing the packets and logs related to the target user in the current north-south network traffic according to the operation behavior baseline of the target user, and determining whether the target user's current operation behavior deviates from the corresponding operation behavior baseline.
Optionally, executing the corresponding sensitive data leakage prevention control strategy includes: if the target user's current operation behavior deviates from the corresponding sensitive data access behavior baseline, issuing an early warning notification and blocking the target user; and if the lateral flow of sensitive data between any two intranet entities is determined to deviate from the corresponding sensitive data lateral flow baseline, issuing an early warning notification.
Optionally, the operation behavior baseline includes at least one dimension among source IP, login device fingerprint, login time and data access behavior, where the data access behavior comprises at least one of access time, access content, access data volume, access frequency, data download rate and access path; the sensitive data access behavior baseline includes at least one dimension among sensitive data access time, sensitive data access data volume, sensitive data access frequency, sensitive data download rate and sensitive data access path; and the sensitive data lateral flow baseline between any two intranet entities includes at least one dimension among basic data representing whether sensitive data interaction exists between the two entities and the sensitive data interaction volume between the two entities.
A data leak detection apparatus comprising:
a baseline maintenance unit to:
establishing an operation behavior baseline for each user according to historical operation behavior data, where any user may be the target user and the historical operation behavior data comprises historical network traffic and historical logs;
performing sensitive data detection on the packets in the historical network traffic, and establishing a sensitive data operation baseline according to the detection result;
a collection unit for collecting current operation behavior data, the current operation behavior data comprising current network traffic and current logs;
a risk control unit to:
analyze the current operation behavior data according to the sensitive data operation baseline to determine whether a sensitive data leakage risk exists, and if so, execute a corresponding sensitive data leakage prevention control strategy;
analyze the current operation behavior data according to the operation behavior baseline of the target user to determine whether the target user has a data leakage risk, and if so, execute a corresponding data access risk control strategy for the target user.
Optionally, the network traffic includes north-south traffic and east-west traffic, and for performing sensitive data detection on the packets in the historical network traffic and establishing a sensitive data operation baseline according to the detection result, the baseline maintenance unit is specifically configured to: parse the packets in the historical north-south traffic to obtain the packet content, perform sensitive data detection on that content, and establish a sensitive data access behavior baseline for each user according to the detection result; and parse the packets in the historical east-west traffic to obtain the packet content, perform sensitive data detection on that content, and establish a sensitive data lateral flow baseline between any two intranet entities according to the detection result. The sensitive data operation baseline comprises the user's sensitive data access behavior baseline and the sensitive data lateral flow baseline between any two intranet entities.
Optionally, for analyzing the current operation behavior data according to the sensitive data operation baseline and determining whether a sensitive data leakage risk exists, the risk control unit is specifically configured to:
analyze the packets and logs related to a target user in the current north-south traffic according to the sensitive data access behavior baseline of that target user, and determine whether the target user's current operation behavior deviates from the corresponding sensitive data access behavior baseline;
and analyze the current east-west traffic and logs according to the sensitive data lateral flow baseline, to determine whether the lateral flow of sensitive data between any two intranet entities deviates from the corresponding sensitive data lateral flow baseline.
Optionally, for analyzing the current operation behavior data according to the operation behavior baseline of the target user and determining whether the target user has a data leakage risk, the risk control unit is specifically configured to analyze the packets and logs related to the target user in the current north-south network traffic according to the operation behavior baseline of the target user, and determine whether the target user's current operation behavior deviates from the corresponding operation behavior baseline.
A data leakage detection device comprises at least a processor and a memory; the processor executes the program stored in the memory and calls other devices to perform any of the methods described above.
Therefore, in the embodiment of the invention, baselines are generated from a comprehensive analysis of historical network traffic and logs and are used to determine whether a sensitive data leakage risk exists and whether the target user has a data leakage risk, so that data leakage can be sensed in time. Once a risk is found, a corresponding risk control strategy is adopted to prevent the data leakage. Therefore, the purposes of sensing data leakage in time and preventing data leakage are achieved.
Drawings
Fig. 1 is an exemplary structure of a data leakage detection apparatus provided in an embodiment of the present invention;
Fig. 2 is an exemplary application scenario of the data leakage detection apparatus according to an embodiment of the present invention;
Fig. 3 is an exemplary flowchart of a data leakage detection method according to an embodiment of the present invention;
Fig. 4 is another exemplary flowchart of a data leakage detection method according to an embodiment of the present invention;
Fig. 5 is another exemplary structure of a data leakage detection apparatus according to an embodiment of the present invention.
Detailed Description
For reference and clarity, the terms, abbreviations or abbreviations used hereinafter are summarized as follows:
MAC: Media Access Control address;
URL: Uniform Resource Locator, a network address;
Login device fingerprint: a fingerprint that can be used to identify the device characteristics or a unique device identifier of the device that logs in. The device fingerprint factors generally include the operating system type of a computer, the installed plug-ins, the language setting and time zone of the browser, the hardware ID of the device, the IMEI of a mobile phone, the network card MAC address of a computer, font settings and the like; a characteristic string produced from these factors by a certain hash algorithm is used as the device fingerprint.
The embodiment of the invention provides a data leakage detection method and device, which sense data leakage in time and prevent data leakage.
Referring to Fig. 1, the data leakage detection apparatus includes a baseline maintenance unit 1, an acquisition unit 2 and a risk control unit 3.
In another embodiment of the present invention, referring to Fig. 1, the data leakage detection apparatus may further include a database 4.
The functions of the above units will be further described later in connection with a data leakage detection method.
Each module in the data leakage detecting apparatus may be deployed on the same server (e.g., a data leakage detecting server) in the form of software or a component, or each module included in the data leakage detecting apparatus may be an independent server.
Fig. 2 shows an exemplary application scenario of the data leakage detection apparatus: in a scenario in which an intranet (e.g., a private cloud or a government service network) is interconnected with the internet through an application system, the acquisition unit 2 (the data acquisition server in Fig. 2) may acquire network traffic (e.g., the east-west traffic of the intranet and the north-south traffic between the application system and the internet), application logs and the like; the baseline maintenance unit 1 (the baseline maintenance server in Fig. 2) may establish an operation behavior baseline and a sensitive data operation baseline for each user according to the historical operation behavior data; and the risk control unit 3 (the risk control server in Fig. 2) may perform data leakage detection on the baselines and the current operation behavior data to obtain a data leakage detection result and adopt a corresponding policy.
The embodiments of the present invention will be described in further detail below based on the above general description.
Fig. 3 shows an exemplary flow of a data leak detection method executed by the data leak detection apparatus, including:
S1: establishing an operation behavior baseline for each user according to the historical operation behavior data.
Step S1 may be performed by the baseline maintenance unit 1 described above.
Wherein, the user can be characterized by an intranet account, an IP address, or even a MAC address. For ease of subsequent reference, any user may be referred to as a target user.
The historical operating behavior data may be stored in the aforementioned database 4.
The historical operational behavior data includes historical network traffic and historical logs. If the data size is large, the database 4 may further include a network traffic database and a log database.
The log may include, but is not limited to: application logs, audit logs, and the like.
The network traffic comprises the data packets (or messages) sent over the network.
Network traffic may be further subdivided into north-south traffic and east-west traffic. Taking the application scenario shown in Fig. 2 as an example, a traffic probe may be deployed at a mirror port of an intranet data collection point (e.g., a switch or a splitter) to acquire east-west traffic, and a traffic probe may be deployed at the internet outlet of the application system to acquire north-south traffic. The traffic probes provide the acquired network traffic to the acquisition unit 2.
Whether in the north-south or the east-west direction, the integrity of the collected packet content needs to be ensured so that it can be used for content detection.
Logs can be collected using the syslog protocol or a log collection client and then provided to the acquisition unit 2. The data source for log collection may be an application or a database.
Taking application logs as an example, if the logs are stored in a database, the log collection client can collect them directly from the database; if the logs are kept as files, a log collection client needs to be installed on the server where the application is deployed to collect the log files.
The specific use of network traffic and logs will be described in more detail in the examples that follow.
S2: performing sensitive data detection on the packets in the historical network traffic, and establishing a sensitive data operation baseline according to the detection result.
Step S2 may be performed by the baseline maintenance unit 1 described above.
When sensitive data detection is performed, the baseline maintenance unit 1 may perform content detection on a packet in the historical network traffic to identify sensitive data.
The sensitive data can be specifically identified by means of regular expressions, keywords, semantic identification and the like.
In one example, the sensitive data type can include at least one of personal sensitive data and enterprise sensitive data.
Personal sensitive data is exemplified including, but not limited to, one or more of the following sub-types: personal identification number, bank card number, password information, address, etc.
The content of the enterprise sensitive data is exemplary including, but not limited to, one or more of the following sub-types: financial data, product parameters, bid data, product quotes, and the like.
Specifically, the detection result may include: whether sensitive data exist, the detected sensitive data types, the specific contents corresponding to the sensitive data types and the like.
Taking the detection of the identification number as an example, the detection result may include:
sensitive data was present, the type was identification number, and the specific content was 130 × (the specific identification number).
It should be noted that steps S1 and S2 are the basis of the subsequent steps, and step S3 and the subsequent steps can be directly performed after establishing the baseline.
S3: collecting current operation behavior data.
Step S3 may be performed by the aforementioned acquisition unit 2.
The current operational behavior data may further include current network traffic and a current log.
For the introduction of the network traffic and the log, please refer to the description of step S1, which is not described herein.
S4: analyzing the current operation behavior data according to the sensitive data operation baseline to determine whether a sensitive data leakage risk exists. If so, the process proceeds to step S5.
In one example, sensitive data operation behavior characteristics may be extracted from the current operation behavior data, and whether they deviate from the sensitive data operation baseline is then determined according to those characteristics. The sensitive data operation behavior characteristics are described in detail later.
In one example, the sensitive data operation baseline may further include the user's sensitive data access behavior baseline and the sensitive data lateral flow baseline between any two intranet entities. This will be described later.
S5: executing a corresponding sensitive data leakage prevention control strategy.
Steps S4 and S5 may be performed by the risk control unit 3 described above.
S6: analyzing the current operation behavior data according to the operation behavior baseline of the target user to determine whether the target user has a data leakage risk. If so, the process proceeds to step S7.
In one example, the current packets and current logs related to the target user in the north-south traffic may be analyzed according to the operation behavior baseline of the target user to determine whether the target user has a data leakage risk.
It should be noted that the sensitive data operation baseline focuses on sensitive data, while the operation behavior baseline covers all data operated on by the user; the two have different emphases. Both baselines are described further below.
S7: executing a corresponding data access risk control strategy for the target user.
Steps S6 and S7 may be performed by the risk control unit 3 described above.
The data leakage detection apparatus can execute the data leakage detection method periodically and automatically. Specifically, after establishing each baseline, the apparatus may automatically perform steps S3 to S7 of the method at a period whose length a person skilled in the art may set flexibly as needed, for example one day or one week.
It should be noted that most existing data leakage prevention technologies are built on network protection and strengthened authority management, but once a hacker breaks through the defense line and obtains data authority, those technologies can do nothing about it, and the data stealing behavior of internal high-authority personnel cannot be effectively detected either.
In the embodiment of the invention, baselines are generated from a comprehensive analysis of historical network traffic and logs and are used to determine whether a sensitive data leakage risk exists and whether the target user has a data leakage risk, so that data leakage can be sensed in time. Once a risk is found, a corresponding risk control strategy is adopted to prevent the data leakage. Therefore, the purposes of sensing data leakage in time and preventing data leakage are achieved.
The data leakage detection method will be described in more detail below, and referring to fig. 4, it exemplarily includes the following steps:
S41: establishing or updating the operation behavior baseline of each user using the historical north-south traffic and the historical logs.
The operation behavior baseline may further include: source IP, login device fingerprint, login time and data access behavior.
In one example, the data access behavior may further include: at least one of access time, access content, access data volume, access frequency, data download rate, access path.
In this embodiment, the dimension value of each dimension is obtained by the baseline maintenance unit 1 according to the analysis of the historical north-south traffic and the historical log. For example, operational behavior baselines may be established from the dimensions described above based on historical north-south traffic and historical logs of the past month.
In one example, an operational behavior baseline may be established for each user.
In another example, a group of users with similar operational behaviors may also be made to share the same operational behavior baseline.
After establishing the operation behavior baseline, the dimension value of each dimension in the baseline can be updated by using the current north-south traffic and the current log.
S42: parsing the packets in the historical north-south traffic to obtain the packet content, performing sensitive data detection on the content (sensitive data detection for short), and establishing or updating the sensitive data access behavior baseline of each user according to the detection result.
Sensitive data detection is one type of content detection.
In one example, a user's sensitive data access behavior baseline includes: sensitive data access time, sensitive data access data volume, sensitive data access frequency, sensitive data download rate, and sensitive data access path.
It should be noted that:
"Sensitive data access data volume" refers to the number of pieces of sensitive data accessed by a user; "sensitive data access path" refers to the call path through which a user accesses sensitive data. For example, under normal conditions a user calls interface B through interface A, and interface B then calls interface C to access the sensitive data, so the access path (call path) is A-B-C.
If a hacker uses some technique to call interface C directly from interface A to access the sensitive data, the sensitive data access path deviates.
After the sensitive data access behavior baseline is established, the dimension value of each dimension in the sensitive data access behavior baseline can be updated by using the current north-south traffic.
S43: parsing the packets in the historical east-west traffic to obtain the packet content, performing sensitive data detection on the content (sensitive data detection for short), and establishing or updating the sensitive data lateral flow baseline between any two intranet entities according to the detection result.
The intranet entities may include servers, applications, data centers, and the like. The "intranet entity space" can include server space and application space, and different intranet entities can be identified through IP.
It should be noted that IP addresses, accounts and the like are not necessarily identifiable in the packets of east-west traffic, so in this embodiment the sensitive data lateral flow baseline between any two intranet entities is established on the basis of the content detection (sensitive data detection being a kind of content detection) performed on the packets of the historical east-west traffic.
In one example, the sensitive data lateral flow baseline between any two intranet entities may further include at least one of basic data representing whether sensitive data interaction exists between the two entities and the sensitive data interaction volume between the two entities.
The interaction volume herein refers to the number of pieces of sensitive data that are interacted between any two entities.
For details of the sensitive data and the identification method, please refer to the above description of step S2, which is not repeated herein.
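The content detection of step S2 and the lateral flow baseline of step S43 carried through in code, as an added Python example that is not part of the patent: the detection result format (present, type, specific content), the per-entity-pair baseline from historical east-west packets, and the deviation check on current east-west traffic. The regular expressions, the tolerance factor, the packet layout and all sample packets are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Sensitive-data detectors for the content detection of step S2: regular
# expressions and keywords. The patterns are simplified assumptions made for
# this example (an 18-digit identification number, a 16-digit bank card
# number and an enterprise keyword); they are not the patent's own rules.
DETECTORS = {
    "identification number": re.compile(r"\b\d{17}[\dX]\b"),
    "bank card number": re.compile(r"\b\d{16}\b"),
    "bid data": re.compile(r"\bbid (?:price|amount)\b", re.IGNORECASE),
}


def detect_sensitive(payload: str) -> list[tuple[str, str]]:
    """Detection result for one packet's content: a list of (sensitive data
    type, specific content). An empty list means no sensitive data present."""
    hits = []
    for data_type, pattern in DETECTORS.items():
        for match in pattern.finditer(payload):
            hits.append((data_type, match.group(0)))
    return hits


def build_lateral_flow_baseline(packets):
    """Step S43: from east-west packets (src_ip, dst_ip, payload) build the
    sensitive data lateral flow baseline between intranet entities. Entities
    are identified by IP as in the description. Presence of a pair in the
    result is the 'interaction exists' basic data; the value is the
    interaction volume (number of sensitive data pieces exchanged)."""
    baseline = defaultdict(int)
    for src_ip, dst_ip, payload in packets:
        pieces = len(detect_sensitive(payload))
        if pieces:
            baseline[(src_ip, dst_ip)] += pieces
    return dict(baseline)


def check_lateral_flow(baseline, current_packets, tolerance=1.5):
    """Step S4 in the east-west direction: a pair with no baseline
    interaction, or a current volume above baseline * tolerance, deviates.
    The tolerance factor and equal-length observation windows are
    assumptions of this example."""
    current = build_lateral_flow_baseline(current_packets)
    alerts = []
    for pair, volume in current.items():
        expected = baseline.get(pair)
        if expected is None:
            alerts.append((pair, volume, "no sensitive data interaction in baseline"))
        elif volume > expected * tolerance:
            alerts.append((pair, volume, f"volume exceeds baseline of {expected}"))
    return alerts


# Constructed sample traffic; every IP, query and identification number is invented.
HISTORICAL_EAST_WEST = [
    ("10.0.1.5", "10.0.2.9", "SELECT name FROM customer WHERE id_no=110101199001011234"),
    ("10.0.1.5", "10.0.2.9", "id_no=130102198512120012 status=ok"),
    ("10.0.1.5", "10.0.2.9", "id_no=330106199311230045"),
    ("10.0.1.5", "10.0.2.9", "GET /health"),
    ("10.0.4.2", "10.0.2.9", "SELECT count(*) FROM orders"),
]
CURRENT_EAST_WEST = [
    ("10.0.1.5", "10.0.2.9", "id_no=110101199001011234 id_no=130102198512120012"),
    ("10.0.1.5", "10.0.2.9", "id_no=330106199311230045 id_no=440301199707070089 id_no=510104200001010016"),
    ("10.0.1.5", "10.0.3.77", "export id_no=110101199001011234,130102198512120012"),
    ("10.0.4.2", "10.0.5.1", "attachment: tender bid price 1200000"),
    ("10.0.4.2", "10.0.2.9", "SELECT count(*) FROM orders"),
]

LATERAL_BASELINE = build_lateral_flow_baseline(HISTORICAL_EAST_WEST)

if __name__ == "__main__":
    print("baseline:", LATERAL_BASELINE)
    for pair, volume, reason in check_lateral_flow(LATERAL_BASELINE, CURRENT_EAST_WEST):
        print(f"early warning: {pair[0]} -> {pair[1]}: {volume} pieces, {reason}")
```

The three early warnings on the constructed current traffic are the app-to-database pair exceeding its volume, and two pairs (a file server, and an enterprise document transfer) with no sensitive data interaction in the baseline.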
S41-S43 may be performed by the baseline maintenance unit 1 described above.
S44: collecting current operation behavior data.
The current operational behavior data may include current network traffic and a current log, and the network traffic may further include current north-south traffic and current east-west traffic.
Step S44 is similar to step S4, and will not be described herein.
S45: analyzing the current operation behavior data of the target user according to the operation behavior baseline of the target user, and determining whether the target user's current operation behavior deviates from the corresponding operation behavior baseline. If so, the process proceeds to step S46.
In one example, in the process of analyzing the current operation behavior data, the data operation behavior characteristics of the target user may be obtained through analysis according to the current operation behavior data of the target user (the current packet and the current log related to the target user).
More specifically, the current packet related to the target user may further include: the current north-south network traffic is related to the message of the target user.
The foregoing states that the operational behavior baseline may further include: the source IP, the login device fingerprint, the login time, and, at least one dimension of the data access behavior, the data access behavior may further include: at least one of access time, access content, access data amount, access frequency, data download rate, and access path. Further, in some embodiments, a data upload rate baseline may also be included.
Accordingly, the data operation behavior characteristics of the target user may include: at least one of a source IP, a login device fingerprint, a login time, and a data access behavior.
The data access behavior further comprises: at least one of access time, access content, access data volume, access frequency, data download rate, access path. Further, in some embodiments, a data upload rate may also be included.
The source IP, the fingerprint of the login device, the access content, and the access path in the data operation behavior characteristics may be considered to deviate from the corresponding dimension as long as the dimension value is different from the dimension value of the corresponding dimension.
As to other data manipulation behavior characteristics of the target user, in one example, whether or not there is a deviation from the corresponding dimension can be determined according to how far the data manipulation behavior characteristics of the target user deviate from the corresponding data manipulation baselines.
More specifically, the degree of deviation may be expressed as a difference, and the calculation of the degree of deviation is described below by way of example:
1. Calculation of the deviation degree of the login time dimension:
A: calculate the difference between the new (current) login time and each login time (i.e., each dimension value) in the login time dimension;
Taking as an example a login time dimension whose dimension values are {8:00, 8:30, 9:30, 16:00, 17:00} and a new login time of 10:00, the differences between the new login time and each login time in the dimension are:
(120 min, 90 min, 30 min, 360 min, 420 min).
B: determine whether the minimum of these differences is smaller than a preset difference threshold; if so, the new login time is not an outlier, and if not, the new login time is an outlier and deviates from the login time dimension.
Continuing the previous example, the minimum difference in (120 min, 90 min, 30 min, 360 min, 420 min) is 30 min; assuming a difference threshold of 60 min, since 30 < 60 the new login time is not an outlier and does not deviate from the baseline.
Whether the access time deviates from the access time dimension is determined in the same way as for the login time, and is not described again here.
2. Calculation of the deviation degree of the data download rate dimension:
A: calculate the difference between the new data download rate and the dimension value of the data download rate dimension;
Assuming the new data download rate is 20 kb/s and the dimension value of the data download rate is 10 kb/s, the difference between the two is 10 kb/s.
B: determine whether the difference is smaller than a preset rate difference threshold; if so, the new data download rate is not an outlier, and if not, the new data download rate is an outlier and deviates from the data download rate dimension.
Continuing the previous example, with a difference of 10 kb/s between the new data download rate and the corresponding dimension value and a rate difference threshold of 5 kb/s, the new data download rate is determined to be an outlier that deviates from the dimension.
The deviation degree of the data upload rate dimension is calculated in the same way as that of the data download rate dimension, and is not described in detail here.
3. Calculation of the deviation degree of the access data volume dimension:
A: calculate the difference between the new access data volume and the dimension value of the access data volume dimension;
Assuming the new access data volume is 20 and the corresponding dimension value is 10, the difference between the two is 10.
B: determine whether the difference is smaller than a preset access data volume threshold; if so, the new access data volume is not an outlier, and if not, the new access data volume is an outlier and deviates from the access data volume dimension.
Continuing the previous example, with a difference of 10 between the new access data volume and the corresponding dimension value and an access data volume threshold of 5, the new access data volume is determined to be an outlier that deviates from the access data volume dimension.
The deviation degree of the access frequency dimension is calculated in the same way and is not described in detail here.
In addition, it should be noted that a similar method is used when establishing or updating a user's operation behavior baseline: the historical data operation behavior characteristics of the target user can be obtained by analyzing the historical operation behavior data of the target user, and the operation behavior baseline is then established or updated from these historical characteristics. This will be described later.
S46: issuing an early warning notification.
In one example, step S46 may be performed by the risk control unit 3.
The recipients of the early warning notification and the notification mode can be preset, for example a mail alarm, an instant messaging tool alarm, a short message (SMS) alarm, and the like.
Furthermore, the risk control unit 3 may also generate a security event or a security log, the content of which may include: time of occurrence, dimensions deviated from, user involved (IP address, account or MAC address), details, etc.
Of course, in practice the different dimensions may be represented by different numbers, characters, etc.
In other embodiments of the invention, the risk size may be determined according to the number of dimensions from which the data operation behavior characteristics deviate. For example, deviating from one dimension carries less risk than deviating from two dimensions.
More specifically, a risk value sum may be calculated, and the risk value sum characterizes the risk size.
The risk value sum can be calculated in various ways; for example, each dimension can be assigned the same risk value (say a), and each dimension deviated from adds a to the risk value sum.
Of course, different risk values may also be assigned according to the importance of the dimensions: for example, dimension 1 corresponds to risk value a and dimension 2 to risk value b, and whenever a deviation is determined in a dimension, the corresponding risk value is added to the risk value sum.
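The per-dimension deviation checks of step S45 and the risk value sum of step S46, as an added example that is not the patent's own code: the baseline values, thresholds and the current observation are constructed from the worked numbers above (login times {8:00, 8:30, 9:30, 16:00, 17:00} with a 60 min threshold, download rate 10 kb/s vs 20 kb/s with a 5 kb/s threshold, access data volume 10 vs 20 with a threshold of 5), and the field names, `OperationBaseline` and `deviated_dimensions` are assumptions.

```python
"""Deviation check per baseline dimension and risk value sum (steps S45/S46).

Added example, not the patent's own code. All values below are constructed;
the data layout (OperationBaseline, the `current` dict) is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


def _minutes(hhmm: str) -> int:
    """'HH:MM' -> minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def time_deviates(new_time: str, baseline_times: set[str], threshold_min: int) -> bool:
    """Login/access time: take the difference to every dimension value and flag an
    outlier only when the *smallest* difference is not below the threshold."""
    diffs = [abs(_minutes(new_time) - _minutes(t)) for t in baseline_times]
    return min(diffs) >= threshold_min


def value_deviates(new_value: float, baseline_value: float, threshold: float) -> bool:
    """Download/upload rate, access data volume, access frequency: flag an outlier
    when the absolute difference to the dimension value is not below the threshold."""
    return abs(new_value - baseline_value) >= threshold


def set_deviates(new_value: str, baseline_values: set[str]) -> bool:
    """Source IP, device fingerprint, access content, access path: any value that
    is not already a dimension value counts as a deviation."""
    return new_value not in baseline_values


@dataclass
class OperationBaseline:
    """Operation behavior baseline of one user (a subset of the dimensions)."""
    source_ips: set[str]
    device_fingerprints: set[str]
    login_times: set[str]
    access_paths: set[str]
    download_rate_kbps: float
    access_volume: float
    # Thresholds are assumptions matching the worked numbers in the description.
    login_time_threshold_min: int = 60
    rate_threshold_kbps: float = 5.0
    volume_threshold: float = 5.0


def deviated_dimensions(baseline: OperationBaseline, current: dict) -> list[str]:
    """Return the names of the dimensions the current behavior deviates from.
    `current` holds the data operation behavior characteristics of one session."""
    checks = {
        "source_ip": lambda: set_deviates(current["source_ip"], baseline.source_ips),
        "device_fingerprint": lambda: set_deviates(
            current["device_fingerprint"], baseline.device_fingerprints),
        "login_time": lambda: time_deviates(
            current["login_time"], baseline.login_times, baseline.login_time_threshold_min),
        "access_path": lambda: set_deviates(current["access_path"], baseline.access_paths),
        "download_rate": lambda: value_deviates(
            current["download_rate_kbps"], baseline.download_rate_kbps,
            baseline.rate_threshold_kbps),
        "access_volume": lambda: value_deviates(
            current["access_volume"], baseline.access_volume, baseline.volume_threshold),
    }
    return [name for name, check in checks.items() if check()]


def risk_sum(deviated: list[str], weights: dict[str, float] | None = None,
             default: float = 1.0) -> float:
    """Risk value sum: the same risk value `default` per deviated dimension, or a
    per-dimension value where `weights` provides one (the a / b scheme)."""
    weights = weights or {}
    return sum(weights.get(name, default) for name in deviated)


# Constructed baseline for one user, using the worked numbers from the description.
USER_BASELINE = OperationBaseline(
    source_ips={"10.0.1.15"},
    device_fingerprints={"fp-laptop-01"},
    login_times={"8:00", "8:30", "9:30", "16:00", "17:00"},
    access_paths={"/api/orders"},
    download_rate_kbps=10.0,
    access_volume=10,
)

# Constructed current observation: login at 10:00 from the usual IP and device,
# but with twice the usual download rate and access data volume.
CURRENT = {
    "source_ip": "10.0.1.15",
    "device_fingerprint": "fp-laptop-01",
    "login_time": "10:00",
    "access_path": "/api/orders",
    "download_rate_kbps": 20.0,
    "access_volume": 20,
}

if __name__ == "__main__":
    dims = deviated_dimensions(USER_BASELINE, CURRENT)
    print("deviated dimensions:", dims, "risk value sum:", risk_sum(dims))
```

With the constructed data the login time is not an outlier (minimum difference 30 min < 60 min) while the download rate and access data volume are, so the equal-weight risk value sum is 2.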
S47: analyzing the current operation behavior data of the target user according to the sensitive data access behavior baseline of the target user, and determining whether the current operation behavior of the target user deviates from the corresponding sensitive data access behavior baseline; if so, go to step S49.
In one example, the current sensitive data access behavior characteristics of the target user can be obtained by analyzing the current operation behavior data of the target user.
In this step, the current operation behavior data of the target user may include the packets in the current north-south traffic related to the target user and the current logs related to the target user.
As stated above, the sensitive data access behavior baseline of a user includes: sensitive data access time, sensitive data access data volume, sensitive data access frequency, sensitive data download rate, and sensitive data access path.
Accordingly, the sensitive data access behavior characteristics of the user may include at least one of: sensitive data access time, sensitive data access data volume, sensitive data access frequency, sensitive data download rate, and sensitive data access path.
In one example, whether a characteristic deviates from the corresponding dimension may be determined according to how far the current sensitive data access behavior characteristic of the target user deviates from that dimension.
The calculation of the degree of deviation is similar to that described under S45 above and is not described in detail here.
In addition, it should be noted that a similar method is used when establishing or updating a user's sensitive data access behavior baseline: the baseline can be established or updated according to the historical sensitive data access behavior characteristics of the target user.
S48: analyzing the current east-west traffic and logs according to the sensitive data lateral flow baseline, and determining whether the sensitive data lateral flow between intranet entities deviates from the corresponding sensitive data lateral flow baseline; if yes, go to step S410.
In one example, the sensitive data lateral flow characteristics between intranet entities may be obtained by analyzing the current east-west traffic and the current logs.
As stated above, the sensitive data lateral flow baseline may include at least one dimension among: basic data indicating whether sensitive data interaction exists between any two entities, and the sensitive data interaction quantity between any two entities.
Accordingly, the sensitive data lateral flow characteristics between intranet entities may include at least one of: a basic feature indicating whether sensitive data interaction exists between any two entities, and the sensitive data interaction quantity (interaction quantity for short).
For the basic feature, a deviation from the dimension can be considered to exist whenever the basic feature differs from the basic data in the baseline.
As for the interaction quantity, whether there is a deviation may be determined according to the degree of deviation between the current interaction quantity and the interaction quantity dimension.
In one example, the degree of deviation may be expressed as a difference:
A: calculate the difference between the current interaction quantity and the dimension value of the interaction quantity dimension;
Assuming the current interaction quantity is 20 and the corresponding dimension value is 10, the difference between the two is 10.
B: determine whether the difference is smaller than a preset interaction quantity threshold; if so, the current interaction quantity is not an outlier, and if not, the current interaction quantity is an outlier and deviates from the interaction quantity dimension.
Continuing the previous example, with a difference of 10 between the current interaction quantity and the corresponding dimension value and an interaction quantity threshold of 5, the current interaction quantity is determined to be an outlier that deviates from the interaction quantity dimension.
In other embodiments of the invention, the risk size may be determined according to the number of dimensions deviated from; for details, refer to the description of step S46 above, which is not repeated here.
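Establishing the sensitive data lateral flow baseline between intranet entity pairs from historical east-west content-detection results and checking the current window against it, covering both the basic-data dimension (does sensitive interaction exist at all) and the interaction quantity dimension of step S48, as an added example that is not the patent's own code. The historical records, entity names, the current window and the threshold of 5 are constructed; taking the mean per-window count as the interaction quantity dimension value is an assumption, as the description does not fix the aggregation.

```python
"""Sensitive data lateral flow baseline between intranet entity pairs (step S48).

Added example, not the patent's own code. The history, the current window and
the threshold are constructed; using the mean count per historical observation
window as the interaction quantity dimension value is an assumption.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import mean

Pair = tuple[str, str]  # (source entity, destination entity); direction is kept

# Constructed historical east-west content-detection results: one record per
# observation window per entity pair, giving the number of packets in which
# sensitive data was detected. A count of 0 means traffic without sensitive data.
HISTORY: list[tuple[str, str, int]] = [
    ("db-01", "app-01", 10),
    ("db-01", "app-01", 10),
    ("app-01", "report-01", 3),
    ("app-01", "report-01", 5),
    ("app-01", "cache-01", 0),
]


def build_lateral_baseline(history: list[tuple[str, str, int]]) -> dict[Pair, float]:
    """Map each pair with observed sensitive interaction to its interaction
    quantity dimension value. A pair absent from the map carries the basic data
    'no sensitive data interaction' between the two entities."""
    per_pair: dict[Pair, list[int]] = defaultdict(list)
    for src, dst, count in history:
        if count > 0:
            per_pair[(src, dst)].append(count)
    return {pair: mean(counts) for pair, counts in per_pair.items()}


def check_lateral_flow(baseline: dict[Pair, float], current: dict[Pair, int],
                       amount_threshold: float) -> list[tuple[Pair, str]]:
    """Compare the current window's lateral flow characteristics with the baseline.

    Returns (pair, deviated dimension) findings: 'basic_data' when the presence of
    sensitive interaction differs from the baseline's basic data, and
    'interaction_amount' when the count differs from the dimension value by at
    least the threshold (the difference-vs-threshold rule of the description).
    """
    findings: list[tuple[Pair, str]] = []
    for pair, count in current.items():
        expected = pair in baseline      # basic data: interaction known from history
        observed = count > 0             # basic feature: interaction seen now
        if observed != expected:
            findings.append((pair, "basic_data"))
            continue
        if observed and abs(count - baseline[pair]) >= amount_threshold:
            findings.append((pair, "interaction_amount"))
    return findings


# Constructed current window: db-01 -> app-01 doubled (20 vs dimension value 10),
# app-01 -> report-01 unchanged, and a new pair db-01 -> mail-01 carrying
# sensitive data for the first time.
CURRENT_WINDOW: dict[Pair, int] = {
    ("db-01", "app-01"): 20,
    ("app-01", "report-01"): 4,
    ("app-01", "cache-01"): 0,
    ("db-01", "mail-01"): 1,
}

if __name__ == "__main__":
    baseline = build_lateral_baseline(HISTORY)
    for pair, dim in check_lateral_flow(baseline, CURRENT_WINDOW, amount_threshold=5):
        print(f"{pair[0]} -> {pair[1]}: deviates from the {dim} dimension")
```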
S49: issuing an early warning notification and blocking the target user;
The target user can be blocked by issuing a blocking policy to the network protection device; for the early warning notification, refer to the description above, which is not repeated here.
Step S49 may be performed by the risk control unit 3.
Furthermore, the risk control unit 3 may also generate a security event or a security log, the content of which may include: time of occurrence, dimensions deviated from, target user involved (IP address, account or MAC address), details, etc.
Of course, in practice the different dimensions may be represented by different numbers, characters, etc.
In addition, some illegitimate data theft (such as data theft by hackers) may access sensitive data through any interface, so which interface or interfaces should be monitored with emphasis cannot be predicted in advance. After sensitive data has been detected by content detection, if it is determined that the sensitive data access behavior deviates from the sensitive data access behavior baseline, the interface through which the sensitive data was accessed may not be safe. The risk control unit 3 may therefore record the interface through which the sensitive data was accessed and subsequently monitor that interface with emphasis.
S410: issuing an early warning notification.
For the early warning notification, refer to the description above, which is not repeated here.
Step S410 may be performed by the risk control unit 3.
Furthermore, the risk control unit 3 may also record a security event or a security log, the content of which may include: time of occurrence, dimensions deviated from, intranet entities involved, details, etc.
Of course, in practice the different dimensions may be represented by different numbers, characters, etc.
It should be noted that after the various analyses have been performed, the current operation behavior data may be stored in the database to support updating the baselines. Alternatively, the data operation behavior characteristics, the sensitive data access behavior characteristics and the sensitive data lateral flow characteristics obtained by the analysis (with outliers removed) may be stored in the database.
The roles of the network traffic and of the logs (application log, audit log) in the data analysis are described below:
First, the application log/audit log:
The application log/audit log may record the source address of the data access, the access time, the access content, etc.
Of course, taking sensitive data as an example, if a user is assumed to query dozens of pieces of sensitive data, the application log/audit log does not record the specific contents of those pieces but records which type of data the queried contents belong to; the network traffic, on the other hand, contains the specific contents of the dozens of pieces of sensitive data queried by the user.
Therefore, by combining the logs with content detection of the network traffic, it can be determined whether sensitive data exists, the type of the detected sensitive data, the specific content corresponding to each type, the operation performed on that content, and so on.
In addition, the application log may include login and logout events, which can be used to analyze the user's login times and therefore to establish a baseline in the login time dimension.
Second, the network traffic:
The network traffic comprises the packets sent over the network; the source address, destination address, access time and the like can be obtained from the packets.
In addition, if content detection is performed on a packet, the access content can also be detected, and hence whether it is sensitive data.
By combining the content detection results of multiple packets of a given user, the user's access data volume, data download rate and so on can be counted.
In addition, the order in which the user accesses interfaces can be analyzed from the packets, and the access path of the sensitive data thereby determined.
Similarly, the content detection results of multiple packets between any two intranet entities can be combined to determine whether sensitive data interaction exists between them and, when it does, the number of pieces of sensitive data exchanged (i.e., the interaction quantity).
In addition, when logging in, the user sends a login request packet and receives an indication of successful login, so the login time can be estimated from the network traffic even when login and logout logs are not collected.
The data leak detection apparatus is described below.
Fig. 1 shows an exemplary structure of the data leak detection apparatus described above, comprising:
a baseline maintenance unit 1 for:
establishing an operation behavior baseline of each user according to historical operation behavior data;
wherein any user is a target user;
the historical operation behavior data comprises historical network traffic and historical logs;
performing sensitive data detection on the packets in the historical network traffic, and establishing a sensitive data operation baseline according to the detection result;
an acquisition unit 2 for: collecting current operation behavior data;
the current operation behavior data comprises current network traffic and current logs;
a risk control unit 3 for:
analyzing the current operation behavior data according to the sensitive data operation baseline to determine whether a sensitive data leakage risk exists, and if so, executing a corresponding sensitive data leakage prevention control strategy;
and analyzing the current operation behavior data according to the operation behavior baseline of the target user to determine whether the target user has a data leakage risk, and if so, executing a corresponding data access risk control strategy for the target user.
For details, please refer to the above description, which is not repeated herein.
In another embodiment of the present invention, referring to fig. 1, the data leakage detecting device may further include: a database 4.
The above-mentioned historical operation behavior data may be stored in the database 4.
The historical operation behavior data includes historical network traffic and historical logs. If the data volume is large, the database 4 may further be split into a network traffic database and a log database.
In addition, after the various analyses have been performed, the current operation behavior data may be saved to the database 4 to support updating the baselines. Alternatively, the data operation behavior characteristics, sensitive data access behavior characteristics and sensitive data lateral flow characteristics obtained by the analysis (with outliers removed) may be stored in the database 4.
In other embodiments of the present invention, the network traffic specifically includes north-south traffic and east-west traffic;
in terms of performing sensitive data detection on the packets in the historical network traffic and establishing a sensitive data operation baseline according to the detection result, the baseline maintenance unit 1 in all the above embodiments may be specifically configured to:
parse the packets in the historical north-south traffic to obtain the packet content, perform sensitive data detection on the packet content, and establish a sensitive data access behavior baseline of each user according to the detection result;
parse the packets in the historical east-west traffic to obtain the packet content, perform sensitive data detection on the packet content, and establish a sensitive data lateral flow baseline between any two intranet entities according to the detection result;
the sensitive data operation baseline comprises: the sensitive data access behavior baseline of each user, and the sensitive data lateral flow baseline between any two intranet entities.
For details, please refer to the above description, which is not repeated herein.
In other embodiments of the present invention, in terms of establishing an operation behavior baseline of each user according to historical operation behavior data, the baseline maintenance unit 1 in all the above embodiments may be specifically configured to:
establish the operation behavior baseline of each user according to the historical north-south traffic and the historical logs.
For details, please refer to the above description, which is not repeated herein.
In other embodiments of the present invention, in terms of analyzing the current operation behavior data according to the sensitive data operation baseline to determine whether there is a risk of sensitive data leakage, the risk control unit 3 in all the above embodiments may be specifically configured to:
analyze the packets related to a target user in the current north-south traffic and the logs related to the target user according to the sensitive data access behavior baseline of the target user, and determine whether the current operation behavior of the target user deviates from the corresponding sensitive data access behavior baseline;
and analyze the current east-west traffic and logs according to the sensitive data lateral flow baseline to determine whether the sensitive data lateral flow between any two intranet entities deviates from the corresponding sensitive data lateral flow baseline.
For details, please refer to the above description, which is not repeated herein.
In another embodiment of the present invention, in terms of analyzing the current operation behavior data according to the operation behavior baseline of the target user to determine whether the target user has a risk of data leakage, the risk control unit 3 in all the above embodiments is specifically configured to:
analyze the packets related to the target user in the current north-south network traffic and the logs related to the target user according to the operation behavior baseline of the target user, and determine whether the current operation behavior of the target user deviates from the corresponding operation behavior baseline.
In other embodiments of the present invention, in terms of executing a corresponding sensitive data leakage prevention control policy, the risk control unit 3 in all the above embodiments is specifically configured to:
issue an early warning notification and block the target user if the current operation behavior of the target user deviates from the corresponding sensitive data access behavior baseline;
and issue an early warning notification if the sensitive data lateral flow between any two intranet entities is determined to deviate from the corresponding sensitive data lateral flow baseline.
For details, please refer to the above description, which is not repeated herein.
Specifically, the operation behavior baseline includes at least one dimension among: source IP, login device fingerprint, login time, and data access behavior;
the data access behavior comprises at least one of: access time, access content, access data volume, access frequency, data download rate, and access path;
the sensitive data access behavior baseline comprises at least one dimension among: sensitive data access time, sensitive data access data volume, sensitive data access frequency, sensitive data download rate, and sensitive data access path;
the sensitive data lateral flow baseline between any two intranet entities includes at least one dimension among: basic data indicating whether sensitive data interaction exists between the two entities, and the sensitive data interaction quantity between the two entities.
For details, please refer to the above description, which is not repeated herein.
Fig. 5 is a schematic diagram showing a possible hardware structure of the data leakage detecting apparatus in the above embodiment, including: a bus, a processor 501, a memory 502, a communication interface 503, an input device 504, and an output device 505. The processor 501, the memory 502, the communication interface 503, the input device 504, and the output device 505 are connected to each other by a bus. Wherein:
a bus may include a path that transfers information between components of a computer system.
The processor 501 may be a general-purpose processor, such as a general-purpose central processing unit (CPU), a network processor (NP), a microprocessor, etc., or may be an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program according to the present invention. It may also be a digital signal processor (DSP), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
The memory 502 stores programs or scripts for executing the technical solution of the present invention, and may also store an operating system and other key services. In particular, the program may include program code including computer operating instructions. Scripts are typically saved as text (e.g., ASCII) and are interpreted or compiled only when called.
Input devices 504 may include devices that receive data and information input by a user, such as a keyboard, mouse, camera, voice input device, touch screen, etc.
The output device 505 may include means, such as a display screen, speakers, etc., that allow information to be output to a user.
Communication interface 503 may include any means for using any transceiver or the like to communicate with other devices or communication networks, such as ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), etc.
The processor 501 may implement the data leak detection method provided by the above-described embodiment by executing the program stored in the memory 502 and calling other devices.
The functions of the units of the data leakage detecting apparatus shown in fig. 5 can be realized by the processor 501 executing the program stored in the memory 502 and calling other devices.
Those of skill would further appreciate that the various illustrative components and model steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or model described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (12)

1. A method for detecting data leakage, comprising:
establishing an operation behavior baseline of each user according to historical operation behavior data; any user is a target user; the historical operation behavior data comprises historical network traffic and historical logs;
performing sensitive data detection on the packets in the historical network traffic, and establishing a sensitive data operation baseline according to the detection result;
collecting current operation behavior data; the current operation behavior data comprises current network traffic and current logs;
analyzing the current operation behavior data according to the sensitive data operation baseline to determine whether a sensitive data leakage risk exists, and if so, executing a corresponding sensitive data leakage prevention control strategy;
analyzing the current operation behavior data according to the operation behavior baseline of the target user to determine whether the target user has a data leakage risk, and if so, executing a corresponding data access risk control strategy for the target user.
2. The method of claim 1,
the network traffic comprises north-south traffic and east-west traffic;
the performing sensitive data detection on the packets in the historical network traffic and establishing a sensitive data operation baseline according to the detection result comprises:
parsing the packets in the historical north-south traffic to obtain the packet content, performing sensitive data detection on the packet content, and establishing a sensitive data access behavior baseline of each user according to the detection result;
parsing the packets in the historical east-west traffic to obtain the packet content, performing sensitive data detection on the packet content, and establishing a sensitive data lateral flow baseline between any two intranet entities according to the detection result;
the sensitive data operation baseline comprises: the sensitive data access behavior baseline of each user, and the sensitive data lateral flow baseline between any two intranet entities.
3. The method of claim 2, wherein analyzing current operational behavior data based on the sensitive data operational baseline to determine whether a risk of sensitive data leakage exists comprises:
analyzing the packets related to a target user in the current north-south traffic and the logs related to the target user according to the sensitive data access behavior baseline of the target user, and determining whether the current operation behavior of the target user deviates from the corresponding sensitive data access behavior baseline;
and analyzing the current east-west traffic and logs according to the sensitive data lateral flow baseline to determine whether the sensitive data lateral flow between any two intranet entities deviates from the corresponding sensitive data lateral flow baseline.
4. The method of claim 1, wherein establishing an operational behavior baseline for each user based on historical operational behavior data comprises:
establishing the operation behavior baseline of each user according to the historical north-south traffic and the historical logs.
5. The method of claim 1, wherein analyzing current operational behavior data based on a baseline operational behavior of a target user to determine whether the target user is at risk of data leakage comprises:
analyzing the packets related to the target user in the current north-south network traffic and the logs related to the target user according to the operation behavior baseline of the target user, and determining whether the current operation behavior of the target user deviates from the corresponding operation behavior baseline.
6. The method according to any of claims 3 to 5,
the executing the corresponding sensitive data leakage prevention control strategy comprises:
if the current operation behavior of the target user deviates from the corresponding sensitive data access behavior baseline, issuing an early warning notification and blocking the target user;
and if the sensitive data lateral flow between any two intranet entities is determined to deviate from the corresponding sensitive data lateral flow baseline, issuing an early warning notification.
7. The method of claim 3, wherein:
the operation behavior baseline comprises at least one dimension among a source IP, a login device fingerprint, a login time and a data access behavior;
the data access behavior comprises at least one of access time, access content, access data volume, access frequency, data download rate and access path;
the sensitive data access behavior baseline comprises at least one dimension among sensitive data access time, sensitive data access data volume, sensitive data access frequency, sensitive data download rate and sensitive data access path;
the sensitive data lateral flow baseline between any two intranet entities comprises at least one dimension among basic data indicating whether sensitive data interaction exists between the two entities, and the quantity of sensitive data interaction between the two entities.
8. A data leakage detection apparatus, characterized by comprising:
a baseline maintenance unit configured to:
establish an operation behavior baseline of each user according to historical operation behavior data, any one of the users being a target user, the historical operation behavior data comprising historical network traffic and historical logs;
perform sensitive data detection on the packets in the historical network traffic, and establish a sensitive data operation baseline according to the detection result;
a collection unit configured to: collect current operation behavior data, the current operation behavior data comprising current network traffic and current logs;
a risk control unit configured to:
analyze the current operation behavior data according to the sensitive data operation baseline to determine whether a sensitive data leakage risk exists, and if so, execute a corresponding sensitive data leakage prevention control strategy;
analyze the current operation behavior data according to the operation behavior baseline of the target user to determine whether the target user has a data leakage risk, and if so, execute a corresponding data access risk control strategy for the target user.
9. The apparatus of claim 8, wherein
the network traffic comprises north-south traffic and east-west traffic;
in performing sensitive data detection on the packets in the historical network traffic and establishing the sensitive data operation baseline according to the detection result, the baseline maintenance unit is specifically configured to:
parse the packets in the historical north-south traffic to obtain the packet content, perform sensitive data detection on the packet content, and establish a sensitive data access behavior baseline of each user according to the detection result;
parse the packets in the historical east-west traffic to obtain the packet content, perform sensitive data detection on the packet content, and establish a sensitive data lateral flow baseline between any two intranet entities according to the detection result;
the sensitive data operation baseline comprises: the sensitive data access behavior baseline of each user, and the sensitive data lateral flow baseline between any two intranet entities.
10. The apparatus of claim 9, wherein in analyzing the current operation behavior data according to the sensitive data operation baseline to determine whether a sensitive data leakage risk exists, the risk control unit is specifically configured to:
analyze the packets related to a target user and the logs related to the target user in the current north-south traffic according to the sensitive data access behavior baseline of the target user, and determine whether the current operation behavior of the target user deviates from the corresponding sensitive data access behavior baseline;
and analyze the current east-west traffic and logs according to the sensitive data lateral flow baseline, and determine whether the sensitive data lateral flow between any two intranet entities deviates from the corresponding sensitive data lateral flow baseline.
11. The apparatus of claim 8, wherein in analyzing the current operation behavior data according to the operation behavior baseline of the target user to determine whether the target user has a data leakage risk, the risk control unit is specifically configured to:
analyze the packets related to the target user and the logs related to the target user in the current north-south traffic according to the operation behavior baseline of the target user, and determine whether the current operation behavior of the target user deviates from the corresponding operation behavior baseline.
12. A data leakage detection apparatus, characterized by comprising at least a processor and a memory, wherein the processor performs the method of any one of claims 1 to 7 by executing a program stored in the memory and invoking other devices.
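The following Python example is added here to make the two-baseline scheme of claims 1 to 7 concrete; it is not code from the patent or from the applicant. It learns, from constructed historical records, a per-user operation behavior baseline (source IP and login hour, two of the claim 7 dimensions), a per-user sensitive data access baseline (sensitive hits per message) and a per-entity-pair lateral flow baseline (whether sensitive data flows between the pair, and how much), then evaluates constructed current records and returns the control action claim 6 prescribes: alert and disable the user for a sensitive-access deviation, alert only for a lateral-flow deviation. Everything not stated in the claims is an assumption: the record schema, the regex standing in for the sensitive-data detector, the mean + 3·stdev deviation rule, and alert-only as the unspecified data access risk control strategy of claim 1.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
import re
import statistics

# Assumed detector: the claims only say "sensitive data detection" is run on packet
# content. An 18-digit PRC resident ID pattern stands in for a real classifier.
SENSITIVE_RE = re.compile(r"\b\d{17}[\dXx]\b")

def count_sensitive(payload: str) -> int:
    """Sensitive-data hits in one parsed message (the 'access data volume' dimension)."""
    return len(SENSITIVE_RE.findall(payload))

# Constructed record schema: direction is "ns" (user <-> service, north-south) or "ew"
# (entity <-> entity, east-west); src is a source IP for "ns" and a source intranet entity
# for "ew"; hour is the hour of day from the log timestamp; payload is the parsed content.
Record = namedtuple("Record", "direction user src dst hour payload")
Finding = namedtuple("Finding", "kind reasons actions")  # what deviated, why, control actions

@dataclass
class UserBaseline:
    src_ips: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    hits: list = field(default_factory=list)  # sensitive hits per historical message

def upper_bound(samples, k=3.0):
    """Assumed deviation rule: mean + k*stdev, stdev floored at 1 so a flat history does not alert on +1."""
    return statistics.fmean(samples) + k * max(statistics.pstdev(samples), 1.0)

class LeakDetector:
    def __init__(self):
        self.users = defaultdict(UserBaseline)  # per-user operation + sensitive-access baseline
        self.lateral = defaultdict(list)        # (src, dst) -> sensitive hits per historical message
        self.disabled = set()                   # users disabled under the claim 6 strategy

    def learn(self, history):
        """Build both baselines from historical traffic and logs (claims 1, 2 and 4)."""
        for r in history:
            n = count_sensitive(r.payload)
            if r.direction == "ns":
                b = self.users[r.user]
                b.src_ips.add(r.src)
                b.hours.add(r.hour)
                b.hits.append(n)
            else:
                self.lateral[(r.src, r.dst)].append(n)

    def evaluate(self, r):
        """Compare one current record with the baselines; None means in profile."""
        n = count_sensitive(r.payload)
        if r.direction == "ew":  # lateral-flow baseline (claims 3, 7): existence first, then quantity
            past = self.lateral.get((r.src, r.dst))
            if n and not (past and any(past)):
                return Finding("lateral_flow", ["sensitive data between entities that never exchanged it"], ("alert",))
            if past and n > upper_bound(past):
                return Finding("lateral_flow", [f"{n} hits above lateral baseline"], ("alert",))
            return None
        b = self.users.get(r.user)
        if b is None:
            return Finding("operation_behavior", ["user has no baseline"], ("alert",))
        if n > upper_bound(b.hits):  # sensitive-access baseline: alert and disable the user (claim 6)
            self.disabled.add(r.user)
            return Finding("sensitive_access", [f"{n} hits above user baseline"], ("alert", "disable_user"))
        reasons = []  # operation-behavior baseline (claim 5): source IP and login-time dimensions
        if r.src not in b.src_ips:
            reasons.append(f"new source IP {r.src}")
        if r.hour not in b.hours:
            reasons.append(f"unusual hour {r.hour:02d}:00")
        # Claim 1 leaves the data-access-risk strategy open; alert-only is assumed here.
        return Finding("operation_behavior", reasons, ("alert",)) if reasons else None

def ids(n):
    """n distinct synthetic 18-digit IDs (constructed test data, not real identities)."""
    return " ".join(f"11010119900101{i:04d}" for i in range(n))

HISTORY = [  # constructed historical records
    Record("ns", "alice", "10.0.0.5", "crm", 9, "lookup " + ids(1)),
    Record("ns", "alice", "10.0.0.5", "crm", 10, "lookup " + ids(2)),
    Record("ns", "alice", "10.0.0.5", "crm", 11, "update address only"),
    Record("ew", "", "crm", "db", 10, "select " + ids(1)),
    Record("ew", "", "web", "cache", 10, "session refresh"),
]
CURRENT_RECORDS = [  # constructed current records
    Record("ns", "alice", "10.0.0.5", "crm", 10, "lookup " + ids(1)),         # in profile
    Record("ns", "alice", "203.0.113.7", "crm", 3, "export customer list"),    # new IP, odd hour
    Record("ns", "alice", "10.0.0.5", "crm", 10, "bulk export " + ids(6)),     # sensitive volume spike
    Record("ew", "", "web", "cache", 10, "cache put " + ids(1)),               # new sensitive path
    Record("ew", "", "crm", "db", 11, "select " + ids(2)),                     # in profile
    Record("ew", "", "crm", "db", 11, "select " + ids(7)),                     # lateral volume spike
]

if __name__ == "__main__":
    det = LeakDetector()
    det.learn(HISTORY)
    for rec in CURRENT_RECORDS:
        print(rec.user or f"{rec.src}->{rec.dst}", det.evaluate(rec))
```

The order of checks in `evaluate` matters: the sensitive-access check runs before the source-IP and login-hour checks so that a bulk export from a known device still triggers the stronger claim 6 response, and the lateral existence check precedes the quantity check because a pair whose baseline contains no sensitive interaction has no meaningful volume threshold. In a real deployment the regex would be replaced by the detector the baseline maintenance unit actually uses, and the mean + 3·stdev rule by whatever deviation test the operator calibrates.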

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911059550.XA CN110798472B (en) 2019-11-01 2019-11-01 Data leakage detection method and device

Publications (2)

Publication Number Publication Date
CN110798472A true CN110798472A (en) 2020-02-14
CN110798472B CN110798472B (en) 2022-01-07

Family

ID=69440686

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911059550.XA Active CN110798472B (en) 2019-11-01 2019-11-01 Data leakage detection method and device

Country Status (1)

Country Link
CN (1) CN110798472B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108052833A (en) * 2017-12-11 2018-05-18 北京明朝万达科技股份有限公司 A kind of executable file anti-data-leakage scan method, system and gateway
CN108133143A (en) * 2017-12-12 2018-06-08 北京明朝万达科技股份有限公司 A kind of data leakage prevention method and system of facing cloud desktop application environment
CN109525558A (en) * 2018-10-22 2019-03-26 深信服科技股份有限公司 Leaking data detection method, system, device and storage medium
CN110222525A (en) * 2019-05-14 2019-09-10 新华三大数据技术有限公司 Database manipulation auditing method, device, electronic equipment and storage medium

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111753328A (en) * 2020-06-03 2020-10-09 支付宝(杭州)信息技术有限公司 Private data leakage risk detection method and system
CN111639365A (en) * 2020-06-09 2020-09-08 杭州安恒信息技术股份有限公司 Data leakage warning method and related device
CN111917718B (en) * 2020-06-24 2023-04-07 武汉绿色网络信息服务有限责任公司 Personal information leakage monitoring method and device
CN111917718A (en) * 2020-06-24 2020-11-10 武汉绿色网络信息服务有限责任公司 Personal information leakage monitoring method and device
CN112380556A (en) * 2020-11-30 2021-02-19 南京云悦欣自动化工程有限公司 Account authority management distribution method
CN112597532A (en) * 2020-12-04 2021-04-02 光大科技有限公司 Monitoring method and device for sensitive data access
CN112565266A (en) * 2020-12-07 2021-03-26 深信服科技股份有限公司 Information leakage attack detection method and device, electronic equipment and storage medium
CN113141274A (en) * 2021-04-26 2021-07-20 合肥全息网御科技有限公司 Method, system and storage medium for detecting sensitive data leakage in real time based on network hologram
CN113704752A (en) * 2021-08-31 2021-11-26 上海观安信息技术股份有限公司 Data leakage behavior detection method and device, computer equipment and storage medium
CN113704752B (en) * 2021-08-31 2024-01-26 上海观安信息技术股份有限公司 Method and device for detecting data leakage behavior, computer equipment and storage medium
CN114135794A (en) * 2021-11-22 2022-03-04 杭州数梦工场科技有限公司 Method and device for detecting leakage of water network
CN114135794B (en) * 2021-11-22 2023-11-24 杭州数梦工场科技有限公司 Method and device for detecting leakage of water network
CN114640530B (en) * 2022-03-24 2023-12-29 深信服科技股份有限公司 Data leakage detection method and device, electronic equipment and readable storage medium
CN114640530A (en) * 2022-03-24 2022-06-17 深信服科技股份有限公司 Data leakage detection method and device, electronic equipment and readable storage medium
CN115577369A (en) * 2022-12-09 2023-01-06 北京仁科互动网络技术有限公司 Source code leakage behavior detection method and device, electronic equipment and storage medium
CN116644484A (en) * 2023-07-20 2023-08-25 江苏华存电子科技有限公司 Computer storage security assessment method and system
CN116644484B (en) * 2023-07-20 2023-12-22 江苏华存电子科技有限公司 Computer storage security assessment method and system
CN116776390A (en) * 2023-08-15 2023-09-19 上海观安信息技术股份有限公司 Method, device, storage medium and equipment for monitoring data leakage behavior
CN117609992A (en) * 2023-11-27 2024-02-27 南方电网数字电网集团信息通信科技有限公司 Data disclosure detection method, device and storage medium

Also Published As

Publication number Publication date
CN110798472B (en) 2022-01-07

Similar Documents

Publication Publication Date Title
CN110798472B (en) Data leakage detection method and device
US11750631B2 (en) System and method for comprehensive data loss prevention and compliance management
US11647039B2 (en) User and entity behavioral analysis with network topology enhancement
US11582207B2 (en) Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform
US10594714B2 (en) User and entity behavioral analysis using an advanced cyber decision platform
US11799900B2 (en) Detecting and mitigating golden ticket attacks within a domain
US11818169B2 (en) Detecting and mitigating attacks using forged authentication objects within a domain
US10609079B2 (en) Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management
US20220377093A1 (en) System and method for data compliance and prevention with threat detection and response
US20200220900A1 (en) Networking flow logs for multi-tenant environments
US9516041B2 (en) Cyber security analytics architecture
US11818150B2 (en) System and methods for detecting and mitigating golden SAML attacks against federated services
US11757849B2 (en) Detecting and mitigating forged authentication object attacks in multi-cloud environments
US20230283641A1 (en) Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement
US20230308459A1 (en) Authentication attack detection and mitigation with embedded authentication and delegation
US20230319019A1 (en) Detecting and mitigating forged authentication attacks using an advanced cyber decision platform
CN114208114A (en) Multi-view security context per participant
EP3721364A1 (en) Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform
US12003534B2 (en) Detecting and mitigating forged authentication attacks within a domain
US11792209B2 (en) Robust learning of web traffic

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant