CN110933064A - Method and system for determining user behavior track - Google Patents


Info

Publication number: CN110933064A
Authority: CN (China)
Prior art keywords: user, data, information, monitored system, basic information
Legal status: Granted
Application number: CN201911171378.7A
Other languages: Chinese (zh)
Other versions: CN110933064B (en)
Inventors: 胡健, 苏永东, 黄文载, 刘玉婷, 杨本富, 肖鹏, 王海林, 张玉雪, 董文君
Current assignee: Information Center of Yunnan Power Grid Co Ltd
Original assignee: Information Center of Yunnan Power Grid Co Ltd

Events
  • Application filed by Information Center of Yunnan Power Grid Co Ltd
  • Priority to CN201911171378.7A
  • Publication of CN110933064A
  • Application granted
  • Publication of CN110933064B
  • Legal status: Active

Classifications

All codes sit under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication); H04L 63/00 covers network architectures or network communication protocols for network security.

  • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
  • H04L 63/1425 Traffic logging, e.g. anomaly detection (under H04L 63/1408)
  • H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route (under H04L 43/00, arrangements for monitoring or testing data switching networks)
  • H04L 2463/146 Tracing the source of attacks (under H04L 2463/00, additional details relating to network security protocols covered by H04L 63/00)
  • H04L 63/0815 Authentication of entities providing single-sign-on or federations (under H04L 63/08)
  • H04L 63/10 Controlling access to devices or network resources


Abstract

The invention discloses a method for determining a user behavior track. It belongs to the technical field of system monitoring and solves the technical problem that systems in the prior art cannot acquire the path of an attack source. An associated data source and an island data source are obtained from a monitored system and marked after normalization processing; the associated data source comprises basic information of a user and system service information. The marked data are acquired and stored in a cluster. The monitoring system acquires the input basic information of the user or the monitored system and judges whether it is in associated matching with the data stored in the cluster: if so, it acquires the associated data of the user's basic information and/or the system service information; if not, it eliminates the input basic information of the user and/or the monitored system. The invention perfects the use function of the system and meets the need to search for the path of an attack source.

Description

Method and system for determining user behavior track
Technical Field
The invention belongs to the technical field of system monitoring, and particularly relates to a method and a system for determining a user behavior track.
Background
At present, as the network field grows ever more diversified, people work and live more conveniently, but network threats have also become diversified and complicated, and a new generation of threats has emerged: they not only spread faster, but also exploit an ever wider attack surface. Traditional network intrusion monitoring relies only on NIDS equipment and manual work for analysis and protection; NIDS equipment is not maintained in time, terminal addresses are dynamically allocated, and data is dispersed across many devices, so tracing security events is difficult, more personnel are needed for checking, time and labor are consumed, the effect is poor, the attack source cannot be found at the first moment, and irretrievable consequences follow.
In view of the above, the present invention is particularly proposed.
Disclosure of Invention
The application provides a method for determining a user behavior track, which solves the technical problem that a system in the prior art cannot acquire the path of an attack source. The technical scheme has several technical effects, which are shown below.
A method of determining a user behavior trajectory, the method comprising:
acquiring a related data source and an island data source in a monitored system, and marking the related data source after normalization processing, wherein the related data source comprises basic information of a user and system service information;
acquiring the marked data and storing it in a cluster;
the monitoring system acquires the input basic information of the user and/or the monitored system and judges whether it is in associated matching with the data stored in the cluster; if so, it acquires the associated data of the user's basic information and/or the system service information; if not, it deletes the input basic information of the user and/or the monitored system.
In a preferred or alternative embodiment, the method of obtaining associated data sources in a monitored system includes:
acquiring user login information of the monitored system and judging whether the user is a terminal user; if so, marking the basic information of the login user; if not, judging whether the user information matches the asset library data of the monitored system; if so, marking the basic information of the login user and the state of the asset of the monitored system; if not, associating the IP network segment area of the login user and marking the current IP address.
In a preferred or alternative embodiment, the method of obtaining user login information for a monitored system comprises:
acquiring the user login path of the monitored system and judging whether virtual private network login information exists; if so, admitting the user to the monitoring system; if not, judging whether the user information matches the asset library data of the monitored system; if so, treating the login to the monitored system as normal; if not, judging that the login to the monitored system is abnormal.
In a preferred or alternative embodiment, the method of obtaining user login information for a monitored system comprises:
judging whether the login user logs in with a public key; if so, the login to the monitored system is normal; if not, the login user is judged abnormal;
judging whether the login user, after logging in to the monitored system, has performed illegal operations or triggered security alarm information; if so, the login user is judged to be a non-safe operation, and if not, a safe operation;
marking the data source and the island data source through which the monitored system was accessed by the non-safe operation or the abnormal login, or acquiring data on threat domain names or blacklist entries accessed from the monitored system,
or the path by which the extranet of the monitored system was accessed;
and marking whether the data of the non-safe operation or abnormal login access to the monitored system is infected with a virus, and whether it is shown by a threat intelligence system included in the monitored system.
In a preferred or alternative embodiment, the method for obtaining marked data and storing the marked data in a cluster includes:
collecting the associated data source and the island data source through a data collection engine and caching them in a distributed message system;
and acquiring data in the distributed message system and storing the data in the searchable server.
In a preferred or optional embodiment, the method for determining whether the basic information matches the data association stored in the cluster includes:
judging whether the basic information of the user input to the monitoring system matches the basic information of a user; if so, acquiring the basic information of all users stored in the monitored system, including the mail sending address, the mail transmitted through the secure virtual network in the monitored system, the mail address and the mail address encrypted by a public key, and judging whether the mail sending address matches both the mail address transmitted through the secure virtual network and the mail address encrypted by the public key; if so, acquiring information on the conditions under which the users log in to and access the secure virtual network; if not, deleting the basic information input to the monitoring system and continuing to associate and match the IP address of the user who input data to the monitoring system with the IP address in the user's basic information, and if that matches, acquiring all the user's basic information and the access condition information of the associated data source and the island data source.
In a preferred or optional implementation manner, the method for determining whether the system service information matches with the data association stored in the cluster includes:
acquiring domain name or service system data input to the monitoring system;
and judging whether the domain name or service system data matches the system service information data in the monitored system, and if so, acquiring the basic information of the login user in the monitored system and the associated data source and island data source used to access the monitored system.
Another aspect provides a system for determining a user behavior trajectory, the system comprising:
an acquisition module, used for acquiring a related data source and an island data source in a monitored system and marking them after normalization processing, wherein the related data source comprises basic information of a user and system service information;
a storage module, used for acquiring the marked data and storing it in a cluster;
and a judging module, used for acquiring, via the monitoring system, the input basic information of the user and/or the monitored system and judging whether it is in associated matching with the data stored in the cluster; if so, acquiring the associated data of the user's basic information and/or the system service information; if not, deleting the input basic information of the user and/or the monitored system.
In a preferred or optional implementation manner, the obtaining module is further configured to obtain user login information of the monitored system and determine whether the user is an end user; if so, mark the basic information of the login user; if not, determine whether the user information matches the asset library data of the monitored system; if so, mark the basic information of the login user and the status of the asset of the monitored system; if not, associate the IP network segment area of the login user and mark the current IP address.
In a preferred or optional embodiment, the obtaining module is further configured to obtain the path by which a user of the monitored system logs in and determine whether virtual private network login information exists; if so, allow the user to be admitted to the monitoring system; if not, determine whether the user information matches the asset library data of the monitored system; if so, treat the login to the monitored system as normal; if not, determine that the login is abnormal.
The beneficial effects of this application are as follows:
acquiring a related data source and an island data source in the monitored system, linking them and monitoring them simultaneously, and marking them after normalization processing; the normalization standardizes and improves the data relation model and, by decomposing the relation model, eliminates improper data dependence, thereby solving the problems of insertion anomalies, deletion anomalies, update anomalies and data redundancy; the marks are used to display and extract the path when each piece of data is invaded;
acquiring the marked data and storing it in a cluster, where cluster storage gives full play to the performance of the storage devices and the utilization of the disks; data is written to and read from multiple storage devices according to a certain rule, so that higher concurrent access performance is obtained;
inputting query information to the monitoring system and judging whether it is associated and matched with the data stored in the cluster; if so, acquiring the basic information of the user of the monitored system and/or the associated data of the system service information and, because the data has been normalized, generating the access path of that user; if not, the input data does not match the data in the monitored system, the input basic information of the user and/or the monitored system is deleted, and the information is re-entered to query again. This scheme performs association analysis on data: using security big data and visualization technology, intelligent association mining analysis can be carried out on the data, the attack source is rapidly located and analyzed, a user behavior trace diagram is automatically generated, the threat behavior and the dynamic attack process that the currently traced event causes to the network are shown visually, and attack tracing is carried out on problems found in the systems used by an enterprise.
Drawings
In order to explain the technical solution of the present application more clearly, the drawings needed for the embodiments are briefly described below; it is obvious to those skilled in the art that other drawings can be obtained from these drawings without creative effort.
FIG. 1 is a schematic diagram illustrating steps of a method for determining a user behavior trace according to the present invention;
FIG. 2 is a schematic diagram illustrating the steps of a method for obtaining associated data sources in a monitored system according to the method for determining a user behavior trajectory of the present invention;
FIG. 3 is a schematic diagram illustrating steps of a method for obtaining user login information of a monitored system according to the method for determining a user behavior trajectory of the present invention;
FIG. 4 is a schematic diagram illustrating a step of a method for determining whether basic information matches data stored in a cluster in association with the user behavior trace according to the present invention;
FIG. 5 is a schematic diagram of a system for determining a user behavior trace according to the present invention;
FIG. 6 is a general technical schematic diagram of a system for determining a user behavior trajectory according to the present invention;
FIG. 7 is a block diagram of a user behavior trace determination system of the present invention.
Detailed Description
Reference will now be made in detail to embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following examples do not represent all embodiments consistent with the present application; they are merely examples of systems and methods consistent with certain aspects of the application, as recited in the claims.
Referring to fig. 1, a method of determining a user behavior trajectory, the method comprising:
S101, acquiring a related data source and an island data source in the monitored system. An island data source is a module storing data that, like an island, cannot be connected to or interact with other data; relational data is a relational database, created on the basis of the relational model, whose data is processed by mathematical concepts and methods such as set algebra.
The acquired related data source and island data source are marked after normalization processing, which standardizes and transforms the relation model of the related data and the island data and eliminates improper data dependence by decomposing the relation model, thereby solving the problems of insertion anomalies, deletion anomalies, update anomalies and data redundancy.
The related data source comprises the basic information and the system service information of a user; the basic information comprises the user's organization, name, IP/MAC and the like;
the system service information of the monitored system comprises the domain name, system name, IP, responsible person, telephone, owning unit, purpose, WEB access log, operating system, database, middleware, network equipment, security equipment, 4A, admission, online behavior audit, anti-virus, terminal traffic and the like. This data is normalized and marked;
S102, acquiring the marked data and storing it in a cluster. Cluster storage aggregates the storage space of the storage devices holding the related data and the island data into a storage pool that offers the application server a uniform access interface and management interface; through the access interface an application can transparently access and use the disks on all storage devices, so the performance of the storage devices and the utilization of the disks are fully exploited and higher concurrent access performance is obtained. For example, Elasticsearch cluster storage solves data query and correlation analysis through a search engine;
S103, the monitoring system acquires the input basic information of the user and/or the monitored system, i.e. the data to be searched for, such as an IP address, user name or domain name, and matches it against the data stored in the cluster; for example, query keywords are entered on a big data analysis platform, such as IP, MAC, user name, EMAIL, domain name, service system and the like. It is then judged whether the basic information is in associated matching with the data stored in the cluster: if so, the associated data of the user's basic information and/or the system service information is acquired; if not, the input basic information of the user and/or the monitored system is deleted or cleared and the information is re-entered to query again.
This scheme performs association analysis on data: using security big data and visualization technology, intelligent association mining analysis can be carried out on the data, the attack source is rapidly located and analyzed, a user behavior trace diagram is automatically generated, the threat behavior and the dynamic attack process that the currently traced event causes to the network are shown visually, and attack tracing is carried out on problems found in the systems used by an enterprise.
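Steps S101 to S103 as one runnable sketch, added here as an illustration and not the patent's own code: heterogeneous source events are normalized into a common model and marked with their source, indexed in an in-memory store that stands in for the Elasticsearch cluster, and then queried by an IP, user name, e-mail or domain keyword, returning the associated records in time order (the trace) or nothing when the keyword does not match. The source names, field names and sample events are constructed for the example.

```python
# Added example (not the patent's own code). Source names, field names and
# the sample events below are constructed for illustration.
from collections import defaultdict
import ipaddress

# Constructed sample events, each in its source's native field names.
RAW_EVENTS = [
    {"source": "web_access", "client": "10.1.2.3", "host": "OA.example.test",
     "uri": "/login", "ts": "2019-11-25T08:00:01"},
    {"source": "vpn", "account": "zhangsan", "assigned_ip": "10.1.2.3",
     "mail": "zhangsan@example.test", "ts": "2019-11-25T07:58:40"},
    {"source": "pki", "cn": "zhangsan", "key_login": True, "ts": "2019-11-25T07:59:10"},
    {"source": "antivirus", "endpoint_ip": "10.1.2.3", "infected": False,
     "ts": "2019-11-25T08:05:00"},
    {"source": "vpn", "account": "lisi", "assigned_ip": "10.1.2.9",
     "mail": "lisi@example.test", "ts": "2019-11-25T09:10:00"},
]

# Normalization rules (S101): each source's native field -> unified key.
# The unified keys are the kinds of keyword S103 queries on.
FIELD_MAP = {
    "web_access": {"client": "ip", "host": "domain"},
    "vpn": {"account": "user", "assigned_ip": "ip", "mail": "email"},
    "pki": {"cn": "user"},
    "antivirus": {"endpoint_ip": "ip"},
}
QUERY_KEYS = ("ip", "user", "email", "domain")


def normalize(event):
    """Return a marked record: unified keys, a 'tag' naming the source (the
    mark that later identifies the record on the trace) and the remaining
    source-specific fields under 'extra' so nothing is lost."""
    mapping = FIELD_MAP[event["source"]]
    record = {"tag": event["source"], "ts": event["ts"], "extra": {}}
    for name, value in event.items():
        if name in mapping:
            record[mapping[name]] = str(value).lower()   # case-fold for matching
        elif name not in ("source", "ts"):
            record["extra"][name] = value
    return record


class Store:
    """Stand-in for the searchable cluster (S102): an inverted index from
    (unified key, value) to the records carrying that value."""

    def __init__(self):
        self.records = []
        self.index = defaultdict(list)

    def add(self, record):
        self.records.append(record)
        for key in QUERY_KEYS:
            if key in record:
                self.index[(key, record[key])].append(record)

    def lookup(self, key, value):
        return self.index.get((key, value.lower()), [])


def classify_keyword(keyword):
    """Decide which unified key an input keyword is matched against."""
    try:
        ipaddress.ip_address(keyword)
        return "ip"
    except ValueError:
        pass
    if "@" in keyword:
        return "email"
    if "." in keyword:
        return "domain"
    return "user"


def query(store, keyword):
    """S103 lookup. Direct hits are widened one step: any ip or user found in
    a hit pulls in the other records sharing it, which turns one keyword into
    a trace across the VPN, PKI, web and endpoint sources."""
    key = classify_keyword(keyword)
    hits = store.lookup(key, keyword)
    if not hits:
        return []                      # not associated: the input is discarded
    related = {id(r): r for r in hits}
    for rec in hits:
        for pivot in ("ip", "user"):
            if pivot in rec and pivot != key:
                for other in store.lookup(pivot, rec[pivot]):
                    related.setdefault(id(other), other)
    return sorted(related.values(), key=lambda r: r["ts"])


def build_store(events=RAW_EVENTS):
    """Ingest the constructed events: normalize, mark and index each one."""
    store = Store()
    for event in events:
        store.add(normalize(event))
    return store


if __name__ == "__main__":
    st = build_store()
    for rec in query(st, "zhangsan"):
        print(rec["ts"], rec["tag"], {k: rec[k] for k in QUERY_KEYS if k in rec})
```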
As an alternative embodiment, a method for obtaining associated data sources in a monitored system includes:
The purpose is to find out who the attack source under investigation is. As shown in fig. 2, the login information of the end user is acquired from the monitored system, which allocates and stores the allocation information, and it is determined whether the user is the end user. If so, the basic information of the login user is marked (the login user information matches the allocation information); if not, it is judged whether the user information matches the asset library data of the monitored system; if so, the basic information of the login user and the state of the asset of the monitored system are marked; if not, the IP network segment area of the login user is associated and the current IP address is marked.
As an optional implementation, the method for acquiring the user login information of the monitored system includes:
As shown in fig. 3, the user login path of the monitored system is obtained and it is determined whether virtual private network login information exists; if it exists, the user is allowed into the monitored system; if not, it is determined whether the user information matches the asset library data of the monitored system (the historical login information stored in the VPN); if it matches, the login to the monitored system is normal, and if not, the monitored system is. For example, to judge the network access mode of an attack source, first check the VPN access information: if login information exists, the login came from the external network through the VPN; if not, check the admission system, and if login information exists there, the network was accessed normally through the admission system; then check whether the asset is a dynamic asset: if so, the network was accessed normally, otherwise the access was abnormal, and the access path and access information of the abnormal access are marked.
As an optional implementation, the method for acquiring the user login information of the monitored system includes:
It is judged whether the login user logs in with a public key; if so, the login to the monitored system is normal; if not, the login user is judged abnormal. For example, it is checked whether the "attack source" logged in through PKI (Public Key Infrastructure: a technology and specification that follows standards and, using public key encryption technology, provides a secure basic platform for the development of electronic commerce) by checking the PKI login information: if it exists, the login was a PKI key login; if not, the login is abnormal;
it is judged whether the login user, after logging in to the monitored system, has performed illegal operations or triggered security alarm information; if so, the login user is judged a non-safe operation, and if not, a safe operation. Using the attack source as the condition, the monitored system is examined for illegal operations or triggered security alarm information;
the data source and the island data source through which the monitored system was accessed by non-safe operation or abnormal login are marked, or data on threat domain names or blacklist entries accessed from the monitored system is acquired; for example, when checking the external network access of the "attack source", first check whether the "attack source" has accessed a threat domain name; second, whether it has accessed the blacklist; and finally the external network accessed normally by the attack source.
Or the path by which the external network of the monitored system was accessed: when the "attack source" external network access is checked, first check whether the "attack source" accessed a threat domain name; second, whether the blacklist was accessed; finally, the external network accessed normally by the attack source.
Data that reached the monitored system through non-safe operation or abnormal login is marked as to whether it is infected with a virus, as indicated by the threat intelligence system included with the monitored system. If so, it is checked whether the attack source is infected with a virus or Trojan horse and whether it is controlled by a threat host with disclosed threat intelligence;
the behavior trace of the attack source in the network can be grasped visually and globally through the behavior trace diagram, and if further investigation is needed, deep investigation is carried out through log tracing. The monitoring system displays the path of the intrusion login and the content accessed as quickly as possible, so that the maintainer of the monitored system can take further precautions.
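The checks of figs. 2 and 3 and the PKI, illegal-operation, threat-domain, blacklist and infection checks above, combined into one labelling routine as an added example (not code from the patent): it returns every label the description attaches to a login and whether the record should be marked for trace extraction. The record fields, the /24 segment size, the threat-domain and blacklist sets and the two sample records are constructed assumptions.

```python
# Added example (not from the patent). Field names, the /24 segment size, the
# threat-domain and blacklist sets and the sample records are assumptions.
from dataclasses import dataclass, field
import ipaddress


@dataclass
class LoginRecord:
    user: str
    ip: str
    is_end_user: bool          # user is a registered terminal user
    in_asset_library: bool     # user/host matches the monitored system's asset library
    vpn_login: bool            # VPN login information exists for this session
    pki_key_login: bool        # logged in with a PKI key
    illegal_ops: int = 0       # illegal operations observed after login
    alarms: int = 0            # security alarms triggered after login
    destinations: list = field(default_factory=list)  # external hosts/domains reached
    infected: bool = False     # flagged by anti-virus / threat intelligence


THREAT_DOMAINS = {"bad.example.test"}   # constructed threat-intelligence feed
BLACKLIST = {"203.0.113.7"}             # constructed blacklist


def access_path(rec):
    """Fig. 3: VPN login info -> admitted via VPN; else asset library match ->
    normal login; else abnormal login."""
    if rec.vpn_login:
        return "vpn"
    if rec.in_asset_library:
        return "normal"
    return "abnormal"


def identity_mark(rec):
    """Fig. 2: end user -> mark basic info; asset match -> basic info plus asset
    state; otherwise associate the login IP's network segment and mark the IP."""
    if rec.is_end_user:
        return {"mark": "basic_info"}
    if rec.in_asset_library:
        return {"mark": "basic_info+asset_state"}
    segment = ipaddress.ip_network(f"{rec.ip}/24", strict=False)   # assumed /24 segments
    return {"mark": "ip_segment", "segment": str(segment), "ip": rec.ip}


def assess(rec):
    """Return every label the description attaches to one login, plus whether
    the record should be marked for trace extraction."""
    labels = {
        "path": access_path(rec),
        "pki": "key_login" if rec.pki_key_login else "abnormal_login",
        "operation": "non_safe" if (rec.illegal_ops or rec.alarms) else "safe",
        "threat_domains": sorted(d for d in rec.destinations if d in THREAT_DOMAINS),
        "blacklist_hits": sorted(d for d in rec.destinations if d in BLACKLIST),
        "infected": rec.infected,
    }
    labels.update(identity_mark(rec))
    # any abnormal or non-safe signal makes the record worth showing on the trace
    labels["mark_for_trace"] = (
        labels["path"] == "abnormal"
        or labels["pki"] == "abnormal_login"
        or labels["operation"] == "non_safe"
        or bool(labels["threat_domains"])
        or bool(labels["blacklist_hits"])
        or rec.infected
    )
    return labels


# Constructed samples: a routine employee session and a suspicious one.
NORMAL = LoginRecord("zhangsan", "10.1.2.3", True, True, True, True,
                     destinations=["oa.example.test"])
SUSPECT = LoginRecord("unknown", "10.7.7.41", False, False, False, False,
                      illegal_ops=2, alarms=1,
                      destinations=["bad.example.test", "203.0.113.7"], infected=True)

if __name__ == "__main__":
    for rec in (NORMAL, SUSPECT):
        print(rec.user, assess(rec))
```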
As an optional implementation, the method of acquiring marked data and storing the marked data in a cluster includes:
The related data source and the island data source are collected through a data collection engine and cached in the distributed message system. The data acquired from the monitored system comprises WEB access logs, hosts (operating system, database and middleware), network equipment, security equipment, PKI, VPN, 4A, admission, online behavior audit, anti-virus, terminal traffic, threat intelligence and the like;
the collection engine, for example flash, logstash, beat, Rsyslog, Scripts, API interface calls and the like, improves the data collection speed and uniformly sends data to the distributed message system (for example a Kafka message system cluster (Apache Kafka cluster)); the message system cluster has the advantages of a uniform, high-throughput, low-latency, easily expanded distributed system, ensures comprehensive, complete and high-quality data storage, and solves the problem of data loss caused by large data volumes;
the data in the distributed message system is obtained and stored in the searchable server: for example, logstash normalizes and labels the data in the message system cluster according to the data model requirements, and the processed data is uniformly transferred through an interface into a storage cluster; the storage cluster, for example an Elasticsearch cluster, provides a full-text search engine and improves the efficiency of data query and correlation analysis.
Further, the method for judging whether the basic information is associated and matched with the data stored in the cluster comprises the following steps:
As shown in fig. 4, it is determined whether the basic information of the user input to the monitoring system matches the basic information of a user; if so, the basic information of all users stored in the monitored system is obtained, including the mail sending address, the mail transmitted through the secure virtual network in the monitored system, the mail address and the mail address encrypted by a public key, and it is determined whether the mail sending address matches both the mail address transmitted through the secure virtual network and the mail address encrypted by the public key; if so, the information on the user logging in to and accessing the secure virtual network is obtained; if not, the basic information input to the monitoring system is deleted and the IP address of the user who input data to the monitoring system continues to be associated and matched with the IP address in the user's basic information, and if that matches, the basic information of all the users, the access condition information of the related data source and the access condition information of the island data source are acquired.
As an optional implementation manner, the method for determining whether the system service information is associated and matched with the data stored in the cluster includes:
acquiring domain name or service system data input to a monitoring system;
It is judged whether the domain name or service system data matches the system service information data in the monitored system; if so, the basic information of the login user in the monitored system and the related data source and island data source used to access the monitored system are acquired. For example, if the input keyword is a domain name or service system, it is used as the query condition to match against the data stored in the cluster; if it matches, the corresponding service system information is taken out, including the basic information of the user, such as system name, IP, responsible person, telephone, owning unit, purpose and the like;
and the system service information, for example WEB access log, operating system, database, middleware, network device, security device, 4A, admission, online behavior audit, anti-virus, terminal traffic and the like; the corresponding information is extracted for each matched record.
As shown in fig. 5, another aspect provides a system for determining a behavior trace of a user, the system comprising:
the acquisition module is used for acquiring the related data source and the island data source in the monitored system; for example, data information is collected through collection agents such as flash, Logstash, Beats, Rsyslog or scripts, which shortens the time needed for data collection, and the data information is transmitted to a Kafka message system cluster serving as a data cache to avoid data loss;
normalization processing is carried out on the data in the Kafka message system cluster, with normalization and labeling performed according to the requirements of the data model;
and the storage module is used for acquiring the marked data and storing it in a cluster. The data after canonicalization processing is transferred through interface calls into a storage cluster (an Elasticsearch cluster), which provides a full-text search engine and improves the efficiency of data query and correlation analysis;
the judging module acquires the information input into the monitoring system, for example a query keyword entered on the big data analysis platform, such as an IP, MAC, user name, EMAIL, domain name or service system, and judges whether that basic information is in associated matching with the data stored in the cluster; if it is, the associated data of the basic information of the user and/or the service information of the system is obtained, and if it is not, the input basic information of the user and/or the monitored system is deleted.
Further, the obtaining module is further configured to obtain user login information of the monitored system and determine whether the user is an end user; if so, the basic information of the login user is marked; if not, it is determined whether the user information matches the asset library data of the monitored system; if so, the basic information of the login user and the state of the asset of the monitored system are marked, and if not, the IP network segment area of the login user is associated and the current IP address is marked.
Further, the obtaining module is further configured to obtain the path of the user's login to the monitored system and determine whether virtual private network login information exists; if it does, access to the monitored system is allowed; if it does not, it is determined whether the user information matches the asset library data of the monitored system; if so, the user logs in to the monitored system normally, and if not, the login to the monitored system is judged abnormal.
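The two checks of the obtaining module above (login marking by end user, asset library or IP network segment, and the login-path check by VPN information, asset library or abnormal login), written out as an added example that is not the patent's own code. The record fields, the asset library keyed by IP and all sample data are constructed assumptions.

```python
# Added example (not the patent's own code): the acquisition module's login
# marking and login-path check as decision functions over constructed records.
# Field names, the IP-keyed asset library and the sample data are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    via_vpn: bool = False  # virtual private network login information present?


# Constructed sample data: end-user directory, asset library, IP segment areas.
END_USERS = {"alice", "bob"}
ASSET_LIBRARY = {
    "10.0.1.15": {"system": "billing-web", "owner": "ops-team", "state": "active"},
}
IP_SEGMENT_AREAS = {"10.0.0.0/16": "office-lan", "192.168.50.0/24": "branch-dmz"}


def segment_area(ip: str) -> str:
    """Associate an address with its IP network segment area ("unknown-segment" if none)."""
    addr = ip_address(ip)
    for cidr, area in IP_SEGMENT_AREAS.items():
        if addr in ip_network(cidr):
            return area
    return "unknown-segment"


def mark_login(login: Login) -> dict:
    """Marking: end user -> basic info; else asset-library match -> basic info
    plus asset state; else the login's IP segment area and current IP address."""
    if login.user in END_USERS:
        return {"mark": "end-user", "user": login.user, "ip": login.ip}
    asset = ASSET_LIBRARY.get(login.ip)
    if asset is not None:
        return {"mark": "asset", "user": login.user, "ip": login.ip,
                "system": asset["system"], "asset_state": asset["state"]}
    return {"mark": "segment", "user": login.user, "ip": login.ip,
            "area": segment_area(login.ip)}


def classify_login_path(login: Login) -> str:
    """Login path: VPN login information -> admitted to the monitored system;
    else asset-library match -> normal login; else abnormal login."""
    if login.via_vpn:
        return "admitted"
    if login.ip in ASSET_LIBRARY:
        return "normal"
    return "abnormal"
```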
Overall representation of the monitoring system: as shown in fig. 6:
1) collecting data information through a collection agent, the data information being: all user login information of the monitored system, WEB access logs, hosts (operating system, database and middleware), network equipment, security equipment, PKI, VPN, 4A, admission, online behavior audit, anti-virus, terminal traffic, threat intelligence and other data information;
2) sending the data to a Kafka message system cluster serving as a data cache to avoid data loss;
3) performing canonicalization and labeling processing on the data according to the requirements of the data model using Logstash, and storing the result in a cluster (such as an Elasticsearch cluster);
4) entering query keywords on the big data analysis platform to be matched against the data in the cluster storage,
as shown in fig. 7; the judgment is made during matching. For example, the domain name or service system information is used as the query condition for association matching against the dynamic asset library, and the corresponding service system information, the user information of the monitored system, the associated data source and the like are obtained from the match.
If user information such as the IP, MAC, user name or EMAIL is obtained, that information is taken as the query condition and associated and matched against the monitoring system. If it matches, the information on the user of the monitored system is obtained, comprising the EMAIL address, the VPN and the PKI; the EMAIL address is then associated and matched again with the VPN and the PKI, and if that matches, the VPN login and access conditions and the current state and access records of the PKI are obtained. If the match fails, the MAC, user name and EMAIL are discarded and not matched further, and association matching continues between the IP address and the dynamic asset library; if that succeeds, the following are acquired: business system, IP, system responsible person, telephone, affiliated unit, etc. The IP address is then further matched and analyzed against the WEB access logs, operating system, database, middleware, network equipment, security equipment, 4A, admission, online behavior audit, anti-virus, terminal traffic, etc., and the corresponding information is taken out of each matched data set.
According to the content shown in fig. 7, the attack path of an attack source can be rapidly acquired, which makes it convenient for the system maintainer to concentrate defenses and repair system vulnerabilities.
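The judging module's association matching of figs. 4 and 7 (both the user-information path, with the EMAIL re-matched against the VPN and PKI addresses and the IP-only fallback into the asset library and log sources, and the domain/service-system path), as an added example that is not the patent's own code. The stored records, field names, the helper `records_for_ip` and all sample data are constructed assumptions standing in for the normalized cluster data.

```python
# Added example (not the patent's own code): the judging module's association
# matching over constructed, already-normalized records. Record layout and field
# names are assumptions; the decision order follows the description.
USER_KEYS = ("ip", "mac", "user", "email")

# Constructed normalized store standing in for the storage cluster.
STORE = {
    "users": [  # basic information of the monitored system's users
        {"user": "alice", "ip": "10.0.1.15", "mac": "aa:bb:cc:00:11:22",
         "email": "alice@example.test", "vpn_email": "alice@example.test",
         "pki_email": "alice@example.test"},
        {"user": "bob", "ip": "10.0.2.7", "mac": "aa:bb:cc:33:44:55",
         "email": "bob@example.test", "vpn_email": "bob@example.test",
         "pki_email": "bob.old@example.test"},  # PKI address does not match
    ],
    "vpn_access": {"alice@example.test": [{"t": "2019-11-26T08:00", "event": "login-ok"}]},
    "pki_status": {"alice@example.test": {"cert": "valid", "last_use": "2019-11-26T08:01"}},
    "assets": {  # dynamic asset library keyed by IP
        "10.0.3.9": {"system": "billing-web", "domain": "billing.example.test",
                     "owner": "ops-team", "phone": "0000", "unit": "IT dept"},
    },
    "logs": {  # per-source records, each carrying the client IP
        "web_access": [{"ip": "10.0.3.9", "msg": "GET /admin 200"}],
        "4a": [{"ip": "10.0.3.9", "msg": "privileged session opened"}],
        "admission": [{"ip": "10.0.1.15", "msg": "NAC pass"}],
    },
}


def records_for_ip(ip):
    """Pull the matching records out of every collected log source for one IP."""
    hits = {name: [r for r in recs if r["ip"] == ip] for name, recs in STORE["logs"].items()}
    return {name: recs for name, recs in hits.items() if recs}


def match_user(query):
    """Match whichever of IP/MAC/user name/EMAIL were input against stored users."""
    keys = {k: query[k] for k in USER_KEYS if k in query}
    return next((u for u in STORE["users"]
                 if keys and all(u.get(k) == v for k, v in keys.items())), None)


def trace_user(query):
    """Judging-module flow for a query keyed by user information."""
    user = match_user(query)
    if user is not None:
        out = {"path": ["user-matched"], "user": user}
        # Re-match the EMAIL address against the VPN and PKI mail addresses.
        if user["email"] == user["vpn_email"] == user["pki_email"]:
            out["path"].append("vpn-pki-matched")
            out["vpn_access"] = STORE["vpn_access"].get(user["email"], [])
            out["pki_status"] = STORE["pki_status"].get(user["email"])
        else:
            out["path"].append("vpn-pki-mismatch")
        return out
    # No user match: MAC, user name and EMAIL are discarded; only the IP goes on.
    asset = STORE["assets"].get(query.get("ip"))
    if asset is None:
        return {"path": ["user-unmatched", "discarded"]}
    return {"path": ["user-unmatched", "asset-matched"], "asset": asset,
            "sources": records_for_ip(query["ip"])}


def trace_service(domain_or_system):
    """Domain / service-system query: asset library, then its login users and sources."""
    for ip, asset in STORE["assets"].items():
        if domain_or_system in (asset["domain"], asset["system"]):
            users = [u for u in STORE["users"] if u["ip"] == ip]
            return {"ip": ip, "asset": asset, "users": users, "sources": records_for_ip(ip)}
    return None
```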
The embodiments provided in the present application are only a few examples of the general concept of the present application, and do not limit the scope of the present application. Any other embodiments extended according to the scheme of the present application without inventive efforts will be within the scope of protection of the present application for a person skilled in the art.

Claims (10)

1. A method of determining a trajectory of user behavior, the method comprising:
acquiring a related data source and an island data source in a monitored system, and marking them after normalization processing, wherein the related data source comprises basic information of a user and system service information;
acquiring the marked data and storing the marked data in a cluster;
the monitoring system acquiring the input basic information of the user or the monitored system and judging whether the basic information is in associated matching with the data stored in the cluster; if so, acquiring the basic information of the user and/or the associated data of the system service information, and if not, eliminating the input basic information of the user and/or the monitored system.
2. The method of claim 1, wherein the method of obtaining associated data sources in a monitored system comprises:
acquiring user login information of the monitored system and judging whether the user is a terminal user; if so, marking the basic information of the login user; if not, judging whether the user information matches the asset library data of the monitored system; if so, marking the basic information of the login user and the state of the asset of the monitored system; if not, associating the IP network segment area of the login user and marking the current IP address.
3. The method of claim 2, wherein the method of obtaining user login information for the monitored system comprises:
acquiring the user login path of the monitored system and judging whether virtual private network login information exists; if so, admitting the user to the monitored system; if not, judging whether the user information matches the asset library data of the monitored system; if so, logging in to the monitored system normally, and if not, judging the login to the monitored system abnormal.
4. The method of claim 2, wherein the method of obtaining user login information for the monitored system comprises:
judging whether the login user logs in using a public key; if so, the login to the monitored system is normal, and if not, the login user is judged abnormal;
judging whether the login user, having logged in to the monitored system, has performed an illegal operation or triggered security alarm information; if yes, judging the login user's activity to be non-safe operation, and if not, safe operation;
marking the data source and the island data source accessed in the monitored system through the non-safe operation or the abnormal login, or acquiring data on access to domain names or blacklists treated as threats by the monitored system, or on paths of access to an external network of the monitored system;
and marking whether the data accessed in the monitored system through the non-safe operation or the abnormal login is infected with a virus, and whether it is shown by a threat intelligence system included in the monitored system.
5. The method of claim 1, wherein the marked data is obtained and stored in a cluster, and the method comprises:
collecting the associated data source and the island data source through a data collection engine, and caching the data source and the island data source to a distributed message system;
and acquiring data in the distributed message system and storing the data in the searchable server.
6. The method of claim 1 or 5, wherein determining whether the base information matches the data association stored by the cluster comprises:
judging whether the basic information of the user input into the monitoring system matches the stored basic information of the user; if so, acquiring the basic information of all the users stored in the monitored system, including the mail sending address, the mail address transmitted through the secure virtual network in the monitored system, and the mail address encrypted with the public key; judging whether the mail sending address matches both the mail address transmitted through the secure virtual network and the mail address encrypted with the public key, and if so, acquiring the information on the conditions under which the users log in to and access the secure virtual network; if not, deleting the basic information input to the monitoring system, and continuing to associate and match the IP address of the user who input data to the monitoring system with the IP address in the user's basic information, and if that matches, acquiring the basic information of all the users, the associated data source and the access condition information of the island data source.
7. The method of claim 1 or 5, wherein the step of determining whether the system traffic information matches the data association stored by the cluster comprises:
acquiring domain name or service system data input to the monitoring system;
and judging whether the domain name or the service system data matches the system service information data in the monitored system, and if so, acquiring the basic information of the login user in the monitored system together with the associated data source and the island data source accessing the monitored system.
8. A system for determining a trajectory of user behavior, the system comprising:
an acquisition module, used for acquiring a related data source and an island data source in a monitored system and marking the related data source and the island data source after normalization processing, wherein the related data source comprises basic information of a user and system service information;
a storage module, used for acquiring the marked data and storing the marked data in a cluster;
and a judging module, used for acquiring, by the monitoring system, the input basic information of the user and/or the monitored system and judging whether the basic information is in associated matching with the data stored in the cluster; if so, acquiring the basic information of the user and/or the associated data of the system service information, and if not, deleting the input basic information of the user and/or the monitored system.
9. The system of claim 8, wherein the acquisition module is further configured to acquire login information of the monitored system and determine whether the user is an end user; if yes, mark the basic information of the logged-in user; if not, determine whether the user information matches the asset library data of the monitored system; if so, mark the basic information of the logged-in user and the status of the assets of the monitored system; if not, associate the IP network segment area of the logged-in user and mark the current IP address.
10. The system of claim 9, wherein the acquisition module is further configured to acquire the path of a user's login to the monitored system and determine whether virtual private network login information exists; if so, admit the user to the monitored system; if not, determine whether the user information matches the asset library data of the monitored system; if so, the user logs in to the monitored system normally, and if not, the login is determined to be abnormal.
CN201911171378.7A 2019-11-26 2019-11-26 Method and system for determining user behavior track Active CN110933064B (en)


Publications (2)

Publication Number Publication Date
CN110933064A true CN110933064A (en) 2020-03-27
CN110933064B CN110933064B (en) 2023-10-03



Also Published As

Publication number Publication date
CN110933064B (en) 2023-10-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant