CN111159719B - Determination method and device of conflict authority, computer equipment and storage medium - Google Patents


Info

Publication number: CN111159719B
Application number: CN201911421731.2A
Authority: CN (China)
Legal status: Active
Other versions: CN111159719A (en)
Other languages: Chinese (zh)
Inventors: 沈韵, 魏勇, 简明, 张泽洲
Current assignee: Qax Technology Group Inc; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Application filed by: Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
Prior art keywords: access, page, preset, access record, determining

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements > G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides a method and a device for determining conflict authority, computer equipment and a storage medium. The method for determining the conflict authority comprises the following steps: acquiring historical access information of a target subject; analyzing historical access information to obtain a plurality of access targets, wherein the access targets comprise access addresses and page operations performed when the access addresses are accessed; dividing a plurality of access targets adjacent in access time into a behavior track; judging whether the behavior track is a dangerous behavior track or not through a threat model; and when the behavior track is a dangerous behavior track, determining the authority corresponding to the dangerous behavior track as a conflict authority in the authority set of the target subject. By the method and the device, the conflict authority in the authority set can be determined, and the probability of safety risk of the authority set is reduced.

Description

Determination method and device of conflict authority, computer equipment and storage medium
Technical Field
The present invention relates to the field of rights processing technologies, and in particular, to a method and an apparatus for determining a conflict right, a computer device, and a storage medium.
Background
To implement differentiated security management, rights management is applied to the users who access a system. In the prior art, a corresponding authority set is configured for each access subject; during access control, accesses that fall within the scope of the authority set are allowed and accesses outside that scope are intercepted.
The inventor finds that when an authority set contains many rights, the behaviors allowed by several of those rights may combine into a security vulnerability. For example, if the authority set includes both the right to access confidential content and the right to access application programs downloaded from outside through the program download center, and an external application program carries a file-stealing virus, the security of the confidential content may be threatened.
Providing a method, an apparatus, a computer device and a storage medium that identify combinations of permissions, determine the conflicting permissions in a permission set and thereby reduce the probability of security risk in that permission set is therefore an urgent technical problem in the art.
Disclosure of Invention
The present invention is directed to a method, an apparatus, a computer device, and a storage medium for determining a conflict permission, which are used to solve the above technical problems in the prior art.
In one aspect, the present invention provides a method for determining a conflict permission.
The method for determining the conflict authority comprises the following steps: acquiring historical access information of a target subject; analyzing historical access information to obtain a plurality of access targets, wherein the access targets comprise access addresses and page operations performed when the access addresses are accessed; dividing a plurality of access targets adjacent in access time into a behavior track; judging whether the behavior track is a dangerous behavior track or not through a threat model; and when the behavior track is a dangerous behavior track, determining the authority corresponding to the dangerous behavior track as a conflict authority in the authority set of the target subject.
Further, the step of parsing the historical access information to obtain a plurality of access targets includes: analyzing historical access information to obtain a plurality of access records, wherein the access records comprise access addresses and page operations performed when the access addresses are accessed; determining a session according to the access records, wherein the session comprises a plurality of access records with adjacent access time; and determining the access record with the latest access time in the session as an access target.
Further, the step of determining a session from the access record comprises: and taking a plurality of access records with the similarity larger than a preset similarity threshold and adjacent access time as a session.
Further, the step of parsing the historical access information to obtain a plurality of access records comprises: acquiring an access address from the historical access information; acquiring the page operations performed on the page when the access address is accessed; calculating the page dwell time on that page when the access address is accessed; and generating an access record from the access address, the page operations corresponding to the access address and the page dwell time. The step of taking a plurality of adjacent access records whose similarity is greater than the preset similarity threshold as a session then comprises: taking as a session a plurality of adjacent access records whose similarity is greater than the preset similarity threshold and whose page dwell time is within a preset dwell time range.
Further, the step of taking as a session a plurality of adjacent access records whose similarity is greater than the preset similarity threshold and whose page dwell time is within the preset dwell time range includes:
Step S1: acquiring an access record, in access time order, as the first access record;
Step S2: judging whether the page dwell time of the first access record is within the preset dwell time range, and whether the access record set already contains any access record; when the page dwell time is within the preset dwell time range and the access record set is non-empty, step S3 is executed; when the page dwell time is within the preset dwell time range and the access record set is empty, step S5 is executed; when the page dwell time is not within the preset dwell time range and the access record set is non-empty, step S7 is executed; and when the page dwell time is not within the preset dwell time range and the access record set is empty, the process returns to step S1;
Step S3: calculating the similarity between the first access record and the latest access record in the access record set;
Step S4: judging whether the similarity is greater than or equal to the preset similarity threshold; when it is, step S5 is executed, and when it is less than the preset similarity threshold, step S6 is executed;
Step S5: writing the first access record into the access record set, and returning to step S1;
Step S6: outputting the access record set as a session, emptying the access record set, adding the first access record to the access record set, and returning to step S1;
Step S7: outputting the access record set as a session, emptying the access record set, and returning to step S1.
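The session-splitting loop of steps S1 to S7, followed by the access-target and behavior-track steps, as an added example in Python; this is not code from the patent. The dwell ranges are constructed (the patent derives them from a box plot), the similarity is the edit distance of the access addresses normalised to [0, 1] so that a threshold comparison applies, and "the access record set comprises the access record" is read as "the set is non-empty"; all names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessRecord:
    """One access record R_i = (url_i, ops_i, dwell_i), plus its access time (seconds, assumed)."""
    time: int
    url: str
    ops: Tuple[str, ...]
    dwell: float


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two access addresses (one of the two measures the patent allows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(r1: AccessRecord, r2: AccessRecord) -> float:
    """Normalise the edit distance into [0, 1] so that a 'greater than threshold' test applies
    (the normalisation is an assumption; the patent only names the distance)."""
    longest = max(len(r1.url), len(r2.url), 1)
    return 1.0 - edit_distance(r1.url, r2.url) / longest


def split_sessions(records, dwell_ranges, threshold):
    """Steps S1-S7: walk the records in access-time order, keeping an access record set that is
    emitted as a session when the similarity test fails (S6) or an abnormal dwell time ends it (S7)."""
    sessions: List[List[AccessRecord]] = []
    current: List[AccessRecord] = []
    for rec in sorted(records, key=lambda r: r.time):           # S1
        lo, hi = dwell_ranges[rec.url]
        in_range = lo <= rec.dwell <= hi                         # S2
        if in_range and current:
            if similarity(rec, current[-1]) >= threshold:        # S3, S4
                current.append(rec)                              # S5
            else:
                sessions.append(current)                         # S6
                current = [rec]
        elif in_range:
            current.append(rec)                                  # S5
        elif current:
            sessions.append(current)                             # S7: abnormal record closes the session, is dropped
            current = []
        # not in range and set empty: abnormal record dropped, back to S1
    if current:                                                  # flush at end of input (assumed; not in S1-S7)
        sessions.append(current)
    return sessions


def access_targets(sessions):
    """The record with the latest access time in each session is that session's access target."""
    return [s[-1] for s in sessions]


def behavior_tracks(targets, window):
    """Divide access targets into behavior tracks by a fixed time window (the patent's optional rule)."""
    tracks: Dict[int, List[AccessRecord]] = {}
    for t in sorted(targets, key=lambda r: r.time):
        tracks.setdefault(t.time // window, []).append(t)
    return [tracks[k] for k in sorted(tracks)]


# Constructed sample: per-address dwell ranges and one stretch of access records.
DWELL_RANGES = {
    "http://portal.local/docs/list": (5.0, 60.0),
    "http://portal.local/docs/view": (5.0, 120.0),
    "http://dl.local/get": (2.0, 40.0),
}
RECORDS = [
    AccessRecord(0,    "http://portal.local/docs/list", ("click",),          20.0),
    AccessRecord(30,   "http://portal.local/docs/view", ("scroll", "click"), 45.0),
    AccessRecord(100,  "http://portal.local/docs/view", ("scroll",),         900.0),  # abnormal dwell: closes session
    AccessRecord(1000, "http://dl.local/get",           ("download",),       10.0),
    AccessRecord(1020, "http://portal.local/docs/list", ("click",),          30.0),   # dissimilar address: new session
    AccessRecord(1040, "http://portal.local/docs/list", ("click",),          1.0),    # abnormal dwell: closes session
    AccessRecord(2000, "http://dl.local/get",           (),                  0.5),    # abnormal, set empty: dropped
    AccessRecord(2010, "http://dl.local/get",           ("download",),       12.0),
]

if __name__ == "__main__":
    sessions = split_sessions(RECORDS, DWELL_RANGES, threshold=0.7)
    for track in behavior_tracks(access_targets(sessions), window=1000):
        print([(t.time, t.url) for t in track])
```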
Further, different access addresses have different preset dwell time ranges for their page dwell times, and a preset dwell time range is calculated by the following steps: obtaining the access records that include the access address corresponding to the page dwell time, to obtain similar access records; and calculating the preset dwell time range from the page dwell times of the similar access records.
Further, the step of calculating the preset dwell time range from the page dwell times of the similar access records comprises: drawing a box plot from the page dwell times of the similar access records; calculating the first quartile Q1, the third quartile Q3 and the interquartile range (quartile distance) QR of the box plot; and calculating the preset dwell time range $(\delta_{time_{min}}, \delta_{time_{max}})$ with the formula $\delta_{time_{min}} = Q1 - a \cdot QR$, $\delta_{time_{max}} = Q3 + a \cdot QR$, where a is a dimensionless coefficient.
In another aspect, to achieve the above object, the present invention provides an apparatus for determining conflicting rights.
The device for determining the conflict authority includes: the acquisition module is used for acquiring historical access information of the target subject; the analysis module is used for analyzing the historical access information to obtain a plurality of access targets, wherein the access targets comprise access addresses and page operations performed when the access addresses are accessed; the first determining module is used for determining a behavior track according to the access targets, wherein the behavior track comprises a plurality of access targets with adjacent access time; the judging module is used for judging whether the behavior track is a dangerous behavior track or not through the threat model; and the second determining module is used for determining the authority corresponding to the dangerous behavior track as the conflict authority in the authority set of the target subject when the behavior track is the dangerous behavior track.
To achieve the above object, the present invention also provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the above method when executing the computer program.
To achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the above method.
The method, the device, the computer equipment and the storage medium for determining the conflict authority provided by the invention are used for analyzing historical access information of a target subject to obtain a historical access target of the target subject, wherein the access target comprises an access address and page operation carried out when the access address is accessed, then a plurality of access targets adjacent in access time are divided into a behavior track, whether the behavior track is a dangerous behavior track or not is judged through a threat model, and when the dangerous behavior track exists, in a permission set of the target subject, the authority corresponding to the access target included in the dangerous behavior track is determined as the conflict authority. According to the method and the device, the threat model is used for judging the historical behavior track of the target subject, when the dangerous behavior track exists, the conflict authority in the authority set can be determined through the dangerous behavior track, and then the conflict authority in the authority set can be processed, so that the probability of potential safety hazard existing in the authority set is reduced.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart of a method for determining conflict permissions according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for determining conflict permissions according to a second embodiment of the present invention;
fig. 3 is a flowchart of a method for determining conflict permission according to a third embodiment of the present invention;
fig. 4 is a block diagram of a device for determining conflicting rights according to a fourth embodiment of the present invention; and
fig. 5 is a hardware configuration diagram of a computer device according to a fifth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to determine the conflict authority in an authority set and so improve the security of the authority set, the invention provides a method, a device, a computer device and a storage medium for determining the conflict authority. In the method, the historical access information of a target subject is first obtained, and a plurality of access targets are obtained by parsing it; an access target comprises an access address and the page operations performed when the access address is accessed. Behavior tracks are then determined from the access targets, one behavior track comprising a plurality of access targets adjacent in access time, for example three consecutive access targets as one behavior track, or five consecutive access targets as one behavior track. Whether a behavior track is a dangerous behavior track is then judged: in a dangerous behavior track the access targets it includes contradict the security objectives of confidentiality, integrity and availability, that is, there is a threat risk. If a behavior track of this type exists, that is, a dangerous behavior track, then for the target subject the combination of the access targets that form the dangerous behavior track affects the security of the target subject. At this point, the conflict authority in the authority set of the target subject is determined according to that behavior track, and the conflict authority in the authority set can then be processed, including deleting part or all of the conflict authorities from the authority set, or setting an authority combination restriction rule that prevents some authorities in the authority set from being granted simultaneously within a certain period of time, thereby reducing the security risk brought by the authority set.
Embodiments of the method, the apparatus, the computer device and the storage medium for determining conflicting rights provided by the present invention are described in detail below.
Example one
An embodiment of the present invention provides a method for determining a conflict permission, so as to determine a conflict permission in a permission set for a certain target subject, and further, can process the conflict permission to reduce an influence of the conflict permission on security, specifically, fig. 1 is a flowchart of the method for determining a conflict permission provided in the embodiment of the present invention, and as shown in fig. 1, the method for determining a conflict permission provided in the embodiment includes the following steps S101 to S105.
Step S101: and acquiring historical access information of the target subject.
The target subject may be an access subject identified by a user name or by the identification information of a terminal device, for which an authority set is configured. For example, a user identified by a user name can access only the range corresponding to the authority set when accessing the target system; likewise, when a user accesses the target system through a terminal identified by its identification information, only the range corresponding to that terminal's authority set can be accessed. Alternatively, the historical access information generated by the target subject accessing the target system over a period of time may be collected from the logs of the terminal device, of an intermediate control device (e.g. a firewall or proxy device), or of a server device.
Step S102: and analyzing the historical access information to obtain a plurality of access targets.
The access target comprises an access address and a page operation performed when the access address is accessed.
Alternatively, access addresses can be matched and extracted from the historical access information by a feature matching method using the feature information of an access address. For example, the feature information may be a specific string such as http or ftp, or a character string satisfying a specific format, for example a character string satisfying a "xxx." pattern. After each access address url is obtained, the page operations on the page corresponding to that url are further obtained; the page operations form a page operation set $\Omega op = (op_1, op_2, op_3, \ldots)$, and one access target is $R_i = (url_i, \Omega op_i)$.
In a session, that is, one communication process between the target subject and the interactive system, multiple interactions between the two may take place; for example, one TCP connection is established and several HTTP requests are sent over it, each request being an access to one access address. One session therefore includes accesses to multiple access addresses, each HTTP request corresponding to one access address. In this case the last access address in the session, together with the page operations corresponding to it, is used as the access target.
Optionally, in an embodiment, when the last access address in one session and the page operation corresponding to the last access address are used as the access target, the step S102 specifically includes: analyzing historical access information to obtain a plurality of access records, wherein the access records comprise access addresses and page operations performed when the access addresses are accessed; determining a session according to the access records, wherein the session comprises a plurality of access records with adjacent access time; and determining the access record with the latest access time in the session as an access target.
When determining the session from the access records, the session may be determined from the time intervals between access records, for example by treating access records whose time intervals fall within a certain time range as one session; or a plurality of access records with adjacent access times and similarity greater than a preset similarity threshold may be used as a session, where the similarity is the Hamming distance or edit distance between the access addresses of two adjacent access records, computed in the manner known in the prior art, which is not described again here.
Step S103: and dividing a plurality of access targets adjacent to the access time into a behavior track.
Optionally, for a plurality of access targets obtained by analyzing the historical access information in the first time range, the access target in the second time range is taken as one behavior track, for example, for a plurality of access targets obtained by analyzing the historical access information in one month, the access target in each day is taken as one behavior track, and 30 behavior tracks corresponding to one month can be obtained.
Step S104: and judging whether the behavior track is a dangerous behavior track or not through the threat model.
A dangerous behavior track is one in which security threats exist among the access targets included in the track. For example, behavior tracks are analyzed for risk assessment on the basis of the STRIDE threat model developed by Microsoft; from the attacker's perspective, six categories of threats are identified: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service (DoS), and Elevation of privilege. A behavior track is a dangerous behavior track when any of the above threats exists after the track has been evaluated.
Alternatively, a plurality of behavior tracks may be obtained in step S103; before judging in step S104 whether a behavior track is a dangerous behavior track, the obtained behavior tracks may be clustered into a plurality of categories, and one behavior track from each category is judged as the representative of whether the behavior tracks of that category are dangerous, so as to reduce the number of judgments.
Step S105: and when the behavior track is a dangerous behavior track, determining the authority corresponding to the dangerous behavior track as a conflict authority in the authority set of the target subject.
When one behavior track is a dangerous behavior track, it indicates that security threats exist by combining the permissions corresponding to each access target included in the behavior track, and therefore, the part of permissions belongs to conflict permissions.
In the method for determining a conflict permission provided in this embodiment, a historical access target of a target subject is obtained through parsing from historical access information of the target subject, where the access target includes an access address and a page operation performed when the access address is accessed, then a plurality of access targets adjacent to an access time are divided into a behavior track, whether the behavior track is a dangerous behavior track is determined through a threat model, and when a dangerous behavior track exists, a permission corresponding to the access target included in the dangerous behavior track is determined as the conflict permission in a permission set of the target subject. By adopting the method for determining the conflict permission provided by the embodiment, the historical behavior track of the target subject is judged by using the threat model, and when the dangerous behavior track exists, the conflict permission in the permission set can be determined through the dangerous behavior track, so that the conflict permission in the permission set can be processed, and the probability of potential safety hazard in the permission set is reduced.
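Steps S104 and S105 worked through as an added example in Python, not code from the patent: a rule-based threat model, each rule tagged with one of the threat categories the page lists (STRIDE), is applied to behavior tracks, and the permissions exercised by a dangerous track are reported as conflict permissions. The first rule encodes the background's own example (confidential content plus an externally downloaded program); the URL-to-permission mapping, rule contents, permission names and tracks are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessTarget:
    """An access target: access address plus the page operations performed on it (time is assumed)."""
    time: int
    url: str
    ops: Tuple[str, ...]


@dataclass(frozen=True)
class ThreatRule:
    """One entry of the threat model: a permission combination that, together with the listed page
    operations, yields a threat of the given STRIDE category (rule content is constructed)."""
    name: str
    stride: str
    permissions: FrozenSet[str]
    required_ops: FrozenSet[str] = frozenset()


# Constructed mapping from access address to the permission it exercises (hypothetical names).
URL_TO_PERMISSION = {
    "http://portal.local/docs/list": "confidential:read",
    "http://portal.local/docs/view": "confidential:read",
    "http://dl.local/get":           "downloads:fetch",
    "http://admin.local/users":      "users:manage",
}

# Constructed threat model; the first rule is the patent's background example.
RULES = [
    ThreatRule("external program alongside confidential content", "Information disclosure",
               frozenset({"confidential:read", "downloads:fetch"}), frozenset({"download"})),
    ThreatRule("fetched program alongside user management", "Elevation of privilege",
               frozenset({"downloads:fetch", "users:manage"}), frozenset({"download"})),
]


def evaluate_track(track: List[AccessTarget], url_to_perm, rules) -> List[ThreatRule]:
    """Step S104: the track is dangerous when every permission and operation of some rule occurs in it."""
    perms = {url_to_perm[t.url] for t in track if t.url in url_to_perm}
    ops = {op for t in track for op in t.ops}
    return [r for r in rules if r.permissions <= perms and r.required_ops <= ops]


def conflict_permissions(tracks, permission_set: FrozenSet[str], url_to_perm, rules) -> Dict[str, List[str]]:
    """Step S105: for each dangerous track, the permissions its access targets exercise (restricted to
    the subject's permission set) are conflict permissions, tagged with the threat categories found."""
    conflicts: Dict[str, set] = {}
    for track in tracks:
        fired = evaluate_track(track, url_to_perm, rules)
        if not fired:
            continue
        track_perms = {url_to_perm[t.url] for t in track if t.url in url_to_perm} & permission_set
        for perm in track_perms:
            conflicts.setdefault(perm, set()).update(r.stride for r in fired)
    return {perm: sorted(cats) for perm, cats in sorted(conflicts.items())}


# Constructed behavior tracks of one subject (e.g. one track per day) and its permission set.
PERMISSION_SET = frozenset({"confidential:read", "downloads:fetch", "users:manage"})
TRACKS = [
    [AccessTarget(30, "http://portal.local/docs/view", ("scroll",)),
     AccessTarget(1000, "http://dl.local/get", ("download",))],            # dangerous: first rule fires
    [AccessTarget(5000, "http://portal.local/docs/list", ("click",)),
     AccessTarget(5100, "http://portal.local/docs/view", ("scroll",))],    # confidential only: safe
    [AccessTarget(9000, "http://dl.local/get", ()),
     AccessTarget(9100, "http://admin.local/users", ("click",))],          # no download op: second rule not met
]

if __name__ == "__main__":
    print(conflict_permissions(TRACKS, PERMISSION_SET, URL_TO_PERMISSION, RULES))
```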
Example two
A second embodiment of the present invention provides a preferred method for determining conflict permissions, so as to determine the conflict permissions in the permission set of a certain target subject; some technical features are the same as in the first embodiment, and reference may be made to the first embodiment for their description and corresponding technical effects. In addition, in this embodiment abnormal access records are identified by page dwell time, which reduces the influence of abnormal access records on sessions, improves the accuracy of session determination and thereby improves the accuracy of conflict permission determination. Specifically, fig. 2 is a flowchart of the method for determining conflict permissions according to the second embodiment of the present invention, and as shown in fig. 2 the method includes steps S201 to S210 as follows.
Step S201: and acquiring historical access information of the target subject.
Step S202: and acquiring the access address in the historical access information.
Step S203: and acquiring page operation performed on the page when the access address is accessed.
Step S204: the page dwell time on the page when the access address is accessed is calculated.
Step S205: and generating an access record according to the access address, the page operation corresponding to the access address and the page retention time.
In step S203, a plurality of page operations performed on the page when the access address is accessed are obtained, and these form a page operation set $\Omega op = (op_1, op_2, op_3, \ldots)$; then in step S205, from the access address $url_i$, the page operation set $\Omega op_i$ corresponding to the access address and the page dwell time $\Delta_i$, an access record $R_i = (url_i, \Omega op_i, \Delta_i)$ is generated.
Step S206: and taking a plurality of adjacent access records with the similarity larger than a preset similarity threshold value and the page dwell time within a preset dwell time range as a session.
Through the step, the dwell time of the pages of the access records in the session is within the preset dwell time range, so that abnormal access in the session is eliminated.
Optionally, different access addresses have different preset dwell time ranges for their page dwell times. Since the content displayed and the operations available differ from page to page, setting an adaptive page dwell time range for each access address improves the accuracy of abnormal access judgment.
Further optionally, the preset dwell time range is calculated by: obtaining an access record comprising an access address corresponding to the retention time of the page to obtain a similar access record; and calculating a preset stay time range according to the stay time of the pages of the similar access records.
It can be seen that, when the relationship between the page dwell time in one access record and the preset dwell time range is judged, the preset dwell time range is calculated according to the page dwell time of other access records (namely similar access records) with the same access address as the access record, so that the calculation accuracy of the preset dwell time range is improved.
Further optionally, the step of calculating the preset dwell time range from the page dwell times of the similar access records includes: drawing a box plot from the page dwell times of the similar access records; calculating the first quartile Q1, the third quartile Q3 and the interquartile range (quartile distance) QR of the box plot; and calculating the preset dwell time range $(\delta_{time_{min}}, \delta_{time_{max}})$ with the formula $\delta_{time_{min}} = Q1 - a \cdot QR$, $\delta_{time_{max}} = Q3 + b \cdot QR$, where a and b are both dimensionless coefficients.
For the box plot, the first quartile Q1, also called the "lower quartile", is the value at the 25th percentile of all page dwell time values arranged from small to large. The second quartile Q2, also known as the median, is the value at the 50th percentile of all page dwell time values arranged from small to large. The third quartile Q3, also known as the "upper quartile", is the value at the 75th percentile of all page dwell time values arranged from small to large. The difference between the third quartile and the first quartile is called the quartile distance (interquartile range) QR. Optionally, a and b are both 1.5.
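The box-plot dwell time range from the Disclosure and from the paragraphs above, as an added Python example that is not code from the patent: dwell times are grouped by access address (the "similar access records"), Q1 and Q3 are taken with linear interpolation between order statistics (the quartile convention is an assumption, since the patent does not fix one), and a = b = 1.5 as suggested. The sample dwell times and all function names are constructed.

```python
from math import floor
from typing import Dict, Iterable, List, Tuple


def percentile(sorted_values: List[float], p: float) -> float:
    """p-th quantile (0 <= p <= 1) with linear interpolation between order statistics."""
    if not sorted_values:
        raise ValueError("no dwell times")
    pos = p * (len(sorted_values) - 1)
    lo = floor(pos)
    hi = min(lo + 1, len(sorted_values) - 1)
    return sorted_values[lo] + (sorted_values[hi] - sorted_values[lo]) * (pos - lo)


def dwell_range(dwell_times: Iterable[float], a: float = 1.5, b: float = 1.5) -> Tuple[float, float]:
    """(δtime_min, δtime_max) = (Q1 - a*QR, Q3 + b*QR), with QR = Q3 - Q1."""
    values = sorted(dwell_times)
    q1 = percentile(values, 0.25)
    q3 = percentile(values, 0.75)
    qr = q3 - q1
    return (q1 - a * qr, q3 + b * qr)


def dwell_ranges_by_url(records: Iterable[Tuple[str, float]]) -> Dict[str, Tuple[float, float]]:
    """Group similar access records (same access address) and derive each address's own range."""
    groups: Dict[str, List[float]] = {}
    for url, dwell in records:
        groups.setdefault(url, []).append(dwell)
    return {url: dwell_range(times) for url, times in groups.items()}


def is_abnormal(url: str, dwell: float, ranges: Dict[str, Tuple[float, float]]) -> bool:
    """Step S206 test: a record whose dwell time lies outside its address's range is abnormal."""
    lo, hi = ranges[url]
    return not (lo <= dwell <= hi)


# Constructed sample dwell times (seconds) for two access addresses, each with one outlier.
SAMPLE_RECORDS = [
    ("http://portal.local/docs/list", 20.0), ("http://portal.local/docs/list", 12.0),
    ("http://portal.local/docs/list", 400.0), ("http://portal.local/docs/list", 18.0),
    ("http://portal.local/docs/list", 25.0), ("http://portal.local/docs/list", 15.0),
    ("http://portal.local/docs/list", 30.0), ("http://portal.local/docs/list", 22.0),
    ("http://dl.local/get", 3.0), ("http://dl.local/get", 40.0), ("http://dl.local/get", 5.0),
    ("http://dl.local/get", 6.0), ("http://dl.local/get", 4.0),
]

if __name__ == "__main__":
    ranges = dwell_ranges_by_url(SAMPLE_RECORDS)
    for url, dwell in SAMPLE_RECORDS:
        if is_abnormal(url, dwell, ranges):
            print("abnormal:", url, dwell, "range:", ranges[url])
```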
Step S207: and determining the access record with the latest access time in the session as an access target.
In particular, one session includes several access records $R_i$; the session is $Record = [R_1, R_2, R_3, \ldots, R_i, R_{i+1}, \ldots, R_{MAX}]$, where $R_{MAX} = (url_{MAX}, \Omega op_{MAX}, \Delta_{MAX})$ is the access target.
Step S208: and dividing a plurality of access targets adjacent to the access time into a behavior track.
In particular, among a plurality of access targets $R_{MAX1}, R_{MAX2}, R_{MAX3}, R_{MAX4}, R_{MAX5}, R_{MAX6}, \ldots, R_{MAXN}$, several access targets with adjacent access times are divided into one behavior track, e.g. $R_{MAX1}, R_{MAX2}, R_{MAX3}$ as one behavior track and $R_{MAX4}, R_{MAX5}$ as another; optionally, a time window may be set, and the access targets within one time window are divided into one behavior track.
Step S209: and judging whether the behavior track is a dangerous behavior track or not through the threat model.
Step S210: and when the behavior track is a dangerous behavior track, determining the authority corresponding to the dangerous behavior track as a conflict authority in the authority set of the target subject.
With the method for determining conflicting rights provided by this embodiment, the access record includes the page dwell time; an access record whose page dwell time lies outside the preset page dwell time range is treated as an abnormal access record and is not included in any session, so the influence of abnormal access records on session determination is reduced, the accuracy of determining sessions, and therefore of determining access targets, is improved, and the accuracy of determining conflicting rights is improved in turn. Further, when judging abnormal access records, different page dwell time ranges are set for different access addresses, which improves the accuracy of that judgment; and the page dwell time range is determined from the page dwell times of similar access records, which improves the accuracy of the range itself.
EXAMPLE III
The third embodiment of the present invention provides a preferred method for determining conflicting rights, used to determine the conflicting rights in the rights set of a certain target subject; some technical features are the same as those of the first and second embodiments, and reference may be made to those embodiments for the specific description and corresponding technical effects. Further, the third embodiment acquires the access records one by one in access-time order and judges each session as it goes, so the judgment logic is simple and the accuracy is high. Specifically, fig. 3 is a flowchart of the method for determining conflicting rights according to the third embodiment, and as shown in fig. 3 the method includes steps S301 to S316 as follows.
Step S301: and acquiring historical access information of the target subject.
Step S302: and acquiring the access address in the historical access information.
Step S303: and acquiring page operation performed on the page when the access address is accessed.
Step S304: the page dwell time on the page when the access address is accessed is calculated.
Step S305: and generating an access record according to the access address, the page operation corresponding to the access address and the page retention time.
Step S306: one access record is acquired in the access time sequence as a first access record.
Optionally, for the acquired historical access information, the step S306 may be executed after each access record is generated, or the step S306 may be executed after all access records are generated, and both manners are within the protection scope of the present invention.
When step S306 is executed, the access records are acquired in access-time order. They may be acquired in forward order of access time, i.e. the access record with the earlier access time is acquired first and the one with the later access time afterwards; or they may be acquired in reverse order of access time, which is not described again here.
For convenience of description, the currently acquired access record is named as the first access record, and the "first" herein does not constitute a limitation on the order of access records.
Step S307: and judging whether the dwell time of the page in the first access record is within a preset dwell time range, and judging whether the access record set comprises the access record.
For the currently acquired first access record, the relationship between its page dwell time and the preset dwell time range is determined. The preset dwell time range identifies the range of dwell durations within which a user normally accesses the access address; an access outside that range is an abnormal access. That is, a page dwell time greater than the maximum of the preset dwell time range, or less than its minimum, both indicate an abnormal access: for example, an over-long page dwell time caused by a background response fault, or an over-short page dwell time caused by a user misoperation.
Meanwhile, whether the access record set comprises the access record or not is judged aiming at the current access record set. When the first access record is the first access record in the historical access information, firstly, an empty access record set is created.
And after judging the page dwell time and the access record set, executing different steps based on different judgment results, wherein when the page dwell time is not within the preset dwell time range and the access record set does not include an access record (corresponding to the NN in fig. 3), returning to the step S306, and acquiring a new access record for judgment. For other cases, the following steps are performed respectively, and the detailed description is given below.
Step S308: and calculating the similarity between the first access record and the latest access record in the access record set.
By the judgment of step S307, when the page dwell time is within the preset dwell time range and the access record set includes an access record (corresponding to YY in fig. 3), step S308 is executed. In step S308 the similarity between the first access record and the latest access record in the access record set is calculated, that is, the similarity between the first access record and the access record adjacent to it in access time within the access record set.
Step S309: and judging whether the similarity is greater than or equal to a preset similarity threshold value.
The similarity threshold is used to identify whether two access records belong to the same session, wherein when the similarity is greater than or equal to a preset similarity threshold (corresponding to Y in fig. 3), it indicates that the two access records are similar and belong to the same session, and step S310 is executed. When the similarity of the two access records is smaller than the preset similarity threshold (corresponding to N in fig. 3), it indicates that the two access records are not similar and do not belong to the same session, and the following step S311 is executed.
Step S310: the first access record is written to the set of access records.
After step S310 is executed, the process returns to step S306.
By the judgment of the step S307, when the page staying time is within the preset staying time range and the access record set does not include an access record (corresponding to YN in fig. 3), it indicates that the previous session is ended, a new session is opened, and the first access record belongs to the first access record in the new session, so that the step S310 is executed, and after the first access record is written into the access record set, the step S306 is returned, and an access record is obtained again for judgment.
Through the judgment of the step S309, when the similarity is greater than or equal to the preset similarity threshold, it indicates that the first access record and the access record in the current access record set belong to the same session, so the step S310 is executed, and after the first access record is written into the access record set, the step S306 is returned to, and an access record is obtained again for judgment.
Step S311: outputting the access record set to obtain a session, emptying the access record set, and adding the first access record into the access record set.
After step S311 is executed, the process returns to step S306.
Through the judgment of step S309, when the similarity is smaller than the preset similarity threshold, the first access record does not belong to the same session as the access records in the current access record set, so step S311 is executed: the access record set is output to obtain a session and then emptied, which ends the previous session and opens a new one; the first access record is written into the emptied access record set and becomes the first access record of the new session; and the process then returns to step S306 to acquire a new access record for judgment.
Step S312: and outputting the access record set to obtain a session, and emptying the access record set.
After step S312 is executed, the process returns to step S306.
By the judgment of the step S307, when the page staying time is not within the preset staying time range and the access record set includes the access record (corresponding to NY in fig. 3), it indicates that the previous session is ended, a new session is opened, the first access record is an abnormal access record, and the first access record is discarded, so that the step S312 is executed, the access record set is output first to obtain a session, then the access record set is cleared, the previous session is ended, a new session is opened, and then the step S306 is returned to, and an access record is obtained again for judgment.
Step S313: and determining the access record with the latest access time in the session as an access target.
After all the access records are processed, step S313 is executed.
Through the loop from step S306 to step S312, a plurality of sessions corresponding to the historical access information can be obtained, and the last access record (i.e. the access record with the latest access time) in each session is used as the access target.
Step S314: and dividing a plurality of access targets adjacent to the access time into a behavior track.
Step S315: and judging whether the behavior track is a dangerous behavior track or not through the threat model.
Step S316: and when the behavior track is a dangerous behavior track, determining the authority corresponding to the dangerous behavior track as a conflict authority in the authority set of the target subject.
Example four
Corresponding to the first embodiment, a fourth embodiment of the present invention provides a device for determining a conflict permission, and reference may be made to the above for corresponding technical features and technical effects, which are not described herein again. Fig. 4 is a block diagram of an apparatus for determining a conflict permission according to a fourth embodiment of the present invention, as shown in fig. 4, the apparatus includes an obtaining module 401, an analyzing module 402, a first determining module 403, a determining module 404, and a second determining module 405.
The acquisition module 401 is configured to acquire historical access information of a target subject, and the analysis module 402 is configured to analyze the historical access information to obtain multiple access targets, where the access targets include access addresses and page operations performed when the access addresses are accessed; the first determining module 403 is configured to determine a behavior trajectory according to the access targets, where the behavior trajectory includes a plurality of access targets with adjacent access times; the judging module 404 is configured to judge whether the behavior trajectory is a dangerous behavior trajectory through the threat model; and the second determining module 405 is configured to determine, in the permission set of the target subject, that the permission corresponding to the dangerous behavior trajectory is the conflict permission when the behavior trajectory is the dangerous behavior trajectory.
Optionally, in an embodiment, the parsing module 402 includes a parsing unit, a first determining unit, and a second determining unit, where the parsing unit is configured to parse historical access information to obtain a plurality of access records, where the access records include an access address and a page operation performed when the access address is accessed; the first determining unit is used for determining a session according to the access records, wherein the session comprises a plurality of access records with adjacent access time; and the second determining unit is used for determining the access record with the latest access time in the session as the access target.
Optionally, in an embodiment, the first determining unit, when determining the session according to the access records, is further configured to regard, as one session, several access records whose similarities are greater than a preset similarity threshold and whose access times are adjacent.
Optionally, in an embodiment, when the parsing unit parses the historical access information to obtain a plurality of access records, the specifically executed steps include: acquiring an access address in historical access information; acquiring page operation performed on a page when an access address is accessed; calculating the residence time of the page on the page when the access address is accessed; the first determining unit is further configured to use a plurality of access records, as a session, where the similarity is greater than a preset similarity threshold, the page dwell time is within a preset dwell time range, and the access records are adjacent to each other.
Optionally, in an embodiment, when the similarity is greater than a preset similarity threshold, the page dwell time is within a preset dwell time range, and a plurality of adjacent access records are taken as a session, the first determining unit specifically performs the following steps: step S1: acquiring an access record as a first access record according to the access time sequence; step S2: judging whether the page dwell time in the first access record is within a preset dwell time range, and judging whether the access record set comprises an access record, wherein when the page dwell time is within the preset dwell time range and the access record set comprises an access record, step S3 is executed; when the page dwell time is within the preset dwell time range and the access record set does not comprise an access record, step S5 is executed; when the page dwell time is not within the preset dwell time range and the access record set comprises an access record, step S7 is executed; and when the page dwell time is not within the preset dwell time range and the access record set does not comprise an access record, the process returns to step S1; step S3: calculating the similarity between the first access record and the latest access record in the access record set; step S4: judging whether the similarity is greater than or equal to a preset similarity threshold, wherein when the similarity is greater than or equal to the preset similarity threshold, step S5 is executed, and when the similarity is less than the preset similarity threshold, step S6 is executed; step S5: writing the first access record into the access record set, and returning to step S1; step S6: outputting the access record set to obtain a session, emptying the access record set, adding the first access record into the access record set, and returning to step S1; step S7: outputting the access record set to obtain a session, emptying the access record set, and returning to step S1.
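The loop of steps S306 to S312 of the third embodiment (steps S1 to S7 of the first determining unit above), followed by access-target selection (S313) and behavior-trace division (S314), as an added worked example in Python. This is not the patent's own code. The access records, the preset dwell-time ranges, the similarity measure (a Jaccard index over path segments and page operations, since the page does not fix one in this section), the treatment of the trailing non-empty access record set as a session, and the gap-based time window for traces are assumptions made for illustration:

```python
"""Session segmentation of access records (steps S306-S312, i.e. S1-S7 of the
first determining unit), then access targets (S313) and behavior traces (S314).
Added example, not the patent's code; all sample data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRecord:
    t: int            # access time in seconds (constructed clock)
    url: str          # access address
    ops: frozenset    # page operations performed on the page
    dwell: float      # page dwell time in seconds


def tokens(rec):
    """Path segments of the access address plus the page operations."""
    return set(rec.url.strip("/").split("/")) | set(rec.ops)


def similarity(r1, r2):
    """Assumed similarity: Jaccard index over tokens(). The page does not fix a
    similarity measure in this section, so this is an illustrative choice."""
    a, b = tokens(r1), tokens(r2)
    return len(a & b) / len(a | b)


def dwell_in_range(rec, ranges):
    """S307 / S2: is the page dwell time inside the preset range for this address?"""
    lo, hi = ranges[rec.url]
    return lo <= rec.dwell <= hi


def split_sessions(records, ranges, threshold=0.5):
    """Walk the records in forward access-time order (S306) and return the sessions."""
    sessions, current = [], []            # `current` is the access record set
    for rec in sorted(records, key=lambda r: r.t):
        ok = dwell_in_range(rec, ranges)
        if not ok and not current:        # NN: abnormal record, no open session, skip it
            continue
        if not ok:                        # NY (S312): output the session, drop the record
            sessions.append(current)
            current = []
        elif not current:                 # YN (S310): first record of a new session
            current = [rec]
        elif similarity(rec, current[-1]) >= threshold:   # YY, S308/S309
            current.append(rec)           # S310: same session
        else:                             # S311: output the session, start a new one
            sessions.append(current)
            current = [rec]
    if current:                           # assumption: the trailing set is also a session
        sessions.append(current)
    return sessions


def access_targets(sessions):
    """S313: the access record with the latest access time in each session."""
    return [max(s, key=lambda r: r.t) for s in sessions]


def behavior_traces(targets, window=600):
    """S314 with a time window (assumed gap-based): consecutive access targets
    whose access times differ by at most `window` seconds form one trace."""
    traces, current = [], []
    for tgt in sorted(targets, key=lambda r: r.t):
        if current and tgt.t - current[-1].t > window:
            traces.append(current)
            current = []
        current.append(tgt)
    if current:
        traces.append(current)
    return traces


# Constructed preset dwell-time ranges (seconds) per access address.
RANGES = {"/login": (1.0, 30.0), "/admin/users": (7.5, 87.5),
          "/admin/users/edit": (7.5, 87.5), "/report/export": (9.0, 41.0)}

# Constructed historical access records of one target subject.
RECORDS = [
    AccessRecord(0, "/login", frozenset({"submit"}), 5.0),
    AccessRecord(10, "/admin/users", frozenset({"list", "search"}), 40.0),
    AccessRecord(60, "/admin/users", frozenset({"list", "filter"}), 30.0),
    AccessRecord(100, "/admin/users/edit", frozenset({"edit", "save"}), 50.0),
    AccessRecord(160, "/admin/users", frozenset({"list"}), 900.0),      # backend stall -> NY
    AccessRecord(1100, "/report/export", frozenset({"download"}), 0.5),  # misclick -> NN
    AccessRecord(1200, "/report/export", frozenset({"download"}), 20.0),
    AccessRecord(1300, "/report/export", frozenset({"download", "filter"}), 25.0),
]


def run_example():
    """Access times of the sessions, the access targets and the behavior traces."""
    sessions = split_sessions(RECORDS, RANGES)
    targets = access_targets(sessions)
    return ([[r.t for r in s] for s in sessions],
            [r.t for r in targets],
            [[r.t for r in tr] for tr in behavior_traces(targets)])


if __name__ == "__main__":
    print(run_example())
```

On the constructed records the 900 s stall at t=160 closes the edit session without joining it (NY), the 0.5 s misclick at t=1100 is dropped while no session is open (NN), and the 1200 s gap between the edit target and the export target separates the two behavior traces. Note that the NY branch discards the abnormal record itself but still ends the session, so a single backend stall splits what may be one logical session into two access targets; the similarity threshold and the time window should be tuned together with the dwell-time ranges.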
Optionally, in an embodiment, the page dwell times corresponding to different access addresses differ, and so do the corresponding preset dwell time ranges; the first determining unit is further configured to calculate the preset dwell time range by the following steps: obtaining the access records that include the access address to which the page dwell time corresponds, as similar access records; and calculating the preset dwell time range from the page dwell times of the similar access records.
Optionally, in an embodiment, when the first determining unit calculates the preset dwell time range from the page dwell times of the similar access records, the steps specifically executed include: drawing a box plot from the page dwell times of the similar access records; calculating the first quartile Q1, the third quartile Q3 and the quartile distance QR of the box plot; and calculating the preset dwell time range $(\delta_{time,min}, \delta_{time,max})$ by the following formula: $\delta_{time,min} = Q1 - a \cdot QR$, $\delta_{time,max} = Q3 + a \cdot QR$, where a is a dimensionless coefficient.
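The box-plot calculation of the preset dwell time range, as described for the second embodiment (with separate coefficients a and b) and for the first determining unit above (with a single coefficient a), as an added worked example in Python. This is not the patent's own code; the access records are constructed, and the quartile method (Tukey's hinges: the medians of the lower and upper halves of the sorted dwell times) and the coefficient values are assumptions, since the page does not fix how Q1 and Q3 are computed:

```python
"""Preset dwell-time range per access address from a box plot over the similar
access records: (Q1 - a*QR, Q3 + b*QR). Added example, not the patent's code."""
from collections import defaultdict
from statistics import median

# Constructed sample: (access address, page dwell time in seconds).
SAMPLE_RECORDS = [
    ("/admin/users", 30), ("/admin/users", 35), ("/admin/users", 40),
    ("/admin/users", 45), ("/admin/users", 50), ("/admin/users", 55),
    ("/admin/users", 60), ("/admin/users", 900),      # 900 s: background response stall
    ("/report/export", 0.2), ("/report/export", 20),  # 0.2 s: user misclick
    ("/report/export", 22), ("/report/export", 24), ("/report/export", 26),
    ("/report/export", 28), ("/report/export", 30), ("/report/export", 33),
]


def quartiles(values):
    """Return (Q1, Q3, QR) of the box plot. Assumed method: Tukey's hinges,
    i.e. the medians of the lower and upper halves of the sorted values
    (the overall median is left out of both halves when n is odd)."""
    s = sorted(values)
    n = len(s)
    if n < 2:
        raise ValueError("at least two similar access records are needed")
    half = n // 2
    lower = s[:half]
    upper = s[half:] if n % 2 == 0 else s[half + 1:]
    q1, q3 = median(lower), median(upper)
    return q1, q3, q3 - q1


def dwell_range(values, a=1.5, b=1.5):
    """(delta_time_min, delta_time_max) = (Q1 - a*QR, Q3 + b*QR).
    a == b == 1.5 is the optional value named in the description; the
    single-coefficient variant is the special case a == b."""
    q1, q3, qr = quartiles(values)
    return q1 - a * qr, q3 + b * qr


def preset_ranges(records, a=1.5, b=1.5):
    """Group the records by access address (the similar access records of each
    address) and compute one preset dwell-time range per address."""
    by_url = defaultdict(list)
    for url, dwell in records:
        by_url[url].append(dwell)
    return {url: dwell_range(v, a, b) for url, v in by_url.items()}


def is_abnormal(url, dwell, ranges):
    """Outside the preset range (too short or too long) is an abnormal access record."""
    lo, hi = ranges[url]
    return not (lo <= dwell <= hi)


if __name__ == "__main__":
    ranges = preset_ranges(SAMPLE_RECORDS)
    for url, dwell in SAMPLE_RECORDS:
        if is_abnormal(url, dwell, ranges):
            print(f"abnormal: {url} dwell={dwell}s range={ranges[url]}")
```

Because the fences are built from quartiles, the single 900 s stall moves Q3 for /admin/users only to 57.5 s, so the range becomes (7.5, 87.5): the stall is flagged while the 60 s record is not. With only a handful of similar access records the lower bound can fall below zero; that is harmless for the comparison, but clamp it at 0 if the range is shown to an operator.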
EXAMPLE five
In this fifth embodiment, a computer device is further provided, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server, a tower server or a cabinet server (including an independent server or a server cluster formed by a plurality of servers) capable of executing programs, and the like. As shown in fig. 5, the computer device 01 of this embodiment at least includes, but is not limited to, a memory 011 and a processor 012, which are communicatively connected to each other via a system bus. It is noted that fig. 5 only shows the computer device 01 with the components memory 011 and processor 012, but it is to be understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
In this embodiment, the memory 011 (i.e., a readable storage medium) includes a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 011 may be an internal storage unit of the computer device 01, such as a hard disk or memory of the computer device 01. In other embodiments, the memory 011 may also be an external storage device of the computer device 01, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a Flash memory card (Flash Card), etc. provided on the computer device 01. Of course, the memory 011 may also include both internal and external storage units of the computer device 01. In this embodiment, the memory 011 is generally used to store the operating system installed in the computer device 01 and various application software, such as the program code of the apparatus for determining conflicting rights of the fourth embodiment. Further, the memory 011 may also be used to temporarily store various kinds of data that have been output or are to be output.
The processor 012 may be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor, or other data Processing chip in some embodiments. The processor 012 is generally used to control the overall operation of the computer device 01. In the present embodiment, the processor 012 is configured to run a program code stored in the memory 011 or process data, for example, a determination method of a collision authority or the like.
EXAMPLE six
The sixth embodiment further provides a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application store, etc., on which a computer program is stored which, when executed by a processor, implements the corresponding functions. The computer-readable storage medium of this embodiment stores the apparatus for determining conflicting rights and, when executed by a processor, implements the method for determining conflicting rights of the first embodiment.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for determining conflicting rights, comprising:
acquiring historical access information of a target subject;
analyzing the historical access information to obtain a plurality of access targets, wherein the access targets comprise access addresses and page operations performed when the access addresses are accessed;
dividing a plurality of access targets adjacent to the access time into a behavior track;
judging whether the behavior track is a dangerous behavior track or not through a threat model; and
and when the behavior track is the dangerous behavior track, determining that the authority corresponding to the dangerous behavior track is a conflict authority in the authority set of the target subject.
2. The method for determining conflicting rights according to claim 1 wherein the step of parsing the historical access information to obtain a plurality of access targets comprises:
analyzing the historical access information to obtain a plurality of access records, wherein the access records comprise the access addresses and page operations performed when the access addresses are accessed;
determining a session according to the access records, wherein the session comprises a plurality of access records adjacent to the access time; and
and determining the access record with the latest access time in the session as the access target.
3. The method of claim 2, wherein the step of determining a session based on the access record comprises:
and taking a plurality of access records with similarity larger than a preset similarity threshold and adjacent access time as one session.
4. The method for determining conflicting rights according to claim 3, wherein
the step of parsing the historical access information to obtain a plurality of access records comprises: acquiring the access address in the historical access information; acquiring the page operation performed on a page when the access address is accessed; calculating the residence time of the page on the page when the access address is accessed; generating the access record according to the access address, the page operation corresponding to the access address and the page dwell time,
the step of using a plurality of adjacent access records with the similarity greater than a preset similarity threshold as one session comprises the following steps: and taking a plurality of adjacent access records with the similarity larger than a preset similarity threshold value and the page dwell time within a preset dwell time range as the session.
5. The method for determining conflicting rights according to claim 4, wherein the step of regarding a plurality of access records with similarity greater than a preset similarity threshold, the page dwell time within a preset dwell time range and adjacent access records as one session comprises:
step S1: acquiring one access record as a first access record according to the access time sequence;
step S2: judging whether the dwell time of the page in the first access record is within a preset dwell time range, and judging whether an access record set comprises the access record, wherein when the dwell time of the page is within the preset dwell time range and the access record set comprises the access record, a step S3 is executed, when the dwell time of the page is within the preset dwell time range and the access record set does not comprise the access record, a step S5 is executed, when the dwell time of the page is not within the preset dwell time range and the access record set comprises the access record, a step S7 is executed, and when the dwell time of the page is not within the preset dwell time range and the access record set does not comprise the access record, the step S1 is returned;
step S3: calculating the similarity between the first access record and the latest access record in the access record set;
step S4: judging whether the similarity is greater than or equal to the preset similarity threshold, wherein when the similarity is greater than or equal to the preset similarity threshold, executing step S5, and when the similarity is less than the preset similarity threshold, executing step S6;
step S5: writing the first access record into the access record set, and returning to step S1;
step S6: outputting the access record set to obtain one session, emptying the access record set, adding the first access record into the access record set, and returning to the step S1;
step S7: outputting the access record set to obtain one of the sessions, emptying the access record set, and returning to step S1.
6. The method for determining conflicting rights according to claim 4 or 5, wherein the page dwell times corresponding to different access addresses differ, the corresponding preset dwell time ranges differ, and the preset dwell time range is calculated by the following steps:
obtaining an access record comprising an access address corresponding to the retention time of the page to obtain a similar access record; and
and calculating the preset stay time range according to the page stay time of the similar access record.
7. The method for determining conflicting rights according to claim 6, wherein the step of calculating the preset dwell time range based on the page dwell times of the similar access records comprises:
drawing a box line graph according to the page staying time of the similar access records;
calculating a first quartile Q1, a third quartile Q3, and a quartile distance QR of the box plot;
calculating the preset dwell time range $(\delta_{time,min}, \delta_{time,max})$ using the following formula:
$\delta_{time,min} = Q1 - a \cdot QR$, $\delta_{time,max} = Q3 + a \cdot QR$, where a is a dimensionless coefficient.
8. An apparatus for determining conflicting rights, comprising:
the acquisition module is used for acquiring historical access information of the target subject;
the analysis module is used for analyzing the historical access information to obtain a plurality of access targets, wherein the access targets comprise access addresses and page operations carried out when the access addresses are accessed;
the first determining module is used for determining a behavior track according to the access targets, wherein the behavior track comprises a plurality of access targets with adjacent access time;
the judging module is used for judging whether the behavior track is a dangerous behavior track or not through the threat model; and
and the second determining module is used for determining that the authority corresponding to the dangerous behavior track is a conflict authority in the authority set of the target subject when the behavior track is the dangerous behavior track.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 7 are implemented by the processor when executing the computer program.
10. A computer-readable storage medium having stored thereon a computer program, characterized in that: the computer program when executed by a processor implements the steps of the method of any one of claims 1 to 7.
Application CN201911421731.2A (priority date 2019-12-31, filing date 2019-12-31): Determination method and device of conflict authority, computer equipment and storage medium. Legal status: Active.

Publications (2)

CN111159719A, published 2020-05-15
CN111159719B, published 2022-02-08

Family ID: 70560575. Country status: CN (CN111159719B).

Citations (6)

* Cited by examiner, † Cited by third party
CN102843366A * (priority 2012-08-13, published 2012-12-26), 北京百度网讯科技有限公司: Network resource access permission control method and device
CN103701801A * (priority 2013-12-26, published 2014-04-02), 四川九洲电器集团有限责任公司: Resource access control method
CN103973503A * (priority 2014-05-29, published 2014-08-06), 北京中电普华信息技术有限公司: Method and system for controlling mobile application permission
CN105760745A * (priority 2014-12-15, published 2016-07-13), 华为软件技术有限公司: Authority management method and device
CN106056867A * (priority 2016-06-30, published 2016-10-26), 北京奇虎科技有限公司: Monitoring method and apparatus
CN110287694A * (priority 2019-06-26, published 2019-09-27), 维沃移动通信有限公司: Application management method, mobile terminal and storage medium

Family Cites Families (1)

EP3069465B1 * (priority 2013-11-14, published 2019-07-31), Pleasant Solutions Inc.: System and method for credentialed access to a remote server


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
IEEE, "ISO/IEC/IEEE International Standard - Systems and software engineering -- Vocabulary", ISO/IEC/IEEE 24765:2010(E), 2010-12-15, pp. 1-418 *
吴柯桦, "Research on an ontology- and rule-based access control model and its application" (基于本体和规则访问控制模型及应用研究), 万方数据, 2018-12-18, full text *

CN110020057B (en) Method and device for identifying spam comment information
CN107465744B (en) Data downloading control method and system
CN113315739A (en) Malicious domain name detection method and system
CN111967043B (en) Method, device, electronic equipment and storage medium for determining data similarity
CN110442845B (en) File repetition rate calculation method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Room 332, 3/F, Building 102, 28 Xinjiekouwei Street, Xicheng District, Beijing 100088

Patentee after: QAX Technology Group Inc.

Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3/F, Building 102, 28 Xinjiekouwei Street, Xicheng District, Beijing 100088

Patentee before: QAX Technology Group Inc.

Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

CP01 Change in the name or title of a patent holder