CN113765924A - Safety monitoring method, terminal and equipment based on cross-server access of user - Google Patents


Info

Publication number: CN113765924A
Authority: CN (China)
Prior art keywords: server, login, user, behavior, information
Legal status: Pending
Application number: CN202111049378.7A
Other languages: Chinese (zh)
Inventor: 余乐贵
Current Assignee: Weikun Shanghai Technology Service Co Ltd
Original Assignee: Weikun Shanghai Technology Service Co Ltd
Application filed by Weikun Shanghai Technology Service Co Ltd
Priority to CN202111049378.7A
Publication of CN113765924A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application is applicable to the field of information security, and provides a security monitoring method, a terminal and equipment based on cross-server access of a user, wherein the method comprises the following steps: when a user login behavior of a first server in a server cluster is monitored, first login process information of the user login behavior in the first server and TCP session information corresponding to the user login behavior in the first server are obtained; determining a login opposite end corresponding to the user login behavior in the first server based on the TCP session information; when the login opposite terminal is determined to be a second server in the server cluster, second login process information corresponding to user login behaviors in the second server is traced; and storing the first login process information and the second login process information in the same login sequence in an associated manner to obtain cross-server access security monitoring information. The scheme can improve the accuracy and effectiveness of the safety control of the server.

Description

Safety monitoring method, terminal and equipment based on cross-server access of user
Technical Field
The application belongs to the field of information security, and particularly relates to a security monitoring method, a terminal and equipment based on cross-server access of a user.
Background
With the spread of network technology, network security has become increasingly important. Protecting the server side that provides network services to users is particularly important: potential external attacks on a server must be discovered in time so that the server side keeps operating safely.
At present, however, security protection software generally monitors user operations on each server separately to ensure that each server runs safely. When faced with more concealed and complex network attacks, this approach cannot accurately identify them, which results in low accuracy and low coverage of security protection.
Disclosure of Invention
The embodiment of the application provides a security monitoring method, a terminal and equipment based on cross-server access by a user, which aim to solve the problem in the prior art that, when faced with more concealed and complex network attacks, the existing method cannot accurately identify the attack, so that the accuracy and coverage of security protection are low.
A first aspect of an embodiment of the present application provides a security monitoring method based on cross-server access by a user, including:
when a user login behavior of a first server in a server cluster is monitored, acquiring first login process information of the user login behavior in the first server and acquiring TCP session information corresponding to the user login behavior in the first server; the first login process information comprises the address of the first server, and the sequence number and the creation time of the login process corresponding to the user login behavior in the first server;
determining a login opposite terminal corresponding to the user login behavior in the first server based on the TCP session information;
when the login opposite terminal is determined to be a second server in the server cluster, second login process information corresponding to the user login behavior in the second server is traced based on the TCP session information; the second login process information comprises the address of the second server, and the sequence number and the creation time of the login process corresponding to the user login behavior in the second server;
and storing the first login process information and the second login process information in the same login sequence in an associated manner to obtain cross-server access security monitoring information.
A second aspect of an embodiment of the present application provides a security monitoring device based on cross-server access by a user, including:
a first acquisition module, configured to, when a user login behavior of a first server in a server cluster is monitored, acquire first login process information of the user login behavior in the first server and acquire TCP session information corresponding to the user login behavior in the first server; the first login process information comprises the address of the first server, and the sequence number and the creation time of the login process corresponding to the user login behavior in the first server;
a determining module, configured to determine, based on the TCP session information, a login opposite end corresponding to the user login behavior in the first server;
a second obtaining module, configured to, when it is determined that the login opposite end is a second server in the server cluster, trace back second login process information corresponding to the user login behavior in the second server based on the TCP session information; the second login process information comprises the address of the second server, and the sequence number and the creation time of the login process corresponding to the user login behavior in the second server;
and the storage module is used for storing the first login process information and the second login process information into the same login sequence in an associated manner to obtain cross-server access security monitoring information.
A third aspect of embodiments of the present application provides a terminal, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method according to the first aspect when executing the computer program.
A fourth aspect of embodiments of the present application provides a computer-readable storage medium, in which a computer program is stored, which, when executed by a processor, performs the steps of the method according to the first aspect.
A fifth aspect of the present application provides a computer program product, which, when run on a terminal, causes the terminal to perform the steps of the method of the first aspect described above.
Therefore, in the embodiment of the application, the user login behaviors on independent servers are associated by tracing them across different servers, which replaces the existing siloed, per-server analysis of the information on each independent server; a behavior portrait of the user's cross-server login behavior is constructed, user behavior analysis is better realized, and the accuracy and effectiveness of server security control are improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a first flowchart of a security monitoring method based on cross-server access of a user according to an embodiment of the present application;
fig. 2 is a flowchart ii of a security monitoring method based on cross-server access by a user according to an embodiment of the present application;
fig. 3 is a structural diagram of a security monitoring device based on cross-server access by a user according to an embodiment of the present application;
fig. 4 is a block diagram of a computer device according to an embodiment of the present disclosure.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
In particular implementations, the terminals described in embodiments of the present application include, but are not limited to, other portable devices such as mobile phones, laptop computers, or tablet computers having touch sensitive surfaces (e.g., touch screen displays and/or touch pads). It should also be understood that in some embodiments, the device is not a portable communication device, but is a desktop computer having a touch-sensitive surface (e.g., a touch screen display and/or touchpad).
In the discussion that follows, a terminal that includes a display and a touch-sensitive surface is described. However, it should be understood that the terminal may include one or more other physical user interface devices such as a physical keyboard, mouse, and/or joystick.
The terminal supports various applications, such as one or more of the following: a drawing application, a presentation application, a word processing application, a website creation application, a disc burning application, a spreadsheet application, a gaming application, a telephone application, a video conferencing application, an email application, an instant messaging application, an exercise support application, a photo management application, a digital camera application, a web browsing application, a digital music player application, and/or a digital video player application.
Various applications that may be executed on the terminal may use at least one common physical user interface device, such as a touch-sensitive surface. One or more functions of the touch-sensitive surface and corresponding information displayed on the terminal can be adjusted and/or changed between applications and/or within respective applications. In this way, a common physical architecture (e.g., touch-sensitive surface) of the terminal can support various applications with user interfaces that are intuitive and transparent to the user.
It should be understood that, the sequence numbers of the steps in this embodiment do not mean the execution sequence, and the execution sequence of each process should be determined by the function and the inherent logic of the process, and should not constitute any limitation to the implementation process of the embodiment of the present application.
In order to explain the technical solution described in the present application, the following description will be given by way of specific examples.
Referring to fig. 1, fig. 1 is a first flowchart of a security monitoring method based on cross-server access of a user according to an embodiment of the present application. As shown in fig. 1, a security monitoring method based on cross-server access of users includes the following steps:
step 101, when it is monitored that a first server in a server cluster has a user login behavior, acquiring first login process information of the user login behavior in the first server and acquiring TCP session information corresponding to the user login behavior in the first server.
The first login process information comprises the address of the first server, the sequence number and the creation time of the login process corresponding to the user login behavior in the first server.
The scheme is applied to a multi-server scene, a server monitoring platform can be specifically arranged, cross-server login behaviors in the multi-server scene are specifically monitored, and discrimination of user attack behaviors in the multi-server scene is achieved through monitoring information.
When a user logs in to a server, a TCP (Transmission Control Protocol) session is first established between the login end and the server to carry the login connection. Once the connection is established, an sshd process is spawned on the server as the daemon of the current session. SSH (Secure Shell) is a security protocol built on the application layer and the transport layer, and the sshd service uses the SSH protocol for remote control and file transfer between computers. The session daemon may then derive sub-processes that execute the user's operations, forming a series of instruction operations associated with the current login behavior, such as invoking or modifying data, maliciously exporting data from the server, or large numbers of redundant operations that tie up server processing resources.
In a cross-server login scenario, these instruction operations may also include establishing a connection from the current server to a next server. The derived sub-processes then include a process that instructs the current server to log in to the next server; the address of the target server is indicated in that process, and the action executed on its basis is to establish a TCP session with the target server, which realizes the cross-server login connection.
When recording the process information of a login behavior on a server, the server's identifier must be recorded so that the server on which the login occurred can be identified. Since several terminals may be logged in to one server at the same point in time, the ID of the sshd session process and its creation time on the server side also need to be recorded; a specific login event occurring on one server at a given point in time can then be uniquely identified by the creation time and process ID of its sshd process, giving an accurate record of user login information.
A login is thus identified by the server address, the ID of the sshd process and the creation time of that sshd process; because the process IDs differ, different users can be distinguished in this way even if they log in to the same server at the same time.
In a specific implementation process, the monitoring of the server may be monitoring executed activities in the server, and specifically may be implemented by performing real-time capture analysis on execution conditions of each process in the server, or by using a server log.
Specifically, an information grabbing component is configured in each server of the server cluster; and acquiring a server log of each server in the server cluster based on the information capturing component, and monitoring the behavior of each server in the server cluster based on the server log.
The information capturing component is specifically an agent configured on the server. The agent on each server records the server's locally executed operations and reports them to the monitoring platform; the server logs uploaded by the agents on the different servers are thus acquired, and the servers' operations are analyzed based on the log contents.
In particular, a server log is a record of the operational status of a server. The contents of the field records in the server log include, for example:
date (date): a date on which the operation request was issued;
time (time): time of issuing the operation request;
client IP address (c-IP): the IP address of the client sending the operation request;
user name (cs-username): accessing a name of an authenticated user of the server;
server name (s-computername): generating a name of a server of the log file item;
server IP address (s-IP): generating an IP address of a server of the log file entry;
server port (s-port): a server port number configured for the service;
method (cs-method): requested operations, such as GET methods;
number of bytes sent (sc-bytes): the number of bytes sent by the server;
number of bytes received (cs-bytes): the number of bytes received by the server;
time taken (time-taken): the time taken by the operation (milliseconds);
protocol version (cs-version): the protocol version (HTTP or FTP) used by the client; and so on.
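As an added example (not code from the patent), the following Python parser reads server log records laid out according to the field list above, driven by a `#Fields:` directive as in the W3C extended log format that web servers such as IIS write. The directive line, the lowercase field spellings and the three sample records are assumptions constructed for this example; `-` is treated as an absent value, and the per-client summary is the kind of aggregation an agent could report to the monitoring platform.

```python
"""Parse '#Fields:'-described server log lines and summarize them per client IP.

Added example, not code from the patent. The directive line, field spellings
and sample records below are constructed; '-' marks an absent value.
"""
from typing import Dict, List, Optional

SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username s-computername s-ip s-port cs-method sc-bytes cs-bytes time-taken cs-version
2021-09-08 10:00:01 10.0.0.1 alice WEB-1 10.0.1.10 443 GET 5120 312 15 HTTP/1.1
2021-09-08 10:00:02 203.0.113.5 - WEB-1 10.0.1.10 443 POST 210 980 230 HTTP/1.1
2021-09-08 10:00:03 203.0.113.5 - WEB-1 10.0.1.10 443 POST 210 1024 250 HTTP/1.1
"""

INT_FIELDS = {"s-port", "sc-bytes", "cs-bytes", "time-taken"}


def parse_log(text: str) -> List[Dict[str, Optional[object]]]:
    """Return one dict per record; the field layout comes from the last '#Fields:' line."""
    fields: Optional[List[str]] = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):                 # directive lines, not records
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: record before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        record: Dict[str, Optional[object]] = {}
        for name, value in zip(fields, values):
            if value == "-":
                record[name] = None              # absent value
            elif name in INT_FIELDS:
                record[name] = int(value)
            else:
                record[name] = value
        records.append(record)
    return records


def summarize_by_client(records) -> Dict[str, Dict[str, int]]:
    """Per client IP: request count, bytes the server received, unauthenticated requests."""
    summary: Dict[str, Dict[str, int]] = {}
    for rec in records:
        entry = summary.setdefault(rec["c-ip"], {"requests": 0, "cs-bytes": 0, "anonymous": 0})
        entry["requests"] += 1
        entry["cs-bytes"] += rec["cs-bytes"] or 0
        if rec["cs-username"] is None:
            entry["anonymous"] += 1
    return summary


if __name__ == "__main__":
    for ip, stats in summarize_by_client(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Because the layout is taken from the directive rather than hard-coded, the same parser copes with agents that emit a different field order or subset, which is what a cluster-wide monitoring platform has to expect.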
When the agent in the server records the local operation instruction of the server, the instruction content needing to be monitored can be set in advance, the server log is obtained by capturing and recording the relevant information, and the server log is uploaded to the monitoring platform.
Correspondingly, in a specific implementation process, when it is monitored that a user login behavior occurs in a first server in a server cluster, acquiring first login process information of the user login behavior in the first server and acquiring TCP session information corresponding to the user login behavior in the first server includes:
when first sshd process information corresponding to a user login behavior is monitored from a server log of a first server, determining that the user login behavior occurs in the first server;
TCP session information associated with the first sshd process is extracted from the server log of the first server, and the address of the first server, the sequence number and the creation time of the first sshd process are extracted from the server log of the first server to form first login process information.
The process of acquiring the first login process information of the user login behavior in the first server and acquiring the TCP session information corresponding to the user login behavior in the first server is associated with the captured server log, and the extraction and analysis of the information related to the user login behavior are performed based on the acquired log information of each server in the server cluster, so that the feasibility of server safety monitoring is improved.
It should be noted that the servers in the server cluster may be independent servers, or may also be cloud servers that provide basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, Network services, cloud communication, middleware services, domain name services, security services, Content Delivery Networks (CDNs), big data platforms, and artificial intelligence platforms.
Step 102, determining a login opposite terminal corresponding to the user login behavior in the first server based on the TCP session information.
Wherein, the TCP session information includes: source IP address, source port, destination IP address, destination port.
The source IP address is an IP address of a login opposite terminal, and the destination IP address is an IP address of the first server which is determined to have user login behavior at present.
In a specific implementation process, the determining, based on the TCP session information, a login opposite end corresponding to a user login behavior in the first server includes:
extracting a session source end address from TCP session information; and based on the session source end address, when a second server with the address consistent with the session source end address exists in the server cluster, determining the second server as a login opposite end corresponding to the user login behavior.
Alternatively, based on the session source address, when that address is determined to be the address of the bastion host corresponding to the server cluster, the bastion host is determined to be the login opposite end corresponding to the user login behavior.
Here, the session source address is the source IP address contained in the TCP session information, and the bastion host is a system component that provides security management and access control.
Through this association of the user login behaviors in the related processes of different servers, the first hop of a multi-hop login chain can be located quickly. The first hop normally originates from the bastion host: when the source of the current user login behavior is not the bastion host, the chain has not yet been traced back to its first hop, so the user login information recorded at that source is extracted and associated in turn; when the source of the current user login behavior is the bastion host, the first hop of the login behavior is considered to have been traced.
As an optional implementation, after the bastion host has been determined, based on the source address, to be the login opposite end corresponding to the user login behavior, the method further includes:
accessing the user login log of the bastion host and obtaining the source user information of the user login behavior from that log; and, based on the source user information, raising a warning if the login user corresponding to the user login behavior is determined not to be a permitted user.
By accessing the bastion host's user login log, whether the source user of the login behavior is a permitted user can be confirmed, so that a suspicious login can be judged more quickly; when the source user is judged not to be permitted, a warning prompt is issued to flag a potential attack risk.
Step 103, when the login opposite end is determined to be a second server in the server cluster, tracing second login process information corresponding to the user login behavior in the second server based on the TCP session information.
The second login process information comprises the address of the second server, the sequence number and the creation time of the login process corresponding to the user login behavior in the second server.
Specifically, an information grabbing component is configured in each server of the server cluster; and obtaining a server log of each server in the server cluster based on the information capturing component, and tracing second login process information corresponding to the user login behavior in the second server based on the server log.
Specifically, as an optional implementation manner, the tracing, based on the TCP session information, second login process information corresponding to the user login behavior in the second server includes:
determining a TCP session creation process associated with the TCP session information in the second server based on the TCP session information; based on the TCP session creation process, determining a second sshd process corresponding to the user login behavior in the second server from a process stack to which the TCP session creation process belongs; and acquiring the address of the second server and the sequence number and the creation time of the second sshd process to form second login process information.
When a TCP session is in progress between two terminals, both terminals that have logged in have TCP session information recorded in correspondence with the TCP session. That is, the TCP session information corresponding to the current user login behavior in the first server exists in both the first server and the login opposite terminal.
When it is determined that the login opposite terminal is the second server based on the TCP session information, a process associated with the login opposite terminal needs to be determined from the second server.
Specifically, when a TCP session is established from the second server to the first server to realize the user's cross-server login, the connection is initiated by a sub-process derived from the sshd process of the user's session on the second server.
Therefore, the TCP session creation process on the second server can be determined from the TCP session information. This process is a sub-process derived from the daemon process corresponding to the user login behavior on the second server, so it belongs to that session's process stack, and the second sshd process corresponding to the user login behavior on the second server can be determined from the process stack to which the TCP session creation process belongs.
The sequence number and creation time of the second sshd process are then obtained and, together with the address of the second server, form the second login process information.
In this process the user login behaviors on different servers are traced: after the user login behavior information of the first server is acquired, the second login behavior information of the opposite server is acquired, so that the user login behaviors on the two independent servers are associated, replacing the existing siloed, per-server analysis.
Because a TCP connection is unique (no two TCP connections that exist at the same time share the same source address, source port, destination address and destination port), the association to the previous hop is exact and no mis-association can occur.
Step 104, storing the first login process information and the second login process information in the same login sequence in an associated mode to obtain cross-server access security monitoring information.
Wherein all login process information recorded in one login sequence corresponds to the same login user.
By associating the login information recorded on different independent servers with the same user, the user login behaviors recorded in the login sequence are chained together; attention is focused on the user's cross-server login sequence, a behavior portrait of the user's cross-server login behavior is constructed, the login behavior is analyzed, and a security monitoring result is obtained.
In the embodiment of the application, the user login behaviors on independent servers are associated by tracing them across different servers, which replaces the existing siloed, per-server analysis of the information on each independent server; a behavior portrait of the user's cross-server login behavior is constructed, user behavior analysis is better realized, and the accuracy and effectiveness of server security control are improved.
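Steps 101 to 104 above, worked through as an added Python example that is not code from the patent. It assumes that each server's agent reports a process table in which every sshd session process carries the TCP 4-tuple of its inbound login session, that every process which opened an outbound SSH connection carries the 4-tuple of that connection, and that both ends record the same 4-tuple (the uniqueness argument of the description). The tracer follows the session source address hop by hop until it reaches the bastion host, an address outside the cluster, or a broken trail; the hop limit and loop guard are this example's own additions. All addresses, PIDs, times and the bastion login log are constructed sample data.

```python
"""Trace a user's cross-server SSH login chain back to its first hop (steps 101-104).

Added example, not code from the patent. Assumes each server's agent reports a
process table where sshd session processes carry their inbound TCP 4-tuple and
outbound ssh clients carry the 4-tuple they opened, identical at both ends.
All addresses, PIDs and times below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    name: str
    created: str                      # creation time, ISO 8601
    conn: Optional[FourTuple] = None  # session served (sshd) or opened (ssh client)

@dataclass(frozen=True)
class LoginProcessInfo:
    """Server address, sshd sequence number and creation time identify one login."""
    server: str
    pid: int
    created: str

@dataclass
class TraceResult:
    sequence: List[LoginProcessInfo]      # first server first, earlier hops after it
    origin: str                           # "bastion", "external" or "broken"
    origin_session: Optional[FourTuple]   # session that produced the verdict

def find_sshd_ancestor(table: Dict[int, Process], pid: int) -> Optional[Process]:
    """Climb the process stack from pid to the sshd daemon of its login session."""
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        if table[pid].name == "sshd":
            return table[pid]
        pid = table[pid].ppid
    return None

def find_session_creator(table: Dict[int, Process], conn: FourTuple) -> Optional[Process]:
    """The non-sshd process on the peer that opened the given TCP session."""
    return next((p for p in table.values() if p.conn == conn and p.name != "sshd"), None)

def trace_login_chain(cluster, bastion_ip, first_server, first_sshd_pid, max_hops=16):
    """Follow the login peer hop by hop (step 102/103) and collect the login sequence (step 104)."""
    sequence: List[LoginProcessInfo] = []
    visited = set()
    server, pid = first_server, first_sshd_pid
    for _ in range(max_hops):
        sshd = cluster[server].get(pid)
        if sshd is None or sshd.name != "sshd" or sshd.conn is None:
            return TraceResult(sequence, "broken", None)
        if (server, pid, sshd.created) in visited:        # loop guard
            return TraceResult(sequence, "broken", sshd.conn)
        visited.add((server, pid, sshd.created))
        sequence.append(LoginProcessInfo(server, pid, sshd.created))
        src_ip = sshd.conn[0]                              # session source = login peer
        if src_ip == bastion_ip:
            return TraceResult(sequence, "bastion", sshd.conn)
        if src_ip not in cluster:
            return TraceResult(sequence, "external", sshd.conn)
        # Peer is another cluster server: find the process there that opened this
        # exact TCP session, then climb to the sshd of the session it ran under.
        creator = find_session_creator(cluster[src_ip], sshd.conn)
        prev_sshd = find_sshd_ancestor(cluster[src_ip], creator.pid) if creator else None
        if prev_sshd is None:
            return TraceResult(sequence, "broken", sshd.conn)
        server, pid = src_ip, prev_sshd.pid
    return TraceResult(sequence, "broken", None)

def bastion_user_check(bastion_login_log: Dict[FourTuple, str], session, permitted: set):
    """Optional check from step 102: the user behind the first-hop session according to
    the bastion's own login log, and whether that user is permitted (else warn)."""
    user = bastion_login_log.get(session)
    return user, user is not None and user in permitted

# Constructed sample: bastion 10.0.0.1 -> web-1 10.0.1.10 -> db-1 10.0.2.20
BASTION_IP = "10.0.0.1"
HOP1 = ("10.0.0.1", 50123, "10.0.1.10", 22)
HOP2 = ("10.0.1.10", 41000, "10.0.2.20", 22)
CLUSTER = {
    "10.0.1.10": {p.pid: p for p in [
        Process(3100, 1, "sshd", "2021-09-08T10:00:00", HOP1),
        Process(3105, 3100, "bash", "2021-09-08T10:00:01"),
        Process(3111, 3105, "ssh", "2021-09-08T10:02:29", HOP2),
        Process(3300, 1, "sshd", "2021-09-08T11:30:00", ("203.0.113.5", 55000, "10.0.1.10", 22)),
    ]},
    "10.0.2.20": {p.pid: p for p in [
        Process(7200, 1, "sshd", "2021-09-08T10:02:30", HOP2),
        Process(7204, 7200, "bash", "2021-09-08T10:02:31"),
    ]},
}
BASTION_LOGIN_LOG = {HOP1: "alice"}   # session opened from the bastion -> login user
PERMITTED_USERS = {"alice", "bob"}

if __name__ == "__main__":
    result = trace_login_chain(CLUSTER, BASTION_IP, "10.0.2.20", 7200)
    print(result.origin, [(h.server, h.pid, h.created) for h in result.sequence])
    print(bastion_user_check(BASTION_LOGIN_LOG, result.origin_session, PERMITTED_USERS))
```

Starting from the login noticed on db-1 (sshd 7200), the tracer matches that session's 4-tuple against web-1's process table, lands on the `ssh` child of web-1's sshd 3100, and stops when the next source address is the bastion; the login on web-1 from 203.0.113.5 is reported as `external` after a single hop, which is the case a monitoring platform would want to alert on because it bypassed the bastion.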
The embodiments of the application also provide other implementations of the security monitoring method based on cross-server access by a user.
Referring to fig. 2, fig. 2 is a second flowchart of a security monitoring method based on cross-server access by a user according to an embodiment of the application. As shown in fig. 2, the method includes the following steps:
Step 201, when it is monitored that a user login behavior has occurred on a first server in the server cluster, acquire first login process information of the user login behavior on the first server and acquire the TCP session information corresponding to that user login behavior on the first server.
The first login process information comprises the address of the first server, and the sequence number and creation time of the login process corresponding to the user login behavior on the first server.
This step is implemented in the same way as step 101 of the preceding embodiment and is not described again here.
Step 202, determine, based on the TCP session information, the login opposite end corresponding to the user login behavior on the first server.
This step is implemented in the same way as step 102 of the preceding embodiment and is not described again here.
Step 203, when the login opposite end is determined to be a second server in the server cluster, trace, based on the TCP session information, the second login process information corresponding to the user login behavior on the second server.
The second login process information comprises the address of the second server, and the sequence number and creation time of the login process corresponding to the user login behavior on the second server.
This step is implemented in the same way as step 103 of the preceding embodiment and is not described again here.
Step 204, store the first login process information and the second login process information in the same login sequence in an associated manner, to obtain cross-server access security monitoring information.
This step is implemented in the same way as step 104 of the preceding embodiment and is not described again here.
Step 205, acquire, based on the login sequence, the login jump path of the user login behavior in the server cluster.
Here the login jump path comprises the server nodes involved and the order in which the user login behavior jumped between those server nodes.
Step 206, acquire the command sequence executed under the user login behavior on each server in the login jump path.
Step 207, identify, based on the command sequence, the server operations triggered by the user login behavior on each server.
The daemon process corresponding to the user login behavior on a server can spawn sub-processes; these sub-processes correspond to the command sequence under the user login behavior and cause the server to execute the server operations the user requested.
Server operations include, for example, data retrieval, data modification and data calculation.
Step 208, judge the security of the user login behavior based on the server operations and the login jump path.
By acquiring the login jump path, the user login behaviors on all servers recorded in the login sequence are linked together to construct a user login behavior portrait. Combined with the server operations executed on the different server nodes along the login jump path, information that was previously independent and fragmented is fused to judge whether the current user login behavior is suspicious, so user behavior analysis is improved and the accuracy and effectiveness of server security control are improved.
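The following Python is an added illustration of steps 205 to 208 and is not code from the patent: it orders a login sequence into a login jump path, maps each node's command sequence to server operations, and applies a judgement rule. The LoginRecord type, the OPERATION_OF rule table, the sample records and command lines, and the suspicion policy in judge (including max_hops) are all constructed assumptions.

```python
"""Login jump path, server operations and a behavior judgement built on a
login sequence. Constructed example, not the patent's code; the rule table,
sample records and suspicion policy are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginRecord:
    server: str                 # server address
    pid: int                    # sequence number of the sshd login process
    created: str                # creation time of that process, ISO 8601


# Constructed rule table: first word of a command -> server operation category.
OPERATION_OF = {
    "cat": "retrieval", "grep": "retrieval", "ls": "retrieval", "mysqldump": "retrieval",
    "cp": "modification", "rm": "modification", "sed": "modification", "chmod": "modification",
    "awk": "calculation", "sort": "calculation", "python3": "calculation",
    "ssh": "jump",              # the hop to the next server node
}


def login_jump_path(sequence):
    """Order the login records by creation time: the earliest sshd login
    process is the entry node, each later one is the next hop."""
    return [r.server for r in sorted(sequence, key=lambda r: r.created)]


def server_operations(commands):
    """Map a command sequence to the server operations it triggers."""
    ops = []
    for line in commands:
        words = line.split()
        ops.append(OPERATION_OF.get(words[0], "other") if words else "other")
    return ops


def judge(sequence, commands_by_login, max_hops=2):
    """Assumed policy: flag a jump path deeper than max_hops, and flag data
    modification on any node other than the entry node."""
    path = login_jump_path(sequence)
    findings = []
    if len(path) > max_hops:
        findings.append(f"jump path of {len(path)} nodes exceeds {max_hops}")
    for hop, rec in enumerate(sorted(sequence, key=lambda r: r.created)):
        ops = server_operations(commands_by_login.get((rec.server, rec.pid), []))
        if hop > 0 and "modification" in ops:
            findings.append(f"modification on {rec.server} at hop {hop}")
    return {"path": path, "suspicious": bool(findings), "findings": findings}


# Constructed sample: the login sequence as recorded by the tracing steps
# (first server first, then its previous hop) and each login's command sequence.
SEQUENCE = [
    LoginRecord("10.0.0.12", 4001, "2021-09-08T10:06:41"),
    LoginRecord("10.0.0.11", 3001, "2021-09-08T10:05:01"),
]
COMMANDS = {
    ("10.0.0.11", 3001): ["ls /srv/data", "ssh 10.0.0.12"],
    ("10.0.0.12", 4001): ["cat /srv/data/orders.csv",
                          "sed -i 's/paid/void/' /srv/data/orders.csv"],
}

if __name__ == "__main__":
    print(judge(SEQUENCE, COMMANDS))
```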
The embodiments of the application may acquire and process the relevant data using artificial intelligence techniques. Artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer, or a machine controlled by a digital computer, to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use that knowledge to obtain the best result.
The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing, operation/interaction systems and mechatronics. Artificial intelligence software technology mainly comprises computer vision, robotics, biometric recognition, speech processing, natural language processing and machine learning/deep learning.
According to the embodiments of the application, the user login behaviors on independent servers are associated by tracing the user's login behavior across different servers. By combining the login jump path of the user login behavior with the server operations executed on the different server nodes along that path, the existing practice of analyzing the information of each server in isolation is replaced, behavior portraits for the user's cross-server login behavior are constructed, user behavior analysis is improved, and the accuracy and effectiveness of server security control are improved.
Referring to fig. 3, fig. 3 is a block diagram of a security monitoring device based on cross-server access by a user according to an embodiment of the application; for convenience of explanation, only the parts relevant to this embodiment are shown.
The security monitoring device 300 based on cross-server access by a user comprises:
a first obtaining module 301, configured to, when it is monitored that a user login behavior occurs on a first server in a server cluster, obtain first login process information of the user login behavior on the first server and obtain the TCP session information corresponding to the user login behavior on the first server; the first login process information comprises the address of the first server, and the sequence number and creation time of the login process corresponding to the user login behavior on the first server;
a determining module 302, configured to determine, based on the TCP session information, the login opposite end corresponding to the user login behavior on the first server;
a second obtaining module 303, configured to, when the login opposite end is determined to be a second server in the server cluster, trace back, based on the TCP session information, the second login process information corresponding to the user login behavior on the second server; the second login process information comprises the address of the second server, and the sequence number and creation time of the login process corresponding to the user login behavior on the second server;
a storage module 304, configured to store the first login process information and the second login process information in the same login sequence in an associated manner, to obtain cross-server access security monitoring information.
The determining module is specifically configured to:
extract the session source end address from the TCP session information;
based on the session source end address, when a second server whose address matches the session source end address is determined to exist in the server cluster, determine that second server to be the login opposite end corresponding to the user login behavior; or, based on the session source end address, when the session source end address is determined to be the address of the bastion host corresponding to the server cluster, determine the bastion host to be the login opposite end corresponding to the user login behavior.
The device further comprises:
a security judgment module, configured to access the user login log of the bastion host and obtain the source user information of the user login behavior from that log; and, based on the source user information, issue a warning if the login user corresponding to the user login behavior is determined not to be a permitted user.
The security judgment module is further configured to:
obtain, based on the login sequence, the login jump path of the user login behavior in the server cluster;
obtain the command sequence executed under the user login behavior on each server in the login jump path;
identify, based on the command sequence, the server operations triggered by the user login behavior on each server;
and judge the security of the user login behavior based on the server operations and the login jump path.
Each server of the server cluster is provided with an information capture component; correspondingly, the device further comprises:
a log acquisition module, configured to obtain the server log of each server in the server cluster via the information capture component, and to monitor the behavior of each server in the server cluster based on the server logs.
The first obtaining module is specifically configured to:
when first sshd process information corresponding to a user login behavior is observed in the server log of the first server, determine that the user login behavior has occurred on the first server;
and extract from the server log of the first server the TCP session information associated with the first sshd process, together with the address of the first server and the sequence number and creation time of the first sshd process, to form the first login process information.
The second obtaining module is specifically configured to:
determine, based on the TCP session information, the TCP session creation process on the second server that is associated with the TCP session information;
determine, from the process stack to which that TCP session creation process belongs, the second sshd process corresponding to the user login behavior on the second server;
and obtain the address of the second server and the sequence number and creation time of the second sshd process, to form the second login process information.
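The tracing performed by the first and second obtaining modules, together with the security judgment module's bastion check, as an added example in Python that is not the patent's code: starting from the sshd login process detected on the first server, it reads the peer endpoint of the session that sshd accepted, finds on the previous server the process that created the matching outbound session, walks that process's stack up to its sshd session process, and repeats until the peer lies outside the cluster. The data model (Proc, TcpSession, ServerLog, LoginRecord), the server addresses, process tables, TCP sessions, bastion login log and the permitted-user policy are all constructed assumptions.

```python
"""Trace a cross-server SSH login back to its origin via TCP session endpoints
and per-server process stacks. Constructed example, not the patent's code; the
data model, sample servers and the bastion policy are assumptions."""
from dataclasses import dataclass

SSH_PORT = 22
BASTION = "10.0.0.5"                     # constructed bastion host address

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str
    created: str                         # creation time, ISO 8601

@dataclass(frozen=True)
class TcpSession:
    pid: int                             # process that created/owns the socket
    local: tuple                         # (address, port)
    peer: tuple                          # (address, port)

@dataclass(frozen=True)
class ServerLog:
    address: str
    procs: dict                          # pid -> Proc (the process stack)
    sessions: tuple                      # TcpSession records seen on this server

@dataclass(frozen=True)
class LoginRecord:
    server: str                          # server address
    pid: int                             # sequence number of the sshd login process
    created: str                         # creation time of that process

def accept_session(log, sshd_pid):
    """TCP session accepted by the sshd login process (local port 22)."""
    for s in log.sessions:
        if s.pid == sshd_pid and s.local[1] == SSH_PORT:
            return s
    raise LookupError(f"no accepted session for sshd {sshd_pid} on {log.address}")

def session_creator(log, endpoint):
    """Pid that created the outbound session with this local endpoint; a TCP
    4-tuple is unique at any instant, so at most one process can match."""
    for s in log.sessions:
        if s.local == endpoint:
            return s.pid
    raise LookupError(f"no session with local endpoint {endpoint} on {log.address}")

def nearest_sshd(log, pid):
    """Walk up the process stack to the sshd session process that owns it."""
    while pid in log.procs:
        proc = log.procs[pid]
        if proc.comm == "sshd":
            return proc
        pid = proc.ppid
    raise LookupError(f"process stack on {log.address} has no sshd ancestor")

def trace_login_sequence(logs, first_server, first_sshd_pid):
    """Chain of sshd login processes from the first server back to the login
    opposite end outside the cluster; returns (login_sequence, origin)."""
    sequence = []
    server, sshd_pid = first_server, first_sshd_pid
    while True:
        log = logs[server]
        proc = log.procs[sshd_pid]
        sequence.append(LoginRecord(server, proc.pid, proc.created))
        peer = accept_session(log, sshd_pid).peer
        if peer[0] not in logs:          # previous hop is not a cluster member
            return sequence, peer
        prev = logs[peer[0]]             # second server: who opened that session?
        server, sshd_pid = prev.address, nearest_sshd(prev, session_creator(prev, peer)).pid

def check_bastion_user(origin, bastion_log, permitted):
    """Assumed policy: the origin must be the bastion host, and the user its
    login log recorded for that connection must be permitted; otherwise warn."""
    if origin[0] != BASTION:
        return "warn: login did not originate from the bastion host"
    user = bastion_log.get(origin)
    if user not in permitted:
        return f"warn: bastion user {user!r} is not a permitted user"
    return f"ok: permitted user {user}"

# Constructed sample: alice enters the bastion, jumps to app-1 (10.0.0.11),
# then from app-1 to app-2 (10.0.0.12). Monitoring fires on app-2's new sshd.
APP1 = ServerLog("10.0.0.11", {
    3000: Proc(3000, 1, "sshd", "2021-09-08T10:00:00"),      # listener
    3001: Proc(3001, 3000, "sshd", "2021-09-08T10:05:01"),   # login session
    3010: Proc(3010, 3001, "bash", "2021-09-08T10:05:02"),
    3020: Proc(3020, 3010, "ssh", "2021-09-08T10:06:40"),    # client towards app-2
}, (
    TcpSession(3001, ("10.0.0.11", 22), (BASTION, 40001)),
    TcpSession(3020, ("10.0.0.11", 51234), ("10.0.0.12", 22)),
))
APP2 = ServerLog("10.0.0.12", {
    4001: Proc(4001, 1, "sshd", "2021-09-08T10:06:41"),      # login session
}, (TcpSession(4001, ("10.0.0.12", 22), ("10.0.0.11", 51234)),))
LOGS = {APP1.address: APP1, APP2.address: APP2}
BASTION_LOGINS = {(BASTION, 40001): "alice"}   # constructed bastion login log
PERMITTED = {"alice", "bob"}
```

Calling trace_login_sequence(LOGS, "10.0.0.12", 4001) returns the LoginRecords for app-2 (pid 4001) and app-1 (pid 3001) plus the origin (BASTION, 40001); passing that origin to check_bastion_user with BASTION_LOGINS and PERMITTED returns "ok: permitted user alice".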
The security monitoring device based on cross-server access by a user provided by this embodiment can carry out each process of the security monitoring method described above and achieves the same technical effect; to avoid repetition, this is not described again here.
Fig. 4 is a block diagram of a computer device according to an embodiment of the present disclosure. As shown in the figure, the computer device 4 of this embodiment comprises at least one processor 40 (only one is shown in fig. 4), a memory 41, and a computer program 42 stored in the memory 41 and executable on the at least one processor 40; when the processor 40 executes the computer program 42, the steps of any of the method embodiments described above are implemented.
The computer device 4 may be a desktop computer, a notebook, a palmtop computer, a cloud server or another computing device. The computer device 4 may include, but is not limited to, the processor 40 and the memory 41. Those skilled in the art will appreciate that fig. 4 is merely an example of the computer device 4 and does not limit it: the device may include more or fewer components than shown, some components may be combined, or different components may be used; for example, the computer device may also include input/output devices, network access devices, buses, and so on.
The processor 40 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 41 may be an internal storage unit of the computer device 4, such as a hard disk or memory of the computer device 4. The memory 41 may also be an external storage device attached to the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card. Further, the memory 41 may include both an internal storage unit and an external storage device of the computer device 4. The memory 41 stores the computer program and the other programs and data the computer device requires, and may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above division of functional units and modules is illustrated; in practical applications the functions may be distributed among different functional units and modules as needed, that is, the internal structure of the apparatus may be divided into different functional units or modules to perform all or part of the functions described above. Each functional unit and module in the embodiments may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit; the integrated unit may be implemented in hardware or as a software functional unit. The specific names of the functional units and modules serve only to distinguish them from each other and do not limit the protection scope of the present application. For the specific working processes of the units and modules in the system, reference may be made to the corresponding processes in the foregoing method embodiments, which are not described again here.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal and method may be implemented in other ways. The apparatus/terminal embodiments described above are merely illustrative: the division into modules or units is only one logical division, and other divisions are possible in practice; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated modules/units, if implemented as software functional units and sold or used as independent products, may be stored in a computer-readable storage medium. On this understanding, all or part of the flow of the methods in the above embodiments can be realized by a computer program that is stored in a computer-readable storage medium and, when executed by a processor, carries out the steps of the method embodiments described above. The computer program comprises computer program code, which may be in source code, object code, executable file or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and the like. It should be noted that the content a computer-readable medium may contain can be increased or decreased as required by legislation and patent practice in a jurisdiction; for example, in some jurisdictions computer-readable media do not include electrical carrier signals and telecommunications signals.
All or part of the processes in the methods of the above embodiments may also be implemented by a computer program product: when the computer program product runs on a terminal, the terminal executing it carries out the steps of the above method embodiments.
The above embodiments are only intended to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents; such modifications and substitutions do not cause the corresponding technical solutions to depart from the spirit and scope of the embodiments of the present application, and are intended to be included within the scope of the present application.

Claims (10)

1. A security monitoring method based on cross-server access by a user, characterized by comprising the following steps:
when it is monitored that a user login behavior occurs on a first server in a server cluster, acquiring first login process information of the user login behavior on the first server and acquiring TCP session information corresponding to the user login behavior on the first server; the first login process information comprises the address of the first server, and the sequence number and the creation time of the login process corresponding to the user login behavior on the first server;
determining a login opposite terminal corresponding to the user login behavior in the first server based on the TCP session information;
when the login opposite terminal is determined to be a second server in the server cluster, second login process information corresponding to the user login behavior in the second server is traced based on the TCP session information; the second login process information comprises the address of the second server, and the sequence number and the creation time of the login process corresponding to the user login behavior in the second server;
and storing the first login process information and the second login process information in the same login sequence in an associated manner to obtain cross-server access security monitoring information.
2. The method according to claim 1, wherein the determining a login opposite end corresponding to the user login behavior in the first server based on the TCP session information comprises:
extracting a session source end address from the TCP session information;
based on the session source end address, when it is determined that a second server whose address matches the session source end address exists in the server cluster, determining the second server to be the login opposite end corresponding to the user login behavior; or,
based on the session source end address, when the session source end address is determined to be the address of the bastion host corresponding to the server cluster, determining the bastion host to be the login opposite end corresponding to the user login behavior.
3. The method according to claim 2, characterized in that, after determining the bastion host to be the login opposite end corresponding to the user login behavior when the session source end address is determined, based on the session source end address, to be the address of the bastion host corresponding to the server cluster, the method further comprises:
accessing a user login log of the bastion machine, and acquiring source user information of the user login behavior from the user login log;
and based on the source user information, issuing a warning if the login user corresponding to the user login behavior is determined not to be a permitted user.
4. The method according to claim 1, characterized in that, after storing the first login process information and the second login process information in the same login sequence in an associated manner to obtain cross-server access security monitoring information, the method further comprises:
acquiring a login jump path of the user login behavior in the server cluster based on the login sequence;
acquiring a command sequence executed by each server in the login jump path under the user login behavior;
based on the command sequence, identifying server operation triggered by the user login behavior in each server;
and judging the safety of the user login behavior based on the server operation and the login jump path.
5. The method according to claim 1, characterized in that each server of the server cluster is provided with an information capture component, and that, before acquiring the first login process information of the user login behavior on the first server and the TCP session information corresponding to the user login behavior on the first server when it is monitored that a user login behavior occurs on the first server in the server cluster, the method further comprises:
acquiring a server log of each server in the server cluster based on the information capture component;
and monitoring the behavior of each server in the server cluster based on the server log.
6. The method according to claim 1 or 5, characterized in that, when it is monitored that a user login behavior occurs on a first server in a server cluster, acquiring first login process information of the user login behavior on the first server and acquiring TCP session information corresponding to the user login behavior on the first server comprises:
when first sshd process information corresponding to a user login behavior is monitored from a server log of the first server, determining that the user login behavior occurs in the first server;
and extracting TCP session information associated with the first sshd process from a server log of the first server, and extracting the address of the first server and the sequence number and creation time of the first sshd process from the server log of the first server to form the first login process information.
7. The method according to claim 1, wherein said tracing second login process information corresponding to said user login behavior in said second server based on said TCP session information comprises:
determining a TCP session creation process in the second server associated with the TCP session information based on the TCP session information;
determining a second sshd process corresponding to the user login behavior in the second server from a process stack to which the TCP session creation process belongs based on the TCP session creation process;
and acquiring the address of the second server and the sequence number and the creation time of the second sshd process to form the second login process information.
8. A security monitoring device based on cross-server access of users, comprising:
a first obtaining module, configured to, when it is monitored that a user login behavior occurs on a first server in a server cluster, acquire first login process information of the user login behavior on the first server and acquire TCP session information corresponding to the user login behavior on the first server; the first login process information comprises the address of the first server, and the sequence number and the creation time of the login process corresponding to the user login behavior on the first server;
a determining module, configured to determine, based on the TCP session information, a login opposite end corresponding to the user login behavior in the first server;
a second obtaining module, configured to, when it is determined that the login opposite end is a second server in the server cluster, trace back second login process information corresponding to the user login behavior in the second server based on the TCP session information; the second login process information comprises the address of the second server, and the sequence number and the creation time of the login process corresponding to the user login behavior in the second server;
and the storage module is used for storing the first login process information and the second login process information into the same login sequence in an associated manner to obtain cross-server access security monitoring information.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202111049378.7A 2021-09-08 2021-09-08 Safety monitoring method, terminal and equipment based on cross-server access of user Pending CN113765924A (en)

Publications (1)

Publication Number Publication Date
CN113765924A true CN113765924A (en) 2021-12-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20211207