CN116723212A - Data processing method, device, electronic equipment and computer readable storage medium - Google Patents

Publication number
CN116723212A
Authority
CN
China
Prior art keywords
employee
data
log
behavior
service system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310614335.1A
Other languages
Chinese (zh)
Inventor
何艳波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bank of China Ltd
Original Assignee
Bank of China Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bank of China Ltd
Priority to CN202310614335.1A
Publication of CN116723212A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides a data processing method, a data processing device, electronic equipment and a computer readable storage medium, which can be applied in the technical field of big data. The method comprises: acquiring behavior data of at least one employee, the behavior data comprising a mail sending log, a file printing log, a remote control office terminal log, a service system server log, a service system database operation log and a service system server operation log; and determining whether the behavior of each employee presents a security risk based on the behavior data and the basic information of the at least one employee, the basic information of each employee comprising at least one of: name, identity, mobile phone number, or address of the office terminal used, where the identity is an identification card number or a work number. By fusing the employees' basic information with the various behavior data, the correspondence between behaviors and employees is found, so that abnormal employee behavior can be discovered in time and the security risk to data inside the enterprise can be reduced.

Description

Data processing method, device, electronic equipment and computer readable storage medium
Technical Field
The present application relates to the field of big data technologies, and in particular, to a data processing method, apparatus, electronic device, and computer readable storage medium.
Background
In recent years, as information technology has converged with production and daily life, the volume of data collected, stored, transmitted, processed and generated over networks has grown rapidly. Aggregated mass data has become an important economic factor and has a great and profound effect on economic development, social management and people's lives. Data security is also particularly important to enterprises.
However, with the emergence and development of technologies that strengthen network anonymity, such as bitcoin and the darknet, industry chains that profit from data have gradually formed, giving enterprise staff and insiders a way to profit from data. This clearly raises serious security risks for an enterprise's internal data; for example, some business staff may profit by leaking the enterprise's confidential data.
Therefore, a method is needed that can promptly analyze whether employee behavior presents a security risk and reduce the security risk to data inside the enterprise.
Disclosure of Invention
The application provides a data processing method, a data processing device, electronic equipment and a computer readable storage medium, which can discover abnormal behaviors of staff in time and reduce the security risk of data in enterprises.
In a first aspect, the present application provides a data processing method, including: acquiring behavior data of at least one employee, the behavior data comprising a mail sending log, a file printing log, a remote control office terminal log, a service system server log, a service system database operation log and a service system server operation log; and determining whether the behavior of each employee presents a security risk based on the behavior data and the basic information of the at least one employee, the basic information of each employee comprising at least one of: name, identity, mobile phone number, or address of the office terminal used, where the identity is an identification card number or a work number.
In a second aspect, the present application provides a data processing apparatus comprising an acquisition module and a determination module. The acquisition module is used for acquiring behavior data of at least one employee, the behavior data comprising a mail sending log, a file printing log, a remote control office terminal log, a service system server log, a service system database operation log and a service system server operation log. The determination module is used for determining whether the behavior of each employee presents a security risk based on the behavior data and the basic information of the at least one employee, the basic information of each employee comprising at least one of: name, identity, mobile phone number, or address of the office terminal used, where the identity is an identification card number or a work number.
In a third aspect, the present application provides an electronic device comprising a processor and a memory; wherein the memory is for storing computer instructions and the processor is for executing the computer instructions stored in the memory to implement the method as described above.
In a fourth aspect, the present application provides a computer readable storage medium having stored therein computer instructions which, when executed, cause the aforementioned data processing method to be implemented.
In a fifth aspect, the application provides a computer program product comprising a computer program which, when executed, causes the aforementioned data processing method to be implemented.
According to the data processing method, the device, the electronic equipment and the computer readable storage medium, the employees' basic information and the various behavior data are deeply fused to find the correspondence between behaviors and employees, that is, to determine which behaviors were performed by which employee. Whether an employee's behavior presents a security risk is then analyzed, so that abnormal employee behavior can be discovered in time, the security risk to data inside the enterprise can be reduced, and larger losses are avoided.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
FIG. 1 is a system diagram of a data processing method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a data processing method according to an embodiment of the present application;
FIGS. 3 and 4 are two other schematic flowcharts of a data processing method according to an embodiment of the present application;
FIG. 5 is a schematic block diagram of a data processing apparatus according to an embodiment of the present application;
FIG. 6 is a schematic block diagram of an electronic device according to an embodiment of the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
It should be noted that the basic information of the employee (which may include, but is not limited to, user address information, personal information of the employee, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) are information and data authorized by the employee or fully authorized by each party. The collection, use and processing of the related data must comply with the relevant laws, regulations and standards, and a corresponding operation entry is provided for the employee to grant or refuse authorization.
It should be noted that, in order to describe the technical solution of the embodiments of the present application clearly, the words "first", "second", and the like are used in the embodiments to distinguish identical or similar items that have substantially the same function and effect. Those skilled in the art will appreciate that the words "first", "second", and the like do not limit quantity or order of execution, and that items so labelled are not necessarily different.
In the embodiments of the present application, the preset durations, thresholds and preset labels, for example the first preset duration, the second preset duration, the first threshold, the second threshold, the third threshold, the first preset label and the second preset label, may be predefined or may be configured by an operator of the data processing apparatus. The values of the preset durations may be the same or different, the values of the thresholds may be the same or different, and the values of the preset labels may be the same or different, which is not limited by the present application.
It should be noted that the data processing method and apparatus provided by the present application may be applied to the technical field of big data, and may also be applied to any field other than the technical field of big data.
Based on the above problems, the embodiments of the present application provide a data processing method, apparatus, electronic device, and computer readable storage medium, which further analyze whether the behaviors of an employee have a security risk by performing deep fusion on basic information of the employee and various behavior data, so as to discover abnormal behaviors of the employee in time, and avoid causing larger losses.
In order to better understand the data processing method provided by the present application, a system suitable for the data processing method provided by the embodiment of the present application is first briefly described.
Fig. 1 is a schematic system diagram of a data processing method according to an embodiment of the present application.
The data processing method provided by the application can be executed by a data processing device, and the data processing device comprises, but is not limited to, a computer, a server or an electronic device such as a server cluster. The data processing device may be communicatively connected to a plurality of servers and a plurality of office terminals to obtain various behavioral data and analyze and process the behavioral data.
As shown in fig. 1, a system suitable for the data processing method provided in the embodiment of the present application may include a computer 110, a server 120 of a mailbox, a server 130 of a printer, an office terminal 140, a server 150 of a business system, and a database 160 of a business system.
The computer 110 may be one example of a data processing apparatus. The computer 110 may communicate with the server 120 of the mailbox and obtain a mail sending log from it; with the server 130 of the printer and obtain a file print log from it; with the office terminal 140 and obtain a remote control office terminal log from it; with the server 150 of the business system and obtain a server log of the business system and a server operation log of the business system from it; and with the database 160 of the business system and obtain a database operation log of the business system from it. The database of the business system may be deployed on a server of the business system. A server according to the present application may be a physical server device or a cloud server, which is not limited by the present application.
It is to be understood that although the office terminal 140 in fig. 1 is illustrated as a computer, in a practical application scenario, the office terminal may include, but is not limited to, a computer, a notebook computer, a tablet computer, a mobile phone, or the like. In addition, the business system related to the application comprises a software system used by staff in office.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Referring to fig. 2, fig. 2 is a schematic flowchart of a data processing method according to an embodiment of the present application. The method shown in fig. 2 may be performed by a data processing apparatus or by a component in a data processing apparatus (e.g. by a chip or a system-on-chip). The data processing means may be implemented by means of software and/or hardware, as the application is not limited in this respect.
As shown in fig. 2, the data processing method 200 may include steps 210 and 220, each of which is described below in fig. 2.
In step 210, behavioral data of at least one employee is obtained.
Behavior data may include, but is not limited to: mail sending log, file printing log, remote control office terminal log, service system server log, service system database operation log and service system server operation log.
The mail sending log may include, but is not limited to: the sending account, the receiving account, the copied (CC) account, the sending time, the mail title, the mail content and attachments, and the address of the electronic device that sent the mail.
The file print log may include, but is not limited to: the address of the office terminal that issued the print instruction, the file content, the file printing time, the number of prints, and the like.
The address of the electronic device or the address of the office terminal to which the present application relates may include, but is not limited to, a media access control (media access control, MAC) address and/or an internet protocol (internet protocol, IP) address, etc.
The remote control office terminal log may include, but is not limited to: an address of an electronic device that initiates a remote control instruction to the office terminal, a time at which the remote control instruction to the office terminal is initiated, an address of the office terminal that is remotely controlled, a time period for remotely controlling the office terminal, and the like.
Server logs for business systems include, but are not limited to: the address of the electronic device logging in the service system, the logging time, and the browsing record and the operation record of the service system account number logging in the service system, wherein the operation record includes, but is not limited to, the data content, the downloading amount and the downloading time of the data downloaded from the service system.
The database operation log of the business system can be understood as a log of operations on the database of the business system. An employee with management authority over the database can log in to it with a database management account and add, delete, modify and download tables and the data in them. That is, the operation behavior types for the database comprise downloading data, adding tables, deleting tables and modifying tables, where modifying a table can include modifying the table name, adding fields, adding data items, deleting fields, deleting data items, modifying fields, modifying data items, and the like. The database operation log of the business system may include, but is not limited to: the address of the electronic device that logged in to the database of the business system with the database management account, the IP address of the database logged in to, the time of operating the database, the operation behavior type, and the like.
The server operation log of the business system can be understood as a log of operations on the server of the business system. Staff with management authority over the server of the business system can log in to the server with a server management account to update the business system. The server operation log of the business system may include, but is not limited to: the time at which the server management account logged in to the server of the business system and the address of the electronic device used, the time of updating the business system, the updated content, and the like.
The data processing device or a component in the data processing device may obtain the corresponding behavior data from a server and an office terminal having a communication connection with the data processing device. The detailed description may refer to the related description in fig. 1, and for brevity, will not be repeated here.
In step 220, it is determined whether the behavior of each employee is at a security risk based on the behavior data and the basic information of the at least one employee.
The basic information of each employee includes at least one of the following: name, identity, mobile phone number, or address of office terminal used, the identity is identification card number or work number. The basic information of the at least one employee may be manually pre-entered and stored, or may be directly read from a database, which is not limited by the present application.
It is to be understood that the basic information of each employee may include, but is not limited to: name, identity, phone number, or address of office terminal used. For example, age, gender, time of job entry, job, department of job, and job status, etc., where job status may include job in progress, holiday, job departure, etc., and the application is not limited in any way.
Based on the behavior data and the employees' basic information, the data processing device or its components can normalize the identities of employees, mailbox accounts, business system accounts and the like, that is, determine which account corresponds to which employee. The behavior data can then be used to determine which employee performed the behavior associated with each account, and in turn which employee's behavior presents a security risk.
In this way, the employees' basic information and the various behavior data are deeply fused to find the correspondence between behaviors and employees, that is, to determine which behaviors were performed by which employee, and whether each employee's behavior presents a security risk is then analyzed. Abnormal employee behavior is thus discovered in time, the security risk to data inside the enterprise can be reduced, and larger losses are avoided.
In some implementations, the foregoing step 210 includes: the method includes the steps of obtaining a mail sending log from a server of a mailbox, obtaining a file printing log from a server of a printer, obtaining a remote control office terminal log from an office terminal, obtaining a server log of a business system and a server operation log of the business system from a server of the business system, and obtaining a database operation log of the business system from a database of the business system.
The data processing device may be communicatively connected to a plurality of servers and a plurality of office terminals to obtain various behavioral data. The data processing device or the components in the data processing device can communicate with a server of the mailbox, and mail sending logs are obtained from the server of the mailbox; the data processing apparatus or a component in the data processing apparatus may communicate with a server of the printer, and obtain a file print log from the server of the printer; the data processing device or the components in the data processing device can communicate with the office terminal, and the remote control office terminal log is obtained from the office terminal; the data processing device or a component in the data processing device can communicate with a server of the service system, and a server log of the service system and a server operation log of the service system are obtained from the server of the service system; the data processing device or a component in the data processing device may communicate with a database of the business system, from which a database operation log of the business system is obtained. The detailed description may refer to the related description of fig. 1, and for brevity, will not be repeated here.
It will be appreciated that the data processing apparatus or components thereof may periodically obtain corresponding behavioural data from a server and office terminal having a communication connection with the data processing apparatus; alternatively, the server and the office terminal having communication connection with the data processing apparatus may periodically report corresponding behavior data to the data processing apparatus or the components in the data processing apparatus, which is not limited in the present application.
In an actual application scenario, the period duration may be set according to requirements, for example, the period duration may be 4 hours, 8 hours, 12 hours, 24 hours, or 48 hours, and the application is not limited in any way.
In some implementations, the at least one employee includes a first employee, the first employee being any one of the at least one employee, and step 220 includes: extracting account information from the behavior data, wherein the account information comprises a mailbox account, a service system account, a management account of a database of the service system and a management account of a server of the service system; determining the correspondence between the account information and the first employee; obtaining, based on the behavior data and the correspondence, a behavior chain of the first employee, the behavior chain being formed by linking the first employee's behaviors together in time order; and determining, based on the behavior chain, whether the first employee's behavior presents a security risk.
The data processing apparatus or a component in it may extract account information from the behavior data. For example, the sending mailbox account may be extracted from the mail sending log; the business system account used to log in to the business system may be extracted from the server log of the business system; the database management account used to log in to the database, together with the address of the electronic device that logged in to the database of the business system with that account, may be extracted from the database operation log of the business system; and the management account used to log in to the server of the business system, together with the address of the electronic device that logged in with that account, may be extracted from the server operation log of the business system.
After the account information is extracted, the extracted account information and the basic information of the at least one employee can be analyzed to determine which accounts belong to the first employee, that is, determine the corresponding relationship between the account information and the first employee.
For example, some accounts include the pinyin of the employee's name when they are registered or set up. For the mailbox account "zhangsan @", a name matching the pinyin "zhangsan", such as "Zhangsan", can be looked up in the basic information of the at least one employee. If only one name matches the pinyin, the mailbox account can be determined to belong to that employee. If several names match the pinyin, further analysis can be performed on the telephone number associated with the mailbox account and on the names, departments, identities and the like involved in the mail deposit, to find the employee most strongly associated with the mailbox account, and the mailbox account can then be determined to belong to that employee.
For a detailed description of the manner of determining the service system account number and the employee corresponding thereto, reference may be made to the above description of the manner of determining the mailbox account number and the employee corresponding thereto, which is not repeated herein for brevity.
For the management account of the database of the business system, which is used by staff with authority to log in to that database, the address of the electronic device that logged in to the database can be analyzed to determine which employee the device belongs to. The employee to whom the device belongs can be considered to have authority to log in to the database of the business system, so that employee can be determined to correspond to the management account of the database of the business system.
For a detailed description of the manner of determining the management account number of the server of the service system and the employee corresponding thereto, reference may be made to the above description of the manner of determining the management account number of the database of the service system and the employee corresponding thereto, and for brevity, the description will not be repeated here.
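The account-to-employee matching described above can be sketched as follows. This is an added example, not code from the patent: the `Employee` fields, the stored `name_pinyin` value, the hint keys, the sample records and the choice to leave tied or unmatched accounts unresolved are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Employee:
    work_number: str      # the "identity" field of the basic information
    name_pinyin: str      # assumption: pinyin is stored with the name
    phone: str
    department: str
    terminal_addr: str    # IP or MAC address of the office terminal used

# Constructed basic information: two employees share the pinyin "zhangsan".
EMPLOYEES = [
    Employee("E001", "zhangsan", "13800000001", "retail", "10.0.1.11"),
    Employee("E002", "zhangsan", "13800000002", "audit", "10.0.1.12"),
    Employee("E003", "lisi", "13800000003", "dba", "10.0.1.13"),
]

# Constructed account records, as they might be extracted from the logs.
EXTRACTED = [
    {"kind": "mailbox", "account": "lisi@mail.example", "hints": {}},
    {"kind": "mailbox", "account": "zhangsan@mail.example",
     "hints": {"phone": "13800000002", "department": "audit"}},
    {"kind": "business", "account": "zhangsan01", "hints": {}},
    {"kind": "db_admin", "account": "dbadmin", "login_addr": "10.0.1.13"},
    {"kind": "server_admin", "account": "root", "login_addr": "10.9.9.9"},
]

def resolve_named_account(account, hints, employees):
    """Mailbox or business-system account: pinyin match, then attribute hints."""
    local = account.split("@", 1)[0].lower()
    candidates = [e for e in employees if e.name_pinyin in local]
    if len(candidates) == 1:
        return candidates[0].work_number
    # Several names share the pinyin: rank candidates by how many associated
    # attributes (phone, department, ...) agree with their basic information.
    scored = sorted(
        ((sum(getattr(e, k, None) == v for k, v in hints.items()), e.work_number)
         for e in candidates),
        reverse=True,
    )
    if not scored or scored[0][0] == 0:
        return None                      # nothing tells the candidates apart
    if len(scored) > 1 and scored[0][0] == scored[1][0]:
        return None                      # tie at the top: leave unresolved
    return scored[0][1]

def resolve_admin_account(login_addr, employees):
    """Database or server management account: owner of the login device."""
    owners = [e for e in employees if e.terminal_addr == login_addr]
    return owners[0].work_number if len(owners) == 1 else None

def build_correspondence(records, employees):
    """Map (kind, account) to a work number, or None when unresolved."""
    mapping = {}
    for r in records:
        if r["kind"] in ("mailbox", "business"):
            owner = resolve_named_account(r["account"], r["hints"], employees)
        else:
            owner = resolve_admin_account(r["login_addr"], employees)
        mapping[(r["kind"], r["account"])] = owner
    return mapping

if __name__ == "__main__":
    for key, owner in build_correspondence(EXTRACTED, EMPLOYEES).items():
        print(key, "->", owner or "UNRESOLVED")
```

Unresolved accounts are worth surfacing rather than dropping: a management login from a device that belongs to no known employee cannot be attributed, so its behavior would otherwise be missing from every behavior chain.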
After the correspondence between the account information and the employees is determined, the behaviors of the first employee can be linked together in time order, based on the behavior data and the correspondence, to form the employee's behavior chain. Whether the first employee's behavior presents a security risk can then be determined based on the behavior chain.
In some implementations, determining whether the first employee's behavior presents a security risk based on the behavior chain includes: determining, based on the behavior chain, that the first employee's behavior presents a security risk if it meets any of the following conditions: the employee logs in to the business system at different geographic locations within a first preset duration; or the number of mails sent within a second preset duration is greater than a first threshold; or the amount of data with a first preset label downloaded from the business system is greater than a second threshold; or the amount of data with a second preset label downloaded from the database of the business system is greater than a third threshold; or the printed file content relates to data with a third preset label; or the office terminal used is remotely controlled for longer than a third preset duration.
For example, in the event that a first employee logs into the business system at a different geographic location within a first preset time period, it may be determined that the first employee's behavior is at a security risk. The first preset duration may be a shorter duration, for example, may be set to 5 minutes, 10 minutes, 20 minutes, and the like, which is not limited in the present application.
For another example, in the case where the number of emails sent by the first employee in the second preset time period is greater than the first threshold, it may be determined that the behavior of the first employee has a security risk. The second preset time period may be a unit time period, for example, may be set to 20 minutes, 30 minutes, 1 hour, 2 hours, and the like, which is not limited by the present application. The first threshold may be set according to requirements, for example, may be set to 5, 10, 20, etc., which the present application is not limited to.
It is understood that in practical application, the second preset duration may be equal to the first preset duration, or may not be equal to the first preset duration, which is not limited in the present application.
For another example, in the case that the amount of data with the first preset tag that the first employee downloads from the service system is greater than the second threshold, it may be determined that the first employee's behavior poses a security risk. The first preset tag is set in advance; for example, a tag may be set for some important data, which is not limited by the present application. The second threshold may be set according to requirements, for example, 1 gigabyte (GB), 2GB, 5GB, 10GB, and the like, which is not limited by the present application.
Also for example, in the case where the amount of data with the second preset tag that the first employee downloads from the database of the business system is greater than the third threshold, it may be determined that the first employee's behavior poses a security risk. The second preset tag is set in advance; for example, a tag may be set for some important data, which is not limited by the present application. The third threshold may be set according to requirements, for example, 1GB, 2GB, 5GB, 10GB, etc., which is not limited by the present application.
It is understood that the third threshold may be the same as the second threshold or different from the second threshold, which is not limited by the present application.
Also for example, where the content of a file printed by the first employee relates to data with the third preset tag, it may be determined that the first employee's behavior poses a security risk. Like the first and second preset tags, the third preset tag is set in advance; for example, tags may be set for some important data, which is not limited by the present application.
Also for example, in a case where the office terminal used by the first employee is remotely controlled for longer than the third preset duration, it may be determined that the first employee's behavior poses a security risk. The third preset duration may be a longer duration, for example, 1 hour, 2 hours, 4 hours, and the like, which is not limited by the present application.
It can be appreciated that in practical application, the third preset duration may be equal to the second preset duration, or may not be equal to the second preset duration, which is not limited in the present application.
In practical application, the method is not limited to the above conditions. For example, when the basic information of the employee includes a post state, the post state of the first employee is an off-period, and either the amount of data with the first preset tag downloaded from the business system or the amount of data with the second preset tag downloaded from the database of the business system is greater than a fourth threshold, it may be determined that the first employee's behavior poses a security risk. The fourth threshold may be set according to requirements, for example, 0.5GB, 1GB, 2GB, etc., which is not limited by the present application. The fourth threshold may be the same as the second threshold or the third threshold, or may be different from them, which is not limited in the present application.
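The behavior chain and the conditions described above can be sketched as follows. This is an added example, not code from the patent or from the applicant: the event fields, account names, addresses, thresholds, the single `important` label and the choice to sum downloads over the whole chain are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed settings; the description leaves every duration, threshold and label open.
GEO_WINDOW = timedelta(minutes=10)   # first preset duration
MAIL_WINDOW = timedelta(hours=1)     # second preset duration
MAIL_MAX = 5                         # first threshold (mails)
BIZ_DL_MAX = 1024**3                 # second threshold (1 GB)
DB_DL_MAX = 1024**3                  # third threshold (1 GB)
REMOTE_MAX = timedelta(hours=1)      # third preset duration
SENSITIVE = {"important"}            # assumed: one label set serves all three preset labels

# Constructed correspondence: account or office terminal address -> employee.
ACCOUNT_OWNER = {
    "c@mail.example": "E001", "biz_d": "E001", "dba_admin": "E001", "10.0.0.21": "E001",
    "x@mail.example": "E002", "10.0.0.35": "E002",
}

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed events, as if already parsed from the separate logs; deliberately unordered.
EVENTS = [
    {"src": "db_download", "account": "dba_admin", "time": ts("2024-01-15 11:30"),
     "label": "important", "bytes": 600 * 1024**2},
    {"src": "biz_login", "account": "biz_d", "time": ts("2024-01-15 09:06"), "geo": "Shanghai"},
    {"src": "biz_login", "account": "biz_d", "time": ts("2024-01-15 09:00"), "geo": "Beijing"},
    {"src": "db_download", "account": "dba_admin", "time": ts("2024-01-15 11:00"),
     "label": "important", "bytes": 600 * 1024**2},
    {"src": "print", "account": "10.0.0.35", "time": ts("2024-01-15 14:00"), "label": None},
    {"src": "mail_send", "account": "x@mail.example", "time": ts("2024-01-15 14:05")},
    {"src": "remote_ctrl", "account": "10.0.0.35", "time": ts("2024-01-15 15:00"),
     "duration": timedelta(minutes=20)},
    {"src": "biz_login", "account": "svc_unknown", "time": ts("2024-01-15 16:00"), "geo": "Beijing"},
] + [
    {"src": "mail_send", "account": "c@mail.example",
     "time": ts("2024-01-15 10:00") + timedelta(minutes=5 * i)} for i in range(6)
]

def build_chains(events, owner=ACCOUNT_OWNER):
    """Attribute each event to an employee and order it by time (the behavior chain)."""
    chains, unattributed = defaultdict(list), []
    for ev in events:
        emp = owner.get(ev["account"])
        (chains[emp] if emp else unattributed).append(ev)
    for chain in chains.values():
        chain.sort(key=lambda e: e["time"])
    return dict(chains), unattributed

def geo_rule(chain):
    # Any two logins from different places no more than GEO_WINDOW apart.
    logins = [e for e in chain if e["src"] == "biz_login"]
    for i, cur in enumerate(logins):
        if any(cur["time"] - p["time"] <= GEO_WINDOW and cur["geo"] != p["geo"]
               for p in logins[:i]):
            return [("geo_login", cur["time"])]
    return []

def mail_rule(chain):
    # Sliding window over sorted send times; flag the mail that pushes the count past MAIL_MAX.
    times = [e["time"] for e in chain if e["src"] == "mail_send"]
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > MAIL_WINDOW:
            start += 1
        if end - start + 1 > MAIL_MAX:
            return [("mass_mail", t)]
    return []

def download_rule(chain, src, limit, risk):
    # Running total of labelled bytes; report the event at which the total crosses the limit.
    total = 0
    for e in chain:
        if e["src"] == src and e.get("label") in SENSITIVE:
            total += e["bytes"]
            if total > limit:
                return [(risk, e["time"])]
    return []

def flag_rule(chain, src, risk, test):
    return [(risk, e["time"]) for e in chain if e["src"] == src and test(e)]

def detect(events):
    """Return {employee: [(risk_type, time), ...]} plus the events nobody could be tied to."""
    chains, unattributed = build_chains(events)
    findings = {}
    for emp, chain in chains.items():
        hits = (geo_rule(chain) + mail_rule(chain)
                + download_rule(chain, "biz_download", BIZ_DL_MAX, "biz_download")
                + download_rule(chain, "db_download", DB_DL_MAX, "db_download")
                + flag_rule(chain, "print", "sensitive_print",
                            lambda e: e.get("label") in SENSITIVE)
                + flag_rule(chain, "remote_ctrl", "long_remote_control",
                            lambda e: e["duration"] > REMOTE_MAX))
        if hits:
            findings[emp] = sorted(hits, key=lambda h: h[1])
    return findings, unattributed

if __name__ == "__main__":
    found, orphans = detect(EVENTS)
    print(found, len(orphans))
```

Events whose account maps to no employee are returned separately rather than dropped, since an unattributed login is itself a gap in the account-to-employee correspondence that the rules cannot see past.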
In some implementations, the foregoing method 200 further includes: generating alarm information when the behavior of the first employee poses a security risk, wherein the alarm information includes the first employee, the behavior posing the security risk and the time involved in that behavior, and the first employee is any one of the at least one employee; and issuing an early warning based on the alarm information.
In the case that the first employee's behavior poses a security risk, the data processing apparatus or a component in the data processing apparatus may generate alarm information that includes the first employee, the behavior posing the security risk, and the time involved in that behavior, for example, "Zhang San sent a large number of outgoing mails within a certain period of time". An early warning may then be issued based on the alarm information, to remind the relevant management personnel to pay closer attention and take emergency measures, avoiding greater loss.
In some implementations, issuing the early warning based on the alarm information includes: sending the alarm information to a preset mailbox account or mobile phone number.
After the alarm information is generated, the data processing apparatus or a component in the data processing apparatus can send the alarm information to a preset mailbox account or mobile phone number, so that the relevant management personnel are reminded and warned in time.
In some implementations, the alarm information further includes a risk type corresponding to the behavior posing the security risk, and sending the alarm information to a preset mailbox account or mobile phone number includes: sending the alarm information to the preset mailbox account or mobile phone number based on an alarm template corresponding to the risk type.
That is, at least one alert template corresponding to the risk type may be stored in the data processing apparatus or a component in the data processing apparatus in advance, and after the alert information is generated, the data processing apparatus or the component in the data processing apparatus may determine the alert template corresponding to the risk type from the at least one alert template, and send the alert information to a preset mailbox account or mobile phone number based on the alert template.
In addition, in practical application, besides the above mentioned early warning mode of sending the warning information to the preset mailbox account or the mobile phone number, the warning information can be displayed through the user interface, and the related manager can be timely reminded, which is not limited by the application.
In order to better understand the data processing method provided by the present solution, the data processing method provided by the present application is described herein below with reference to fig. 3 and 4.
Fig. 3 and fig. 4 are two other schematic flowcharts of a data processing method according to an embodiment of the present application.
As shown in fig. 3, the data processing method provided by the present application may include steps 301 to 306.
In step 301, data is acquired.
This step may correspond to the data acquisition in fig. 4. That is, the data processing apparatus or a component in the data processing apparatus may acquire data of different structures from a plurality of sources, for example, the behavior data described above, that is, logs containing various behavior information, including, but not limited to: mail sending logs, file printing logs, remote control office terminal logs, server logs of a service system, database operation logs of the service system, server operation logs of the service system and the like. Basic information of the employee may also be obtained, which may include, but is not limited to: name, identity, phone number, or address of the office terminal used, etc. The basic information of the employee can be manually entered and stored in advance, or can be read directly from a database, which is not limited by the present application.
In step 302, data is fused.
This step may correspond to the deep fusion in fig. 4, in which a knowledge graph may be constructed. That is, the data processing apparatus or a component in the data processing apparatus may normalize the identities of the employees, mailbox accounts, business system accounts, etc. based on the behavior data and the basic information of the employees, i.e. determine which account corresponds to which employee, and which behaviors were performed by which employee. For example, the partial knowledge graph shown in fig. 4 includes entities such as a first employee, an office terminal A, an office terminal B, a mailbox account C, a business system account D, a business system, a printer, and the like, and relationships between these entities, for example, the first employee owns the mailbox account C, the office terminal A is used by the first employee, the office terminal B is used by the first employee, the business system account D is used by the first employee, and the like. The behavior chain of the first employee can thus be obtained based on the behavior data. For a detailed description of the behavior chain, reference may be made to the relevant descriptions in method 200, which are not repeated here for the sake of brevity.
In step 303, the behavior is analyzed.
This step may correspond to the intelligent analysis in fig. 4, i.e. the data processing apparatus or a component in the data processing apparatus may perform a behavior analysis based on the employee's behavior chain.
In step 304, abnormal behavior is discovered.
This step may correspond to the abnormal behavior discovery in fig. 4. That is, after the data processing apparatus or a component in the data processing apparatus performs the behavior analysis on the behavior chain of the employee, the behavior of the employee is found, based on the preset conditions, to pose a security risk; in other words, the employee is found to exhibit abnormal behavior, for example, including but not limited to: logging in to the business system at different geographic locations within a short time, sending a large number of outgoing mails per unit time, downloading a large amount of sensitive data from the business system, and frequently downloading sensitive data while the employee is in the off-period.
In step 305, an early warning of the abnormal behavior is issued.
After the staff is found to have abnormal behaviors, the data processing device or components in the data processing device can timely perform abnormal behavior early warning to a security management department, for example, but not limited to, sending the warning information to a preset mailbox account number or a preset mobile phone number and the like.
In step 306, the behavior is traced.
After the personnel of the security management department view the alarm information, the data processing apparatus can, in response to their operation, trace the behavior of the employee posing the security risk, further analyze that behavior and take corresponding action, which may include, but is not limited to, revoking or reducing certain permissions of the employee.
Based on the above technical content, the basic information of the employees and the various behavior data are deeply fused to find the correspondence between behaviors and employees, that is, to determine which behaviors were performed by which employee, and whether each employee's behavior poses a security risk is then analyzed. Abnormal employee behavior is thereby discovered and warned about in time, which can reduce the security risk to data within the enterprise and avoid greater losses.
The foregoing describes a data processing method according to an embodiment of the present application with reference to the accompanying drawings, and next describes a data processing apparatus according to an embodiment of the present application with reference to fig. 5.
Fig. 5 is a schematic block diagram of a data processing apparatus provided by an embodiment of the present application. As shown in fig. 5, the data processing apparatus 500 may include an acquisition module 510 and a determination module 520. The data processing device 500 may be used to implement the steps of the embodiments shown in any of the foregoing figures 2 to 4.
Illustratively, the data processing apparatus 500 includes the obtaining module 510 and the determining module 520. The obtaining module 510 is configured to obtain behavior data of at least one employee, wherein the behavior data comprises: mail sending log, file printing log, remote control office terminal log, service system server log, service system database operation log and service system server operation log; the determining module 520 is configured to determine whether a security risk exists for each employee's behavior based on the behavior data and the basic information of the at least one employee, where the basic information of each employee includes at least one of: name, identity, mobile phone number, or address of office terminal used, where the identity is an identity card number or a work number.
Alternatively, the obtaining module 510 may specifically be configured to obtain the mail sending log from a server of a mailbox, obtain the file printing log from a server of a printer, obtain the remote control office terminal log from an office terminal, obtain a server log of the service system and a server operation log of the service system from a server of the service system, and obtain a database operation log of the service system from a database of the service system.
Optionally, the at least one employee comprises a first employee, the first employee being any one of the at least one employee; the determining module 520 may be specifically configured to: extract account information from the behavior data, where the account information includes a mailbox account, a service system account, a management account of a database of the service system, and a management account of a server of the service system; determine a correspondence between the account information and the first employee; obtain, based on the behavior data and the correspondence, a behavior chain of the first employee, wherein the behavior chain is formed by linking the behaviors of the first employee in chronological order; and determine, based on the behavior chain, whether the first employee's behavior poses a security risk.
Optionally, the determining module 520 may be specifically configured to determine, based on the behavior chain, that the behavior of the first employee poses a security risk if the behavior meets any one of the following conditions: logging in to the business system at different geographic locations within a first preset duration; or the number of mails sent within a second preset duration is greater than a first threshold; or the amount of data with a first preset label downloaded from the service system is greater than a second threshold; or the amount of data with a second preset label downloaded from the database of the service system is greater than a third threshold; or the content of a printed file relates to data with a third preset label; or the office terminal in use is remotely controlled for longer than a third preset duration.
Optionally, the data processing apparatus 500 may further include an early warning module, where the early warning module may be configured to generate, in a case where a security risk exists in a behavior of a first employee, alarm information including the first employee, the behavior with the security risk, and a time involved in the behavior with the security risk, where the first employee is any one of the at least one employee; and carrying out early warning based on the warning information.
Optionally, the early warning module may be specifically configured to send warning information to a preset mailbox account or a preset mobile phone number.
Optionally, the alarm information further includes a risk type corresponding to the behavior with security risk, and the early warning module may be specifically configured to send the alarm information to a preset mailbox account or a mobile phone number based on an alarm template corresponding to the risk type.
It should be understood that the division of the modules in the embodiment of the present application is illustrative, and is merely a logic function division, and other division manners may be implemented in practice. By way of example and not limitation, the data processing apparatus may be further divided into a log acquisition module, a data fusion module, a behavior analysis module, a behavior early warning module, and a behavior tracing module. The log collection module can be used for collecting various behavior data, including but not limited to mail sending logs, file printing logs, remote control office terminal logs, server logs of a service system, database operation logs of the service system, server operation logs of the service system and the like; the data fusion module can be used for carrying out identity normalization on staff, mailbox accounts, service system accounts and the like based on the behavior data and basic information of the staff, namely, determining which account corresponds to which staff and which behaviors are made by which staff, constructing and forming a knowledge graph, and further obtaining a behavior chain of the first staff based on the behavior data; the behavior analysis module can be used for performing behavior analysis based on a behavior chain of the staff and judging whether the behaviors of the staff have safety risks or not based on preset conditions; the behavior early warning module can be used for timely carrying out abnormal behavior early warning on the safety management department; the behavior tracing module can be used for tracing the behaviors of the staff with safety risks in response to the operation of the staff of the safety management department, further analyzing the behaviors of the staff and carrying out corresponding processing. The present application is not limited in any way.
In addition, the functional modules in the embodiments of the present application may be integrated into one processor, or may exist separately. The modules can be realized in the form of hardware or software functional modules.
Fig. 6 is a block diagram of an electronic device, which may be a computer, a server cluster, a cloud server, etc., in accordance with an example embodiment. The electronic device may be used to implement the method described in the embodiments shown in any of the above figures 2 to 4.
As shown in fig. 6, the electronic device 600 may include at least one processor 610 for implementing the method described in the embodiments shown in any of fig. 2-4.
Illustratively, the processor 610 may be configured to obtain behavioral data of at least one employee, the behavioral data including: mail sending log, file printing log, remote control office terminal log, service system server log, service system database operation log and service system server operation log; determining whether a security risk exists for the behaviour of each employee based on the behavioural data and the basic information of the at least one employee, the basic information of each employee comprising at least one of: name, identity, mobile phone number, or address of office terminal used, the identity is identification card number or work number. Reference is made specifically to the detailed description in the method examples, and details are not described here.
The electronic device 600 may also include at least one memory 620 that may be used to store program instructions and/or data. The memory 620 is configured to store various types of data to support operations at the electronic device 600. The memory 620 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as static random access memory (SRAM), read-only memory (ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), magnetic memory, flash memory, magnetic disk, or optical disk.
Memory 620 may be coupled to processor 610. The coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units, or modules, which may be in electrical, mechanical, or other forms for information interaction between the devices, units, or modules. The processor 610 may operate in conjunction with the memory 620. The processor 610 may execute program instructions stored in the memory 620. At least one of the at least one memory may be included in the processor.
The electronic device 600 may also include a receiver 630 and a transmitter 640 for communicating with other devices over a transmission medium, such that the electronic device 600 may communicate with other devices. The processor 610 may receive the data and/or information using the receiver 630, transmit the data and/or information using the transmitter 640, and be configured to implement the methods described in the embodiments shown in any of fig. 2-4.
The specific connection medium between the processor 610, the memory 620, the receiver 630, and the transmitter 640 is not limited in the embodiment of the present application.
In an exemplary embodiment, the electronic device 600 can be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic elements for performing the above-described methods.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided, such as a memory 620, including instructions executable by the processor 610 of the electronic device 600 to perform the above-described method. For example, the non-transitory computer readable storage medium may be ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
The present application also provides a computer program product comprising: a computer program (which may also be referred to as code, or instructions) which, when executed, causes a computer to perform the method as described in the embodiments shown in any of figures 2 to 4.
The present application also provides a computer-readable storage medium storing a computer program (which may also be referred to as code, or instructions). The computer program, when executed, causes a computer to perform the method as described in the embodiments shown in fig. 2 or fig. 3.
Those of ordinary skill in the art will appreciate that the various illustrative logical blocks and steps described in connection with the embodiments disclosed herein can be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. In the several embodiments provided by the present application, it should be understood that the disclosed apparatus, device and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative; the division of the modules is merely a logical function division, and there may be other divisions in actual implementation, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or modules, which may be in electrical, mechanical, or other forms.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
In the above embodiments, the functions of the respective functional modules may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the functions may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions (programs). When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are fully or partially produced. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital versatile disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence, or the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A method of data processing, comprising:
acquiring behavior data of at least one employee, the behavior data comprising: mail sending log, file printing log, remote control office terminal log, service system server log, service system database operation log and service system server operation log;
determining whether a security risk exists for each employee's behavior based on the behavior data and the at least one employee's basic information, each employee's basic information including at least one of: name, identity, mobile phone number, or address of office terminal used, wherein the identity is identity card number or work number.
2. The method of claim 1, wherein the obtaining behavioral data of at least one employee comprises:
the mail sending log is obtained from a server of a mailbox, the file printing log is obtained from a server of a printer, the remote control office terminal log is obtained from an office terminal, the server log of the business system and the server operation log of the business system are obtained from a server of a business system, and the database operation log of the business system is obtained from a database of the business system.
3. The method of claim 2, wherein the at least one employee comprises a first employee, the first employee being any one of the at least one employee;
the determining whether the behavior of each employee of the at least one employee is at a security risk based on the behavior data and the basic information of the at least one employee includes:
extracting account information from the behavior data, wherein the account information comprises a mailbox account, a service system account, a management account of a database of the service system and a management account of a server of the service system;
determining the corresponding relation between the account information and the first employee;
based on the behavior data and the corresponding relation, obtaining a behavior chain of the first employee, wherein the behavior chain is formed by connecting behaviors of the first employee in series by taking time as a chain;
based on the chain of behaviors, determining whether a security risk exists for the first employee's behavior.
4. A method as recited in claim 3, wherein said determining whether the first employee's behavior is at a security risk based on the chain of behaviors comprises:
based on the chain of behaviors, determining that the first employee's behavior is at a security risk if the first employee's behavior meets any of the following conditions:
logging in to the business system at different geographic locations within a first preset duration; or
the number of mails sent within a second preset duration is greater than a first threshold; or
the amount of data with a first preset label downloaded from the service system is greater than a second threshold; or
the amount of data with a second preset label downloaded from the database of the service system is greater than a third threshold; or
the content of a printed file relates to data with a third preset label; or
the office terminal in use is remotely controlled for longer than a third preset duration.
5. The method of any one of claims 1 to 4, wherein the method further comprises:
generating alarm information in the case that a security risk exists in the behavior of a first employee, wherein the alarm information comprises the first employee, the behavior with the security risk and the time related to the behavior with the security risk, and the first employee is any one of the at least one employee;
and carrying out early warning based on the alarm information.
6. The method of claim 5, wherein the carrying out early warning based on the alarm information comprises:
sending the alarm information to a preset mailbox account or mobile phone number.
7. The method of claim 6, wherein the alarm information further includes a risk type corresponding to the behavior with the security risk, and the sending the alarm information to a preset mailbox account or mobile phone number includes:
sending the alarm information to the preset mailbox account or mobile phone number based on an alarm template corresponding to the risk type.
8. A data processing apparatus, comprising:
an acquisition module, configured to acquire behavior data of at least one employee, wherein the behavior data comprises: mail sending log, file printing log, remote control office terminal log, service system server log, service system database operation log and service system server operation log;
a determining module, configured to determine whether a security risk exists in a behavior of each employee based on the behavior data and basic information of the at least one employee, where the basic information of each employee includes at least one of: name, identity, mobile phone number, or address of office terminal used, wherein the identity is identity card number or work number.
9. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
The memory is used for storing computer instructions;
the processor is configured to execute computer instructions stored in the memory to implement the method of any one of claims 1 to 7.
10. A computer readable storage medium having stored therein computer instructions which when executed cause the method of any of claims 1 to 7 to be implemented.
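The account correlation and behavior chain of claim 3, and two of the six conditions of claim 4 (logins from different locations, mail volume), sketched as an added example that is not part of the patent text. The event fields, account names, employee IDs and threshold values are constructed assumptions; the patent leaves all "preset" values open.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: accounts, employee IDs and thresholds are assumptions.
ACCOUNT_OWNER = {"biz_zhang": "E1001", "zhang@corp.example": "E1001",
                 "biz_li": "E1002", "li@corp.example": "E1002"}
EVENTS = [  # (time, account, action, detail), deliberately out of order
    ("2023-05-29T09:20:00", "biz_zhang", "login", "Shanghai"),
    ("2023-05-29T09:00:00", "biz_zhang", "login", "Beijing"),
    ("2023-05-29T09:30:00", "zhang@corp.example", "send", ""),
    ("2023-05-29T08:00:00", "biz_li", "login", "Beijing"),
    ("2023-05-29T08:30:00", "biz_li", "login", "Beijing"),
] + [(f"2023-05-29T10:0{m}:00", "li@corp.example", "send", "") for m in (0, 2, 4, 6)]
LOGIN_WINDOW = timedelta(hours=1)    # "first preset duration" (assumed)
MAIL_WINDOW = timedelta(minutes=10)  # "second preset time period" (assumed)
MAIL_THRESHOLD = 3                   # "first threshold" (assumed)

def build_chains(events, owners):
    """Attribute each event to an employee via its account, then order by time."""
    chains = defaultdict(list)
    for ts, account, action, detail in events:
        # Keep unmapped accounts visible instead of silently dropping them.
        employee = owners.get(account, "UNMAPPED:" + account)
        chains[employee].append((datetime.fromisoformat(ts), action, detail))
    for chain in chains.values():
        chain.sort(key=lambda event: event[0])
    return dict(chains)

def assess(chain):
    """Return which of the two implemented claim-4 conditions a chain meets."""
    risks = set()
    logins = [(t, place) for t, action, place in chain if action == "login"]
    for i, (t1, place1) in enumerate(logins):
        for t2, place2 in logins[i + 1:]:
            if t2 - t1 <= LOGIN_WINDOW and place1 != place2:
                risks.add("geo_login")
    sends = [t for t, action, _ in chain if action == "send"]
    start = 0
    for end, t in enumerate(sends):  # sliding window over send times
        while t - sends[start] > MAIL_WINDOW:
            start += 1
        if end - start + 1 > MAIL_THRESHOLD:
            risks.add("mail_burst")
    return risks

def find_risky(events, owners=ACCOUNT_OWNER):
    """Map employee -> set of met conditions, omitting employees with none."""
    results = {e: assess(c) for e, c in build_chains(events, owners).items()}
    return {e: r for e, r in results.items() if r}
```

Events from accounts with no known owner are chained under an `UNMAPPED:` key, so a gap in the account-to-employee mapping shows up in the results rather than hiding activity.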
CN202310614335.1A 2023-05-29 2023-05-29 Data processing method, device, electronic equipment and computer readable storage medium Pending CN116723212A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310614335.1A CN116723212A (en) 2023-05-29 2023-05-29 Data processing method, device, electronic equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN116723212A true CN116723212A (en) 2023-09-08

Family

ID=87874393

Country Status (1)

Country Link
CN (1) CN116723212A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116938595A (en) * 2023-09-11 2023-10-24 北京格尔国信科技有限公司 Method, system, terminal and storage medium for verifying identity security of terminal equipment
CN116938595B (en) * 2023-09-11 2023-12-26 北京格尔国信科技有限公司 Method, system, terminal and storage medium for verifying identity security of terminal equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination