CN117574363B - Data security event detection method, device, computer equipment and storage medium (Google Patents)

Info

Publication number: CN117574363B
Application number: CN202410056105.2A
Other versions: CN117574363A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Active (as listed by Google Patents, which notes that the status is an assumption and not a legal conclusion)
Prior art keywords: event, result, asset, space, data
Inventors: 柳遵梁, 覃锦端, 王月兵, 周杰, 闻建霞, 刘聪, 毛菲
Original and current assignee: Hangzhou Meichuang Technology Co ltd
Events: application CN202410056105.2A filed by Hangzhou Meichuang Technology Co ltd; publication of CN117574363A; application granted; publication of CN117574363B.

Classifications

    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action (under G06F21/00, security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract

The embodiments of the invention disclose a data security event detection method, a data security event detection device, computer equipment and a storage medium. The method comprises the following steps: acquiring a data asset and defining it to obtain a first definition result; learning the expected normal events of the data asset to obtain a learning result; defining data asset mutation events to obtain a second definition result; acquiring a data asset to be detected; detecting the behavior events, active time events and network space position events of the data asset to be detected to obtain the events to be detected; determining whether a mutation event exists among the events to be detected to obtain a determination result; raising an alarm when the determination result shows a mutation event; and adjusting the algorithm of the learning result and the second definition result. By implementing the method of the embodiments, data and data assets can be comprehensively protected, and data security events can be detected, discovered and responded to in time.

Description

Data security event detection method, device, computer equipment and storage medium
Technical Field
The present invention relates to data security, and more particularly, to a data security event detection method, apparatus, computer device, and storage medium.
Background
With the rapid development of technologies such as big data, the Internet of Things and 5G communication, and the advance of society's digitalization, large amounts of data are generated at every moment, and the security problems of data assets, the carriers of that data, are growing accordingly. In recent years, data security events such as data leakage and data ransom have been frequent worldwide; the total amount of leaked data has reached the trillion level, and data ransoms have reached hundreds of millions of dollars. The advancement of data asset protection methods has not kept pace with the explosive growth of data security events, and the protection of data assets still depends on conventional network security methods. Traditional network security measures focus on protecting the network boundary and on outside-in attacks. Once an attacker has broken through the network security boundary and attacks data assets and data, conventional network security protection cannot discover the attacker's abnormal operations in time.
Therefore, there is a need to devise a new method to implement comprehensive protection of data and data assets, and to detect and discover data security events in time and respond.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a data security event detection method, a data security event detection device, computer equipment and a storage medium.
In order to achieve the above purpose, the present invention adopts the following technical scheme: the data security event detection method comprises the following steps:
acquiring a data asset and defining the data asset to obtain a first definition result;
learning the expected normal events of the data asset from the first definition result to obtain a learning result;
defining a data asset mutation event to obtain a second definition result;
acquiring a data asset to be detected;
detecting behavior events, active time events and network space position events of the data asset to be detected to obtain events to be detected;
determining whether a mutation event exists among the events to be detected to obtain a determination result;
when the determination result shows that a mutation event exists among the events to be detected, raising an alarm according to the determined mutation event to obtain an alarm result;
and adjusting the algorithm of the learning result and the second definition result according to the accuracy of the alarm result, so as to update the learning result and the second definition result.
The further technical scheme is as follows: the acquiring the data asset and defining the data asset to obtain a first defining result includes:
and acquiring the data asset by adopting a scanning or manual entry mode, and classifying and defining the data asset according to different types of basic information and associated information to obtain a first defining result.
The further technical scheme is as follows: the learning of the expected normal event of the data asset to the first defined result to obtain a learned result includes:
Mapping the first defining result into a probability space for learning so as to obtain expected probability;
and adding the event with the expected probability larger than the set value into an expected normal event to obtain a learning result.
The further technical scheme is as follows: the probability space is $(S, F, P)$, where $S$ is the sample space, the event space is $F = (F_{\mathrm{exp}} \cup F_{\mathrm{mut}}) \subseteq S$, $F_{\mathrm{exp}}$ is the expected event space, $F_{\mathrm{mut}}$ is the mutation event space, $S$ represents the event outcomes of all possible occurrences in the first definition result, and $P$ is the probability function.
The further technical scheme is as follows: the defining a data asset mutation event to obtain a second definition result, comprising:
determining a data asset mutation event through the learning result to obtain a first result;
Determining a data asset mutation event by using the probability space to obtain a second result;
and carrying out a union on the first result and the second result to obtain a second definition result.
The further technical scheme is as follows: the detecting the behavior event, the active time event and the network space position event of the data asset to be detected to obtain the event to be detected comprises the following steps:
Extracting a behavior event space of the data asset from the event space, and determining a probability function of the behavior event space to obtain a behavior event;
Extracting an active time event space of the data asset from the event space, and determining a probability function of the active time event space to obtain an active time event;
extracting a network space position event space of the data asset from the event space, and determining a probability function of the network space position event space to obtain a network space position event;
combining the behavioral events, the active time events, and the network spatial location events.
The further technical scheme is as follows: the determining whether the event to be detected has a mutation event to obtain a determination result includes:
When the second definition result is not empty, determining whether an element belonging to the second definition result exists in the event to be detected, and if the element belonging to the second definition result exists in the event to be detected, determining an event corresponding to the element as a mutation event so as to obtain a determination result; and when the second definition result is empty, determining whether an element which does not belong to the learning result exists in the event to be detected, and if the element which does not belong to the learning result exists in the event to be detected, determining the event corresponding to the element as a mutation event so as to obtain a determination result.
The invention also provides a data security event detection device, which comprises:
the first defining unit is used for acquiring data assets and defining the data assets to obtain a first defining result;
the learning unit is used for learning the expected normal event of the data asset to the first definition result so as to obtain a learning result;
The second definition unit is used for defining the data asset mutation event to obtain a second definition result;
the to-be-detected asset acquisition unit is used for acquiring to-be-detected data assets;
The detection unit is used for detecting the behavior event, the active time event and the network space position event of the data asset to be detected so as to obtain the event to be detected;
the determining unit is used for determining whether the event to be detected has a mutation event or not so as to obtain a determination result;
the alarm unit is used for alarming according to the determined mutation event when the event to be detected has the mutation event in the determination result so as to obtain an alarm result;
and the adjusting unit is used for carrying out algorithm adjustment on the learning result and the second definition result according to the accuracy of the alarm result so as to update the learning result and the second definition result.
The invention also provides a computer device which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the method when executing the computer program.
The present invention also provides a storage medium storing a computer program which, when executed by a processor, implements the above method.
Compared with the prior art, the invention has the following beneficial effects. Using a probability space as a learning aid, the behavior, active time and network space position events that a data asset is expected to produce are learned in advance, so that unexpected mutation events can be defined and detected, and the learning model can keep evolving with a small amount of manual intervention. Taking the data asset expected event definition and the data asset mutation event definition as the basis, whether a mutation event exists is judged from the three dimensions of the data asset's daily behavior, daily active time and daily network space position, so that data security events are judged accurately, data and data assets are comprehensively protected, and data security events are detected, discovered and responded to in time.
The invention is further described below with reference to the drawings and specific embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an application scenario of a data security event detection method according to an embodiment of the present invention;
Fig. 2 is a flow chart of a data security event detection method according to an embodiment of the present invention;
FIG. 3 is a schematic sub-flowchart of a method for detecting a data security event according to an embodiment of the present invention;
FIG. 4 is a schematic sub-flowchart of a method for detecting a data security event according to an embodiment of the present invention;
FIG. 5 is a schematic sub-flowchart of a method for detecting a data security event according to an embodiment of the present invention;
FIG. 6 is a schematic block diagram of a data security event detection device according to an embodiment of the present invention;
FIG. 7 is a schematic block diagram of a learning unit of the data security event detection device according to an embodiment of the present invention;
FIG. 8 is a schematic block diagram of a second definition unit of the data security event detection device according to an embodiment of the present invention;
FIG. 9 is a schematic block diagram of a detection unit of a data security event detection device according to an embodiment of the present invention;
fig. 10 is a schematic block diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic application scenario diagram of a data security event detection method according to an embodiment of the present invention. Fig. 2 is a schematic flow chart of a data security event detection method according to an embodiment of the present invention. The data security event detection method is applied to the server. The server performs data interaction with the terminal, and through learning the events of behaviors, active time and network space positions in the data asset expectation in advance, the unexpected mutation event can be defined and detected, and through a small amount of manual intervention, the learning model can be continuously evolved, so that accurate data security event detection response can be realized.
Fig. 2 is a flowchart of a data security event detection method according to an embodiment of the present invention. As shown in fig. 2, the method includes the following steps S110 to S180.
S110, acquiring a data asset and defining the data asset to obtain a first defining result.
In this embodiment, the first defining result refers to a result formed by dividing and classifying basic information and associated information corresponding to an account asset event, a terminal PC asset event, a server asset event, a database system asset event, an application asset event, a narrow data asset event, and a file asset event.
Specifically, various data assets exist in an organization, including but not limited to accounts, terminal PCs, servers, database systems, application programs, related data, files and the like. Members of the organization are given organization accounts; after logging in to those accounts on terminal PCs, they run application programs to perform daily production work, and the process files, data and so on that they generate are stored on the servers and in the database systems deployed on those servers.
In this embodiment, a scanning or manual entry manner is adopted to acquire a data asset, and the data asset is classified and defined according to different types of basic information and associated information, so as to obtain a first defining result.
The definition of the data asset needs to encompass all valuable objects within an organization including, but not limited to, devices, applications, software, data, files, accounts, and the like. The data asset definition is completed by the data asset inventory module through the modes of data asset automatic scanning, data asset owner input and the like, and the defined data asset information comprises four parts including a data asset identifier, a data asset name, a data asset owner and other information of the data asset.
Data assets in the organization are defined through the two modes of automatic data asset scanning and manual input. The defined organization data assets are the sets {account asset basic information}, {terminal PC asset basic information}, {server asset basic information}, {database system asset basic information, database system asset associated information}, {application asset basic information, application asset associated information}, {narrow-sense data asset basic information, narrow-sense data asset associated information}, {file asset basic information, file asset associated information}.
In this embodiment, the basic information is information about the asset itself, and the associated information is information relating the asset to other assets. Account asset basic information includes the account name and account password, and its associated information includes account superior/subordinate relationship information; terminal PC asset basic information includes the MAC address and IP address of the terminal PC, and its associated information includes terminal PC communication information; server asset basic information includes server system version information, and its associated information includes the running service applications and the installed software list; application asset basic information includes application names and installation locations, and its associated information includes application deployment user information; database system asset basic information includes the database IP and database certificate, and its associated information includes the business information of the services using the database; narrow-sense data asset basic information includes data table names and data table field information, and its associated information includes the data table's foreign key information; file asset basic information includes the file name and directory, and its associated information includes the file owner and the terminal PC/server information.
S120, learning the expected normal event of the data asset to the first defining result to obtain a learning result.
In this embodiment, the learning result refers to a normal event in which the data asset is extracted by learning.
In one embodiment, referring to fig. 3, the step S120 may include steps S121 to S122.
S121, mapping the first definition result into a probability space for learning so as to obtain expected probabilities.
In this embodiment, the expected probability refers to the probability of occurrence of an event in the first definition result.
The probability space is $(S, F, P)$, where $S$ is the sample space, the event space is $F = (F_{\mathrm{exp}} \cup F_{\mathrm{mut}}) \subseteq S$, $F_{\mathrm{exp}}$ is the expected event space, $F_{\mathrm{mut}}$ is the mutation event space, $S$ represents the event outcomes of all possible first definition results, and $P$ is the probability function.
Specifically, during the learning period there is a probability space $(S, F, P)$. Any event occurring in any data asset during the learning period is included in the sample space $S$, where $S$ = {account asset event, terminal PC asset event, server asset event, database system asset event, application asset event, narrow-sense data asset event, file asset event}; the event space $F$ is any subset of the sample space $S$, and the probability function $P$ is used to calculate the occurrence probability of any event in the event space $F$. Thus $P(S) = P$({account asset event, terminal PC asset event, server asset event, database system asset event, application asset event, narrow-sense data asset event, file asset event}) $= 1$, and when $P(F) > 0.9$, $F_{\mathrm{exp}} = F$. That is, after calculation by the probability function, the part of the event space $F$ with probability greater than 0.9 is added to the expected event space $F_{\mathrm{exp}}$, where $F_{\mathrm{exp}}$ = {account asset expected event, terminal PC asset expected event, server asset expected event, database system asset expected event, application asset expected event, narrow-sense data asset expected event, file asset expected event}.
S122, adding the event with the expected probability larger than a set value into an expected normal event to obtain a learning result.
In this embodiment, the set value is 0.9; it may be set to another value according to the actual situation.
S130, defining a data asset mutation event to obtain a second definition result.
In this embodiment, the second definition result is the content of the data asset mutation event.
In one embodiment, referring to fig. 4, the step S130 may include steps S131 to S133.
S131, determining a data asset mutation event through a learning result to obtain a first result.
In this embodiment, the first result refers to a data asset mutation event determined by a learning result. Specifically, the data asset mutation event refers to an event that does not belong to an expected event or has an event occurrence probability of 0.1 or less after the learning period.
Specifically, from the learning result $F_{\mathrm{exp}}$ = {account asset expected event, terminal PC asset expected event, server asset expected event, database system asset expected event, application asset expected event, narrow-sense data asset expected event, file asset expected event}, we obtain $Q_1 = F - F_{\mathrm{exp}} = F -$ {account asset expected event, terminal PC asset expected event, server asset expected event, database system asset expected event, application asset expected event, narrow-sense data asset expected event, file asset expected event}; $Q_1 \subseteq F$, and $Q_1$, the set of data asset unexpected events, is a data asset mutation event.
S132, determining a data asset mutation event by using the probability space so as to obtain a second result.
In this embodiment, the second result is a data asset mutation event determined using probability space.
When $P(F) \le 0.1$, $Q_2 = F$ is obtained. From the data asset event probability space $(S, F, P)$, $P(F) = P(F_{\mathrm{exp}}) + P(F_{\mathrm{mut}}) = 1$; since the expected event learning requires $P(F_{\mathrm{exp}}) > 0.9$, it follows that $P(F_{\mathrm{mut}}) \le 0.1$, i.e. a data asset event in the event space $F$ whose probability is less than or equal to 0.1 is a data asset mutation event. Therefore a data asset mutation event can be defined, where the data asset mutation event $Q_2$ is: $Q_2 \subseteq F$, $P(Q_2) \le 0.1$.
S133, carrying out a union set on the first result and the second result to obtain a second definition result.
Specifically, after the two definitions are made, the data asset mutation event $Q = Q_1 \cup Q_2$ = {account asset mutation event, terminal PC asset mutation event, server asset mutation event, database system asset mutation event, application asset mutation event, narrow-sense data asset mutation event, file asset mutation event} is obtained.
S140, acquiring the data asset to be detected.
In this embodiment, the data asset to be detected is an asset that is entered through a terminal and that requires mutation event monitoring.
And S150, detecting the behavior event, the active time event and the network space position event of the data asset to be detected to obtain the event to be detected.
In this embodiment, the events to be detected include the behavior events, active time events and network space location events of the data asset to be detected.
In one embodiment, referring to fig. 5, the step S150 may include steps S151 to S154.
S151, extracting a behavior event space of the data asset from the event space, and determining a probability function of the behavior event space to obtain a behavior event.
In this embodiment, data asset behavior events are the actions performed by the data asset; login and logout of an account, request and response of a software application, operation of a device, and so on all belong to data asset behavior events.
The data asset behavior event space $F_1 \subseteq F$ is extracted from the event space $F$. $P_1$ is the probability function of the data asset behavior event space $F_1$, so $P_1(F_1) \le P(F) < 1$. The data asset mutation event $Q$ is not empty, and the current data asset behavior event is $f_1 \in F_1$.
S152, extracting an active time event space of the data asset from the event space, and determining a probability function of the active time event space to obtain an active time event.
In this embodiment, the active time event is a time period during which the data asset performs an action, a creation and modification time of a file, a startup and shutdown event of an operating system, and the like.
Specifically, the data asset active time event space $F_2 \subseteq F$ is extracted from the event space $F$. $P_2$ is the probability function of the data asset active time event space $F_2$, so $P_2(F_2) \le P(F) < 1$. The data asset mutation event $Q$ is not empty, and the current data asset active time event is $f_2 \in F_2$.
S153, extracting the network space position event space of the data asset from the event space, and determining a probability function of the network space position event space to obtain a network space position event.
In this embodiment, the network space location event refers to a location where a data asset is located in an organization network space topology, a communication between devices, a disk location where a file is stored, a login location of an account, and the like within a certain period of time.
In this embodiment, a data asset behavior event is an action performed by a data asset; login and logout of an account, request and response of a software application, operation of a device, and so on all belong to data asset behavior events, for example a certain device deleting a certain file.
In this embodiment, an active time event refers to the time period in which a data asset performs an action, the creation and modification time of a file, the startup and shutdown events of an operating system, and so on; for example, a certain terminal PC is powered on during employee working hours (9:00-18:00) and powered off at other times.
In this embodiment, a network space location event refers to the location of a data asset in the organization's network space topology, communication between devices, the disk location where a file is stored, the login location of an account, and so on within a certain period of time; for example, the current login IP of an account is that account's location in the network space.
S154, combining the behavior event, the active time event, and the network space location event.
S160, determining whether the event to be detected has a mutation event or not so as to obtain a determination result.
In this embodiment, the determination result records whether a mutation event exists among the events to be detected and, specifically, which event is the mutation event.
Specifically, when the second definition result is not null, determining whether an element belonging to the second definition result exists in the event to be detected, and if the element belonging to the second definition result exists in the event to be detected, determining an event corresponding to the element as a mutation event to obtain a determination result; and when the second definition result is empty, determining whether an element which does not belong to the learning result exists in the event to be detected, and if the element which does not belong to the learning result exists in the event to be detected, determining the event corresponding to the element as a mutation event so as to obtain a determination result.
Specifically, to determine whether the event to be detected is a mutation event, first note that in the learning phase $P(F_{\mathrm{exp}}) = P_1(F_1) + P_2(F_2) + P_3(F_3)$. When a data asset event occurs, there is a current event $f$ and the decision process is entered. When the data asset mutation event $Q$ is not empty, $f$ is a mutation event if $f \in Q$, otherwise $f$ is judged to be an expected normal event. When $Q$ is empty, $f$ is an expected normal event if $f \in F_{\mathrm{exp}}$, otherwise $f$ is judged to be a mutation event; and if $P(f) > 0.9$, $f$ is an expected normal event, otherwise $f$ is judged to be a mutation event.
In this embodiment, in the learning phase the total probability of occurrence of the data asset expected events equals the sum of the occurrence probabilities of the data asset behavior expected events, the data asset active time expected events and the data asset network space location expected events, i.e. $P(F_{\mathrm{exp}}) = P_1(F_1) + P_2(F_2) + P_3(F_3)$.
In this embodiment, it is determined whether the behavior event $f_1$, the active time event $f_2$ and the network space location event $f_3$ of the current data asset are mutation events. If $f_1 \in Q$, $f_1$ is a mutation event; after event detection in the data asset behavior event space $F_1$ is completed, there is a data asset behavior mutation event set $F_{\mathrm{mut},1}$ = {account asset behavior mutation event, terminal PC asset behavior mutation event, server asset behavior mutation event, database system asset behavior mutation event, application asset behavior mutation event, narrow-sense data asset behavior mutation event, file asset behavior mutation event}. If $f_2 \in Q$, $f_2$ is a mutation event; after event detection in the data asset active time event space $F_2$ is completed, there is a data asset active time mutation event set $F_{\mathrm{mut},2}$ = {account asset active time mutation event, terminal PC asset active time mutation event, server asset active time mutation event, database system asset active time mutation event, application asset active time mutation event, narrow-sense data asset active time mutation event, file asset active time mutation event}. If $f_3 \in Q$, $f_3$ is a mutation event; after event detection in the data asset network space location event space $F_3$ is completed, there is a data asset network space location mutation event set $F_{\mathrm{mut},3}$ = {account network space location mutation event, terminal PC network space location mutation event, server network space location mutation event, database system network space location mutation event, application network space location mutation event, narrow-sense data network space location mutation event, file network space location mutation event}.
S170, when the event to be detected has a mutation event in the determination result, alarming according to the determined mutation event to obtain an alarming result.
In this embodiment, when f is a mutation event, a data security event alarm is triggered to inform the user that there is a data security risk in organizing the data asset, and the risk source is the mutation event f.
In this example, F_mut = F_mut1 + F_mut2 + F_mut3 = { account asset mutation event, terminal PC asset mutation event, server asset mutation event, database system asset mutation event, application asset mutation event, narrow-sense data asset mutation event, file asset mutation event }, and the corresponding details are alerted according to the type of data asset and its abnormal mutation in behavior, active time or network space location.
And S180, carrying out algorithm adjustment on the learning result and the second definition result according to the accuracy of the alarm result so as to update the learning result and the second definition result.
In this embodiment, after a data security event alarm occurs, the threshold P(F_exp) > 0.9 and the composition of the data asset mutation event definition Q (Q = Q1 + Q2, with Q1 ⊆ Q, Q2 ⊆ Q and Q = Q1 ∪ Q2) are adjusted manually through analysis of the false alarm and missed alarm conditions, step S120 above is executed again, and improvement continues according to the subsequent alarm accuracy analysis.
Specifically, the algorithms defining expected events and mutation events are adjusted according to the accuracy of the alarm result. In this example, after the details of the alarm result were confirmed manually, a very small number of alarmed events turned out to be actual normal events; the parameter of the event probability function P(F_exp) that defines expected events was down-regulated to 0.89, and after re-learning the corresponding false alarm events were resolved.
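The S160 to S180 decision logic above, as an added Python example that is not part of the patent: it learns per-dimension probabilities from a constructed event history, applies both the Q-defined and the Q-empty branches, and reproduces the 0.9 to 0.89 threshold adjustment from the S180 example. The asset name, event values and dictionary layout are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# The three detection dimensions of the method: behaviour, active time, network space location.
DIMENSIONS = ("behavior", "active_time", "location")


@dataclass
class Detector:
    set_value: float = 0.9  # the learning threshold; the page uses P > 0.9
    probability: dict = field(default_factory=lambda: {d: {} for d in DIMENSIONS})  # P1, P2, P3
    expected: dict = field(default_factory=lambda: {d: set() for d in DIMENSIONS})  # F_exp per dimension
    mutation_defs: dict = field(default_factory=lambda: {d: set() for d in DIMENSIONS})  # Q = Q1 ∪ Q2

    def learn(self, history):
        """S120: map the history into a probability space; events with P > set_value become expected."""
        for dim in DIMENSIONS:
            counts = Counter(ev[dim] for ev in history)
            total = sum(counts.values())
            self.probability[dim] = {k: c / total for k, c in counts.items()}
            self.expected[dim] = {k for k, p in self.probability[dim].items() if p > self.set_value}

    def determine(self, event):
        """S160: return the dimensions of `event` judged to be mutation events ([] = expected normal)."""
        q_defined = any(self.mutation_defs.values())
        mutations = []
        for dim in DIMENSIONS:
            f = event[dim]
            if q_defined:
                # Q not empty: f is a mutation iff f ∈ Q; anything else is treated as expected normal,
                # exactly as the page states, so Q must be kept complete for every dimension.
                is_mutation = f in self.mutation_defs[dim]
            elif f in self.expected[dim]:
                is_mutation = False  # Q empty and f ∈ F_exp
            else:
                # Q empty and f ∉ F_exp: fall back on P(f) > set_value; unseen values have P = 0
                is_mutation = self.probability[dim].get(f, 0.0) <= self.set_value
            if is_mutation:
                mutations.append(dim)
        return mutations

    def alarm(self, asset, event):
        """S170: build the alarm result naming the risk source, or None when no mutation was found."""
        mutations = self.determine(event)
        if not mutations:
            return None
        return {"asset": asset, "dimensions": mutations,
                "risk_source": {d: event[d] for d in mutations}}

    def adjust(self, history, set_value=None, mutation_defs=None):
        """S180: change the threshold and/or Q after reviewing alarm accuracy, then re-run S120."""
        if set_value is not None:
            self.set_value = set_value
        if mutation_defs is not None:
            self.mutation_defs = {d: set(mutation_defs.get(d, ())) for d in DIMENSIONS}
        self.learn(history)


# Constructed learning history for one database asset (200 events):
# behaviour "select" occurs 179 times (P = 0.895) and "export" 21 times, all within business hours,
# 190 from the office subnet and 10 over VPN.
HISTORY = (
    [{"behavior": "select", "active_time": "business_hours", "location": "office_subnet"}] * 169
    + [{"behavior": "select", "active_time": "business_hours", "location": "vpn"}] * 10
    + [{"behavior": "export", "active_time": "business_hours", "location": "office_subnet"}] * 21
)


def run_demo():
    det = Detector()
    det.learn(HISTORY)
    # With Q empty, the routine query sits at P = 0.895 < 0.9, so it is (falsely) flagged on "behavior".
    routine = {"behavior": "select", "active_time": "business_hours", "location": "office_subnet"}
    before = det.determine(routine)
    det.adjust(HISTORY, set_value=0.89)  # manual down-regulation to 0.89, as in the S180 example
    after = det.determine(routine)
    # A never-seen behaviour from a never-seen location is a mutation on two dimensions.
    suspicious = {"behavior": "bulk_export", "active_time": "business_hours", "location": "foreign_ip"}
    alarm = det.alarm("db-prod-01", suspicious)  # hypothetical asset name
    # With Q defined, membership in Q alone decides, so only "location" is reported.
    det.adjust(HISTORY, mutation_defs={"location": {"foreign_ip"}})
    with_q = det.determine(suspicious)
    return before, after, alarm, with_q


if __name__ == "__main__":
    for label, value in zip(("before", "after", "alarm", "with_q"), run_demo()):
        print(label, value)
```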
According to the data security event detection method, the events of behaviors, active time and network space positions in the data asset expectation are learned in advance by utilizing the probability space auxiliary learning means, so that unexpected mutation events can be defined and detected, a learning model can be continuously evolved by a small amount of manual intervention, whether mutation events exist or not is judged from three dimensions of daily behaviors, daily active time and daily network space positions of the data asset by taking the data asset expectation event definition and the data asset mutation event definition as a basis, and therefore the data security events are accurately judged, comprehensive protection of data and data assets is achieved, and the data security events are detected and responded in time.
Fig. 6 is a schematic block diagram of a data security event detection device 300 according to an embodiment of the present invention. As shown in fig. 6, the present invention further provides a data security event detection device 300 corresponding to the above data security event detection method. The data security event detection device 300 includes means for performing the data security event detection method described above, which may be configured in a server. Specifically, referring to fig. 6, the data security event detection apparatus 300 includes a first defining unit 301, a learning unit 302, a second defining unit 303, an asset to be detected acquiring unit 304, a detecting unit 305, a determining unit 306, an alarm unit 307, and an adjusting unit 308.
A first defining unit 301, configured to obtain a data asset, and define the data asset to obtain a first defining result; a learning unit 302, configured to learn an expected normal event of the data asset for the first defining result, so as to obtain a learning result; a second definition unit 303, configured to define the data asset mutation event to obtain a second definition result; a to-be-detected asset acquisition unit 304, configured to acquire a to-be-detected data asset; the detecting unit 305 is configured to detect a behavior event, an active time event, and a network space position event on the to-be-detected data asset, so as to obtain the to-be-detected event; a determining unit 306, configured to determine whether the event to be detected has a mutation event, so as to obtain a determination result; an alarm unit 307, configured to alarm according to the determined mutation event when the determination result is that the event to be detected has the mutation event, so as to obtain an alarm result; and the adjusting unit 308 is configured to perform algorithm adjustment on the learning result and the second definition result according to the accuracy of the alarm result, so as to update the learning result and the second definition result.
In an embodiment, the first defining unit 301 is configured to acquire a data asset by scanning or manual entry, and to classify and define the data asset according to different types of basic information and associated information to obtain a first defining result.
In one embodiment, as shown in fig. 7, the learning unit 302 includes a probability learning subunit 3021 and a joining subunit 3022.
A probability learning subunit 3021, configured to map the first defining result into a probability space for learning, so as to obtain an expected probability; and an adding subunit 3022, configured to add the events whose expected probability is greater than the set value to the expected normal events, so as to obtain a learning result.
In one embodiment, as shown in fig. 8, the second definition unit 303 includes a first determination subunit 3031, a second determination subunit 3032, and a union subunit 3033.
A first determining subunit 3031, configured to determine, by the learning result, a data asset mutation event to obtain a first result; a second determining subunit 3032, configured to determine a data asset mutation event using the probability space to obtain a second result; and a union subunit 3033, configured to perform union on the first result and the second result to obtain a second defined result.
In one embodiment, as shown in fig. 9, the detecting unit 305 includes a first detecting subunit 3051, a second detecting subunit 3052, a third detecting subunit 3053, and a combining subunit 3054.
A first detection subunit 3051, configured to extract a behavior event space of the data asset from the event space, and determine a probability function of the behavior event space to obtain a behavior event; a second detection subunit 3052, configured to extract an active time event space of the data asset from the event space, and determine a probability function of the active time event space to obtain an active time event; a third detection subunit 3053, configured to extract a network space position event space of the data asset from the event space, and determine a probability function of the network space position event space, so as to obtain a network space position event; a combining subunit 3054 is configured to combine the behavior event, the active time event, and the network space location event.
In an embodiment, the determining unit 306 is configured to determine whether an element belonging to the second definition result exists in the event to be detected when the second definition result is not null, and if the element belonging to the second definition result exists in the event to be detected, determine an event corresponding to the element as a mutation event, so as to obtain a determination result; and when the second definition result is empty, determining whether an element which does not belong to the learning result exists in the event to be detected, and if the element which does not belong to the learning result exists in the event to be detected, determining the event corresponding to the element as a mutation event so as to obtain a determination result.
It should be noted that, as will be clearly understood by those skilled in the art, the specific implementation process of the data security event detection apparatus 300 and each unit may refer to the corresponding description in the foregoing method embodiment, and for convenience and brevity of description, the description is omitted here.
The data security event detection device 300 described above may be implemented in the form of a computer program which is executable on a computer device as shown in fig. 10.
Referring to fig. 10, fig. 10 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, where the server may be a stand-alone server or may be a server cluster formed by a plurality of servers.
With reference to FIG. 10, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer program 5032 includes program instructions that, when executed, cause the processor 502 to perform a data security event detection method.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of a computer program 5032 in the non-volatile storage medium 503, which computer program 5032, when executed by the processor 502, causes the processor 502 to perform a data security event detection method.
The network interface 505 is used for network communication with other devices. It will be appreciated by those skilled in the art that the structure shown in FIG. 10 is merely a block diagram of some of the structures associated with the present inventive arrangements and does not constitute a limitation of the computer device 500 to which the present inventive arrangements may be applied, and that a particular computer device 500 may include more or fewer components than shown, or may combine certain components, or may have a different arrangement of components.
Wherein the processor 502 is configured to execute a computer program 5032 stored in a memory to implement the steps of:
Acquiring a data asset and defining the data asset to obtain a first defining result; learning the expected normal event of the data asset to the first defining result to obtain a learning result; defining a data asset mutation event to obtain a second definition result; acquiring a data asset to be detected; detecting behavior events, active time events and network space position events of the data assets to be detected to obtain events to be detected; determining whether the event to be detected has a mutation event or not so as to obtain a determination result; when the event to be detected has a mutation event in the determination result, alarming according to the determined mutation event to obtain an alarming result; and carrying out algorithm adjustment on the learning result and the second definition result according to the accuracy of the alarm result so as to update the learning result and the second definition result.
In one embodiment, when the processor 502 implements the step of obtaining the data asset and defining the data asset to obtain the first defining result, the following steps are specifically implemented:
and acquiring the data asset by adopting a scanning or manual entry mode, and classifying and defining the data asset according to different types of basic information and associated information to obtain a first defining result.
In one embodiment, when the learning of the expected normal event of the data asset for the first defined result is performed by the processor 502 to obtain a learning result, the following steps are specifically implemented:
Mapping the first defining result into a probability space for learning so as to obtain expected probability; and adding the event with the expected probability larger than the set value into an expected normal event to obtain a learning result.
Wherein the probability space is (S, F, P), where S is the sample space, the event space F = (F_exp + F_mut) ⊆ S, F_exp is the expected event space, F_mut is the mutation event space, S represents the event outcomes of all possible first defining results, and P is the probability function.
In one embodiment, when implementing the defining data asset mutation event to obtain the second defining result step, the processor 502 specifically implements the following steps:
Determining a data asset mutation event through the learning result to obtain a first result; determining a data asset mutation event by using the probability space to obtain a second result; and carrying out a union on the first result and the second result to obtain a second definition result.
In an embodiment, when the step of detecting the behavior event, the active time event, and the network space location event of the data asset to be detected to obtain the event to be detected is implemented by the processor 502, the following steps are specifically implemented:
Extracting a behavior event space of the data asset from the event space, and determining a probability function of the behavior event space to obtain a behavior event; extracting an active time event space of the data asset from the event space, and determining a probability function of the active time event space to obtain an active time event; extracting a network space position event space of the data asset from the event space, and determining a probability function of the network space position event space to obtain a network space position event; combining the behavioral events, the active time events, and the network spatial location events.
In an embodiment, when the step of determining whether the event to be detected has a mutation event is implemented by the processor 502 to obtain a determination result, the following steps are specifically implemented:
When the second definition result is not empty, determining whether an element belonging to the second definition result exists in the event to be detected, and if the element belonging to the second definition result exists in the event to be detected, determining an event corresponding to the element as a mutation event so as to obtain a determination result; and when the second definition result is empty, determining whether an element which does not belong to the learning result exists in the event to be detected, and if the element which does not belong to the learning result exists in the event to be detected, determining the event corresponding to the element as a mutation event so as to obtain a determination result.
It should be appreciated that in embodiments of the present application, the processor 502 may be a central processing unit (Central Processing Unit, CPU); the processor 502 may also be another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
Those skilled in the art will appreciate that all or part of the flow in a method embodying the above described embodiments may be accomplished by computer programs instructing the relevant hardware. The computer program comprises program instructions, and the computer program can be stored in a storage medium, which is a computer readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer readable storage medium. The storage medium stores a computer program which, when executed by a processor, causes the processor to perform the steps of:
Acquiring a data asset and defining the data asset to obtain a first defining result; learning the expected normal event of the data asset to the first defining result to obtain a learning result; defining a data asset mutation event to obtain a second definition result; acquiring a data asset to be detected; detecting behavior events, active time events and network space position events of the data assets to be detected to obtain events to be detected; determining whether the event to be detected has a mutation event or not so as to obtain a determination result; when the event to be detected has a mutation event in the determination result, alarming according to the determined mutation event to obtain an alarming result; and carrying out algorithm adjustment on the learning result and the second definition result according to the accuracy of the alarm result so as to update the learning result and the second definition result.
In one embodiment, the processor, when executing the computer program to implement the acquiring data asset and defining the data asset to obtain the first defining result, specifically implements the following steps:
and acquiring the data asset by adopting a scanning or manual entry mode, and classifying and defining the data asset according to different types of basic information and associated information to obtain a first defining result.
In one embodiment, when the processor executes the computer program to implement the learning of the expected normal event of the data asset for the first defined result to obtain a learning result, the following steps are specifically implemented:
Mapping the first defining result into a probability space for learning so as to obtain expected probability; and adding the event with the expected probability larger than the set value into an expected normal event to obtain a learning result.
Wherein the probability space is (S, F, P), where S is the sample space, the event space F = (F_exp + F_mut) ⊆ S, F_exp is the expected event space, F_mut is the mutation event space, S represents the event outcomes of all possible first defining results, and P is the probability function.
In one embodiment, the processor, when executing the computer program to implement the defining data asset mutation event to obtain the second defining result step, specifically implements the following steps:
Determining a data asset mutation event through the learning result to obtain a first result; determining a data asset mutation event by using the probability space to obtain a second result; and carrying out a union on the first result and the second result to obtain a second definition result.
In an embodiment, when the processor executes the computer program to implement the detection of the behavior event, the active time event, and the network space location event on the data asset to be detected, to obtain the event to be detected, the following steps are specifically implemented:
Extracting a behavior event space of the data asset from the event space, and determining a probability function of the behavior event space to obtain a behavior event; extracting an active time event space of the data asset from the event space, and determining a probability function of the active time event space to obtain an active time event; extracting a network space position event space of the data asset from the event space, and determining a probability function of the network space position event space to obtain a network space position event; combining the behavioral events, the active time events, and the network spatial location events.
In one embodiment, when the processor executes the computer program to implement the step of determining whether the event to be detected has a mutation event to obtain a determination result, the steps are specifically implemented as follows:
When the second definition result is not empty, determining whether an element belonging to the second definition result exists in the event to be detected, and if the element belonging to the second definition result exists in the event to be detected, determining an event corresponding to the element as a mutation event so as to obtain a determination result; and when the second definition result is empty, determining whether an element which does not belong to the learning result exists in the event to be detected, and if the element which does not belong to the learning result exists in the event to be detected, determining the event corresponding to the element as a mutation event so as to obtain a determination result.
The storage medium may be a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, an optical disk, or any other computer-readable storage medium that can store program code.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be combined, divided and deleted according to actual needs. In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The integrated unit may be stored in a storage medium if implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention is essentially or a part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a terminal, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (8)

1. The data security event detection method is characterized by comprising the following steps:
acquiring a data asset and defining the data asset to obtain a first defining result;
learning the expected normal event of the data asset to the first defining result to obtain a learning result;
defining a data asset mutation event to obtain a second definition result;
acquiring a data asset to be detected;
Detecting behavior events, active time events and network space position events of the data assets to be detected to obtain events to be detected;
determining whether the event to be detected has a mutation event or not so as to obtain a determination result;
when the event to be detected has a mutation event in the determination result, alarming according to the determined mutation event to obtain an alarming result;
Carrying out algorithm adjustment on the learning result and the second definition result according to the accuracy of the alarm result so as to update the learning result and the second definition result;
The first defining result is a result formed by dividing and classifying basic information and associated information corresponding to account asset events, terminal PC asset events, server asset events, database system asset events, application asset events, narrow-definition data asset events and file asset events; the second definition result is the content of a data asset mutation event;
The learning of the expected normal event of the data asset to the first defined result to obtain a learned result includes:
Mapping the first defining result into a probability space for learning so as to obtain expected probability;
adding the event whose expected probability is larger than a set value to the expected normal events so as to obtain a learning result;
the probability space is (S, F, P), where S is the sample space, the event space F = (F_exp + F_mut) ⊆ S, F_exp is the expected event space, F_mut is the mutation event space, S represents the event outcomes of all possible first defining results, and P is the probability function.
2. The method of claim 1, wherein the acquiring the data asset and defining the data asset to obtain the first determination result comprises:
and acquiring the data asset by adopting a scanning or manual entry mode, and classifying and defining the data asset according to different types of basic information and associated information to obtain a first defining result.
3. The method of claim 1, wherein defining the data asset mutation event to obtain a second definition result comprises:
determining a data asset mutation event through the learning result to obtain a first result;
Determining a data asset mutation event by using the probability space to obtain a second result;
and carrying out a union on the first result and the second result to obtain a second definition result.
4. A data security event detection method according to claim 3, wherein said detecting the behavior event, the active time event, the network space location event of the data asset to be detected to obtain the event to be detected comprises:
Extracting a behavior event space of the data asset from the event space, and determining a probability function of the behavior event space to obtain a behavior event;
Extracting an active time event space of the data asset from the event space, and determining a probability function of the active time event space to obtain an active time event;
extracting a network space position event space of the data asset from the event space, and determining a probability function of the network space position event space to obtain a network space position event;
combining the behavioral events, the active time events, and the network spatial location events.
5. The method for detecting a data security event according to claim 4, wherein determining whether the event to be detected has a mutation event to obtain a determination result comprises:
When the second definition result is not empty, determining whether an element belonging to the second definition result exists in the event to be detected, and if the element belonging to the second definition result exists in the event to be detected, determining an event corresponding to the element as a mutation event so as to obtain a determination result; and when the second definition result is empty, determining whether an element which does not belong to the learning result exists in the event to be detected, and if the element which does not belong to the learning result exists in the event to be detected, determining the event corresponding to the element as a mutation event so as to obtain a determination result.
6. A data security event detection device, comprising:
a first definition unit, used for acquiring data assets and defining the data assets to obtain a first definition result;
a learning unit, used for learning the expected normal events of the data assets from the first definition result to obtain a learning result;
a second definition unit, used for defining data asset mutation events to obtain a second definition result;
an asset-to-be-detected acquisition unit, used for acquiring the data asset to be detected;
a detection unit, used for detecting the behavior event, the active-time event and the cyberspace location event of the data asset to be detected to obtain the event to be detected;
a determining unit, used for determining whether the event to be detected contains a mutation event to obtain a determination result;
an alarm unit, used for raising an alarm on the determined mutation event when the determination result is that the event to be detected contains a mutation event, to obtain an alarm result;
an adjusting unit, used for adjusting the algorithm of the learning result and the second definition result according to the accuracy of the alarm result, so as to update the learning result and the second definition result;
wherein the first definition result is formed by dividing and classifying the basic information and associated information corresponding to account asset events, terminal PC asset events, server asset events, database system asset events, application asset events, narrow-sense data asset events and file asset events, and the second definition result is the content of the data asset mutation events;
wherein learning the expected normal events of the data assets from the first definition result to obtain a learning result comprises:
mapping the first definition result into a probability space for learning, so as to obtain an expected probability;
adding each event whose expected probability is larger than a set value to the expected normal events, so as to obtain the learning result;
wherein the probability space is $(S, F, P)$, $S$ is the sample space, the event space is $F = (F_{\text{exp}} + F_{\text{mut}}) \subseteq S$, $F_{\text{exp}}$ is the expected event space, $F_{\text{mut}}$ is the mutation event space, $S$ is the set of all possible event outcomes of the first definition result, and $P$ is the probability function.
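As an added illustration of the learning step in claim 6 and the two-branch determination in claim 5 (this is example code written for this page, not code from the patent or its assignee), the following Python sketch estimates the expected probability of each observed event as its empirical frequency, keeps events above the set value as the learning result, flags mutation events either from the second definition result or, when that is empty, as anything outside the learning result, and then updates both results from analyst feedback on the alarms. The event tuple shape, the hypothetical account "acct:alice", the sample counts and the feedback-driven adjustment rule are all assumptions; the claims do not fix any of them.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Assumption: an event is the tuple
# (asset, behavior, active-time bucket, cyberspace location), i.e. the three
# event kinds the detection unit observes, keyed by the asset they belong to.
Event = Tuple[str, str, str, str]

# Constructed history for one account asset; the names and counts are
# hypothetical sample data standing in for that asset's first definition result.
HISTORY: List[Event] = (
    [("acct:alice", "login", "business-hours", "office-lan")] * 50
    + [("acct:alice", "query", "business-hours", "office-lan")] * 45
    + [("acct:alice", "export", "business-hours", "office-lan")] * 3
    + [("acct:alice", "login", "night", "vpn")] * 2
)


def learn_expected(history: List[Event], set_value: float):
    """Map the first definition result into the probability space (S, F, P)
    using the empirical estimate P(e) = count(e) / N over the history, then keep
    every event whose expected probability exceeds the set value as an expected
    normal event.  Returns (P, learning_result)."""
    counts = Counter(history)
    total = len(history)
    probs: Dict[Event, float] = {e: c / total for e, c in counts.items()}
    learning_result: Set[Event] = {e for e, p in probs.items() if p > set_value}
    return probs, learning_result


def determine_mutations(events_to_detect: List[Event],
                        learning_result: Set[Event],
                        second_definition: Set[Event]) -> List[Event]:
    """Two-branch determination: with a non-empty second definition result
    (explicitly defined mutation events) only its members are mutation events;
    with an empty one, anything outside the learned expected normal events is."""
    if second_definition:
        return [e for e in events_to_detect if e in second_definition]
    return [e for e in events_to_detect if e not in learning_result]


def alarm_accuracy(feedback: Dict[Event, bool]) -> float:
    """Share of raised alarms an analyst confirmed (1.0 when none were raised)."""
    if not feedback:
        return 1.0
    return sum(1 for ok in feedback.values() if ok) / len(feedback)


def adjust(learning_result: Set[Event], second_definition: Set[Event],
           feedback: Dict[Event, bool]):
    """Assumed adjustment rule (the claim only says both results are updated
    according to alarm accuracy): a confirmed alarm moves the event into the
    second definition result, a false alarm moves it into the learning result."""
    learning = set(learning_result)
    mutation = set(second_definition)
    for event, confirmed in feedback.items():
        if confirmed:
            mutation.add(event)
            learning.discard(event)
        else:
            learning.add(event)
            mutation.discard(event)
    return learning, mutation


if __name__ == "__main__":
    probs, learned = learn_expected(HISTORY, set_value=0.05)
    to_detect = [
        ("acct:alice", "query", "business-hours", "office-lan"),
        ("acct:alice", "export", "night", "vpn"),
        ("acct:alice", "login", "night", "vpn"),
    ]
    alarms = determine_mutations(to_detect, learned, set())
    print("alarms with empty second definition:", alarms)
    feedback = {alarms[0]: True, alarms[1]: False}  # constructed analyst review
    print("alarm accuracy:", alarm_accuracy(feedback))
    learned, mutations = adjust(learned, set(), feedback)
    print("after adjustment:", determine_mutations(to_detect, learned, mutations))
```

With the constructed history and a set value of 0.05, only the two frequent office-hours events become expected normal events; the rare export and the night-time VPN login both fall below the threshold, so with an empty second definition result both unseen night/VPN events are alarmed. Once the analyst confirms the export and dismisses the login, the adjustment moves the export into the second definition result, and the next run alarms only on it.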
7. A computer device, characterized in that it comprises a memory on which a computer program is stored and a processor which, when executing the computer program, implements the method according to any of claims 1-5.
8. A storage medium storing a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410056105.2A CN117574363B (en) 2024-01-15 2024-01-15 Data security event detection method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN117574363A CN117574363A (en) 2024-02-20
CN117574363B true CN117574363B (en) 2024-04-16

Family

ID=89886556

Country Status (1)

Country Link
CN (1) CN117574363B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant