CN118055149A - Data auditing method and system - Google Patents


Info

Publication number
CN118055149A
Authority
CN
China
Prior art keywords
data
auditing
cloud desktop
operation record
user operation
Legal status
Pending
Application number
CN202211430126.3A
Other languages
Chinese (zh)
Inventor
唐金磊
Current Assignee
Beijing Jingdong Qianshi Technology Co Ltd
Original Assignee
Beijing Jingdong Qianshi Technology Co Ltd

Abstract

The invention provides a data auditing method and system. The data auditing system comprises a cloud desktop proxy server and a data auditing subsystem. The cloud desktop proxy server obtains interaction data and generates user operation record data based on the interaction data, the interaction data being the data exchanged between the cloud desktop server and the client through the cloud desktop proxy server; the data auditing subsystem audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result. Because the interaction data is obtained, user operation record data is generated from it, and that record data is audited automatically against the security auditing strategy, data auditing no longer has to be carried out manually, human resource consumption is avoided, and auditing efficiency is improved.

Description

Data auditing method and system
Technical Field
The invention relates to the technical field of data auditing, in particular to a data auditing method and system.
Background
With the demand for remote and mobile office work, the range of applications of cloud desktops is expanding.
An enterprise can deploy a cloud desktop service internally so that staff can log in to the cloud desktop remotely through a client and exchange data remotely with the cloud desktop server in order to work remotely. After receiving a user operation instruction sent by the client, the cloud desktop server returns corresponding bitmap data to the client; the bitmap data can comprise image data, image rendering positions and other data, and the client draws images based on the image data in the bitmap data and displays them at the corresponding positions in the interface.
In the cloud desktop service there is a data audit requirement for the remote interaction data between a client and a cloud desktop server, so as to prevent data security problems such as theft and leakage of enterprise business data.
However, data auditing is at present mainly carried out by staff manually reviewing the remote interaction data, and when the volume of remote interaction data is large, manual auditing is inefficient.
Disclosure of Invention
The invention provides a data auditing method and system, which address the low efficiency of manual auditing in the prior art when the volume of remote interaction data is large, implement automated auditing and improve data auditing efficiency.
The invention provides a data auditing method applied to a data auditing system, the data auditing system comprising a cloud desktop proxy server and a data auditing subsystem; the data auditing method comprises the following steps:
The cloud desktop proxy server obtains interaction data and generates user operation record data based on the interaction data; the interaction data are data of interaction between the cloud desktop server and the client through the cloud desktop proxy server;
and the data auditing subsystem audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result.
Optionally, the cloud desktop proxy server obtains interaction data, including:
the cloud desktop proxy server obtains bitmap response data returned by the cloud desktop server based on a user operation instruction, wherein the bitmap response data comprises bitmap data and operation identification data;
The generating user operation record data based on the interaction data comprises the following steps:
the cloud desktop proxy server obtains image data corresponding to the bitmap data; and determining the image data and the operation identification data as the user operation record data.
Optionally, when the data protocol of the bitmap response data is a remote connection protocol, the step in which the cloud desktop proxy server obtains image data corresponding to the bitmap data includes:
the cloud desktop proxy server performs data protocol conversion on the bitmap data to obtain converted bitmap data whose data protocol is a predefined data protocol, and parses the converted image data from the converted bitmap data according to the predefined data protocol;
The determining the image data and the operation identification data as the user operation record data includes:
The cloud desktop proxy server performs data protocol conversion on the operation identification data to obtain operation identification data after conversion of a data protocol into the predefined data protocol; and determining the converted image data and the converted operation identification data as the user operation record data.
Optionally, the cloud desktop proxy server performs data protocol conversion on the bitmap data to obtain converted bitmap data with a data protocol being a predefined data protocol, including:
the cloud desktop proxy server draws a display image with the image type being a predefined image type corresponding to the bitmap data by using an image drawing library; and generating the converted bitmap data corresponding to the display image according to the predefined data protocol.
Optionally, the data auditing subsystem audits the user operation record data according to a predefined security audit policy to obtain an audit result, including:
the data auditing subsystem recognizes the text information in the image data using image-text recognition (OCR) technology, and determines the text information together with the operation identification data as recognized operation record data; performs keyword detection on the recognized operation record data according to a predefined keyword detection strategy; and determines the audit result based on the keyword detection result.
Optionally, the performing keyword detection on the identified operation record data according to a predefined keyword detection policy includes:
The data auditing subsystem determines keywords to be detected and detects whether the keywords exist in the text information;
The determining the audit result based on the keyword detection result comprises the following steps:
And under the condition that the keyword exists in the text information, determining the identified operation record data as abnormal data of a first alarm level.
Optionally, the operation identification data includes a user operation time; and performing keyword detection on the identified operation record data according to a predefined keyword detection strategy, wherein the keyword detection comprises the following steps:
The data auditing subsystem determines keywords to be detected; determining the occurrence frequency of the keywords in a predefined duration in the text information based on the user operation time;
the determining the audit result based on the keyword detection result comprises the following steps:
And under the condition that the occurrence frequency is not smaller than a preset frequency threshold value, determining the identified operation record data as abnormal data of a second alarm level.
Optionally, after the cloud desktop proxy server obtains bitmap response data returned by the cloud desktop server based on the user operation instruction, the data auditing method further includes:
the cloud desktop proxy server stores the bitmap response data according to a playback file storage format to obtain a video file; and sending the video file to a distributed file system for storage through a video monitoring system.
Optionally, before the data auditing subsystem audits the user operation record data according to a predefined security auditing policy to obtain an auditing result, the data auditing method further includes:
The cloud desktop proxy server sends the user operation record data to a message queue for storage;
The data auditing subsystem audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result, and the data auditing subsystem comprises the following steps:
and the data auditing subsystem obtains the user operation record data from the message queue, and audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result.
The invention also provides a data auditing system comprising a cloud desktop proxy server and a data auditing subsystem; the cloud desktop proxy server comprises a first obtaining unit and a first generating unit, and the data auditing subsystem comprises a first audit unit; wherein:
The first obtaining unit is used for obtaining interaction data; the interaction data are data of interaction between the cloud desktop server and the client through the cloud desktop proxy server;
The first generation unit is used for generating user operation record data based on the interaction data;
and the first audit unit is used for auditing the user operation record data according to a predefined security audit strategy to obtain an audit result.
Optionally, the first obtaining unit is configured to obtain bitmap response data returned by the cloud desktop server based on a user operation instruction, where the bitmap response data includes bitmap data and operation identification data;
The first generation unit includes: a second obtaining unit and a first determining unit;
the second obtaining unit is used for obtaining image data corresponding to the bitmap data;
the first determining unit is configured to determine the image data and the operation identification data as the user operation record data.
Optionally, the first audit unit includes: the device comprises an identification unit, a third determination unit, a first detection unit and a fourth determination unit;
The identification unit is used for identifying text information corresponding to the image data by using a picture-text identification technology;
The third determining unit is configured to determine the text information and the operation identification data as operation record data after identification;
the first detection unit is used for detecting keywords of the identified operation record data according to a predefined keyword detection strategy;
and the fourth determining unit is used for determining the audit result based on the keyword detection result.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a data auditing method according to an embodiment of the present invention;
FIG. 2 is a second flow chart of a data auditing method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a cloud desktop access architecture according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a video file storage architecture according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a data audit subsystem according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a data auditing system according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The data auditing method of the present invention is described below in connection with fig. 1-5.
As shown in fig. 1, the present invention proposes a first data auditing method, which may be applied to a data auditing system, where the data auditing system may include a cloud desktop proxy server and a data auditing subsystem; the data auditing method can comprise the following steps:
S101, a cloud desktop proxy server obtains interaction data; the interaction data are data of interaction between the cloud desktop server and the client through the cloud desktop proxy server;
the cloud desktop proxy server may be a proxy server for implementing remote interaction between the client and the cloud desktop server.
Alternatively, the cloud desktop proxy server may be a proxy gateway, or may be another proxy server, which is not limited in this aspect of the present invention.
It should be noted that a user may log in to the cloud desktop remotely from an application client or a browser client via the cloud desktop proxy server, and interact with the cloud desktop server through the cloud desktop proxy server to obtain the remote service that the cloud desktop server provides. Because the cloud desktop proxy server is the interaction proxy between the client and the cloud desktop server, all data interaction between the client and the cloud desktop server passes through it, and it can therefore record and save the interaction data sent by both the client and the cloud desktop server.
Optionally, the interaction data may be data sent by the client to the cloud desktop server through the cloud desktop proxy server, such as an operation instruction input by a user;
Optionally, the interaction data may be data sent by the cloud desktop server to the client through the cloud desktop proxy server, such as data returned by the cloud desktop server in response to an operation instruction of the user;
optionally, the interaction data may include data sent by the client to the cloud desktop server through the cloud desktop proxy server, and data sent by the cloud desktop server to the client through the cloud desktop proxy server, for example, the interaction data may include data sent by the client and the cloud desktop server during interaction between the client and the cloud desktop server through the cloud desktop proxy server after the user inputs an operation instruction on the client.
Optionally, the interaction data may include data that the client and the cloud desktop server interact to complete a task (such as modifying a login password task);
Optionally, the interaction data may include data that the client and the cloud desktop server interact with to complete a plurality of tasks;
alternatively, the interaction data may include data that the client and the cloud desktop server interact within a certain period of time.
S102, the cloud desktop proxy server generates user operation record data based on the interaction data;
the user operation record data is data recorded with user operation. Specifically, the user operation record data may include data such as user information, user operation type, operation object, and operation time.
Specifically, interaction data sent by the client to the cloud desktop server through the cloud desktop proxy server may be generated by the user performing some operation on the client; in that case the cloud desktop proxy server may generate user operation record data based on the interaction data sent by the client, so as to record the user operation. For example, when a user retrieves a file on the client, the client can generate a file retrieval instruction carrying the user identity and send it to the cloud desktop server through the cloud desktop proxy server; the cloud desktop proxy server can then generate user operation record data based on the file retrieval instruction to record the user's retrieval of that file.
Specifically, interaction data sent by the cloud desktop server to the client through the cloud desktop proxy server may be generated and returned in response to the user operation; in that case the cloud desktop proxy server may generate user operation record data based on the interaction data sent by the cloud desktop server, so as to record the user operation. For example, a user sends a search instruction for a file to the cloud desktop server from the client through the cloud desktop proxy server; the cloud desktop server searches for the corresponding file in response, generates search feedback data comprising the user identity and the file search result, and returns it through the cloud desktop proxy server; the cloud desktop proxy server can then generate user operation record data based on the search feedback data to record the user's file search operation.
Optionally, after the cloud desktop proxy server obtains the interaction data, one or more pieces of user operation record data may be generated based on the interaction data.
Optionally, when the interaction data is a certain interaction data sent by the client or the server for a certain operation of the user, the cloud desktop proxy server may generate a corresponding piece of user operation record data based on the interaction data;
optionally, when the interaction data is interaction data sent by the client or the server in a certain period, the cloud desktop proxy server may generate one or more pieces of corresponding user operation record data based on the interaction data;
Optionally, when the interaction data includes interaction data that the client and the server interact with respect to a certain operation instruction of the user, the cloud desktop proxy server may generate a corresponding plurality of pieces of user operation record data based on the interaction data.
Specifically, the cloud desktop proxy server may store each piece of generated user operation record data in a user operation record log, and subsequent data audits may then be based on that log.
S103, the data auditing subsystem audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result.
Specifically, the data auditing subsystem is a system that can be used for conducting security auditing on data.
The security audit policy can be formulated by staff according to actual conditions; for example, it may specify checking whether the user operation record data contains prohibited words such as keywords or sensitive words; whether the user operation record data relates to confidential data; or whether the user operation record data relates to a violation or an operation beyond the user's rights, such as maliciously deleting database data, accessing confidential files or leaking confidential data.
Specifically, the data auditing subsystem can determine, according to the security auditing strategy, whether the user operation record data is illegal or abnormal data carrying a security risk.
Specifically, the data auditing subsystem can audit one or more pieces of user operation record data according to the security auditing strategy, obtain the corresponding auditing results, identify user operation record data carrying a security risk, and alert the relevant personnel in a preset alerting mode, for example by sending an e-mail alert, so as to prevent illegal operations, reduce the harm they cause, and strengthen access security and data security.
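The audit of step S103, with the two-level keyword check the disclosure describes (a keyword present in the text information gives abnormal data of the first alarm level; the keyword's occurrence frequency within a predefined duration reaching a preset threshold gives the second alarm level), as an added Python example that is not part of the patent. It assumes that OCR has already produced the text information for each record, that the operation identification data carries a user id and the user operation time, and that the frequency is counted per user and keyword; the field names and the sample records are constructed for the example.

```python
"""Keyword audit of recognized user operation record data (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input, not real audit data: text "recognized" from four
# screens of user u1001 and one screen of user u2002, with the user operation
# time taken from the operation identification data.
RECORDS = [
    {"user_id": "u1001", "time": "2022-11-15T09:00:00", "text": "Quarterly report draft"},
    {"user_id": "u1001", "time": "2022-11-15T09:00:30", "text": "Open CONFIDENTIAL salary table"},
    {"user_id": "u1001", "time": "2022-11-15T09:01:00", "text": "Export confidential customer list"},
    {"user_id": "u2002", "time": "2022-11-15T09:01:30", "text": "Weekly standup notes"},
    {"user_id": "u1001", "time": "2022-11-15T09:02:00", "text": "Print confidential contract"},
]

KEYWORDS = ("confidential", "salary")   # keywords to be detected (assumed list)
WINDOW = timedelta(minutes=5)           # predefined duration
FREQ_THRESHOLD = 3                      # preset frequency threshold


def audit_records(records, keywords=KEYWORDS, window=WINDOW, freq_threshold=FREQ_THRESHOLD):
    """Return one entry per abnormal record, in time order, with its alarm level."""
    # (user_id, keyword) -> user operation times of recent hits, oldest first
    recent = defaultdict(deque)
    results = []
    for rec in sorted(records, key=lambda r: r["time"]):
        when = datetime.fromisoformat(rec["time"])
        text = rec["text"].casefold()
        level, hits = 0, []
        for kw in keywords:
            if kw.casefold() not in text:
                continue
            hits.append(kw)
            level = max(level, 1)               # keyword present: first alarm level
            q = recent[(rec["user_id"], kw)]
            q.append(when)
            while q and when - q[0] > window:   # forget hits outside the window
                q.popleft()
            if len(q) >= freq_threshold:        # frequency not smaller than threshold
                level = 2                       # second alarm level
        if level:
            results.append({"user_id": rec["user_id"], "time": rec["time"],
                            "keywords": hits, "level": level})
    return results


if __name__ == "__main__":
    for entry in audit_records(RECORDS):
        print(entry)
```

On the constructed input the third hit on "confidential" by u1001 inside the five-minute window raises that record to the second alarm level, while the earlier two stay at the first level and u2002 produces nothing. The window is keyed per user so that one user's activity cannot push another user over the threshold; the patent text leaves that grouping open.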
In the invention, through the steps S101, S102 and S103, the interactive data can be obtained, the user operation record data is generated based on the interactive data, and the intelligent audit is carried out on the user operation record data according to the security audit strategy to obtain the corresponding audit result, so that the data audit is not required to be carried out in a manual audit mode, the consumption of human resources can be effectively avoided, and the audit efficiency can be effectively improved.
It should be noted that, by the method shown in fig. 1, the invention can generate user operation record data for one or more users and audit each user's record data separately, so as to monitor each user's behavior while accessing services via the remote desktop, trace back users whose operations are illegal or carry a security risk, prevent security risks from arising, and further strengthen access security and data security.
In summary, the data auditing method provided by the invention, applied to a data auditing system comprising a cloud desktop proxy server and a data auditing subsystem, obtains the interaction data, generates user operation record data from it and audits that data automatically against the security auditing strategy, so that manual auditing is no longer required and auditing efficiency is improved.
As shown in fig. 2, the present invention proposes a second data auditing method. The method may comprise the steps of:
S201, the cloud desktop proxy server obtains bitmap response data returned by the cloud desktop server based on a user operation instruction, wherein the bitmap response data comprises bitmap data and operation identification data;
The bitmap response data may be response data including bitmap data generated by the cloud desktop server for the user operation instruction. It can be understood that the bitmap response data is interaction data generated by the cloud desktop server in response to the user operation instruction and sent to the cloud desktop proxy server.
It should be noted that, the client may receive the bitmap data sent by the cloud desktop server, render a corresponding image on the remote desktop, and display the remote desktop for the user.
Specifically, the bitmap data may include image data and image position data. The client may determine a corresponding display location of the image location data in the client interface at which to render a corresponding image based on the image data.
Wherein the operation identification data may be related data for identifying a user operation. Optionally, the operation identification data may include user identity information, user ID, timestamp, and/or source IP, among others.
Specifically, after receiving the user operation instruction, the cloud desktop server may generate bitmap response data based on the user operation instruction, and send the bitmap response data to the cloud desktop proxy server.
It should be noted that, step S201 may be a specific embodiment of step S101.
S202, the cloud desktop proxy server obtains image data corresponding to bitmap data;
Specifically, the cloud desktop proxy server may directly obtain image data from the bitmap data after obtaining the bitmap data.
Specifically, the cloud desktop server may send the bitmap response data to the cloud desktop proxy server according to a given data protocol, such as a remote connection protocol. After obtaining the bitmap response data, the cloud desktop proxy server may parse the bitmap data and the operation identification data out of the bitmap response data according to the data protocol used by the cloud desktop server, and extract the corresponding image data from the bitmap data.
S203, the cloud desktop proxy server determines the image data and the operation identification data as user operation record data.
Specifically, after obtaining the image data, the cloud desktop proxy server may determine the image data and the operation identification data as user operation record data.
It should be noted that, the steps S202 and S203 may be a specific embodiment of the step S102.
S204, the data auditing subsystem audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result.
It should be noted that the content of step S204 is identical to the content of step S103, and will not be described again.
Specifically, through steps S201 to S204 the invention generates the user operation record data from the bitmap response data of the cloud desktop server, so that the generation of user operation record data is realised and the reliability of auditing it is ensured.
The cloud desktop proxy server can obtain multiple items of bitmap response data returned by the cloud desktop server for user operation instructions, generate a corresponding piece of user operation record data from each, and audit each piece, which further strengthens the reliability and security of the data audit.
In short, the data auditing method provided by the invention generates the user operation record data from the bitmap response data of the cloud desktop server, thereby ensuring reliable generation of the record data and reliable auditing of it.
Based on fig. 2, the present invention proposes a third data auditing method. In this method, when the data protocol of the bitmap response data is a remote connection protocol, step S202 may include steps S2021 and S2022, and step S203 may include steps S2031 and S2032; wherein:
s2021, the cloud desktop proxy server performs data protocol conversion on bitmap data to obtain converted bitmap data with a data protocol being a predefined data protocol;
The remote connection protocol may include the Remote Desktop Protocol (RDP) and the Virtual Network Computing (VNC) protocol, among others.
It should be noted that when the data transmission protocol adopted by the cloud desktop server is complex, as a remote desktop transmission protocol is, parsing its data directly is difficult. In that case the invention can define its own data protocol: the cloud desktop proxy server first converts the bitmap data and operation identification data sent by the cloud desktop server from the transmission protocol the cloud desktop server uses into the predefined data protocol, and then parses the corresponding image data from the converted data, which reduces the complexity of data parsing and improves its efficiency and accuracy.
The predefined data protocol can be customized by a technician according to actual situations, and can be used for converting bitmap data of a complex data protocol into data of a simple data protocol.
The converted bitmap data is the data generated after the data protocol conversion of the bitmap data.
Specifically, when receiving bitmap response data sent by the cloud desktop server according to a certain data transmission protocol, such as a remote desktop transmission protocol, the cloud desktop proxy server may perform data protocol conversion on the bitmap data according to a predefined data protocol, so as to obtain corresponding converted bitmap data.
Optionally, step S2021 may include:
the cloud desktop proxy server draws a display image with the image type being a predefined image type corresponding to bitmap data by using an image drawing library;
and the cloud desktop proxy server generates converted bitmap data corresponding to the display image according to a predefined data protocol.
Wherein the image drawing library is a library for drawing images. It should be noted that the image rendering library may render a display image of a predefined image type based on bitmap data of a remote connection protocol.
The predefined image type may be a portable network graphic (Portable Network Graphics, PNG) or other image types, which is not limited in the present invention.
The display image is an image drawn by the image drawing library based on bitmap data of a remote connection protocol.
Specifically, the cloud desktop proxy server can draw a corresponding display image through the image drawing library after receiving bitmap response data with a data protocol being a remote connection protocol; and then, the cloud desktop proxy server can generate converted bitmap data corresponding to the display image according to a predefined data protocol.
S2022, the cloud desktop proxy server parses the converted image data from the converted bitmap data according to the predefined data protocol;
The converted image data is the image data contained in the converted bitmap data.
S2031, a cloud desktop proxy server performs data protocol conversion on operation identification data to obtain converted operation identification data with a data protocol being a predefined data protocol;
The operation identification data after conversion is data generated after data protocol conversion is carried out on the operation identification data.
S2032, the cloud desktop proxy server determines the converted image data and the converted operation identification data as user operation record data.
Specifically, the cloud desktop proxy server may determine, after obtaining the converted image data and the converted operation identification data, the obtained converted image data and the converted operation identification data as user operation record data.
Optionally, as shown in the schematic diagram of a cloud desktop access architecture in fig. 3, the cloud desktop proxy server may include a portal rendering layer, a data parsing layer and a connection proxy layer, where the portal rendering layer is communicatively connected to the data parsing layer and to the client, and the connection proxy layer is communicatively connected to the data parsing layer and to the cloud desktop server;
The portal rendering layer can be used to receive a user operation instruction sent by the client and forward it to the data parsing layer for conversion into the corresponding data protocol; it can also receive bitmap data and render the corresponding image at the corresponding position of the client interface based on that bitmap data;
The data parsing layer can be used to receive an operation instruction sent by the portal rendering layer, convert it into a converted instruction of the remote connection protocol, and send that converted instruction to the cloud desktop server through the connection proxy layer; it can also receive the bitmap data and operation identification data sent by the connection proxy layer, parse the bitmap data to extract the corresponding image data, and generate user operation record data based on the image data and the operation identification data;
The connection proxy layer may be configured to forward the converted instruction sent by the data parsing layer to the cloud desktop server; it may also receive bitmap response data whose data protocol is the remote connection protocol from the cloud desktop server, perform data protocol conversion on the bitmap data and on the operation identification data in that bitmap response data respectively, and send the protocol-converted bitmap data and operation identification data to the data parsing layer.
Specifically, the connection proxy layer obtains the bitmap response data, in the remote connection protocol, that the cloud desktop server returns based on the user operation instruction; the connection proxy layer then performs data protocol conversion on the bitmap data to obtain converted bitmap data in the predefined data protocol, performs data protocol conversion on the operation identification data to obtain converted operation identification data in the predefined data protocol, and sends the converted bitmap data and the converted operation identification data to the data parsing layer;
Optionally, the data protocol conversion that the connection proxy layer performs on the bitmap data to obtain converted bitmap data in the predefined data protocol includes:
the connection proxy layer draws a display image of the predefined image type corresponding to the bitmap data using the image drawing library, and generates converted bitmap data corresponding to the display image according to the predefined data protocol.
Specifically, the data parsing layer may parse the converted image data from the converted bitmap data according to the predefined data protocol, and determine the converted image data and the converted operation identification data as user operation record data.
Specifically, when the predefined image type is PNG, the connection proxy layer may draw the corresponding PNG picture using the image drawing library after receiving bitmap response data whose data protocol is the remote connection protocol, and then generate converted bitmap data consisting of an "img" type instruction and a "blob" type instruction, for example the following first converted bitmap data:
3.img,1.3,2.12,2.10,9.image/png,3.360,2.21;4.blob,1.3,4616.iVBORw0K…jggg==
The first converted bitmap data consists of two instructions divided by a semicolon. The first instruction has the operation type img, and the 6 parameters it carries represent, respectively, the stream index, the channel mask, the rendering layer index, the picture type, and the screen abscissa and ordinate at which the rendered picture is located. The following "blob" instruction is the main object of interest; it carries two parameters, the stream index and the base64 value of the rendered PNG picture. Taken together, the first converted bitmap data instructs the portal rendering layer to render the image corresponding to the base64 value at screen coordinates (360, 21).
Specifically, the connection proxy layer may send the converted bitmap data to the data parsing layer; the data parsing layer may then parse the converted bitmap data into the corresponding converted image data according to the predefined data protocol. For example, the data parsing layer may parse the base64 value out of the first converted bitmap data, and that base64 value is the converted image data.
The data parsing layer can then store the converted image data and the converted operation identification data in JSON format to form the user operation record data. The converted operation identification data may include an ID, user name, cloud desktop server IP, source IP, timestamp, and the like.
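The following is an added example of the parsing step just described, not code from the patent or from any implementation of it. It reads the converted bitmap data in the layout of the sample instruction above (each field written as "length.value", fields separated by "," and instructions divided by ";"), checks that the blob belongs to the same stream as the img instruction and that its payload really is a PNG, and assembles a user operation record in JSON. The error handling, the 1x1 sample PNG, the sample operation identification values and the record field names are all assumptions made for the example.

```python
"""Parser for the converted bitmap data shown above and assembly of user
operation record data in JSON. Added example: the "<length>.<value>" field
layout, the img/blob opcodes and the (360, 21) coordinates come from the page's
sample instruction; the error handling, the 1x1 sample PNG and the record
field names are assumptions."""
import base64
import json
import struct
import zlib
from typing import Dict, List, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def parse_instructions(data: str) -> List[Tuple[str, List[str]]]:
    """Split converted bitmap data into (opcode, args) tuples.

    Every field is consumed by its declared length instead of by splitting on
    ',', so a payload containing ',' or ';' cannot desynchronise the parser; a
    declared length that does not land on a separator is rejected.
    """
    instructions: List[Tuple[str, List[str]]] = []
    pos, n = 0, len(data)
    while pos < n:
        fields: List[str] = []
        while True:
            dot = data.find(".", pos)
            if dot < 0 or not data[pos:dot].isdigit():
                raise ValueError(f"missing or bad length prefix at offset {pos}")
            start = dot + 1
            end = start + int(data[pos:dot])
            if end > n:
                raise ValueError("declared length runs past the end of the data")
            fields.append(data[start:end])
            if end == n:          # last field of the last instruction
                pos = n
                break
            sep = data[end]
            pos = end + 1
            if sep == ";":        # instructions are divided by a semicolon
                break
            if sep != ",":
                raise ValueError(f"length mismatch: unexpected {sep!r} at offset {end}")
        instructions.append((fields[0], fields[1:]))
    return instructions


def extract_image(instructions: List[Tuple[str, List[str]]]) -> Tuple[Dict[str, int], bytes]:
    """Return the render position from the img instruction and the decoded
    PNG bytes from the blob instruction (the object of interest for auditing)."""
    img = blob = None
    for opcode, args in instructions:
        if opcode == "img" and len(args) == 6:
            img = args
        elif opcode == "blob" and len(args) == 2:
            blob = args
    if img is None or blob is None:
        raise ValueError("expected both an img and a blob instruction")
    stream, _mask, layer, mimetype, x, y = img   # parameter order as described above
    if mimetype != "image/png":
        raise ValueError(f"unexpected image type {mimetype!r}")
    if blob[0] != stream:
        raise ValueError("blob stream index does not match the img stream index")
    png = base64.b64decode(blob[1], validate=True)
    if not png.startswith(PNG_MAGIC):
        raise ValueError("blob payload is not a PNG image")
    return {"stream": int(stream), "layer": int(layer), "x": int(x), "y": int(y)}, png


def build_operation_record(converted_bitmap: str, op_id: Dict[str, str]) -> str:
    """Combine the converted image data with the converted operation
    identification data (ID, user, server IP, source IP, timestamp) as JSON."""
    position, png = extract_image(parse_instructions(converted_bitmap))
    record = dict(op_id)
    record["position"] = position
    record["image"] = base64.b64encode(png).decode("ascii")  # converted image data
    return json.dumps(record, sort_keys=True)


def _tiny_png() -> bytes:
    """Constructed 1x1 white PNG so the sample runs offline."""
    def chunk(tag: bytes, payload: bytes) -> bytes:
        body = tag + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")              # filter byte + one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


SAMPLE_PNG_B64 = base64.b64encode(_tiny_png()).decode("ascii")
# Constructed sample in the page's layout: an img instruction followed by the blob.
SAMPLE_CONVERTED_BITMAP = (
    "3.img,1.3,2.12,2.10,9.image/png,3.360,2.21;"
    f"4.blob,1.3,{len(SAMPLE_PNG_B64)}.{SAMPLE_PNG_B64}"
)
# Constructed operation identification data.
SAMPLE_OP_ID = {"id": "rec-0001", "user": "alice", "server_ip": "10.0.0.5",
                "source_ip": "192.0.2.10", "timestamp": "2024-01-01T09:00:00Z"}

if __name__ == "__main__":
    print(build_operation_record(SAMPLE_CONVERTED_BITMAP, SAMPLE_OP_ID))
```

Consuming each field by its declared length rather than splitting on separators is the property an auditing proxy needs: a screen whose rendered text happened to contain "," or ";" cannot shift the parser onto the wrong field, and a length that does not line up with a separator is reported instead of silently producing a truncated image.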
Specifically, the portal rendering layer may run in a Tomcat container, provide web services through the corresponding container technology, and expose an API that a user can access by entering its URL in a browser client. The portal rendering layer can be written in JavaScript and can communicate with the connection proxy layer, via the data parsing layer, using WebSocket technology; it receives the bitmap data or the converted bitmap data sent by the data parsing layer and draws the corresponding image data on the browser client using a drawing tool, so as to display the graphical interface of the cloud desktop.
Specifically, the data parsing layer may hold a socket connection to the connection proxy layer and receive read and write requests from the portal rendering layer. The data parsing layer is equivalent to a back-end service; it may be developed by a technician in a programming language and offers developers a way to construct a client quickly. It designs a method MyHTTPTunnelServlet(), which receives all three kinds of request from the portal rendering layer, namely connect, read and write, and dispatches them to the corresponding handling methods connect(), read() and write() respectively.
Specifically, the connection proxy layer is equivalent to a server and performs the remote interaction with the cloud desktop server. The connection proxy layer may be a native program developed by a technician in a programming language; running as a daemon, it receives the user connection request that the portal rendering layer sends through the data parsing layer, and then accesses the cloud desktop server remotely using a remote connection protocol (e.g., VNC, RDP, etc.).
The data auditing method provided by the invention can customize a data protocol, firstly carries out data protocol conversion on bitmap data and operation identification data sent by a cloud desktop server by adopting the data transmission protocol, and then analyzes corresponding converted image data from the converted bitmap data so as to reduce data analysis complexity and improve data analysis efficiency and accuracy.
Based on fig. 2, the present invention proposes a fourth data auditing method, in which step S204 may include the steps of:
s2041, a data auditing subsystem identifies text information corresponding to the image data by using an image-text identification technology;
Among other things, the image-text recognition technique may be used to recognize text information contained in an image, such as optical character recognition (Optical Character Recognition, OCR).
Specifically, when the image data in the user operation record data is an image, the data auditing subsystem can directly perform image-text recognition on the image data in the user operation record data to recognize corresponding text information;
specifically, when the image data in the user operation record data is image coding data, the data auditing subsystem can restore the corresponding image according to the image data, and then perform image-text recognition on the restored image to recognize the corresponding text information.
S2042, the data auditing subsystem determines the text information and the operation identification data as recognized operation record data;
Specifically, after identifying the text information corresponding to the image data, the data auditing subsystem may determine the text information and the operation identification data as the identified operation record data.
S2043, the data auditing subsystem detects keywords of the identified operation record data according to a predefined keyword detection strategy;
The keyword detection policy may be a detection policy for detecting keyword information in the identified operation record data. For example, the keyword detection policy may be a detection policy for detecting whether a certain keyword exists in text information in the identified operation record data; for another example, the keyword detection policy may be a detection policy for detecting the number of keywords existing in text information in the identified operation record data; for another example, the keyword detection policy may be a detection policy for detecting the occurrence frequency of a certain keyword in the identified operation record data.
It should be noted that, the keyword detection policy may be formulated by a technician according to actual situations, which is not limited by the present invention.
It can be understood that the invention can obtain the corresponding keyword detection result after keyword detection is performed on the identified operation record data.
S2044, the data auditing subsystem determines auditing results based on the keyword detection results.
Specifically, the data auditing subsystem can obtain corresponding keyword detection results after keyword detection is performed on the identified operation record data, and determine auditing results based on the keyword detection results.
Optionally, in other data auditing methods proposed in the present invention, step S2043 may include S311 and S312, and step S2044 may include S313; wherein:
S311, the data auditing subsystem determines keywords to be detected;
It should be noted that, the keywords may be determined by a worker according to actual situations, and the present invention is not limited to specific content of the keywords.
S312, the data auditing subsystem detects whether keywords exist in the text information;
Specifically, the data auditing subsystem can perform keyword detection on the text in the identified operation record data, and detect whether keywords exist in the text information.
S313, under the condition that the data auditing subsystem detects that keywords exist in the text information, the identified operation record data is determined to be abnormal data of the first alarm level.
Wherein the first alert level may be an alert level of a certain level. It should be noted that the first alarm level may be an alarm level determined by a technician according to actual situations.
Specifically, when it is detected that a keyword exists in the text information, the data auditing subsystem may determine the identified operation record data as abnormal data with the alarm level being the first alarm level. At this time, the data auditing subsystem can give a corresponding alarm to the identified operation record data, prompt the staff to process the identified operation record data, and locate the problem user, the machine IP and the specific operation behavior.
Alternatively, the keywords to be detected may include a plurality of keywords. In that case the data auditing subsystem may detect whether at least one of the plurality of keywords exists in the text information, and when it determines that the text information contains at least one of them, it may determine the identified operation record data as abnormal data of the first alarm level and perform the corresponding alarm processing.
Optionally, in the case that it is determined that no keyword exists in the text information, the data auditing subsystem may determine the identified operation record data as normal data, without performing an alarm.
Optionally, in the other data auditing method provided by the invention, the operation identification data includes user operation time; at this time, step S2043 may include S411 and S412, and step S2044 may include S413; wherein:
S411, a data auditing subsystem determines keywords to be detected;
S412, the data auditing subsystem determines the occurrence frequency of the keywords in the text information within a predefined duration based on the operation time of the user;
Alternatively, the predefined time period may be a time period of a specified length of time, such as 5 seconds;
alternatively, the predefined time period may be a time period within a specified period, such as a time period from a first time to a second time.
Specifically, when the operation identification data includes a plurality of user operation moments and the text information includes user operation record texts corresponding to the plurality of user operation moments, the data auditing subsystem may detect, based on the user operation record texts corresponding to the user operation moments, a frequency of occurrence of a keyword in a predefined duration in each user operation record text, for example, detect, in each user operation record text, a frequency of occurrence of the keyword in every 5 seconds.
Specifically, when the number of the identified user operation record data is multiple, because each identified user operation record data includes the user operation time and the text information, the data auditing subsystem can detect the occurrence frequency of the keyword in the predefined duration in each identified user operation record data based on the text information corresponding to different user operation times.
S413, under the condition that the occurrence frequency is not smaller than a preset frequency threshold value, the data auditing subsystem determines the identified operation record data as abnormal data of the second alarm level.
The preset frequency threshold may be a threshold determined by a worker according to an actual situation, which is not limited in the present invention.
The second alarm level may be an alarm level of a certain level, and may be determined by a technician according to actual situations.
Specifically, when the occurrence frequency is not less than the preset frequency threshold, the data auditing subsystem may determine that the related identified operation record data are all abnormal data of the second alarm level. For example, when the data auditing subsystem determines the occurrence frequency based on the first identified operation record data and the second identified operation record data, and the occurrence frequency is not less than a preset frequency threshold, the data auditing subsystem may determine the first identified operation record data and the second identified operation record data as abnormal data of the second alarm level.
Specifically, when the occurrence frequency is smaller than the preset frequency threshold, the data auditing subsystem can determine that the related identified operation record data are all normal data.
Alternatively, the keywords to be audited may be target keywords, which may include one or more keywords. At this time, the data auditing subsystem may detect the occurrence frequency of the target keyword in the identified operation record data within a predefined duration, and determine whether the relevant identified operation record data is abnormal data according to the occurrence frequency. At this time, the frequency of occurrence of the target keyword within the predefined time period may be a ratio of the number of occurrences of the target keyword within the predefined time period to the predefined time period. For example, when the target keyword includes the first keyword and the second keyword, the frequency of occurrence of the target keyword within the predefined time period may be a sum value of the number of occurrences of the first keyword and the second keyword within the predefined time period, and a ratio of the sum value to the predefined time period.
It should be noted that, the violation operation and detection strategies may include various kinds, as shown in the following table 1:
TABLE 1 keyword detection rules table
Here, R1, R2 and R3 are different alarm levels: R1 is the highest, R2 the second highest, and R3 the lowest.
Specifically, detection of each violation in table 1 may be implemented by a keyword detection policy. For example, for the violation operation of frequent connection login, keywords such as "login" and "connection" may be entered into a keyword detection policy with the preset frequency threshold set to 5; if a certain number of identified operation record data are then found to contain the keyword with an occurrence frequency of not less than 5 within the predefined time period, those identified operation record data may be determined to be abnormal data of the second alarm level.
If a certain illegal operation is hit in the keyword detection process, corresponding alarm processing can be performed according to the alarm level corresponding to the illegal operation.
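The two keyword detection policies described above (S311 to S313, presence of a keyword; S411 to S413, occurrence frequency within a predefined duration based on the user operation time) as an added example, not code from the patent. The window of 5 seconds and the threshold of 5 for "frequent connection login" and the R1 > R2 > R3 ordering come from the description; the record fields, the sample OCR texts and the R1 presence rule are constructed assumptions.

```python
"""Keyword detection policies S311-S313 and S411-S413 over identified operation
record data. Added example; the record layout, sample texts and the R1 presence
rule are constructed assumptions, the 5-second window and threshold of 5 for
frequent connection login come from the description."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

LEVEL_ORDER = {"R1": 0, "R2": 1, "R3": 2}   # R1 is the highest alarm level


@dataclass(frozen=True)
class IdentifiedRecord:
    record_id: str
    user: str
    server_ip: str
    operated_at: datetime   # user operation time from the operation identification data
    text: str               # text information recognised from the image data


@dataclass(frozen=True)
class PresenceRule:
    """S311-S313: any listed keyword present in the text -> abnormal at `level`."""
    name: str
    keywords: Tuple[str, ...]
    level: str


@dataclass(frozen=True)
class FrequencyRule:
    """S411-S413: keyword occurrences within `duration` seconds reaching
    `threshold` -> every record in that window is abnormal at `level`."""
    name: str
    keywords: Tuple[str, ...]
    duration: float
    threshold: int
    level: str


def count_keywords(text: str, keywords: Iterable[str]) -> int:
    """Total occurrences of all target keywords (summed, as described above)."""
    lowered = text.lower()
    return sum(lowered.count(k.lower()) for k in keywords)


def apply_presence_rule(rule: PresenceRule, records: Iterable[IdentifiedRecord]) -> Dict[str, str]:
    """Return {record_id: level} for records containing at least one keyword."""
    return {r.record_id: rule.level for r in records if count_keywords(r.text, rule.keywords) > 0}


def apply_frequency_rule(rule: FrequencyRule, records: Iterable[IdentifiedRecord]) -> Dict[str, str]:
    """Slide a window of rule.duration seconds over each user's records, ordered
    by operation time; when the keyword count inside a window reaches the
    threshold, all records in that window are flagged (S413)."""
    flagged: Dict[str, str] = {}
    by_user: Dict[str, List[IdentifiedRecord]] = defaultdict(list)
    for r in records:
        by_user[r.user].append(r)
    window = timedelta(seconds=rule.duration)
    for user_records in by_user.values():
        user_records.sort(key=lambda r: r.operated_at)
        counts = [count_keywords(r.text, rule.keywords) for r in user_records]
        start = 0
        for end in range(len(user_records)):
            while user_records[end].operated_at - user_records[start].operated_at > window:
                start += 1
            if sum(counts[start:end + 1]) >= rule.threshold:
                for r in user_records[start:end + 1]:
                    flagged[r.record_id] = rule.level
    return flagged


def audit(records: List[IdentifiedRecord], presence_rules: List[PresenceRule],
          frequency_rules: List[FrequencyRule]) -> Dict[str, str]:
    """Map record_id -> most severe alarm level hit; records absent from the
    result are normal data and raise no alarm."""
    result: Dict[str, str] = {}
    hits = [apply_presence_rule(p, records) for p in presence_rules]
    hits += [apply_frequency_rule(f, records) for f in frequency_rules]
    for hit in hits:
        for rid, level in hit.items():
            if rid not in result or LEVEL_ORDER[level] < LEVEL_ORDER[result[rid]]:
                result[rid] = level
    return result


# Constructed sample: alice logs in five times within 4 seconds, bob twice 30 s
# apart, carol opens a document whose screen text contains a watched term.
_T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_RECORDS = [
    IdentifiedRecord(f"a{i}", "alice", "10.0.0.5", _T0 + timedelta(seconds=i), "ssh connection login attempt")
    for i in range(5)
] + [
    IdentifiedRecord("b0", "bob", "10.0.0.6", _T0, "login ok"),
    IdentifiedRecord("b1", "bob", "10.0.0.6", _T0 + timedelta(seconds=30), "login ok"),
    IdentifiedRecord("c0", "carol", "10.0.0.7", _T0, "document marked CONFIDENTIAL opened"),
]
SAMPLE_PRESENCE_RULES = [PresenceRule("watched term on screen (constructed)", ("confidential",), "R1")]
SAMPLE_FREQUENCY_RULES = [FrequencyRule("frequent connection login", ("login", "connection"), 5.0, 5, "R2")]


def run_sample_audit() -> Dict[str, str]:
    return audit(SAMPLE_RECORDS, SAMPLE_PRESENCE_RULES, SAMPLE_FREQUENCY_RULES)


if __name__ == "__main__":
    for rid, level in sorted(run_sample_audit().items()):
        print(rid, level)
```

Grouping by user before sliding the window matters: the operation identification data carries the user name and source IP, so a burst of logins from one user is not diluted by, or confused with, quiet records from another. When several rules hit the same record, the highest level (R1) is kept, which is what the table's ordering implies for alarm processing.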
The present invention can implement the security audit policy through the keyword detection policy, determine whether the identified operation record data is abnormal data, and carry out the corresponding alarm processing for the abnormal data, which makes the determination of abnormal data efficient, thereby ensuring the efficiency of problem handling and reducing the harm caused by illegal operations.
According to the data auditing method provided by the present invention, the security audit policy can be implemented through the keyword detection policy: whether the identified operation record data is abnormal data is determined, the corresponding alarm processing is carried out for the abnormal data, and the abnormal data is determined efficiently, so that the efficiency of problem handling is ensured and the harm caused by illegal operations is reduced.
Based on fig. 2, the present invention proposes a fifth data auditing method, which may further include, after step S201:
The cloud desktop proxy server stores bitmap response data according to a playback file storage format to obtain a video file;
And the cloud desktop proxy server sends the video file to a distributed file system for storage through a video monitoring system.
The video file may be a playback file in a video format, generated by storing the bitmap response data in the playback file storage format. It should be noted that the video file records the user's operations, and when a user is found to have performed an illegal operation, the video file can be played back for investigation and tracing of evidence, which strengthens the reliability of data auditing.
Specifically, the cloud desktop proxy server can analyze bitmap response data returned by the cloud desktop server and store the bitmap response data into a playback file with a file format being a video format.
Specifically, when the cloud desktop proxy server includes a portal rendering layer, a data parsing layer and a connection proxy layer, the connection proxy layer may generate a corresponding playback file based on the received bitmap response data.
Alternatively, as shown in fig. 4, the video monitoring system may be the log collection system Flume. When Flume observes a playback file on the cloud desktop proxy server, it can transmit the playback file to a distributed file system that provides a video data storage service.
The cloud desktop proxy server sends the generated video files to the distributed file system for storage through the video monitoring system, so that the storage pressure of the cloud desktop proxy server can be reduced, and the data auditing efficiency of the cloud desktop proxy server is ensured.
According to the data auditing method provided by the present invention, the cloud desktop proxy server can generate a video file based on the bitmap response data, recording the user's operations as video; when a user is found to have performed an illegal operation, the video file can be played back for investigation and tracing of evidence, which strengthens the reliability of data auditing. Furthermore, the cloud desktop proxy server sends the generated video file to the distributed file system for storage through the video monitoring system, which reduces the storage pressure on the cloud desktop proxy server and ensures its data auditing efficiency.
Based on fig. 1, the present invention proposes a sixth data auditing method, and before step S103, the method may further include:
the cloud desktop proxy server sends the user operation record data to a message queue for storage;
at this time, step S103 may include:
the data auditing subsystem obtains the user operation record data from the message queue, and audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result.
Specifically, the cloud desktop proxy server may send the user operation record data to the message queue for saving after generating the user operation record data.
Optionally, the cloud desktop proxy server may send the generated user operation record data to the message queue for saving after generating N pieces of user operation record data, or at intervals, or when the data amount of the generated user operation record data reaches a threshold value.
Specifically, the data auditing subsystem may subscribe to the message queue, determine that one or more pieces of new user operation record data enter the message queue, obtain the new user operation record data from the message queue, and then audit the new user operation record data.
After the cloud desktop proxy server generates the user operation record data, the user operation record data is sent to the message queue for storage, so that the data storage pressure of the cloud desktop proxy server can be reduced, and the data auditing efficiency of the cloud desktop proxy server is ensured.
As shown in fig. 5, in other data auditing methods proposed by the present invention, a data auditing subsystem may include an input source component, a preprocessing component, a security audit component, a save component, and an alarm component.
The input source component may subscribe in advance to the Topic in the message queue that is used for recording user operation record data, and create a consumer instance to poll the messages under that Topic. When a new message, i.e. new user operation record data, is observed, it can be pulled from the queue and passed to the preprocessing component.
The preprocessing component is used for data preprocessing, mainly of the user operation record data sent by the input source component. Specifically, the preprocessing component can remove whitespace, special characters and stop words from the user operation record data, extract text information from the image data, generate the identified operation record data, and send it to the security audit component for audit processing;
There may be multiple security audit components. Each security audit component can audit the identified operation record data sent by the preprocessing component according to a security audit policy, determine the abnormal data, and trigger the alarm component to send a real-time e-mail alert;
The security audit component may store the abnormal data together with the rule that triggered it in the storage component. The storage component may be backed by a database.
According to the data auditing method provided by the invention, the cloud desktop proxy server can send the user operation record data to the message queue for storage after generating the user operation record data, so that the data auditing subsystem can obtain the user operation record data from the message queue, the data storage pressure of the cloud desktop proxy server is reduced, and the data auditing efficiency of the cloud desktop proxy server is ensured.
The data auditing system provided by the invention is described below, and the data auditing system described below and the data auditing method described above can be referred to correspondingly.
As shown in fig. 6, the present invention proposes a data auditing system, including: cloud desktop proxy server 610 and data auditing subsystem 620; cloud desktop proxy server 610 includes: the first obtaining unit 611 and the first generating unit 612, the data auditing subsystem 620 includes: a first audit unit 621; wherein:
A first obtaining unit 611 for obtaining interaction data; the interaction data is data that the cloud desktop server and the client interact through the cloud desktop proxy server 610;
a first generation unit 612 for generating user operation record data based on the interaction data;
the first audit unit 621 is configured to audit the user operation record data according to a predefined security audit policy to obtain an audit result.
It should be noted that the specific processing of the first obtaining unit 611, the first generating unit 612 and the first audit unit 621, and their beneficial effects, can be found in the descriptions of steps S101, S102 and S103 in fig. 1, and are not repeated here.
Optionally, the first obtaining unit 611 is configured to obtain bitmap response data returned by the cloud desktop server based on the user operation instruction, where the bitmap response data includes bitmap data and operation identification data;
The first generation unit 612 includes: a second obtaining unit and a first determining unit;
A second obtaining unit configured to obtain image data corresponding to the bitmap data;
And a first determining unit configured to determine the image data and the operation identification data as user operation record data.
Optionally, when the data protocol of the bitmap response data is a remote connection protocol, the second obtaining unit includes: a first conversion unit and a first analysis unit;
The first conversion unit is used for carrying out data protocol conversion on the bitmap data so as to obtain converted bitmap data with a data protocol being a predefined data protocol;
A first parsing unit for parsing the converted image data from the converted bitmap data according to a predefined data protocol;
A first determination unit including: a second conversion unit and a second determination unit; wherein:
the second conversion unit is used for carrying out data protocol conversion on the operation identification data so as to obtain converted operation identification data with a data protocol being a predefined data protocol;
and a second determining unit configured to determine the converted image data and the converted operation identification data as user operation record data.
Optionally, the first conversion unit includes: a drawing unit and a second generating unit;
The drawing unit is used for drawing a display image with the image type being a predefined image type corresponding to the bitmap data by utilizing the image drawing library;
And the second generating unit is used for generating converted bitmap data corresponding to the display image according to a predefined data protocol.
Optionally, the first audit unit 621 includes: the device comprises an identification unit, a third determination unit, a first detection unit and a fourth determination unit;
The identification unit is used for identifying text information corresponding to the image data by using a picture and text identification technology;
a third determining unit configured to determine the text information and the operation identification data as recognized operation record data;
the first detection unit is used for carrying out keyword detection on the identified operation record data according to a predefined keyword detection strategy;
And a fourth determining unit for determining an audit result based on the keyword detection result.
Optionally, the first detection unit includes: a fifth determination unit and a second detection unit;
A fifth determining unit configured to determine a keyword to be detected;
The second detection unit is used for detecting whether keywords exist in the text information;
and a fourth determining unit configured to determine the recognized operation record data as abnormal data of the first alert level in the case where the keyword is detected to exist in the text information.
Optionally, the operation identification data includes a user operation time; a first detection unit comprising: a sixth determination unit and a seventh determination unit;
A sixth determining unit configured to determine a keyword to be detected;
a seventh determining unit, configured to determine, in the text information, a frequency of occurrence of the keyword within a predefined duration based on a user operation time;
And a fourth determining unit configured to determine the identified operation record data as abnormal data of the second alarm level in a case where it is determined that the occurrence frequency is not less than the preset frequency threshold.
Optionally, the cloud desktop proxy server 610 further includes: a first storage unit and a second storage unit;
the first storage unit is used for storing the bitmap response data in a playback file storage format to obtain a video file, after the cloud desktop proxy server 610 obtains the bitmap response data returned by the cloud desktop server based on the user operation instruction;
and the second storage unit is used for sending the video file to a distributed file system for storage through a video monitoring system.
Optionally, the cloud desktop proxy server 610 further includes: a third storage unit;
the third storage unit is used for sending the user operation record data to a message queue for storage;
the first audit unit 621 includes: a third obtaining unit and a second audit unit;
the third obtaining unit is used for obtaining the user operation record data from the message queue;
and the second audit unit is used for auditing the user operation record data according to a predefined security audit policy to obtain an audit result.
The data auditing system provided by the invention may include a cloud desktop proxy server 610 and a data auditing subsystem 620. The cloud desktop proxy server 610 obtains the interaction data and generates user operation record data based on the interaction data; the interaction data is the data exchanged between the cloud desktop server and the client through the cloud desktop proxy server 610; the data auditing subsystem 620 audits the user operation record data according to a predefined security audit policy to obtain an audit result. According to the invention, the interaction data can be obtained, the user operation record data is generated based on the interaction data, and the user operation record data is audited automatically according to the security audit strategy to obtain the corresponding audit result, so that the data audit no longer has to be carried out manually; the consumption of human resources can be effectively avoided and the audit efficiency effectively improved.
Fig. 7 illustrates a schematic diagram of the physical structure of an electronic device. As shown in fig. 7, the electronic device may include: a processor 710, a communication interface (Communications Interface) 720, a memory 730, and a communication bus 740, wherein the processor 710, the communication interface 720 and the memory 730 communicate with each other via the communication bus 740. The processor 710 may invoke logic instructions in the memory 730 to perform a data auditing method that is applied to a data auditing system, the data auditing system including: the cloud desktop proxy server and the data auditing subsystem; the method comprises the following steps:
The cloud desktop proxy server obtains the interaction data and generates user operation record data based on the interaction data; the interaction data are data of interaction between the cloud desktop server and the client through the cloud desktop proxy server;
And the data auditing subsystem audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result.
Further, the logic instructions in the memory 730 described above may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, essentially or in the part contributing to the prior art or in part, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In another aspect, the present invention also provides a computer program product, the computer program product including a computer program, which can be stored on a non-transitory computer readable storage medium and which, when executed by a processor, is capable of executing the data auditing method provided by the methods described above, the method being applied to a data auditing system, the data auditing system comprising: the cloud desktop proxy server and the data auditing subsystem; the method comprises the following steps:
The cloud desktop proxy server obtains the interaction data and generates user operation record data based on the interaction data; the interaction data are data of interaction between the cloud desktop server and the client through the cloud desktop proxy server;
And the data auditing subsystem audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the data auditing method provided by the above methods, the method being applied to a data auditing system, the data auditing system comprising: the cloud desktop proxy server and the data auditing subsystem; the method comprises the following steps:
The cloud desktop proxy server obtains the interaction data and generates user operation record data based on the interaction data; the interaction data are data of interaction between the cloud desktop server and the client through the cloud desktop proxy server;
And the data auditing subsystem audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result.
The apparatus embodiments described above are merely illustrative, wherein the components described as separate units may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (12)

1. A data auditing method, wherein the data auditing method is applied to a data auditing system, the data auditing system comprising: the cloud desktop proxy server and the data auditing subsystem; the data auditing method comprises the following steps:
The cloud desktop proxy server obtains interaction data and generates user operation record data based on the interaction data; the interaction data are data of interaction between the cloud desktop server and the client through the cloud desktop proxy server;
and the data auditing subsystem audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result.
2. The data auditing method according to claim 1, wherein the cloud desktop proxy server obtains interaction data, comprising:
the cloud desktop proxy server obtains bitmap response data returned by the cloud desktop server based on a user operation instruction, wherein the bitmap response data comprises bitmap data and operation identification data;
The generating user operation record data based on the interaction data comprises the following steps:
the cloud desktop proxy server obtains image data corresponding to the bitmap data; and determining the image data and the operation identification data as the user operation record data.
3. The data auditing method according to claim 2, wherein when the data protocol of the bitmap response data is a remote connection protocol, the cloud desktop proxy server obtaining image data corresponding to the bitmap data comprises:
the cloud desktop proxy server performs data protocol conversion on the bitmap data to obtain converted bitmap data whose data protocol is a predefined data protocol; and parses the converted image data from the converted bitmap data according to the predefined data protocol;
the determining the image data and the operation identification data as the user operation record data comprises:
the cloud desktop proxy server performs data protocol conversion on the operation identification data to obtain converted operation identification data whose data protocol is the predefined data protocol; and determines the converted image data and the converted operation identification data as the user operation record data.
4. The data auditing method according to claim 3, wherein the cloud desktop proxy server performing data protocol conversion on the bitmap data to obtain converted bitmap data whose data protocol is a predefined data protocol comprises:
the cloud desktop proxy server draws, using an image drawing library, a display image of a predefined image type corresponding to the bitmap data; and generates the converted bitmap data corresponding to the display image according to the predefined data protocol.
5. The data auditing method according to claim 2, wherein the data auditing subsystem auditing the user operation record data according to a predefined security audit policy to obtain an audit result comprises:
the data auditing subsystem recognizes text information corresponding to the image data by using an image-text recognition technology, and determines the text information and the operation identification data as recognized operation record data; performs keyword detection on the recognized operation record data according to a predefined keyword detection strategy; and determines the audit result based on the keyword detection result.
6. The data auditing method according to claim 5, wherein the keyword detection of the identified operation record data according to a predefined keyword detection policy comprises:
The data auditing subsystem determines keywords to be detected and detects whether the keywords exist in the text information;
The determining the audit result based on the keyword detection result comprises the following steps:
And under the condition that the keyword exists in the text information, determining the identified operation record data as abnormal data of a first alarm level.
7. The data auditing method according to claim 5, wherein the operation identification data includes a user operation time; and the performing keyword detection on the recognized operation record data according to a predefined keyword detection strategy comprises:
the data auditing subsystem determines keywords to be detected; and determines, based on the user operation time, the occurrence frequency of the keywords in the text information within a predefined duration;
the determining the audit result based on the keyword detection result comprises:
in the case where the occurrence frequency is not less than a preset frequency threshold, determining the recognized operation record data as abnormal data of a second alarm level.
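The two-level keyword policy of claims 5 to 7 (the same logic the fifth to seventh determining units above describe), as an added Python example that is not part of the patent. It assumes the image-text recognition stage has already produced the text information, assumes a user identifier is part of the operation identification data, and uses constructed records, keywords, window and threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class OperationRecord:
    """Recognized operation record: OCR text plus operation identification data."""
    user: str                 # assumed to be part of the operation identification data
    operation_time: datetime  # the user operation time of claim 7
    text: str                 # text information recognized from the image data


@dataclass(frozen=True)
class AuditFinding:
    user: str
    operation_time: datetime
    keyword: str
    alarm_level: int     # 1: keyword present; 2: occurrence frequency >= threshold
    hits_in_window: int  # hits of this keyword by this user inside the trailing window


def audit_records(records: Iterable[OperationRecord], keywords: Iterable[str],
                  window: timedelta, frequency_threshold: int) -> List[AuditFinding]:
    """Keyword detection policy: every hit is level 1; a user whose hits of one
    keyword within the trailing window reach the threshold is escalated to level 2."""
    kws = [k.lower() for k in keywords]
    # Sort by operation time so the sliding window is evaluated chronologically.
    ordered = sorted(records, key=lambda r: r.operation_time)
    recent: Dict[Tuple[str, str], List[datetime]] = {}
    findings: List[AuditFinding] = []
    for rec in ordered:
        text = rec.text.lower()
        for kw in kws:
            if kw not in text:
                continue  # no hit for this keyword, no finding
            hits = recent.setdefault((rec.user, kw), [])
            hits.append(rec.operation_time)
            cutoff = rec.operation_time - window
            hits[:] = [t for t in hits if t >= cutoff]  # forget hits outside the window
            level = 2 if len(hits) >= frequency_threshold else 1
            findings.append(AuditFinding(rec.user, rec.operation_time, kw, level, len(hits)))
    return findings


# Constructed sample input, standing in for what the OCR stage would hand over.
SAMPLE_RECORDS = [
    OperationRecord("alice", datetime(2022, 11, 15, 9, 0, 0), "Open file: Q3 budget CONFIDENTIAL.xlsx"),
    OperationRecord("alice", datetime(2022, 11, 15, 9, 2, 0), "Copy CONFIDENTIAL sheet to clipboard"),
    OperationRecord("bob", datetime(2022, 11, 15, 9, 3, 0), "Edit document: notes.txt"),
    OperationRecord("alice", datetime(2022, 11, 15, 9, 4, 30), "Paste into mail: confidential data attached"),
    OperationRecord("bob", datetime(2022, 11, 15, 9, 5, 0), "Type in terminal: password reset"),
    OperationRecord("alice", datetime(2022, 11, 15, 9, 20, 0), "Confidential review complete"),
]
SAMPLE_KEYWORDS = ("confidential", "password")  # constructed keyword list
SAMPLE_WINDOW = timedelta(minutes=5)            # constructed predefined duration
SAMPLE_THRESHOLD = 3                            # constructed frequency threshold


def demo() -> List[AuditFinding]:
    """Audit the sample records; alice's third hit inside five minutes escalates to level 2."""
    return audit_records(SAMPLE_RECORDS, SAMPLE_KEYWORDS, SAMPLE_WINDOW, SAMPLE_THRESHOLD)
```

The window is tracked per user and per keyword, so one user's repeated hits cannot be diluted by other users' quiet records; a real deployment would also want the hit list bounded, since it grows with the window length rather than with the number of users.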
8. The data auditing method according to claim 2, characterized in that after the cloud desktop proxy server obtains bitmap response data returned by the cloud desktop server based on user operation instructions, the data auditing method further comprises:
the cloud desktop proxy server stores the bitmap response data according to a playback file storage format to obtain a video file; and sending the video file to a distributed file system for storage through a video monitoring system.
9. The data auditing method of claim 1, wherein before the data auditing subsystem audits the user operation record data according to a predefined security audit policy to obtain an audit result, the data auditing method further comprises:
The cloud desktop proxy server sends the user operation record data to a message queue for storage;
the data auditing subsystem auditing the user operation record data according to a predefined security auditing strategy to obtain an auditing result comprises:
and the data auditing subsystem obtains the user operation record data from the message queue, and audits the user operation record data according to a predefined security auditing strategy to obtain an auditing result.
10. A data auditing system, comprising: a cloud desktop proxy server and a data auditing subsystem; the cloud desktop proxy server comprises a first obtaining unit and a first generating unit, and the data auditing subsystem comprises a first audit unit; wherein:
The first obtaining unit is used for obtaining interaction data; the interaction data are data of interaction between the cloud desktop server and the client through the cloud desktop proxy server;
The first generation unit is used for generating user operation record data based on the interaction data;
and the first audit unit is used for auditing the user operation record data according to a predefined security audit strategy to obtain an audit result.
11. The data auditing system according to claim 10, wherein the first obtaining unit is configured to obtain bitmap response data returned by the cloud desktop server based on a user operation instruction, the bitmap response data including bitmap data and operation identification data;
The first generation unit includes: a second obtaining unit and a first determining unit;
the second obtaining unit is used for obtaining image data corresponding to the bitmap data;
the first determining unit is configured to determine the image data and the operation identification data as the user operation record data.
12. The data auditing system of claim 11, wherein the first audit unit comprises: an identification unit, a third determining unit, a first detection unit and a fourth determining unit;
the identification unit is used for recognizing text information corresponding to the image data by using an image-text recognition technology;
the third determining unit is used for determining the text information and the operation identification data as recognized operation record data;
the first detection unit is used for performing keyword detection on the recognized operation record data according to a predefined keyword detection strategy;
and the fourth determining unit is used for determining the audit result based on the keyword detection result.
CN202211430126.3A 2022-11-15 2022-11-15 Data auditing method and system Pending CN118055149A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211430126.3A CN118055149A (en) 2022-11-15 2022-11-15 Data auditing method and system

Publications (1)

Publication Number Publication Date
CN118055149A true CN118055149A (en) 2024-05-17

Family

ID=91050680


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination