CN114401126A - Interface safety monitoring method and device - Google Patents

Interface safety monitoring method and device

Info

Publication number
CN114401126A
Authority
CN
China
Prior art keywords
data
interface
sensitivity
address
source
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111652066.5A
Other languages
Chinese (zh)
Other versions
CN114401126B (en)
Inventor
田波
张涛涛
车力军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202111652066.5A
Publication of CN114401126A
Application granted
Publication of CN114401126B
Legal status: Active
Anticipated expiration


Abstract

The application provides an interface safety monitoring method and device, wherein the method comprises the following steps: the sensitivity evaluation is carried out on the flow data transmitted when the interface is accessed from two dimensions of a sensitive field and a target receiving party of the flow data, so that the sensitivity of the flow data is obtained. Then, aiming at each access of the interface, the risk value of the current access is evaluated according to the sensitivity of the flow data transmitted by the interface in the access process and the source IP address of the access interface, and when the risk value is higher than a threshold value, early warning is carried out.

Description

Interface safety monitoring method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for monitoring interface security.
Background
With the promulgation and enforcement of the network security law, the data security law (draft) and the personal information protection law (draft), the protection of personal privacy data has risen to the legal level. In the big data era, data becomes a new production element, the value of the data is gradually highlighted, and the protection of the data is more and more important.
However, advances in digitization have made the application and flow of data within industry more widespread and frequent. Data flows in more and more scenarios, and each business system provides convenient services to other business systems or external partners through open Application Programming Interfaces (APIs).
In the existing method for monitoring interface security, an external request from an external system is received, and whether the access is normal is determined by comparing the traffic volume of the external request with an access traffic threshold. That is, the existing scheme monitors interface security on the basis of access volume alone. As data circulation in each scenario becomes more and more open, the threat to an interface is no longer limited to the single dimension of access volume; it may also involve dimensions such as the sensitivity of the accessed data itself, so the existing monitoring scheme no longer fits current interface security monitoring. How to monitor the security of an interface during data circulation has therefore become an urgent problem to be solved.
Disclosure of Invention
The application provides an interface safety monitoring method and device, which are used for effectively and safely monitoring interfaces between service systems.
In a first aspect, an embodiment of the present application provides an interface security monitoring method, which may be performed by an interface security monitoring apparatus, where the interface may be, for example, a software interface between service systems, or another type of interface.
The method comprises the following steps: determining the source IP address of the access interface through a flow analysis technology; determining the sensitivity of the flow data accessing the interface at this time according to the sensitive field included in the flow data transmitted by the interface and/or the information of the target receiver of the flow data; determining the risk value of the source IP address for the current access according to the sensitivity of the flow data of the interface and the security of the current access of the source IP address; and if the risk value is greater than a set threshold value, positioning the access source of the interface to the source IP address, and performing early warning.
According to the technical scheme, the sensitivity evaluation can be performed on the traffic data transmitted when the interface is accessed from two dimensions of the sensitive field included in the traffic data and the target receiving party of the traffic data, so that the sensitivity of the traffic data is obtained. Then, aiming at each access of the interface, the risk value of the current access is evaluated according to the sensitivity of the flow data transmitted by the interface in the access process and the source IP address of the access interface, and when the risk value is higher than a threshold value, early warning is carried out.
In one possible design, determining the sensitivity of the traffic data accessed to the interface at this time according to the sensitive field included in the traffic data transmitted by the interface at this time and the receiver of the traffic data includes: determining the sensitivity of each data packet in the flow data accessing the interface at this time according to the sensitive field included in the flow data accessing the interface at this time and/or the information of the receiver of the flow data; and determining the sum of the sensitivities of all data packets in the flow data as the sensitivity of the flow data accessing the interface at the time.
In one possible design, determining the sensitivity of each packet in the traffic data of this access to the interface includes: if the data packet is uplink data and the device where the interface is located is the data producer of the data packet, the sensitivity α of the data packet is α = α2 · α3, where α2 is the data field sensitivity of the data packet and α3 is the sensitivity of the intended recipient of the data packet.
In one possible design, among all fields included in the data packet, the set formed by all fields currently marked as sensitive fields is set A, and the set formed by all fields currently marked as non-sensitive fields is set B; if set B is empty, α2 is 0; if set B is not empty, then
Figure BDA0003446817020000031
where Nt is the total number of fields included in the data packet, Nb is the number of elements in set B, i is the element identifier in set A, j is the element identifier in set B, and P(i|j) is the probability that the ith element in set A is also a sensitive field, given that the jth element in set B is a sensitive field.
In one possible design, a sensitivity of an intended recipient of the data packet corresponds to a security level of the intended recipient.
In one possible design, determining the sensitivity of each packet in the traffic data of this access to the interface includes: if the data packet is uplink data and the device where the interface is located is a data forwarding node of the data packet, the sensitivity α of the data packet is α = α4 · α5, where α4 is the sensitivity of the source IP address of the packet and α5 is the sensitivity of the destination IP address of the packet.
In one possible design, the sensitivity α4 of the source IP address of the data packet is determined according to the device type, device configuration and transmission channel of the source IP address, as α4 = (I1 * I2)^I3, where I1 is the type sensitivity corresponding to the device type of the device where the source IP address is located, I2 is the device configuration score of the device where the source IP address is located, and I3 is the security score of the transmission channel between the device where the interface is located and the device where the source IP address is located.
In one possible design, the sensitivity α5 of the destination IP address of the data packet is determined according to the device type, device configuration and transmission channel of the destination IP address, as α5 = (I4 * I5)^I6, where I4 is the type sensitivity corresponding to the device type of the device where the target IP address is located, I5 is the device configuration score of the device where the target IP address is located, and I6 is the security score of the transmission channel between the device where the interface is located and the device where the target IP address is located.
In one possible design, determining the sensitivity of each packet in the traffic data of this access to the interface includes: if the data packet is downlink data and the device where the interface is located is the target receiver of the data packet, the sensitivity α of the data packet is α = (I7 × I8)^I9, where I7 is the type sensitivity corresponding to the device type of the device where the interface is located, I8 is the device configuration score of the device where the source IP address of the data packet is located, and I9 is the security score of the transmission channel between the device where the source IP address of the packet is located and the device where the interface is located.
In a second aspect, embodiments of the present application provide an interface security monitoring apparatus, which may include a module/unit for performing any one of the possible design methods of the first aspect. These modules/units may be implemented by hardware, or by hardware executing corresponding software.
Illustratively, the apparatus may include a communication module and a processing module; wherein:
the communication module is used for acquiring the flow data of the access interface;
the processing module is used for determining the source IP address of the access interface through a flow analysis technology; determining the sensitivity of the flow data accessing the interface at this time according to the sensitive field included in the flow data transmitted by the interface and/or the information of the target receiver of the flow data; determining the risk value of the source IP address for the current access according to the sensitivity of the flow data of the interface and the security of the current access of the source IP address; and if the risk value is greater than a set threshold value, positioning the access source of the interface to the source IP address, and performing early warning.
In one possible design, the processing module is specifically configured to: determining the sensitivity of each data packet in the flow data accessing the interface at this time according to the sensitive field included in the flow data accessing the interface at this time and/or the information of the receiver of the flow data; and determining the sum of the sensitivities of all data packets in the flow data as the sensitivity of the flow data accessing the interface at the time.
In one possible design, the processing module is specifically configured to determine the sensitivity of each packet in the traffic data of the current access to the interface by: for each data packet in the traffic data of this access, if the data packet is uplink data and the device where the interface is located is the data producer of the data packet, the sensitivity α of the data packet is α = α2 · α3, where α2 is the data field sensitivity of the data packet and α3 is the sensitivity of the intended recipient of the data packet.
In one possible design, the processing module is specifically configured to determine the data field sensitivity α2 of the data packet by: among all fields included in the data packet, the set formed by all fields currently marked as sensitive fields is set A, and the set formed by all fields currently marked as non-sensitive fields is set B; if set B is empty, α2 is 0; if set B is not empty, then
Figure BDA0003446817020000051
where Nt is the total number of fields included in the data packet, Nb is the number of elements in set B, i is the element identifier in set A, j is the element identifier in set B, and P(i|j) is the probability that the ith element in set A is also a sensitive field, given that the jth element in set B is a sensitive field.
In one possible design, the sensitivity α3 of the intended recipient of the data packet corresponds to the security level of the intended recipient.
In one possible design, the processing module is specifically configured to determine the sensitivity of each data packet in the traffic data of the current access to the interface by the following formula: for each data packet in the traffic data of this access, if the data packet is uplink data and the device where the interface is located is a data forwarding node of the data packet, the sensitivity α of the data packet is α = α4 · α5, where α4 is the sensitivity of the source IP address of the packet and α5 is the sensitivity of the destination IP address of the packet.
In one possible design, the sensitivity α4 of the source IP address of the data packet is determined according to the device type, device configuration and transmission channel of the source IP address, as α4 = (I1 * I2)^I3, where I1 is the type sensitivity corresponding to the device type of the device where the source IP address is located, I2 is the device configuration score of the device where the source IP address is located, and I3 is the security score of the transmission channel between the device where the interface is located and the device where the source IP address is located.
In one possible design, the sensitivity α5 of the destination IP address of the data packet is determined according to the device type, device configuration and transmission channel of the destination IP address, as α5 = (I4 * I5)^I6, where I4 is the type sensitivity corresponding to the device type of the device where the target IP address is located, I5 is the device configuration score of the device where the target IP address is located, and I6 is the security score of the transmission channel between the device where the interface is located and the device where the target IP address is located.
In one possible design, the processing module is specifically configured to determine the sensitivity of each packet in the traffic data of the current access to the interface by: for each data packet in the traffic data of this access, if the data packet is downlink data and the device where the interface is located is the target receiver of the data packet, the sensitivity α of the data packet is α = (I7 × I8)^I9, where I7 is the type sensitivity corresponding to the device type of the device where the interface is located, I8 is the device configuration score of the device where the source IP address of the data packet is located, and I9 is the security score of the transmission channel between the device where the source IP address of the data packet is located and the device where the interface is located.
In a third aspect, an embodiment of the present application further provides a computer device, including:
a memory for storing program instructions;
a processor for calling the program instructions stored in said memory and for executing the method as described in the various possible designs of the first aspect according to the obtained program instructions.
In a fourth aspect, the present application further provides a computer-readable storage medium, in which computer-readable instructions are stored, and when the computer-readable instructions are read and executed by a computer, the method described in any one of the possible designs of the first aspect is implemented.
In a fifth aspect, this application further provides a computer program product including computer readable instructions that, when executed by a processor, cause the method described in any one of the possible designs of the first aspect to be implemented.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic flowchart of an interface security monitoring method according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram of a technical architecture provided in an embodiment of the present application;
fig. 3 is a schematic diagram of an interface security monitoring apparatus according to an embodiment of the present disclosure;
fig. 4 is a schematic diagram of a computer device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the embodiments of the present application, a plurality means two or more. The terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance, nor order.
The application provides an interface security monitoring method based on a traffic analysis technology, and sensitivity evaluation is carried out on two dimensions of security of a sensitive field and a receiver included in each piece of data in traffic, so that the sensitivity of the data is finally formed. And for each access of the interface, evaluating the risk value of the current access according to all sensitivities related to the access port and the IP of the current visitor, and giving an early warning when the risk value is higher than a threshold value.
Fig. 1 illustrates an interface security monitoring method provided in an embodiment of the present application, where the method may be performed by a corresponding interface security monitoring apparatus, and the apparatus may be a data exchange device in a network or a separate computing device, which is not limited. As shown in fig. 1, the method includes:
step 101, determining the access source IP address of the access interface through a traffic analysis technology.
The source IP address here is the IP address of the previous hop.
Specifically, the traffic log may be analyzed by a traffic analysis technique to determine a source IP address of each access of the interface.
Step 102, determining the sensitivity of the traffic data accessing the interface at this time according to the sensitive field included in the traffic data transmitted by the interface and/or the information of the target receiver of the traffic data.
Specifically, the sensitivity of each data packet in the traffic data accessing the interface at this time may be determined according to the sensitive field included in the traffic data accessing the interface at this time and/or the information of the receiver of the traffic data; then, the sum of the sensitivities of the data packets in the traffic data is determined as the sensitivity of the traffic data accessing the interface at this time.
The traffic data in this step may include uplink data and downlink data through the interface, and the following describes the method for determining the sensitivity of the data packet in these two cases.
First, uplink data.
The uplink data refers to data transmitted to other devices by the device (for convenience of description, hereinafter, abbreviated as device X) where the interface is located.
The uplink data is divided into 2 types, one type is data generated by the device X, that is, a source of data transmission, that is, the device X is a data producer and not a data forwarding node. The other is data that is forwarded to another device after the device X receives data sent by another node, that is, the device X is only a data forwarding node.
If the device X is a data producer, the sensitivity α of the uplink data may be determined according to both the condition of the sensitive field included in the data packet and the condition of the intended recipient.
Because different receivers possess different background knowledge, the same data is understood to different degrees: the same data may not be very sensitive to some receivers, while other receivers, after interpreting it with their background knowledge, can recover its true meaning, so the data is sensitive to them. For example, encrypted data is not sensitive to an ordinary receiver that does not know the decryption method; if the legitimate receiver, or a receiver that has stolen the decryption method, decrypts the data with the known method and obtains sensitive data, then the encrypted data is sensitive to those receivers.
Specifically, in this case the sensitivity α = α2 · α3,
where α2 is the data field sensitivity of the data packet and α3 is the sensitivity of the target recipient of the data packet.
(1) The data field sensitivity α 2.
When the data producer produces the data, the data producer marks whether each field is sensitive or not so as to carry out security monitoring on the data subsequently. Based on this, the procedure can be subdivided as follows:
1) confirming all fields of the data to obtain the total number of fields Nt;
2) All fields are divided into 2 sets, one set consisting of fields not currently labeled as sensitive fields, i.e., fields labeled as non-sensitive fields, and the other set consisting of fields currently labeled as sensitive fields. For convenience of description, a set composed of fields not currently labeled as sensitive fields is referred to as a set a, and a set composed of fields currently labeled as sensitive fields is referred to as a set B.
3) If the set B is an empty set, α 2 is determined to be 0.
4) If the set B is not an empty set, determining
Figure BDA0003446817020000091
where Nb is the number of elements in set B, i is the element identifier in set A, j is the element identifier in set B, and P(i|j) is the probability that the ith element in set A is also a sensitive field, given that the jth element in set B is a sensitive field.
In the present application, the value of P (i | j) can be obtained by a large amount of sample data. The sample data may be existing data, data acquired from different channels, or data provided by a user.
Specifically,
Figure BDA0003446817020000092
where P(ij) = (number of sample data containing both the ith and the jth element in which both are sensitive fields) / (total number of sample data containing both the ith and the jth element), and P(j) = (number of sample data containing the jth element in which it is a sensitive field) / (total number of sample data containing the jth element).
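The two frequencies just defined can be estimated directly from a labelled corpus. The following is an added example, not the patent's own code: it computes P(ij) and P(j) exactly as the text defines them over constructed sample records (each record lists the fields it contains and the producer's sensitive/non-sensitive mark for each), and combines them as P(i|j) = P(ij) / P(j). That ratio is the ordinary conditional-probability identity and is an assumption here, because the page does not reproduce the patent's formula image; the zero-evidence and capping rules in `p_conditional` are likewise assumptions.

```python
"""Estimate P(i|j): the probability that field i is a sensitive field given
that field j is a sensitive field, from labelled sample records.

Added example, not code from the patent. P(ij) and P(j) follow the text's
definitions; P(i|j) = P(ij) / P(j) is the standard conditional-probability
identity and is assumed here, since the patent's formula image is not on
the page.
"""
from itertools import permutations
from typing import Dict, List, Tuple

# Constructed sample records: field name -> True if the producer marked the
# field sensitive in that record, False otherwise. A field absent from a
# record means the record does not contain that field at all.
SAMPLE_RECORDS: List[Dict[str, bool]] = [
    {"user_id": True, "phone": True, "city": False},
    {"user_id": True, "phone": True, "city": True},
    {"user_id": False, "phone": True, "city": False},
    {"user_id": True, "city": False},
    {"phone": True, "city": True},
    {"user_id": True, "phone": False, "city": False},
]


def p_joint(records: List[Dict[str, bool]], i: str, j: str) -> float:
    """P(ij): among records containing both i and j, the fraction in which
    both are marked sensitive (text's definition)."""
    both = [r for r in records if i in r and j in r]
    if not both:
        return 0.0
    return sum(1 for r in both if r[i] and r[j]) / len(both)


def p_marginal(records: List[Dict[str, bool]], j: str) -> float:
    """P(j): among records containing j, the fraction in which j is marked
    sensitive (text's definition)."""
    with_j = [r for r in records if j in r]
    if not with_j:
        return 0.0
    return sum(1 for r in with_j if r[j]) / len(with_j)


def p_conditional(records: List[Dict[str, bool]], i: str, j: str) -> float:
    """P(i|j) = P(ij) / P(j).

    Assumptions: returns 0.0 when P(j) is 0 (no evidence about j), and caps
    the result at 1.0 because the two frequencies are taken over different
    record subsets and their ratio can exceed 1 on small samples."""
    pj = p_marginal(records, j)
    if pj == 0.0:
        return 0.0
    return min(p_joint(records, i, j) / pj, 1.0)


def co_sensitivity_table(records: List[Dict[str, bool]],
                         fields: List[str]) -> Dict[Tuple[str, str], float]:
    """P(i|j) for every ordered pair of distinct fields: the lookup a monitor
    needs when scoring a packet's not-yet-marked fields against its marked ones."""
    return {(i, j): p_conditional(records, i, j) for i, j in permutations(fields, 2)}


if __name__ == "__main__":
    table = co_sensitivity_table(SAMPLE_RECORDS, ["user_id", "phone", "city"])
    for (i, j), p in sorted(table.items()):
        print(f"P({i} sensitive | {j} sensitive) = {p:.3f}")
```

With the constructed records, four contain both `user_id` and `phone` and in two of them both are sensitive, so P(ij) = 0.5; five contain `phone` and it is sensitive in four, so P(j) = 0.8 and P(user_id | phone) = 0.625. The table is what a data producer would refresh as new labelled samples arrive.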
(2) Sensitivity of the intended recipient α 3.
The target receiving party refers to an object that the data producer wants to send data. For example, device X sends an operation instruction to the server, and then device X is the data producer and the server is the intended recipient.
The sensitivity α 3 of the intended recipient of the data packet corresponds to the security level of the intended recipient. α 3 is a positive integer, and a larger value indicates a higher security level. Specifically, the value range of α 3 may be configured, such as 1 to 5, or 1 to 10.
Optionally, since the data producer is most familiar with the sending object, the data producer may evaluate the security level of the target recipient to obtain an evaluation result, which is α 3.
In the present application, the data producer may be a user or a device. If the data producer is a device, the device can determine the target IP address when sending data, so the security level of the target receiver can be determined from the target IP address; alternatively, the device may determine the sending path when sending data and derive the security level of the target receiver from that path, for example a relatively high level for sending through a Virtual Private Network (VPN) and a relatively low level for sending over a plain IP link. The specific security level can be obtained from a preconfigured correspondence.
If the device X is a data forwarding node, the sensitivity α of the uplink data may be determined according to both the source IP address and the destination IP address of the data packet.
The source IP address is used to characterize where the data packet is transmitted to device X, and the destination IP address is used to characterize where the data packet is to be sent from device X.
Specifically, in this case the sensitivity α = α4 · α5,
where α4 is the sensitivity of the source IP address of the data packet and α5 is the sensitivity of the destination IP address of the data packet.
(1) Sensitivity α4 of the source IP address.
α4 is determined according to the device type, device configuration and transmission channel of the source IP address.
Specifically, α4 = (I1 * I2)^I3.
I1 is the type sensitivity corresponding to the device type of the device where the source IP address is located. The type sensitivity may be obtained from a preset correspondence table of device types and sensitivities, and each sensitivity in the table may be determined from the likelihood of the device being attacked and the consequences of such an attack. For example, an attack on a server is more serious than an attack on a hub, so the server's I1 is larger than the hub's; this correspondence is an empirical value.
I2 is a device configuration score of the device where the source IP address is located, where the device configuration score may be a security score determined by security control software of the device where the source IP address is located, and may be obtained by device X sending a data request message to the device where the source IP address is located.
I3 is the security score of the transmission channel between device X and the device at which the source IP address is located. For example, if the device at which the source IP address is located is connected to device X via a VPN, I3 may be 1; if the connection between the device at which the source IP address is located and device X is through the internet, I3 may be 0.6.
(2) Sensitivity α5 of the destination IP address.
α5 is determined in the same way as α4, jointly from the device type, device configuration and transmission channel of the device where the destination IP address is located.
Specifically, α5 = (I4 * I5)^I6.
Wherein, I4 is the type sensitivity corresponding to the device type of the device where the target IP address is located, and the type sensitivity can be obtained according to a preset mapping table of the device type and the sensitivity.
I5 is a device configuration score of the device where the target IP address is located, where the device configuration score is obtained by a security score determined by the device security control software where the target IP is located, and by the device X sending a data request message to the device where the target IP address is located.
I6 is the security score of the transmission channel between device X and the device at which the target IP address is located. For example, I6 may be 1 if device X is connected to the destination IP via a VPN, and I6 may be 0.6 if device X is connected to the device at the destination IP address via the internet.
And II, downlink data.
The downlink data refers to data which is received by the device X and is sent by other devices, that is, the device X is an intended receiver of the data.
The sensitivity of downlink data is α = (I7 × I8)^I9,
where I7 is the type sensitivity corresponding to the device type of device X, obtained from a preset correspondence table between device type and sensitivity. Each sensitivity in the table may be determined from the likelihood of the device being attacked and the consequences of such an attack. For example, an attack on a server is more serious than an attack on a hub, so the server's I7 value is higher than the hub's; the correspondence is an empirical value.
I8 is a device configuration score of the device where the source IP address of the packet is located, which can be obtained by the device X sending a data request message to the device where the source IP address is located, and the device configuration score can be determined by the security control software of the device where the source IP address is located.
I9 is the security score of the transmission channel between the device at which the source IP address of the packet is located and device X. For example, I9 may be 1 if the device at the source IP address is connected to device X via a VPN, and I9 may be 0.6 if the device at the source IP address is connected to device X via the internet.
Step 103, determining the risk value of the source IP address for the current access according to the sensitivity of the traffic data of the interface and the security of the current access by the source IP address.
Specifically, the security of the source IP address for this access can be determined by an existing network attack detection scheme (also called a security detection scheme), that is, by estimating how likely it is that the access from the source IP address is a network attack. Any existing network attack detection scheme can be used here, and it is not described in detail.
Then the risk value of the source IP address for this access is determined from the sensitivity of the traffic data of the interface and the security of the source IP address for this access determined above. The risk value of the source IP address for this access behavior may be taken as sensitivity / security of the source IP address for this access.
For example, the possibility of an out-of-band (OOB) attack is detected from packets sent over TCP/IP to the interface (generally ports 137, 138 and 139), or the possibility of a denial of service (DoS) attack is detected. The sensitivity of the traffic data transmitted by the interface reflects the security level of the interface: if the sensitivity is higher and the security of the access by the source IP address is lower, the access risk is determined to be higher.
Step 104, if the risk value is greater than the set threshold, locating the access source of the interface to the source IP address and issuing an early warning.
During early warning, the source IP address with the high risk value is reported, and the data involved in the interface access may be handled, for example by forbidding access to it.
In conclusion, the application has the following advantages and effects compared with the prior art:
The application provides an interface safety monitoring method based on a flow analysis technology. Sensitivity evaluation is carried out on two dimensions, the sensitive fields included in each data packet of the flow data and the safety of the target receiver, and the sensitivity of the data is formed from both. For each access of the interface, the risk value of the current access is evaluated according to all sensitivities involved in accessing the interface and the IP address of the current visitor, and an early warning is given when the risk value is higher than a threshold.
Sensitivity evaluation is carried out from two dimensions of the sensitive field included by the data packet and the safety of the target receiving party, namely, the sensitivity is evaluated from the data and the behavior, so that the comprehensiveness of the sensitivity evaluation can be ensured, and the accuracy of the evaluation result is improved.
For each access of the interface, the risk value of the current access is evaluated according to all the sensitivities related to the accessed interface and the IP address of the current visitor. The interface safety monitoring is therefore not based on a single characteristic of the access behaviour; the characteristics of both the port and the visitor are considered together, which ensures the comprehensiveness of the risk evaluation and improves the accuracy of the evaluation result.
The technical scheme of the application can be realized in a Browser/Server (B/S) structure, with the background services designed as a distributed architecture of independent services. The back-end services communicate with each other through RESTful interfaces and Remote Procedure Calls (RPC). Development is carried out in multiple languages, including Java, C/C++, JavaScript and HTML. Isolation between the services gives a low-coupling design and reduces complexity.
As shown in fig. 2, the technical solution is divided into four layers: the monitoring station & open layer, the security capability layer, the basic platform layer and the front-end probe. The monitoring station & open layer is responsible for receiving the user's input and presenting output to the user through various functions; the security capability layer provides interface data for the front end and issues scanning tasks and desensitization tasks; the basic platform layer executes the main flow of the proposal to realize the safety monitoring of the interface; the front-end probe is responsible for interaction with the data source (database), such as database connection, data fetching and data insertion. The layers are described below:
Monitoring station & open layer: the common form interfaces and chart displays are implemented with Echarts, jQuery and JavaScript; data is stored in the MySQL database via JDBC.
Security capability layer: Java and Spring Boot micro-service technology is adopted to provide interface data for the front end and to issue scanning tasks and desensitization tasks.
Basic platform layer: the main flow of the proposal is executed in Java to realize the safety monitoring of the interface.
Front-end probe: JDBC technology and a metamodel are used to interact with the data source (database), such as database connection, data fetching and data insertion.
Based on the same inventive concept, the application also provides an interface safety monitoring device, which is used for realizing the interface safety monitoring method in the method embodiment.
As shown in fig. 3, the apparatus 300 includes: a communication module 310 and a processing module 320.
The communication module 310 is configured to obtain traffic data of the access interface;
the processing module 320 is configured to determine, through a traffic analysis technique, a source IP address of the current access interface; determining the sensitivity of the flow data accessing the interface at this time according to the sensitive field included in the flow data transmitted by the interface and/or the information of the target receiver of the flow data; determining the risk value of the source IP address for the current access according to the sensitivity of the flow data of the interface and the security of the current access of the source IP address; and if the risk value is greater than a set threshold value, positioning the access source of the interface to the source IP address, and performing early warning.
In one possible design, the processing module 320 is specifically configured to: determining the sensitivity of each data packet in the flow data accessing the interface at this time according to the sensitive field included in the flow data accessing the interface at this time and/or the information of the receiver of the flow data; and determining the sum of the sensitivities of all data packets in the flow data as the sensitivity of the flow data accessing the interface at the time.
In one possible design, the processing module 320 is specifically configured to determine the sensitivity of each packet in the traffic data of the interface accessed this time by: for each data packet in the flow data accessing the interface at this time, if the data packet is uplink data and the device where the interface is located is the data producer of the data packet, the sensitivity α of the data packet is α = α2·α3; wherein α2 is the data field sensitivity of the data packet, and α3 is the sensitivity of the intended recipient of the data packet.
In one possible design, the processing module 320 is specifically configured to determine the data field sensitivity α2 of the data packet by: the set formed by all fields currently marked as sensitive fields among the fields included in the data packet is set A, and the set formed by all fields currently marked as non-sensitive fields is set B; if set B is an empty set, α2 is 0; if set B is not an empty set, then
(the expression for α2 is given in the original as an image, Figure BDA0003446817020000141, and is not reproduced in the text)
Wherein N_t is the total number of fields included in the data packet, N_b is the number of elements in set B, i is the element identifier in set A, j is the element identifier in set B, and P(i|j) is the probability that the i-th element in set A is also a sensitive field given that the j-th element in set B is a sensitive field.
In one possible design, the sensitivity α 3 of the intended recipient of the data packet corresponds to the security level of the intended recipient.
In one possible design, the processing module 320 is specifically configured to determine the sensitivity of each packet in the traffic data of the interface accessed this time by: for each data packet in the flow data accessing the interface this time, if the data packet is uplink data and the device where the interface is located is a data forwarding node of the data packet, the sensitivity α of the data packet is α = α4·α5; wherein α4 is the sensitivity of the source IP address of the packet, and α5 is the sensitivity of the destination IP address of the packet.
In one possible design, the sensitivity α4 of the source IP address of the data packet is determined according to the device type, device configuration and transmission channel of the source IP address, and α4 = (I1 × I2)^I3; wherein I1 is the type sensitivity corresponding to the device type of the device where the source IP address is located; I2 is the device configuration score of the device where the source IP address is located; I3 is the security score of the transmission channel between the device where the interface is located and the device where the source IP address is located.
In one possible design, the sensitivity α5 of the destination IP address of the data packet is determined according to the device type, device configuration and transmission channel of the destination IP address, and α5 = (I4 × I5)^I6; wherein I4 is the type sensitivity corresponding to the device type of the device where the target IP address is located; I5 is the device configuration score of the device where the target IP address is located; I6 is the security score of the transmission channel between the device where the interface is located and the device where the target IP address is located.
In one possible design, the processing module 320 is specifically configured to determine the sensitivity of each packet in the traffic data of the interface accessed this time by: for each data packet in the traffic data accessing the interface this time, if the data packet is downlink data and the device where the interface is located is the target receiver of the data packet, the sensitivity α of the data packet is α = (I7 × I8)^I9; wherein I7 is the type sensitivity corresponding to the device type of the device where the interface is located; I8 is the device configuration score of the device where the source IP address of the data packet is located; I9 is the security score of the transmission channel between the device where the source IP address of the packet is located and the device where the interface is located.
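Worked example of the scoring described in steps 101 to 104 and restated in the apparatus embodiment above. This is added here and is not the applicant's code or part of the patent: the per-packet α for the three cases (α2·α3, α4·α5 and (I7 × I8)^I9), the sum over one access, risk = sensitivity / security, and the threshold check. The device table, the VPN membership, the α2/α3 inputs, the rule used to tell the three packet cases apart, the threshold and the reading of "security" as a detector score in (0, 1] are all constructed assumptions; the α2 expression is an image in the original and is taken as an input here.

```python
"""Added worked example of the patent's risk scoring (not the applicant's code).

Assumptions (not in the patent): the device tables, VPN membership, per-packet
alpha2/alpha3 inputs, the threshold and the rule that tells the three packet
cases apart are all constructed here for illustration.
"""
import math
from dataclasses import dataclass
from typing import Dict, List

# I1/I4/I7: type sensitivity per device type. The patent only says these are
# empirical (a server outranks a hub); the numbers are constructed placeholders.
TYPE_SENSITIVITY: Dict[str, float] = {"server": 1.0, "workstation": 0.7, "hub": 0.3}


@dataclass(frozen=True)
class Device:
    dev_type: str
    config_score: float  # I2/I5/I8: reported by the device's own security-control software


# Constructed inventory; 10.0.0.10 is the device hosting the monitored interface.
INTERFACE_IP = "10.0.0.10"
DEVICES: Dict[str, Device] = {
    "10.0.0.10": Device("server", 0.9),
    "10.0.0.20": Device("workstation", 0.8),
    "10.0.0.30": Device("hub", 0.6),
    "203.0.113.5": Device("server", 0.5),
}
VPN_PEERS = {"10.0.0.20", "10.0.0.30"}  # every other peer reaches the interface over the internet


def channel_score(ip: str) -> float:
    """I3/I6/I9: 1.0 for a VPN channel, 0.6 for the public internet (values from the text)."""
    return 1.0 if ip in VPN_PEERS else 0.6


def address_sensitivity(ip: str) -> float:
    """alpha4 / alpha5 = (type sensitivity * configuration score) ** channel score."""
    dev = DEVICES[ip]
    return (TYPE_SENSITIVITY[dev.dev_type] * dev.config_score) ** channel_score(ip)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    direction: str                      # "uplink" or "downlink" relative to the interface
    field_sensitivity: float = 0.0      # alpha2: output of the sensitive-field labelling
    recipient_sensitivity: float = 0.0  # alpha3: security level of the intended recipient


def packet_sensitivity(pkt: Packet) -> float:
    """Per-packet alpha; the case is chosen by who produced or receives the packet (assumption)."""
    if pkt.direction == "uplink" and pkt.src_ip == INTERFACE_IP:
        # Interface device is the data producer: alpha = alpha2 * alpha3
        return pkt.field_sensitivity * pkt.recipient_sensitivity
    if pkt.direction == "uplink":
        # Interface device only forwards the packet: alpha = alpha4 * alpha5
        return address_sensitivity(pkt.src_ip) * address_sensitivity(pkt.dst_ip)
    if pkt.direction == "downlink" and pkt.dst_ip == INTERFACE_IP:
        # Interface device is the target receiver: alpha = (I7 * I8) ** I9
        i7 = TYPE_SENSITIVITY[DEVICES[INTERFACE_IP].dev_type]
        i8 = DEVICES[pkt.src_ip].config_score
        return (i7 * i8) ** channel_score(pkt.src_ip)
    raise ValueError(f"packet matches none of the three cases: {pkt}")


def flow_sensitivity(packets: List[Packet]) -> float:
    """Sensitivity of one access = sum of its packets' sensitivities (claim 2)."""
    return sum(packet_sensitivity(p) for p in packets)


def risk_value(sensitivity: float, security: float) -> float:
    """risk = sensitivity / security. 'security' is read as the attack detector's score
    in (0, 1], lower meaning the source looks more like an attack. A zero score is
    treated as unbounded risk rather than raising ZeroDivisionError."""
    if security <= 0.0:
        return math.inf
    return sensitivity / security


def evaluate_access(source_ip: str, packets: List[Packet],
                    security: float, threshold: float) -> dict:
    """Steps 103 and 104: score the access and decide whether to raise an early warning."""
    sens = flow_sensitivity(packets)
    risk = risk_value(sens, security)
    return {"source_ip": source_ip, "sensitivity": sens, "risk": risk,
            "alert": risk > threshold}


# Constructed traffic for one access from 203.0.113.5 (an internet-connected server).
SAMPLE_ACCESS = [
    Packet("10.0.0.10", "203.0.113.5", "uplink", field_sensitivity=0.8, recipient_sensitivity=0.5),
    Packet("10.0.0.20", "203.0.113.5", "uplink"),
    Packet("203.0.113.5", "10.0.0.10", "downlink"),
]

if __name__ == "__main__":
    # Detector scores the source 0.2 (likely hostile); the threshold 5.0 is constructed.
    print(evaluate_access("203.0.113.5", SAMPLE_ACCESS, security=0.2, threshold=5.0))
```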
Based on the same technical concept, the embodiment of the present application further provides a computer device, as shown in fig. 4, including at least one processor 401 and a memory 402 connected to the at least one processor. The specific connection medium between the processor 401 and the memory 402 is not limited in this embodiment; in fig. 4 the processor 401 and the memory 402 are connected through a bus as an example. The bus may be divided into an address bus, a data bus, a control bus, and so on.
In this embodiment, the memory 402 stores instructions executable by the at least one processor 401, and the at least one processor 401 can implement the steps of the method in the foregoing method embodiment by executing the instructions stored in the memory 402.
The processor 401 is the control center of the computer device; it may connect the various parts of the computer device through various interfaces and lines, and performs resource setting by running or executing the instructions stored in the memory 402 and calling the data stored in the memory 402. Optionally, the processor 401 may include one or more processing units, and may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs and the like, and the modem processor mainly handles wireless communication. It will be appreciated that the modem processor need not be integrated into the processor 401. In some embodiments, the processor 401 and the memory 402 may be implemented on the same chip; in other embodiments they may be implemented on separate chips.
The processor 401 may be a general-purpose processor, such as a Central Processing Unit (CPU), a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of a method disclosed in connection with the embodiments of the present application may be implemented directly by a hardware processor, or by a combination of hardware and software modules in a processor.
The memory 402, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs and modules. The memory 402 may include at least one type of storage medium, for example a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read-Only Memory (PROM), a Read-Only Memory (ROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and so on. The memory 402 may also be any other medium that can carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited to these. The memory 402 in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
Based on the same technical concept, embodiments of the present application further provide a computer-readable storage medium, where computer-readable instructions are stored, and when the computer reads and executes the computer-readable instructions, the method in the foregoing method embodiments is implemented.
Based on the same technical concept, the embodiment of the present application further provides a computer program product, which includes computer readable instructions, and when the computer readable instructions are executed by a processor, the method in the above method embodiment is implemented.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (13)

1. An interface security monitoring method, the method comprising:
determining the source IP address of the access interface through a flow analysis technology;
determining the sensitivity of the flow data accessing the interface at this time according to the sensitive field included in the flow data transmitted by the interface and/or the information of the target receiver of the flow data;
determining the risk value of the source IP address for the current access according to the sensitivity of the flow data of the interface and the security of the current access of the source IP address;
and if the risk value is greater than a set threshold value, positioning the access source of the interface to the source IP address, and performing early warning.
2. The method of claim 1, wherein determining the sensitivity of the traffic data accessed to the interface at the time according to the sensitive field included in the traffic data transmitted by the interface at the time and the receiver of the traffic data comprises:
determining the sensitivity of each data packet in the flow data accessing the interface at this time according to the sensitive field included in the flow data accessing the interface at this time and/or the information of the receiver of the flow data;
and determining the sum of the sensitivities of all data packets in the flow data as the sensitivity of the flow data accessing the interface at the time.
3. The method of claim 2, wherein determining the sensitivity of each packet in the traffic data for this access to the interface comprises:
if the data packet is uplink data and the device where the interface is located is the data producer of the data packet, the sensitivity α of the data packet is α = α2·α3;
wherein α2 is the data field sensitivity of the data packet, and α3 is the sensitivity of the intended recipient of the data packet.
4. The method according to claim 3, wherein the set of all fields included in the data packet that are currently labelled as sensitive fields is set A, and the set of all fields that are currently labelled as non-sensitive fields is set B;
if set B is an empty set, α2 is 0;
if set B is not an empty set, then
(the expression for α2 is given in the original as an image, Figure FDA0003446817010000021, and is not reproduced in the text)
wherein N_t is the total number of fields included in the data packet, N_b is the number of elements in set B, i is the element identifier in set A, j is the element identifier in set B, and P(i|j) is the probability that the i-th element in set A is also a sensitive field given that the j-th element in set B is a sensitive field.
5. The method of claim 3, wherein the sensitivity α 3 of the intended recipient of the data packet corresponds to a security level of the intended recipient.
6. The method of claim 2, wherein determining the sensitivity of each packet in the traffic data for this access to the interface comprises:
if the data packet is uplink data and the device where the interface is located is a data forwarding node of the data packet, the sensitivity α of the data packet is α = α4·α5;
wherein α4 is the sensitivity of the source IP address of the packet, and α5 is the sensitivity of the destination IP address of the packet.
7. The method according to claim 6, wherein the sensitivity α4 of the source IP address of the data packet is determined according to the device type, device configuration and transmission channel of the source IP address, and α4 = (I1 × I2)^I3;
Wherein, the I1 is a type sensitivity corresponding to the device type of the device where the source IP address is located;
the I2 is a device configuration score of the device where the source IP address is located;
the I3 is a security score of a transmission channel between the device where the interface is located and the device where the source IP address is located.
8. The method according to claim 6, wherein the sensitivity α5 of the destination IP address of the data packet is determined according to the device type, device configuration and transmission channel of the destination IP address, and α5 = (I4 × I5)^I6;
Wherein, the I4 is a type sensitivity corresponding to the device type of the device where the target IP address is located;
the I5 is a device configuration score of the device where the target IP address is located;
the I6 is a security score of a transmission channel between the device where the interface is located and the device where the target IP address is located.
9. The method of claim 2, wherein determining the sensitivity of each packet in the traffic data for this access to the interface comprises:
if the data packet is downlink data and the device where the interface is located is the target receiver of the data packet, the sensitivity α of the data packet is α = (I7 × I8)^I9;
The I7 is a type sensitivity corresponding to the device type of the device where the interface is located;
the I8 is a device configuration score of a device where a source IP address of the data packet is located;
the I9 is a security score of a transmission channel between the device where the source IP address of the packet is located and the device where the interface is located.
10. An interface security monitoring device, comprising:
the communication module is used for acquiring the flow data of the access interface;
the processing module is used for determining the source IP address of the access interface through a flow analysis technology; determining the sensitivity of the flow data accessing the interface at this time according to the sensitive field included in the flow data transmitted by the interface and/or the information of the target receiver of the flow data; determining the risk value of the source IP address for the current access according to the sensitivity of the flow data of the interface and the security of the current access of the source IP address; and if the risk value is greater than a set threshold value, positioning the access source of the interface to the source IP address, and performing early warning.
11. A computer device, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory and for executing the method of any one of claims 1 to 9 in accordance with the obtained program instructions.
12. A computer-readable storage medium comprising computer-readable instructions which, when read and executed by a computer, cause the method of any one of claims 1 to 9 to be carried out.
13. A computer program product comprising computer readable instructions which, when executed by a processor, cause the method of any of claims 1 to 9 to be carried out.
Publications (2)

CN114401126A, published 2022-04-26
CN114401126B, published 2024-04-30