Detailed Description
The embodiments of the application address two technical problems: the traditional method relies mainly on preset rules and permissions to restrict user access to system resources and cannot adapt to changes in user behaviour in real environments, and the traditional anomaly detection method generally needs a large amount of training data and a complex model to detect anomalies, which makes data anomaly detection difficult.
Having described the basic principles of the present application, various non-limiting embodiments of the present application will now be described in detail with reference to the accompanying drawings.
Example 1
As shown in fig. 1, an embodiment of the present application provides a dynamic access control method based on intelligent analysis of user behavior, where the method includes:
establishing a calibration grade set of a service platform, wherein the calibration grade set is a calibration grade division set which is established by evaluating according to the port access data grade of each access sub-port of the service platform;
Port access data of each access sub-port of the service platform is collected; the data comprise information such as the access frequency, access time and access mode of users on different ports. Based on the collected access data, each access sub-port is subjected to grade evaluation. The evaluation may comprehensively consider factors such as access frequency, access regularity and security risk, and through the evaluation of these factors each access sub-port is assigned a corresponding grade that reflects its importance and risk degree. The grades of all access sub-ports form the calibration grade division set, which reflects the grade condition of each access sub-port of the service platform and represents the importance and access control requirement of the access sub-ports. The calibration grade division set serves as the basis for subsequently configuring the private account grade and the sensitive access factor of the user account and for realizing dynamic access control.
Configuring private account grades of user accounts, wherein the private account grades are evaluated by taking corresponding grades of the calibrated grade sets as basic grades and account characteristics of the user accounts as additional grades, and configuring sensitive access factors based on the private account grades;
According to the established calibration grade set, the grade of each access sub-port is mapped to the basic grade of the user account. The basic grade is the initial grade of the account and depends on the grade of the access sub-port accessed by the user, so that the grade of the user account corresponds to the calibration grade of the service platform and reflects the importance and access control requirement of the user account. An additional grade evaluation is then performed on the account by combining the account characteristics of the user account, which comprise information such as user role, user rights, user behaviour and account history; a corresponding additional grade is given to the account by comprehensively evaluating these characteristics, supplementing the evaluation result of the basic grade.
The basic grade and the additional grade are combined to obtain the private account grade of the user account, which reflects the overall access authority of the user account and is a comprehensive evaluation result based on the calibration grade set and the account characteristics. Sensitive access factors are configured according to the private account grade of the user account; they comprise settings such as access frequency limits, access time limits and authority verification, and determine the additional conditions that must be met or the additional control measures that must be executed when a user accesses sensitive resources. The sensitive access factors are adjusted and configured appropriately for different private account grades; for example, accounts of a higher grade are required to pass additional identity verification steps or an approval flow before accessing sensitive resources, so that dynamic access control is realized and safe access to the sensitive resources is ensured.
Crawling historical access data under the user account, and establishing a static feature database and a dynamic feature database of the user account based on the historical access data, wherein the static feature database and the dynamic feature database are provided with identifiers of trust;
Historical access data is obtained from the user account records through channels such as web crawlers; it comprises information such as login records, operation logs, access times and accessed resources. Based on the crawled historical access data, the static features of the user account are extracted. Static features are relatively stable, infrequently changing attributes such as user role, authority level and organizational affiliation; they are stored in the static feature database, and an identifier of trust degree is set for each feature to represent its credibility.
Dynamic features of the user account are likewise extracted from the historical access data. Dynamic features are time-varying attributes such as access frequency, access behaviour pattern and access device; they are stored in the dynamic feature database, and an identifier of trust degree is set for each feature to represent its credibility.
Establishing a static feature database and a dynamic feature database records the feature information of the user account more comprehensively, and the trust identifier helps to judge how far each feature can be relied upon, providing a reference basis for subsequent analysis and decisions.
Further, the historical access data under the user account is crawled, and a static feature database and a dynamic feature database of the user account are established based on the historical access data, wherein the static feature database and the dynamic feature database are provided with identifiers of trust, and the method further comprises:
extracting the historical access data, carrying out data self-adaptive clustering of the same processing task on the historical access data, and determining a self-adaptive clustering center;
performing task data centralized analysis of corresponding tasks through the self-adaptive clustering center, and determining a data stability factor through a centralized analysis result;
carrying out characterization analysis on the total data of the same processing task, and determining a data characterization factor;
and establishing a static feature database and a dynamic feature database of the user account by the self-adaptive clustering center, generating the trust degree of a corresponding database by the data stability factor and the data characterization factor, and executing corresponding database identification.
A self-adaptive clustering algorithm suited to heterogeneous data is used to cluster the historical access data; such an algorithm automatically adjusts its parameters and calculation mode during clustering according to the characteristics of the data, so that the clustering result is more accurate. By way of example, the density-based clustering algorithm DBSCAN is adopted: it clusters according to the density of data points and automatically identifies outliers, and its parameters, such as the neighbourhood radius and the minimum number of samples, are set from domain knowledge, experience or experiment. The configured algorithm assigns data points to clusters based on the density and similarity of the data, each cluster representing a set of data points with similar characteristics.
From the completed clustering result, the self-adaptive clustering center is determined. The clustering center is the centroid of each cluster; alternatively, the sample in each cluster that is closest to the other samples of that cluster may be selected as the clustering center. In this way potential patterns and correlations in the historical access data can be determined.
Centralized analysis of the task data set is then carried out with the self-adaptive clustering center as reference: each sample in the task data set is compared and matched with the self-adaptive clustering center to obtain the similarity between them, and the centralized analysis result is generated from the matching degree. The result comprises information such as the distance between each sample and its nearest clustering center and the similarity metric value; a smaller distance or a higher similarity metric value indicates that the sample is closer to the self-adaptive clustering center, and otherwise that it is farther away.
Based on the centralized analysis result, the stability factor of the data is determined. The stability factor reflects the consistency of the data in the clustering space and is measured by calculating the average distance between each sample and its nearest clustering center, or the variance of the similarity metric: a smaller variance indicates more stable data and a larger variance indicates less stable data.
Total data information related to the same processing task is collected, including data set size, number of samples and feature dimension. According to the task requirements and data characteristics, suitable data characterization factors are selected that reflect important characteristics of the total data, such as data scale, data density and data distribution. For each selected data characterization factor an appropriate analysis index is chosen: for data scale, the number of samples or the data set size; for data density, the average distance or clustering coefficient; for data distribution, statistical indexes such as a histogram, a box plot, skewness and kurtosis that describe the distribution of the data.
And calculating and counting the total data according to the selected data characterization factors and the corresponding analysis indexes to obtain various characterization results about the total data. From the results of the characterization analysis, the most representative data characterization factors are determined, which effectively describe and distinguish the characteristic differences between the different data volumes.
Each self-adaptive clustering center determined above is taken as a static feature vector and stored in the static feature database; these feature vectors describe the static attributes of the user account. The real-time access behaviour of the user is matched against the self-adaptive clustering centers, the matching result is expressed as a dynamic feature vector, and the dynamic feature vectors are stored in the dynamic feature database.
For the static feature database, the stability of each feature is measured using the data stability factor: for example, the change rate or fluctuation of each feature across different time periods is calculated, and a lower change rate or fluctuation represents higher stability, so the feature can be regarded as having a higher trust degree. For the dynamic feature database, the data stability factor and the data characterization factor are considered together: the consistency and importance of the data are evaluated by calculating the similarity or distance between each dynamic feature vector and the self-adaptive clustering center, and a higher similarity or smaller distance represents higher consistency and importance, so the dynamic feature vector can be regarded as having higher trust.
The static feature database and the dynamic feature database are identified according to the calculated trust degree. The trust degree of a database can be represented by symbols, labels or scores; for example, a database with a high trust degree is marked as 'trusted', or different trust degrees are represented by numerical scores.
Through the steps, the user account data can be managed and utilized, and a foundation is provided for subsequent tasks such as user verification, personalized recommendation and the like.
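The clustering, centralized analysis, stability factor and trust identifier described above, worked through in Python as an added example that is not part of the application: it implements DBSCAN directly on a small constructed set of (login hour, session minutes) records and takes the medoid of each cluster as its center; the eps, min_samples and trust threshold values are assumed.

```python
"""Adaptive clustering of historical access data with DBSCAN, cluster
centers, stability factor, characterization factor and trust identifier.
Added example, not code from the application; the records, eps,
min_samples and the trust threshold are constructed assumptions."""
import math
from statistics import mean, pvariance

# Constructed historical access records for one processing task:
# (login hour of day, session length in minutes).
HISTORY = [
    (9, 30), (9, 32), (10, 29), (9, 31), (10, 31),    # morning sessions
    (14, 45), (14, 47), (15, 46), (14, 44),           # afternoon sessions
    (3, 200),                                         # isolated outlier
]

NOISE = -1


def distance(a, b):
    return math.dist(a, b)


def region_query(points, idx, eps):
    """Indices of all points within eps of points[idx] (including idx)."""
    return [j for j, p in enumerate(points) if distance(points[idx], p) <= eps]


def dbscan(points, eps, min_samples):
    """Density-based clustering; returns one label per point (-1 = noise)."""
    labels = [None] * len(points)
    cluster_id = 0
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        neighbours = region_query(points, i, eps)
        if len(neighbours) < min_samples:
            labels[i] = NOISE          # may later become a border point
            continue
        labels[i] = cluster_id
        seeds = [j for j in neighbours if j != i]
        while seeds:
            j = seeds.pop()
            if labels[j] == NOISE:
                labels[j] = cluster_id  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster_id
            further = region_query(points, j, eps)
            if len(further) >= min_samples:     # j is itself a core point
                seeds.extend(k for k in further if labels[k] is None)
        cluster_id += 1
    return labels


def cluster_centers(points, labels):
    """Medoid per cluster: the member closest to all other members."""
    centers = {}
    for cid in sorted(set(labels) - {NOISE}):
        members = [p for p, l in zip(points, labels) if l == cid]
        centers[cid] = min(members,
                           key=lambda m: sum(distance(m, o) for o in members))
    return centers


def centralized_analysis(points, labels, centers):
    """Distance from every clustered sample to its nearest cluster center
    (noise points already flagged by DBSCAN are left out, an assumption)."""
    return [min(distance(p, c) for c in centers.values())
            for p, l in zip(points, labels) if l != NOISE]


def stability_factor(nearest_distances):
    """Variance of nearest-center distances: smaller means more stable."""
    return pvariance(nearest_distances)


def characterization_factor(points, labels, nearest_distances):
    """Total-data characterization: scale, dimension, density, noise share."""
    return {
        "samples": len(points),
        "dimension": len(points[0]),
        "density": mean(nearest_distances),
        "noise_ratio": labels.count(NOISE) / len(points),
    }


def trust_identifier(stability, threshold):
    """Identifier stored with the feature database (assumed threshold)."""
    return "trusted" if stability < threshold else "untrusted"


def build_static_features(points, eps=3.0, min_samples=3, trust_threshold=1.0):
    labels = dbscan(points, eps, min_samples)
    centers = cluster_centers(points, labels)
    dists = centralized_analysis(points, labels, centers)
    stability = stability_factor(dists)
    return {
        "labels": labels,
        "centers": centers,
        "stability": stability,
        "characterization": characterization_factor(points, labels, dists),
        "trust": trust_identifier(stability, trust_threshold),
    }


if __name__ == "__main__":
    result = build_static_features(HISTORY)
    print(result["centers"], round(result["stability"], 3), result["trust"])
```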
Setting independent data anomaly coefficients for the data in the static feature database and the dynamic feature database by the sensitive access factors;
For each feature database, a suitable anomaly detection index is defined: for the static feature database, outlier analysis or statistical methods can be used to evaluate the degree of anomaly of a feature; for the dynamic feature database, techniques such as sequence pattern mining or behavioural analysis may be used to detect abnormal behaviour. Based on the defined anomaly detection indexes, an independent data anomaly coefficient is set for each feature. The coefficient may be a threshold or a range that determines when certain feature data is marked as anomalous; a lower anomaly coefficient represents a more stringent anomaly determination condition and a higher anomaly coefficient a more relaxed one.
Anomaly detection and marking are then carried out on the data in the static feature database and the dynamic feature database using the set anomaly coefficients. Which data are regarded as anomalous is determined by comparing the actual value of each feature with the set anomaly coefficient, and the anomalous data can be marked, recorded or used to trigger subsequent processing and investigation.
By setting independent data anomaly coefficients, the severity of anomaly decisions can be flexibly controlled according to the importance and sensitivity of different features, which helps to discover potential anomalies and data leaks, and take appropriate security measures to protect user accounts and sensitive resources.
The login data acquisition of the user account is executed by a data acquisition tool, a login data set is established, and the abnormal verification of the login data set is carried out through the independent data abnormal coefficient, so that an abnormal verification result is generated;
Appropriate data acquisition tools are selected, such as Cisco's NetFlow monitor or the Octopus collector, through which a large amount of network user data can be obtained. Using the selected data collection tool, login data of the user account is collected, comprising login time, login device, login place, and login success or failure information. The collected login data is organized into a login data set and preprocessed as needed, for example by removing invalid or duplicate records and formatting time stamps.
For each feature in the login data set, such as login time and login device, an anomaly judgement condition is set according to the anomaly detection index defined previously and the independent data anomaly coefficient that was set. For each login record, each feature value is compared with the anomaly coefficient of the corresponding feature; if a feature value exceeds the set anomaly coefficient threshold, the login record is marked as anomalous.
Based on the result of the anomaly verification, an anomaly verification report is generated that records all login records marked as anomalous. The report may contain details of each anomalous login, such as the anomalous features, time stamps and associated user account, which help identify potentially abnormal login behaviour.
And after the abnormal verification result is compensated through the trust degree, carrying out accumulated trigger analysis on the compensation result, and carrying out dynamic access control on the user account through the accumulated trigger analysis result.
The anomaly verification result is compensated according to the trust identifier set for each feature above. The trust degree reflects the credibility of the feature data; combining it with the anomaly verification result adjusts the severity of the anomaly judgement, so that whether a record is marked as anomalous is decided more accurately. Accumulated trigger analysis is then carried out on the compensated anomaly verification result. This analysis determines trigger conditions and behaviour rules that decide when dynamic access control measures are started; by considering the accumulation of several anomalous events, the system's ability to detect abnormal behaviour and the accuracy of its response are improved.
Based on the cumulative trigger analysis, cumulative trigger analysis results are generated, wherein the results comprise information such as trigger rules, evaluation of trigger conditions, classification of abnormal behaviors and the like, and the analysis results are used for guiding subsequent dynamic access control decisions. Based on the accumulated trigger analysis results, dynamic access control of the user account is implemented, including taking corresponding security measures and decisions, such as requiring additional authentication, enforcing rights limits, logging, or triggering alarms, etc.
By using the trust level to compensate the abnormal verification result and performing accumulated trigger analysis, the abnormal behavior can be more accurately identified, and finer decisions can be made in the aspect of dynamic access control, which is helpful for improving the security and defensive capability of the system and protecting user accounts and sensitive resources from potential threats.
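An added Python example (not the application's code) of the login data set preprocessing, the independent per-feature anomaly coefficients and the trust compensation described above; the login records, known devices and places, coefficients, working hours and trust values are all constructed assumptions.

```python
"""Login-data anomaly verification with independent per-feature anomaly
coefficients, then trust-degree compensation of the result.  Added example,
not code from the application; records, static data, coefficients, working
hours and trust values are constructed assumptions."""
from datetime import datetime

# Constructed raw login records as a collector would deliver them.
RAW_LOGINS = [
    {"account": "u1", "time": "2024-03-04T09:12:00", "device": "laptop-7", "place": "HQ", "ok": True},
    {"account": "u1", "time": "2024-03-04T09:12:00", "device": "laptop-7", "place": "HQ", "ok": True},   # duplicate
    {"account": "u1", "time": "2024-03-04T23:40:00", "device": "laptop-7", "place": "HQ", "ok": True},
    {"account": "u1", "time": "2024-03-05T03:05:00", "device": "unknown-x", "place": "remote", "ok": False},
    {"account": "u2", "time": "not-a-time", "device": "phone-2", "place": "HQ", "ok": True},            # invalid
    {"account": "u2", "time": "2024-03-05T10:30:00", "device": "phone-2", "place": "HQ", "ok": True},
]

# Assumed static feature data per account: known devices and places.
KNOWN = {"u1": {"devices": {"laptop-7"}, "places": {"HQ"}},
         "u2": {"devices": {"phone-2"}, "places": {"HQ"}}}

# Independent anomaly coefficient per feature: a record is marked abnormal on a
# feature when that feature's anomaly score exceeds the coefficient.  A lower
# coefficient is the stricter condition.
ANOMALY_COEFFICIENTS = {"hour": 0.2, "device": 0.5, "place": 0.5, "failure": 0.5}

# Trust identifiers from the feature databases (1.0 = fully trusted); the
# compensation scales each feature's anomaly score by its trust degree.
TRUST = {"hour": 0.5, "device": 1.0, "place": 0.8, "failure": 1.0}

WORK_HOURS = (7, 20)   # assumed normal login window (hour of day)


def build_login_dataset(raw):
    """Drop invalid and duplicate records and normalise the time stamp."""
    seen, dataset = set(), []
    for rec in raw:
        try:
            ts = datetime.fromisoformat(rec["time"])
        except ValueError:
            continue                                  # invalid time stamp
        key = (rec["account"], ts, rec["device"], rec["place"], rec["ok"])
        if key in seen:
            continue                                  # duplicate record
        seen.add(key)
        dataset.append({**rec, "time": ts})
    return dataset


def feature_scores(rec):
    """Anomaly score in [0, 1] per feature, using the account's static data."""
    hour = rec["time"].hour
    lo, hi = WORK_HOURS
    outside = max(lo - hour, hour - hi, 0)            # hours outside the window
    known = KNOWN[rec["account"]]
    return {
        "hour": min(outside / 12, 1.0),
        "device": 0.0 if rec["device"] in known["devices"] else 1.0,
        "place": 0.0 if rec["place"] in known["places"] else 1.0,
        "failure": 0.0 if rec["ok"] else 1.0,
    }


def verify(dataset, coefficients, trust=None):
    """Mark each record abnormal on every feature whose (optionally
    trust-compensated) score exceeds that feature's anomaly coefficient."""
    report = []
    for rec in dataset:
        scores = feature_scores(rec)
        if trust:
            scores = {f: s * trust[f] for f, s in scores.items()}
        flagged = sorted(f for f, s in scores.items() if s > coefficients[f])
        if flagged:
            report.append({"account": rec["account"],
                           "time": rec["time"].isoformat(),
                           "features": flagged,
                           "scores": scores})
    return report


def anomaly_verification(raw=RAW_LOGINS):
    """Return the cleaned data set, the raw report and the compensated report."""
    dataset = build_login_dataset(raw)
    raw_result = verify(dataset, ANOMALY_COEFFICIENTS)
    compensated = verify(dataset, ANOMALY_COEFFICIENTS, TRUST)
    return dataset, raw_result, compensated


if __name__ == "__main__":
    _, before, after = anomaly_verification()
    for label, rep in (("before compensation", before), ("after compensation", after)):
        print(label, [(r["account"], r["time"], r["features"]) for r in rep])
```

The late-evening login is flagged only on the low-trust hour feature and drops out after compensation, while the record with an unknown device, unknown place and failed login stays flagged.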
Further, the method further comprises:
establishing an anomaly analysis network by taking the static feature database and the dynamic feature database as basic data and taking independent data anomaly coefficients as construction constraints, wherein the anomaly analysis network consists of N feature discrimination sub-networks, a compensation sub-network and an accumulation analysis sub-network;
inputting the login data set into the anomaly analysis network, and carrying out initial anomaly analysis on the login data set through the N feature discrimination sub-networks to generate the anomaly verification result;
and after the abnormal verification result is input into the compensation sub-network for compensation, synchronizing the compensation result to the accumulated analysis sub-network, and outputting an accumulated trigger analysis result through the accumulated analysis sub-network.
The static characteristic database and the dynamic characteristic database are used as basic data, and the databases contain the static characteristic and the dynamic characteristic data of the user account.
According to the independent data anomaly coefficients, N feature discrimination sub-networks are constructed. Each feature discrimination sub-network judges whether its feature is abnormal according to the independent data anomaly coefficient, using a threshold value or another judging method to distinguish the abnormal state from the normal state. For the features judged to be abnormal, a corresponding compensation sub-network is constructed, which compensates the influence of the abnormal features through the other, normal features; the specific compensation method, such as interpolation or regression, can be chosen flexibly according to actual conditions. All the feature discrimination sub-networks are connected with the compensation sub-network to construct the accumulation analysis sub-network, which comprehensively considers the abnormal condition and the compensation condition of each feature and performs further analysis and processing according to actual requirements.
Through the process, an anomaly analysis network based on the static feature database and the dynamic feature database is established, and the network consists of N feature discrimination sub-networks, a compensation sub-network and an accumulation analysis sub-network, so that the anomaly condition in the user account data can be detected and processed, and the quality and the credibility of the data can be improved.
The login data set, comprising the login information of the user and the related feature data, is taken as input data. The features required for anomaly analysis, comprising login time, IP address, device type and the like, are extracted from the login data set and input into the N feature discrimination sub-networks. Each feature discrimination sub-network evaluates whether its feature is abnormal according to the independent data anomaly coefficient, and the anomaly verification result of the login data set is generated from the outputs of the feature discrimination sub-networks. The result may be a binary flag (for example, 0 for normal and 1 for abnormal), a score or another form, to facilitate subsequent processing and decisions.
The anomaly verification result generated in the previous step is used as input, and the abnormal situations that need to be compensated are identified from the anomaly flags or scores in that result. These are input into the compensation sub-network, which compensates the abnormal features using the other, normal feature data so as to restore the abnormal values as far as possible. The compensation result output by the compensation sub-network is synchronized to the accumulation analysis sub-network, so that it can comprehensively consider the compensated feature data for further analysis and processing. Based on the compensated feature data, the accumulation analysis sub-network outputs the accumulated trigger analysis result according to the set rules; the result comprises information such as the comprehensively evaluated degree of abnormality and the related risk level.
Thus, the severity of the abnormal situation can be more accurately estimated, and a more reliable basis is provided for subsequent processing and decision making.
Further, the method further comprises:
when the accumulated trigger analysis is carried out through the accumulated analysis sub-network, separating a static abnormal result and a dynamic abnormal result in the compensation result;
performing static accumulation evaluation through the static abnormal result, and judging whether to execute activation state conversion or not through the static accumulation evaluation result;
if the activation state transformation is executed, carrying out dynamic accumulated evaluation on the dynamic abnormal result according to the activation state transformation result;
and generating an accumulated trigger analysis result according to the static accumulated evaluation result and the dynamic accumulated evaluation result.
Providing the compensation result as input to an accumulation analysis sub-network, in the accumulation analysis sub-network, carrying out static anomaly analysis on the compensated static characteristic data, and judging whether the static characteristic is abnormal or not based on an independent data anomaly coefficient; in the cumulative analysis sub-network, dynamic anomaly analysis is performed on the compensated dynamic characteristic data, and whether the dynamic characteristic is abnormal or not is evaluated based on the independent data anomaly coefficient. The static abnormal part and the dynamic abnormal part are separated from the abnormal result output by the accumulated analysis sub-network, so that the characteristics of static and dynamic abnormality in account data can be better understood, and more accurate abnormality judgment and subsequent processing are facilitated.
The separated static abnormal results are collected; they reflect the abnormal condition of the account in terms of static features. Accumulated evaluation is carried out on the collected static abnormal results, and a suitable evaluation mode is chosen according to actual requirements from methods such as weighted summation or frequency statistics. The static accumulated evaluation considers a plurality of static abnormal features and comprehensively reflects the overall static abnormal condition of the account.
Based on the result of the static accumulated evaluation, it is determined whether to execute the activation state transformation. This decision may be based on a preset threshold: when the static accumulated evaluation result exceeds the threshold, the activation state transformation is triggered, otherwise the current state is maintained.
Based on the foregoing determination, if an activation state transformation is required to be performed, corresponding operations, such as resetting a password, enhancing authentication, restricting account authority, etc., are performed to improve the security of the account.
After the activation state transformation is executed, dynamic abnormal results are collected again, dynamic accumulated evaluation is carried out on the collected dynamic abnormal results, similar to static accumulated evaluation, different methods can be adopted to comprehensively consider abnormal conditions of accounts in the aspect of dynamic characteristics, and a plurality of dynamic abnormal characteristics can be comprehensively evaluated in a weighting summation mode, a statistics frequency mode and the like. Therefore, the dynamic abnormal condition of the account can be further comprehensively analyzed on the basis of considering the overall static abnormal condition of the account, so that the security of the account is more comprehensively evaluated, and corresponding measures are taken to protect account information and reduce risks.
The static accumulated evaluation result and the dynamic accumulated evaluation result are considered together: weights are set for the two results according to actual demands, and operations such as weighted summation or logical operations are carried out on them according to the weight values to obtain a comprehensive evaluation result. Based on the comprehensive evaluation result, the accumulated trigger analysis result is generated; depending on the specific application and requirements it can be binary (triggered or not triggered), multi-level (low risk, medium risk or high risk), or a classification result.
Based on the accumulated trigger analysis results, subsequent decisions may be made, e.g., if the analysis results indicate that the account is at high risk, further security measures such as locking the account, notifying the user, etc., may be taken, if the analysis results indicate that the account does not trigger any anomalies, the current state may be maintained.
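The accumulation analysis sub-network steps above (static/dynamic separation, static accumulated evaluation, activation state transformation, dynamic accumulated evaluation and the combined trigger result with its access control measures), as an added Python example that is not the application's code; the feature-to-database split, weights, thresholds, risk levels and measures are assumed.

```python
"""Accumulation analysis sub-network: separate static and dynamic anomaly
results, evaluate the static accumulation, decide on activation state
transformation, evaluate the dynamic accumulation and combine both into the
accumulated trigger analysis result.  Added example, not the application's
code; the feature split, weights, thresholds and risk levels are assumed."""

# Assumed assignment of compensated features to the two feature databases.
STATIC_FEATURES = {"role_mismatch", "privilege_level", "org_unit"}
DYNAMIC_FEATURES = {"login_hour", "device", "download_rate", "dwell_time"}

# Assumed weights for weighted-sum accumulation.
STATIC_WEIGHTS = {"role_mismatch": 0.5, "privilege_level": 0.3, "org_unit": 0.2}
DYNAMIC_WEIGHTS = {"login_hour": 0.2, "device": 0.3, "download_rate": 0.3, "dwell_time": 0.2}

ACTIVATION_THRESHOLD = 0.4                 # static accumulation needed to activate
RISK_LEVELS = [(0.7, "high"), (0.4, "medium"), (0.0, "low")]   # lower bounds

# Dynamic access control measures per risk level (assumed mapping).
MEASURES = {
    "high": ["lock_account", "notify_user"],
    "medium": ["additional_authentication", "restrict_rights"],
    "low": ["maintain_state"],
}

# Constructed compensated anomaly scores (0 = normal, 1 = fully abnormal).
CASE_STATIC_AND_DYNAMIC = {"role_mismatch": 0.9, "privilege_level": 0.2, "org_unit": 0.0,
                           "login_hour": 0.3, "device": 1.0, "download_rate": 0.8, "dwell_time": 0.1}
CASE_DYNAMIC_ONLY = {"role_mismatch": 0.0, "privilege_level": 0.1, "org_unit": 0.0,
                     "login_hour": 1.0, "device": 1.0, "download_rate": 1.0, "dwell_time": 1.0}


def separate(compensated):
    """Split the compensation result into its static and dynamic parts."""
    unknown = set(compensated) - STATIC_FEATURES - DYNAMIC_FEATURES
    if unknown:
        raise ValueError(f"features in neither database: {sorted(unknown)}")
    static = {f: s for f, s in compensated.items() if f in STATIC_FEATURES}
    dynamic = {f: s for f, s in compensated.items() if f in DYNAMIC_FEATURES}
    return static, dynamic


def accumulate(scores, weights):
    """Weighted sum, normalised by the weights of the features present."""
    present = {f: w for f, w in weights.items() if f in scores}
    if not present:
        return 0.0
    return sum(scores[f] * w for f, w in present.items()) / sum(present.values())


def activation_state_transformation(static_score, threshold=ACTIVATION_THRESHOLD):
    """Preset-threshold decision on whether to switch to the activated state."""
    return static_score >= threshold


def risk_level(score):
    for bound, name in RISK_LEVELS:
        if score >= bound:
            return name
    return "low"


def accumulation_analysis(compensated, static_weight=0.5, dynamic_weight=0.5):
    static, dynamic = separate(compensated)
    static_score = accumulate(static, STATIC_WEIGHTS)
    activated = activation_state_transformation(static_score)
    if activated:
        # Dynamic accumulated evaluation only runs after the transformation.
        dynamic_score = accumulate(dynamic, DYNAMIC_WEIGHTS)
        combined = static_weight * static_score + dynamic_weight * dynamic_score
    else:
        dynamic_score = None               # current state maintained, not evaluated
        combined = static_score
    risk = risk_level(combined)
    return {
        "static_score": static_score,
        "activated": activated,
        "dynamic_score": dynamic_score,
        "combined": combined,
        "risk": risk,
        "triggered": risk != "low",
        "measures": MEASURES[risk],
    }


if __name__ == "__main__":
    for name, case in (("static+dynamic", CASE_STATIC_AND_DYNAMIC),
                       ("dynamic only", CASE_DYNAMIC_ONLY)):
        r = accumulation_analysis(case)
        print(name, r["activated"], round(r["combined"], 3), r["risk"], r["measures"])
```

With these assumed weights the second case shows the gating the method prescribes: the dynamic anomalies are only evaluated once the static accumulated score passes the activation threshold, so an account whose static features look normal keeps its current state even when every dynamic feature is abnormal.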
Further, the method further comprises:
when the N feature discrimination sub-networks carry out the initial anomaly analysis of the login data set on the dynamic features, acquiring the download frequency of file download dynamics and reading the basic attributes of the files;
determining a first outlier by the download frequency and the base attribute;
acquiring the stay time of the user account in the resource file, and determining a second abnormal value based on the file attribute and the stay time of the resource file;
and generating the abnormal verification result according to the first abnormal value and the second abnormal value.
Dynamic features related to file download operations, including the time stamp, user identifier and file name, are extracted from the related records in the login data set, and the download frequency of each user or each file is counted from the extracted dynamic features to obtain download frequency information. For each download operation, the basic attributes of the corresponding file, including file size, creation date and modification date, are read according to the path or name of the file; these attributes are used for subsequent analysis and anomaly detection.
From the obtained download frequency information, the range of normal download behaviour is determined by calculating an average download frequency or setting a threshold value; if the download frequency of a file exceeds this range, the file is indicated as abnormal. For each file, whether an anomaly exists is determined by comparing its basic attributes with the typical values of normal files: for example, if the file size lies far outside the size range of normal files, or the creation date of the file differs significantly from that of other similar files, this may indicate an anomaly.
The analysis results for the download frequency and the basic attributes are considered together: according to specific requirements and actual conditions, the degrees of abnormality of the download frequency and the basic attributes are combined by methods such as weighted summation or logical operations into a comprehensive abnormality evaluation value, and the abnormality evaluation values of the top-ranked resource files are selected as the first abnormal value.
Access records of the user account to the resource file are obtained from corresponding logs or records, and the records comprise information such as file names, access time stamps, user identifications and the like.
According to the access record of the user account in the resource files, calculating the stay time of each resource file, wherein the stay time can be obtained by calculating the difference between the access start time and the access end time. For each resource file, its corresponding file attributes, such as file size, creation date, modification date, etc., are obtained. For each file attribute, a normal range of file attributes may be constructed based on sample data or empirical knowledge of normal behavior, e.g., a threshold of file size may be defined, or a creation date of a file may be compared to typical values of other similar files.
And combining the file attribute abnormality degree and the stay time abnormality degree to obtain a comprehensive abnormality evaluation value, and taking the abnormality evaluation values of the files with the highest abnormality degree as second abnormality values based on the comprehensive abnormality evaluation value.
The first abnormal values and the second abnormal values are integrated into one set, in which each abnormal value has a corresponding identity. A standard for the abnormality threshold is determined according to actual requirements and specific conditions; the threshold is obtained from experience, statistical methods and the like and is used to judge whether the range of normal behavior has been exceeded.
Each abnormal value is verified against the abnormality threshold: if an abnormal value exceeds the set threshold, it is marked as abnormal; otherwise it is marked as normal. An abnormality verification result is thus generated, with which potential abnormal conditions can be identified and handled, ensuring the safety and stability of the system and its data.
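The first and second abnormal values, their merging into one set and the threshold verification described above, as an added example that is not part of the original application. The records, weights and threshold are constructed for illustration; the degree of abnormality is taken as the distance from the mean in standard deviations, and the two abnormality degrees are combined by weighted summation.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class FileAccess:
    name: str
    downloads: int       # download frequency of the file in the window
    size_bytes: int      # basic attribute of the file
    stay_seconds: float  # access end time minus access start time

# Constructed sample records for one user account (not from the page).
ACCESSES = [
    FileAccess("report.pdf", 2, 200_000, 120.0),
    FileAccess("notes.txt", 1, 4_000, 60.0),
    FileAccess("backup.zip", 40, 900_000_000, 2.0),
    FileAccess("slides.pptx", 3, 3_000_000, 300.0),
    FileAccess("dump.sql", 25, 400_000_000, 1.0),
]

def deviation(values):
    """Degree of abnormality of each value: distance from the mean in standard deviations."""
    mu, sigma = mean(values), pstdev(values)
    return [0.0 if sigma == 0 else abs(v - mu) / sigma for v in values]

def top_scores(accesses, d_a, d_b, w_a, w_b, top):
    """Weighted summation of two abnormality degrees per file, keeping the top-ranked files."""
    scores = {a.name: w_a * x + w_b * y for a, x, y in zip(accesses, d_a, d_b)}
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:top])

def first_outliers(accesses, top=2, w_freq=0.6, w_attr=0.4):
    """First abnormal values: download frequency combined with the basic attribute (file size)."""
    return top_scores(accesses, deviation([a.downloads for a in accesses]),
                      deviation([a.size_bytes for a in accesses]), w_freq, w_attr, top)

def second_outliers(accesses, top=2, w_attr=0.5, w_stay=0.5):
    """Second abnormal values: file attribute combined with stay time."""
    return top_scores(accesses, deviation([a.size_bytes for a in accesses]),
                      deviation([a.stay_seconds for a in accesses]), w_attr, w_stay, top)

def verify(accesses, threshold=1.0):
    """Merge both outlier sets under the file identity and mark each against the threshold."""
    merged = {}
    for name, score in (*first_outliers(accesses).items(), *second_outliers(accesses).items()):
        merged[name] = max(merged.get(name, 0.0), score)
    return {name: "abnormal" if score > threshold else "normal" for name, score in merged.items()}
```

With the constructed records, the bulk download of backup.zip is ranked first by both evaluations and marked abnormal, while notes.txt enters the first set only through its low download count and stays below the threshold.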
Further, the method further comprises:
judging whether the accumulated trigger analysis result meets a preset constraint threshold;
triggering an auxiliary authentication instruction if the preset constraint threshold is met;
performing associated account tracing of the login data set according to the auxiliary authentication instruction;
sending the accumulated trigger analysis result to the associated account;
and judging the abnormal behavior of the user account according to the feedback result of the associated account.
The preset constraint threshold is defined according to specific constraint requirements, and the threshold can be determined based on experience and business requirements. Comparing the accumulated trigger analysis result with a preset constraint threshold, and if the analysis result exceeds the constraint threshold, considering that the constraint is satisfied and taking certain specific measures; otherwise, if the analysis result does not exceed the constraint threshold, the constraint is not satisfied, and normal operation can be continued.
If the accumulated trigger analysis result meets a preset constraint threshold, triggering an auxiliary authentication instruction to perform additional identity verification so as to enhance the safety of the system and protect the information of the user.
Associated account tracing of the login data set is performed according to the auxiliary authentication instruction in order to trace and identify which user triggered the task. In particular, the auxiliary authentication instruction carries some form of identification, such as a user ID, a device ID or a session identifier, which is used to associate a particular operation with a particular user or device. Using the provided identification information, the login data set is queried for the related login records. By analyzing the login data set, the identity carried by the auxiliary authentication instruction is matched and associated with a login record, so that it can be determined which user triggered the auxiliary authentication instruction when performing the task. The tracing result of the associated account, including the identity of the auxiliary authentication instruction, the associated login record and the user information, is recorded so that a tracing history is established for subsequent tracking analysis and audit.
The contact details of the associated account are obtained and a suitable communication channel, such as email, short message or an application notification, is selected; the accumulated trigger analysis result is then sent to the associated account through the selected channel.
The content and manner of the reply are analyzed according to the feedback of the associated account, and it is judged whether the user account has an abnormal condition.
Further, the method further comprises:
generating a user label according to the accumulated trigger analysis result;
and carrying out the user account identification through the user tag, and carrying out subsequent dynamic access control management of the user account according to a user account identification result.
A set of tag rules is defined for mapping the cumulative trigger analysis results to corresponding user tags, which rules may be defined based on business needs and domain knowledge, e.g., different tags are set to represent risk levels of accounts, such as low, medium, high. And processing the accumulated trigger analysis result according to the defined label rule to generate a corresponding user label.
Each user account is assigned a corresponding account identifier based on the generated user tag, which is a unique identifier for uniquely identifying the user account. Dynamic access control management policies are implemented using the user account identification as a basis, the policies determining access rights of users to system resources based on the user labels. Illustratively, users are classified into different permission levels according to user tags, and corresponding access permissions are defined for each level, e.g., high risk users may face stricter access restrictions and additional authentication requirements, while low risk users enjoy greater flexibility and convenience.
Through the steps, dynamic access control management based on the user tag can be realized, so that the safety, the reliability and the user experience of the system are improved.
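The constraint threshold check, the tracing of the associated account through the login data set, the judgement from the associated account's feedback, and the tag rules driving the access policy (the two passages above), as one added example that is not part of the original application. The tag intervals, the constraint threshold, the per-tag permissions and the login data set are all constructed assumptions.

```python
# Constructed tag rules and policy (not from the page): score interval -> risk tag -> permissions.
TAG_RULES = [(0.0, 0.3, "low"), (0.3, 0.7, "medium"), (0.7, float("inf"), "high")]
CONSTRAINT_THRESHOLD = 0.7  # a cumulative result at or above this meets the preset constraint
POLICY = {
    "low": {"read", "download", "upload"},
    "medium": {"read", "download"},
    "high": {"read"},
}
# Constructed login data set (not from the page): session identifiers bound to accounts.
LOGIN_SET = [
    {"session": "s-100", "user": "alice", "device": "laptop-1"},
    {"session": "s-101", "user": "bob", "device": "phone-7"},
]

def constraint_met(cumulative):
    """Compare the accumulated trigger analysis result with the preset constraint threshold."""
    return cumulative >= CONSTRAINT_THRESHOLD

def trace_associated_account(session_id, login_set=LOGIN_SET):
    """Resolve the session identity carried by the auxiliary authentication instruction
    to the account that triggered it, via the login data set."""
    return next((r["user"] for r in login_set if r["session"] == session_id), None)

def user_tag(cumulative):
    """Apply the tag rules to the cumulative result to generate the user tag."""
    for lo, hi, tag in TAG_RULES:
        if lo <= cumulative < hi:
            return tag
    raise ValueError(f"no tag rule covers {cumulative}")

def account_identifier(user, cumulative):
    """Account identifier derived from the user tag; the key on which policy is applied."""
    return f"{user}:{user_tag(cumulative)}"

def access_decision(session_id, cumulative, operation, feedback=None):
    """Dynamic access control for one operation. feedback is the associated account's reply
    to the analysis result that was sent to it ("confirm" or "deny"); None means not yet answered."""
    user = trace_associated_account(session_id)
    if user is None:
        return "deny"  # no login record matches the instruction's identity
    if constraint_met(cumulative):
        if feedback is None:
            return "challenge"  # auxiliary authentication instruction issued; await feedback
        if feedback != "confirm":
            return "deny"  # associated account reports the behaviour as abnormal
    tag = account_identifier(user, cumulative).split(":", 1)[1]
    return "allow" if operation in POLICY[tag] else "deny"
```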
In summary, the dynamic access control method and system based on intelligent analysis of user behavior provided by the embodiment of the application have the following technical effects:
1. by establishing a static feature database and a dynamic feature database of the user account and setting a trust level identification, the access authority of the user can be dynamically estimated according to the historical access data and the current access behavior of the user, so that more accurate and flexible access control is realized;
2. by setting the independent data anomaly coefficient and combining the login data acquisition executed by the data acquisition tool, the login data set can be subjected to anomaly verification, and the verification method does not depend on a large amount of training data, so that the anomaly behavior of a user can be effectively detected;
3. by compensating and accumulating the trigger analysis on the abnormal verification result, the dynamic access control effect of the user account can be further improved, the false alarm rate and the missing report rate are reduced, and the safety and the reliability of the system are improved.
In summary, the dynamic access control method based on intelligent analysis of user behavior solves the problems of insufficient static access control, difficult data anomaly detection, reliability of user identity verification and the like in the prior art through the technical means of dynamic access control, anomaly verification, accumulated trigger analysis and the like, and achieves more accurate and flexible access control effect.
Example 2
Based on the same inventive concept as the dynamic access control method based on intelligent analysis of user behavior in the foregoing embodiment, as shown in fig. 2, the present application provides a dynamic access control system based on intelligent analysis of user behavior, the system comprising:
the calibration level establishing module 10 is used for establishing a calibration level set of the service platform, wherein the calibration level set is a calibration level division set which is evaluated and established according to the port access data level of each access sub-port of the service platform;
the access factor configuration module 20 is configured to configure a private account level of the user account, wherein the private account level is formed by taking a corresponding level of the calibration level set as a basic level and taking account characteristics of the user account as an additional level for evaluation, and a sensitive access factor is configured based on the private account level;
the database establishing module 30 is configured to crawl historical access data under the user account, and establish a static feature database and a dynamic feature database of the user account based on the historical access data, where the static feature database and the dynamic feature database are provided with identifiers of trust;
the anomaly coefficient setting module 40 is configured to set independent data anomaly coefficients for the static feature database and the dynamic feature database with the sensitive access factor;
the login data acquisition module 50 is used for executing login data acquisition of the user account by using a data acquisition tool, establishing a login data set, performing abnormal verification of the login data set through the independent data abnormal coefficient, and generating an abnormal verification result;
the cumulative trigger analysis module 60 is configured to compensate the abnormal verification result through the confidence level, perform cumulative trigger analysis on the compensation result, and perform dynamic access control on the user account through the cumulative trigger analysis result.
Further, the system also comprises a database identification module for executing the following operation steps:
extracting the historical access data, carrying out data self-adaptive clustering of the same processing task on the historical access data, and determining a self-adaptive clustering center;
performing task data centralized analysis of corresponding tasks through the self-adaptive clustering center, and determining a data stability factor through a centralized analysis result;
carrying out characterization analysis on the total data of the same processing task, and determining a data characterization factor;
and establishing a static feature database and a dynamic feature database of the user account by the self-adaptive clustering center, generating the trust degree of a corresponding database by the data stability factor and the data characterization factor, and executing corresponding database identification.
Further, the system further comprises a cumulative trigger analysis result output module for executing the following operation steps:
establishing an anomaly analysis network by taking the static feature database and the dynamic feature database as basic data and taking independent data anomaly coefficients as construction constraints, wherein the anomaly analysis network consists of N feature discrimination sub-networks, a compensation sub-network and an accumulation analysis sub-network;
inputting the login data set into the anomaly analysis network, and carrying out initial anomaly analysis on the login data set through the N feature discrimination sub-networks to generate the anomaly verification result;
and after the abnormal verification result is input into the compensation sub-network for compensation, synchronizing the compensation result to the accumulated analysis sub-network, and outputting an accumulated trigger analysis result through the accumulated analysis sub-network.
Further, the system further comprises a cumulative trigger analysis result generation module for executing the following operation steps:
when the accumulated trigger analysis is carried out through the accumulated analysis sub-network, separating a static abnormal result and a dynamic abnormal result in the compensation result;
performing static accumulation evaluation through the static abnormal result, and judging whether to execute activation state conversion or not through the static accumulation evaluation result;
if the activation state transformation is executed, carrying out dynamic accumulated evaluation on the dynamic abnormal result according to the activation state transformation result;
and generating an accumulated trigger analysis result according to the static accumulated evaluation result and the dynamic accumulated evaluation result.
Further, the system further comprises an abnormal verification result generation module for executing the following operation steps:
when the dynamic characteristics in the N characteristic judging sub-networks execute initial exception analysis of the login data set, acquiring downloading frequency of file downloading dynamics and reading basic attributes of the file;
determining a first outlier by the download frequency and the base attribute;
acquiring the stay time of the user account in the resource file, and determining a second abnormal value based on the file attribute and the stay time of the resource file;
and generating the abnormal verification result according to the first abnormal value and the second abnormal value.
Further, the system further comprises a behavior anomaly discrimination module for executing the following operation steps:
judging whether the accumulated trigger analysis result meets a preset constraint threshold;
triggering an auxiliary authentication instruction if the preset constraint threshold is met;
performing associated account tracing of the login data set according to the auxiliary authentication instruction;
sending the accumulated trigger analysis result to the associated account;
and judging the abnormal behavior of the user account according to the feedback result of the associated account.
Further, the system also comprises a dynamic access control management module for executing the following operation steps:
generating a user label according to the accumulated trigger analysis result;
and carrying out the user account identification through the user tag, and carrying out subsequent dynamic access control management of the user account according to a user account identification result.
Those skilled in the art can clearly understand the system of this embodiment from the foregoing detailed description of the dynamic access control method based on intelligent analysis of user behavior; since the device disclosed in this embodiment corresponds to the method disclosed in the foregoing embodiment, its description is relatively brief, and for the relevant points reference is made to the description of the method section.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.