CN115664743A - Behavior detection method and device - Google Patents
- Publication number: CN115664743A (application CN202211268787.0A)
- Authority
- CN
- China
- Prior art keywords
- access
- user
- user identifier
- behavior
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Computer And Data Communications (AREA)
Abstract
An embodiment of the specification provides a behavior detection method and device. The behavior detection method comprises: acquiring traffic data to be detected corresponding to a target service; determining, in the traffic data to be detected, a user identifier and the access data associated with the user identifier; performing a hash operation on the access data to obtain an access hash value corresponding to the user identifier; and determining access behavior information of the user identifier based on a behavior detection policy of the target service and the access hash value, wherein the behavior detection policy is associated with a horizontal override behavior detection dimension.
Description
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to a behavior detection method and device.
Background
With the development of internet technology, more and more businesses move online in order to offer users more convenient services. As online services have grown, horizontal override vulnerabilities (horizontal privilege escalation, in which one user reads a peer user's private data) have become a ubiquitous problem for internet sites: they prevent an online service from operating normally and can leak users' sensitive data in large batches. In the prior art, horizontal override vulnerabilities are mostly handled by remediation after the override behavior has occurred, that is, once a horizontal override has been discovered, repair measures preset on the site are applied so that no further data leaks. This approach has a certain lag and cannot stop the loss in time, so an effective solution to the above problem is needed.
Disclosure of Invention
In view of this, the embodiments of the present specification provide a behavior detection method. One or more embodiments of the present specification also relate to a behavior detection apparatus, a computing device, a computer-readable storage medium, and a computer program, so as to solve the technical deficiencies of the prior art.
According to a first aspect of embodiments herein, there is provided a behavior detection method, including:
acquiring traffic data to be detected corresponding to a target service;
determining, in the traffic data to be detected, a user identifier and the access data associated with the user identifier;
performing a hash operation on the access data to obtain an access hash value corresponding to the user identifier;
determining access behavior information of the user identifier based on a behavior detection policy of the target service and the access hash value, wherein the behavior detection policy is associated with a horizontal override behavior detection dimension.
According to a second aspect of embodiments herein, there is provided a behavior detection apparatus including:
a data acquisition module configured to acquire traffic data to be detected corresponding to the target service;
an identifier determination module configured to determine, in the traffic data to be detected, a user identifier and the access data associated with the user identifier;
a hash operation module configured to perform a hash operation on the access data to obtain an access hash value corresponding to the user identifier;
an information determination module configured to determine access behavior information of the user identifier based on a behavior detection policy of the target service and the access hash value, wherein the behavior detection policy is associated with a horizontal override behavior detection dimension.
According to a third aspect of embodiments herein, there is provided a computing device comprising:
a memory and a processor;
the memory is for storing computer-executable instructions which, when executed by the processor, implement the steps of the behavior detection method described above.
According to a fourth aspect of embodiments herein, there is provided a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of the behavior detection method described above.
According to a fifth aspect of embodiments herein, there is provided a computer program, wherein the computer program, when executed in a computer, causes the computer to perform the steps of the behavior detection method described above.
In order to perceive override behavior in advance and protect against it, the behavior detection method provided by the present specification, after acquiring the traffic data to be detected corresponding to the target service, determines in that traffic the user identifier and the access data associated with it, and then performs a hash operation on the access data to obtain the access hash value corresponding to the user identifier. By combining the behavior detection policy of the target service with the access hash value, the access behavior information of the user identifier is determined before the private resource requested by the access data is returned, so that override behavior can be perceived and blocked in advance and the loss caused by data leakage avoided.
Drawings
Fig. 1 is a schematic structural diagram of a behavior detection method provided in an embodiment of the present specification;
FIG. 2 is a flow diagram of a behavior detection method provided by one embodiment of the present description;
FIG. 3 is a flow diagram of another behavior detection method provided by one embodiment of the present description;
fig. 4 is a schematic structural diagram of a behavior detection device according to an embodiment of the present disclosure;
fig. 5 is a block diagram of a computing device according to an embodiment of the present disclosure.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present specification. This description may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein, as those skilled in the art will be able to make and use the present disclosure without departing from the spirit and scope of the present disclosure.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, etc. may be used in one or more embodiments herein to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first can also be referred to as a second and, similarly, a second can also be referred to as a first without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "when", "upon", or "in response to determining", depending on the context.
First, the noun terms referred to in one or more embodiments of the present specification are explained.
Hash: the process of converting an input of arbitrary length (also called the pre-image) into an output of fixed length, the hash value, by means of a hash algorithm. The transformation is a compression mapping: the space of hash values is usually much smaller than the space of inputs, different inputs may hash to the same output, and the input therefore cannot be uniquely determined from a hash value. In short, a hash function compresses a message of arbitrary length into a message digest of fixed length.
Horizontal override: an override between peer users, that is, an attacker accessing the resources of a user who holds the same permissions as the attacker. For example, users A and B have the same role and the same permission level, and each may read their own private data (data A and data B). If the system only verifies the role of the requester and does not further verify which user the requested data belongs to, user A can read user B's data (data B); user A reading data B is a horizontal override (also known as horizontal privilege escalation or an insecure direct object reference).
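To make the definition concrete, the following is an added example (not code from the patent) of the two handlers it describes: one that checks only the caller's role and is therefore open to horizontal override, beside one that also checks ownership of the requested object. The records, the session structure and the function names are constructed for the example.

```python
"""Added example, not the patent's own code: a role-only handler (vulnerable to
horizontal override) beside a handler that also verifies resource ownership.
All records, sessions and function names are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated caller: the user identifier bound to the session and its role."""
    user_id: str
    role: str


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


# Constructed private records: record id -> (owner user id, content).
RECORDS = {
    "order-1001": ("ID_A", "A's order history"),
    "order-2002": ("ID_B", "B's order history"),
}


def get_order_vulnerable(session: Session, order_id: str) -> str:
    """Role-only check: any 'customer' can read any other customer's order,
    because the object the request names is never compared with the caller."""
    if session.role != "customer":
        raise Forbidden("role not allowed")
    _owner, content = RECORDS[order_id]
    return content


def get_order_hardened(session: Session, order_id: str) -> str:
    """Role check plus ownership check on the requested object."""
    if session.role != "customer":
        raise Forbidden("role not allowed")
    record = RECORDS.get(order_id)
    # Same error for missing and foreign objects, so the endpoint does not
    # reveal which identifiers exist (that would help enumerate them).
    if record is None or record[0] != session.user_id:
        raise Forbidden("not your resource")
    return record[1]


if __name__ == "__main__":
    user_a = Session("ID_A", "customer")
    print(get_order_vulnerable(user_a, "order-2002"))   # leaks B's data
    try:
        get_order_hardened(user_a, "order-2002")
    except Forbidden as exc:
        print("hardened handler refused:", exc)
```

The ownership check belongs in the handler (or a shared authorization layer it calls) for every object-bearing parameter, not only the one shown; the detection method in this patent is a traffic-side safety net for the cases where such a check was forgotten.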
In the present specification, a behavior detection method is provided, and the present specification relates to a behavior detection apparatus, a computing device, a computer-readable storage medium, and a computer program, which are described in detail one by one in the following examples.
Referring to the schematic diagram shown in fig. 1, in order to perceive override behavior in advance and protect against it, after the traffic data to be detected corresponding to the target service is acquired, the user identifier and the access data associated with the user identifier are determined in the traffic data to be detected, and a hash operation is performed on the access data to obtain the access hash value corresponding to the user identifier. The behavior detection policy of the target service is then combined with the access hash value to determine the access behavior information of the user identifier before the private resource requested by the access data is returned, so that override behavior is perceived and blocked in advance and the loss caused by data leakage is avoided.
Fig. 2 shows a flowchart of a behavior detection method according to an embodiment of the present disclosure, which specifically includes the following steps.
Step S202: acquiring traffic data to be detected corresponding to the target service.
The behavior detection method provided by the present specification applies to the behavior detection process of a website and runs on the server to which the website belongs. The server performs horizontal override behavior detection on traffic data acquired in real time and, once detection is complete, can in time cut off the request, block the account of the user with abnormal behavior, and so on.
Specifically, the target service is a service through which resources are accessed, read and/or downloaded by means of the website, and the resources involved include at least the private resource of each user. In other words, the target service involves access to, reading of and/or downloading of each user's private resources, which can give rise to horizontal override behavior between users. Correspondingly, the traffic data to be detected is the real-time traffic of the target service at the current moment, which is subsequently analyzed to determine whether horizontal override behavior between users exists.
It should be noted that the behavior detection method provided in this specification is executed on the server as real-time detection and analyzes the traffic data to be detected at any time, so that override behavior is perceived and blocked in time and leakage of the server's data and resources is avoided.
Further, the traffic of the target service covers many dimensions, not all of which involve sensitive data, and detecting the full traffic of the target service would consume considerable computing resources and time. Therefore, in order to detect abnormal behavior efficiently and accurately, the dimensions that involve sensitive data can be determined from the historical traffic data of the target service, and the traffic can be filtered on that basis before each detection. In this embodiment, the specific implementation is as follows:
acquiring historical traffic data of the target service; determining, in the historical traffic data, the resource access data associated with user resources, and generating reference access information based on the resource access data; acquiring initial traffic data corresponding to the target service; and screening out, from the initial traffic data, the traffic data associated with the reference access information as the traffic data to be detected.
Specifically, the historical traffic data is the traffic data of the target service over any time interval before the current detection and is used to analyze the access data associated with users' private resources. Correspondingly, a user resource is the private resource of the corresponding user, whose content includes but is not limited to images, text, audio and transaction information. The resource access data is the access data in the historical traffic that relates to a user's resource; it consists of the url, the parameter names and the parameter values, and a user's private resource can be accessed through it. The reference access information is marking information generated for the resource access data that describes, within the traffic, which requests are associated with users' private resources; through it, the access data associated with users' private resources can be identified in the traffic data, so that override behavior can later be detected and confirmed on the basis of that access data. The initial traffic data is the full real-time traffic of the target service at the current moment.
On this basis, in order to screen out of a large volume of traffic the reference access information through which horizontal override behavior would leak data, the historical traffic data of the target service is acquired first, and the resource access data associated with user resources is determined in it, that is, the traffic related to users' private resources is screened out of the historical traffic as resource access data. Reference access information is then generated from the resource access data, so as to determine which traffic is associated with users' private resources.
After the reference access information has been determined, when the initial traffic data (the real-time traffic) of the target service is acquired, it is filtered according to the reference access information, and the traffic associated with the reference access information is taken as the traffic data to be detected, on which the current horizontal override behavior is detected.
In a specific implementation, the http traffic of a past period is acquired; the ID of each user is obtained through the session identifier in the cookie of the http request, and the url, all parameter names and all parameter values of the request are spliced and then hashed, yielding a hash value for each request made under each user ID. If, in all historical traffic of a url, every hash value corresponds to exactly one user ID, then the url, parameter names and parameter values that were hashed constitute access data with which the user owning that ID accesses a private resource, and the resource requested through that url is determined to be a private resource of that user. Note that a url requested by a single user only, or one whose parameters carry per-request values such as nonces or timestamps, trivially satisfies this condition as well, so a minimum number of observations per url is a sensible additional check before a url is marked.
On this basis, when the urls associated with users' private resources are marked in the http traffic of the historical period, the access data associated with a user ID or a private resource is selected, and the url of the associated private resource is determined from that access data. After the real-time traffic is acquired, the traffic that accesses users' private resources is identified in it on the basis of the marked urls, which facilitates the subsequent analysis of horizontal override behavior.
It should be noted that the reference access information may be determined at any time before the initial traffic data is acquired; this embodiment imposes no limitation here.
In summary, the reference access information is derived from the historical traffic data. In subsequent override detection, the access data associated with users' private resources can be screened out of the real-time traffic accurately on the basis of the reference access information, and horizontal override behavior is detected on that access data, which effectively reduces the volume of data processed, completes override detection in less time, and avoids omissions.
Step S204: determining a user identifier and the access data associated with the user identifier in the traffic data to be detected.
Specifically, after the traffic data to be detected of the target service is acquired, and considering that it contains a large number of access requests and responses, the user identifier of each user and the access data associated with each user identifier are determined in the traffic to be detected, so that whether each user has horizontal override behavior can subsequently be determined from the access data together with the user identifier.
The user identifier is the unique identifier that a user participating in the target service possesses and that represents the user's identity. Correspondingly, the access data is the url data, parameter name data, parameter value data and the like corresponding to each user identifier; the association between a user identifier and its access data covers all access data related to that user identifier. Under normal conditions, each piece of access data (and hence each access hash value) corresponds to exactly one user identifier. If a user engages in horizontal override, that user reaches another user's private resource through that user's access data, and one piece of access data then corresponds to several user identifiers, from which the occurrence of override behavior can be judged.
Further, when determining the user identifier and its associated access data, and considering that this content is the basis for judging whether a user has horizontal override behavior, the user identifier must be associated with the access data accurately. This can be achieved by means of a session identifier and traffic analysis; in this embodiment, the specific implementation is steps S2042 to S2044.
Step S2042: extracting a session identifier from the user information file corresponding to the traffic data to be detected, and determining the user identifier corresponding to the session identifier.
Step S2044: analyzing the traffic data to be detected, and generating the access data associated with the user identifier according to the analysis result.
Specifically, the user information file is the cookie carried by the real-time requests in the traffic data to be detected, which is used to hold the user's identity; correspondingly, the session identifier is the identifier stored in that cookie, and session identifiers and user identifiers are in one-to-one correspondence.
On this basis, after the traffic data to be detected is acquired, the corresponding user information file is located, the session identifier is read from it, and the user identifier of each user involved in the traffic data to be detected is determined from the session identifier. At the same time, in order to detect horizontal override by the user corresponding to each user identifier, the traffic data to be detected is analyzed, and the access data associated with each user identifier is determined from the analysis result for subsequent use.
It should be noted that the user identifier obtained at this point is associated with the access data: it indicates that someone is using the current user identifier to read a private resource through the parameters contained in the access data. The request may have been made by the user to whom the identifier belongs, or by another user acting under that user's identifier, so the relevant detection processing must be performed after the access data associated with the user identifier has been obtained.
In summary, the user identifier and the access data are obtained from the traffic data to be detected and associated with each other already at the analysis stage, so that horizontal override detection can subsequently be completed on the basis of that association and detection accuracy is ensured.
Furthermore, when the traffic data to be detected is analyzed to determine the access data, the access data is in fact composed of data of several dimensions; in this embodiment the specific implementation is as follows:
analyzing the traffic data to be detected to obtain the access address, access parameter information and access parameter values associated with the user identifier; and splicing the access address, the access parameter information and the access parameter values to obtain the access data associated with the user identifier.
Specifically, the access address is the address (the url) used to access a private resource in the real-time traffic; the access parameter information is the names of the parameters in the request; the access parameter values are the values of those parameters. Splicing means joining the access address, the access parameter information and the access parameter values into one string, for example end to end; this embodiment does not limit the splicing form. Whatever form is chosen must be deterministic, so that identical requests always produce the same access hash value and a mere reordering of parameters cannot defeat the comparison.
On this basis, after the user identifier is obtained, and considering that a user's private data can only be read by combining the user identifier with the corresponding access data, the traffic data to be detected is analyzed to obtain the access address, access parameter information and access parameter values associated with the user identifier. This information is the basis for accessing the private resource, so it is spliced, and the access data associated with the user identifier is obtained from the splicing result for subsequent use.
Continuing the example, after the content associated with the marked urls has been determined from the collected real-time traffic, the following may be obtained: the ID of user A is ID_A, and user A's private resource is accessed through url A, which requires ID_A; the ID of user B is ID_B, and user B's private resource is accessed through url B, which requires ID_B; the ID of user C is ID_C, and user C accesses user A's private resource through url A, which requires ID_A. Once these data are obtained, they can be used for the subsequent override detection for each user.
In sum, composing the access data from multi-dimensional data ensures higher accuracy in horizontal override detection, so that a response can be made quickly and accurately, data leakage avoided and losses reduced.
Step S206: performing a hash operation on the access data to obtain an access hash value corresponding to the user identifier.
Specifically, after the access data associated with the user identifier is obtained, in order to improve the speed and accuracy of horizontal override detection, a hash operation is performed on the access data associated with each user identifier to obtain the access hash value corresponding to that user identifier. The access behavior information of each user identifier can then be determined by combining the behavior detection policy preset for the target service with the access hash value, so that control measures can be taken as needed and data leakage avoided.
Step S208, determining the access behavior information of the user identifier based on the behavior detection strategy of the target service and the access hash value; wherein the behavior detection policy is associated with a horizontal override behavior detection dimension.
Specifically, after the access hash value corresponding to the user identifier is obtained, further, considering that different modes need to be combined to perform detection of the horizontal unauthorized behavior under different service scenarios, a behavior detection policy associated with the target service may be determined first, and then the access hash value is incorporated, so that determination of the access behavior information of the user identifier is achieved, and thus all user identifiers related to the traffic to be detected are detected, that is, whether the horizontal unauthorized behavior exists at the current time can be determined, so as to take a countermeasure in time for a corresponding problem. Such as blocking an address, blocking an account, or closing access to a private resource, which is not limited in this embodiment. The behavior detection policy specifically refers to a policy set for different service scenarios, and the policy is controlled by computing resources and storage resources of the service provider, that is, the sufficiency of the storage resources and the computing resources of the service provider controls the behavior detection policy. Correspondingly, the access behavior information specifically refers to description information for determining whether the user associated with the user identifier has a horizontal override behavior; correspondingly, the horizontal override behavior detection dimension specifically refers to a dimension for performing horizontal override behavior detection on the user.
Further, when the service party to which the target service belongs meets the resource calling condition, it is indicated that the service party to which the target service belongs has sufficient computing resources and storage resources, at this time, in order to quickly complete the detection of the horizontal override behavior, an access information table may be established in advance, a mapping relationship between a historical access hash value and a historical user identifier is recorded in the access information table, and after a real-time flow is obtained, the access information table may be read to determine whether the mapping relationship is correct, in this embodiment, the specific implementation manner is as follows:
determining an access information table based on the behavior detection policy of the target service; querying the access information table according to the access hash value, and determining the access behavior information of the user identifier according to the query result; wherein the access information table records the mapping relationship between the historical access hash value and the historical user identifier.
Specifically, the resource calling condition is a condition consulted during detection of horizontal override behavior: it determines whether the resources that can be called in the current service scenario can support the detection. Correspondingly, the access information table is an information table recording the user identifiers and access hash values associated with the users participating in the target service. Because each user's identifier is unique and the access data used to access private data is unique, the corresponding access hash value is also unique; the mapping relationship between user identifier and access hash value can therefore be sorted out from historical traffic data and stored in the access information table for lookup during use. That is, whether the relationship between the currently obtained access hash value and user identifier matches the relationship stored in the table can be determined, and from this horizontal override behavior can be determined. Correspondingly, the historical access hash value refers to the hash value obtained by performing the hash operation on historical access data.
Based on this, when the service party to which the target service belongs meets the resource calling condition, its storage and computing resources are sufficient, so the access information table can be established in advance using those resources, with the mapping relationship between historical user identifiers and historical access hash values recorded in it. When the target service performs behavior detection, the access information table is determined based on the behavior detection policy of the target service. The access hash value corresponds to the user identifier, the table records the mapping relationship between historical access hash values and historical user identifiers, and the content recorded in the table is accurate; therefore the table can be queried by the access hash value, and the access behavior information corresponding to the user identifier determined from the query result. That is, the historical user identifier stored for that access hash value is determined from the query result, and the access behavior information of the user identifier is determined by comparing that historical user identifier with the user identifier that corresponds to the access hash value in the current traffic.
It should be noted that the access information table needs to be established in advance, and the mapping relationships stored in it must all be accurate, so that on this basis the accuracy of horizontal override behavior detection at any subsequent time can be ensured. In addition, since the users participating in the target service may change at any time, the access information table may be updated along with the users, so that every detection covers all users participating in the target service.
In summary, in order to ensure detection accuracy and efficiency when the service party has sufficient resources, the access information table may be used to determine the access behavior information, so that a large number of user identifiers can be detected in a short time and the service party corresponding to the target service can decide quickly on a solution for the horizontal override behavior.
Furthermore, the access behavior information is actually determined by comparing the user identifier stored in the access information table with the user identifier corresponding to the access hash value; in this embodiment, the specific implementation is as follows:
determining an associated user identifier according to the query result, and determining normal access information as access behavior information of the user identifier under the condition that the associated user identifier is the same as the user identifier; or,
determining an associated user identifier according to a query result, and determining access abnormal information as access behavior information of the user identifier under the condition that the associated user identifier is different from the user identifier; or,
when it is determined according to the query result that no associated user identifier exists in the access information table, generating a target mapping relationship based on the user identifier and the access hash value, and recording the target mapping relationship in the access information table.
In the first case, when the access information table is queried, an associated user identifier is found, and it is the same as the user identifier, the user identifier corresponding to the access data is the identifier of the user who owns the private resource being accessed, so the user identifier has no override behavior, and the access normal information can be used as the access behavior information corresponding to the user identifier.
In the second case, when the access information table is queried, an associated user identifier is found, but it differs from the user identifier, the user identifier corresponding to the access data is not the identifier of the user who owns the private resource; that is, another user is accessing the private resource that belongs to the associated user identifier, and the user presenting the user identifier at this time has a horizontal override behavior.
In the third case, when the access information table is queried and no associated user identifier is found, the current access data and its user identifier belong to a user who is participating in the target service for the first time. In this case the user corresponding to the user identifier is unlikely to have a horizontal override behavior, so a target mapping relationship can be created from the access hash value and the user identifier and written into the access information table, storing the new user's information for subsequent use.
Along the above example, with urlA being url: com/testa =123& = B = abc, hashing urlA with the sha256 algorithm gives the hash string A corresponding to urlA; similarly, hashing urlB gives the hash string B corresponding to urlB.
Further, the pre-established access information table is queried with hash strings A and B. From the query result, the user identifier corresponding to hash string A in the historical traffic is ID_A and the user identifier corresponding to hash string B is ID_B. The queried user identifiers are compared with the user identifiers corresponding to the access data in the real-time traffic, and from the comparison user A and user B are both determined to be accessing their private resources normally, while ID_C corresponding to user C is inconsistent with the identifier queried from the hash value corresponding to urlA, so user C is determined to have a horizontal override behavior.
In addition, when no user identifier is obtained by querying the table with a hash string, no mapping relationship for that user exists in the current table; a new mapping relationship can therefore be formed from the hash string and the user identifier corresponding to the access data and written into the table, for use in the subsequent processing stage.
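The table-based check described above (query the access information table by access hash, then apply the three outcomes: same identifier, different identifier, no entry), as an added example in Python that is not part of the patent text. The URLs, the identifiers ID_A to ID_E, and the `AccessInfoTable` class are constructed for illustration; the hash is SHA-256 over the access data string, as in the worked example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample access data (the page's own URL is not reproduced here).
URL_A = "https://example.com/test?a=123&b=abc"  # user A's private resource
URL_B = "https://example.com/test?a=456&b=def"  # user B's private resource
URL_D = "https://example.com/test?a=789&b=ghi"  # resource of a user not yet in the table

# Access behavior information values (constructed labels).
NORMAL = "access_normal"
ABNORMAL = "access_abnormal"
NEW_MAPPING = "new_mapping_recorded"


def access_hash(access_data: str) -> str:
    """Hash the spliced access data (url + parameter names + values) with SHA-256."""
    return hashlib.sha256(access_data.encode("utf-8")).hexdigest()


class AccessInfoTable:
    """Access information table: historical access hash -> historical user identifier."""

    def __init__(self, history: List[Tuple[str, str]]):
        # history entries are (user_id, access_data) taken from trusted historical
        # traffic; the table is assumed accurate, so the first identifier seen for
        # a hash is kept.
        self.table: Dict[str, str] = {}
        for user_id, access_data in history:
            self.table.setdefault(access_hash(access_data), user_id)

    def associated_user(self, access_data: str) -> Optional[str]:
        return self.table.get(access_hash(access_data))

    def check(self, user_id: str, access_data: str) -> str:
        """Return the access behavior information for one live (user_id, access_data) pair."""
        h = access_hash(access_data)
        associated = self.table.get(h)
        if associated is None:
            # Third case: no entry, first-time participant; record the new mapping.
            self.table[h] = user_id
            return NEW_MAPPING
        if associated == user_id:
            return NORMAL        # first case: the owner is using their own identifier
        return ABNORMAL          # second case: another identifier on this resource


def detect(history: List[Tuple[str, str]], live: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Build the table from history, then classify every record of the live traffic."""
    table = AccessInfoTable(history)
    return [(user_id, table.check(user_id, access_data)) for user_id, access_data in live]


if __name__ == "__main__":
    history = [("ID_A", URL_A), ("ID_B", URL_B)]
    live = [("ID_A", URL_A), ("ID_B", URL_B), ("ID_C", URL_A), ("ID_D", URL_D)]
    for user_id, info in detect(history, live):
        print(user_id, info)
```

The check runs before the private resource is returned, so an `ABNORMAL` result can feed the countermeasures the text names (blocking the identifier or address). Note that the third case writes into the table, so the table is only as trustworthy as the first record seen for each hash; a user who is allowed to present a resource URL for the first time should be one the service already vouches for.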
In practical application, after the user identifier with horizontal override behavior is determined, since the detection occurs before the private resource is returned in response to the request, the user identifier with override behavior can be blocked or the target service temporarily shut down, so as to avoid the data leakage that a successful access to the private resource would cause.
In order to sense override behavior in advance and protect against it, the behavior detection method provided by the present specification may, after acquiring the traffic data to be detected corresponding to the target service, determine the user identifier and the access data associated with it in that traffic, and then hash the access data to obtain the access hash value corresponding to the user identifier. Then, by combining the behavior detection policy of the target service with the access hash value, the access behavior information of the user identifier is determined before the private resource is returned for the access data, so that override behavior can be perceived and protected against in advance and the loss caused by data leakage avoided.
Corresponding to the above embodiments, the present specification further provides another behavior detection method, and fig. 3 shows a flowchart of another behavior detection method provided according to an embodiment of the present specification, which specifically includes the following steps.
Step S302, obtaining the traffic data to be detected corresponding to the target service.
The behavior detection method provided by the present specification is applied to the behavior detection process of a website and runs on the server to which the website belongs; the server performs horizontal override behavior detection on traffic data acquired in real time, and after detection completes it can cut the service off (circuit-break) in time, block the account of a user with abnormal behavior, and so on.
Specifically, the target service is a service in which operations such as resource access, reading and/or downloading are performed through a website, and the resources involved in those operations include at least the private resources corresponding to each user. That is, the target service may involve access to, reading of and/or downloading of each user's private resources, which may give rise to horizontal override behavior between users. Correspondingly, the traffic data to be detected is the real-time traffic corresponding to the target service at the current moment, and it is analyzed to determine whether horizontal override behavior between users has occurred.
It should be noted that the behavior detection method provided in this specification is executed on the server as real-time detection, performing detection analysis on the traffic data to be detected at any time, so that override behavior is perceived and protected against in time and leakage of data and resources from the server is avoided.
Step S304, determining a user identifier in the flow data to be detected and access data associated with the user identifier.
Specifically, after the traffic data to be detected for the target service is obtained, and considering that it includes a large number of access requests and response contents, in order to detect whether each user has horizontal override behavior, the user identifier of each user and the access data associated with each user identifier may be determined in the traffic to be detected, so that the detection can subsequently be completed by combining the access data with the user identifier.
The user identifier is the unique identifier possessed by a user participating in the target service and representing the user's identity. Correspondingly, the access data includes the url data, parameter name data, parameter value data and the like corresponding to each user identifier, and the association between user identifiers and access data means all access data associated with each user identifier. Under normal conditions, each user identifier corresponds to one access data; if a user has horizontal override behavior, that user accesses private resources using other users' identifiers, so that several user identifiers correspond to one access data, from which the override behavior can be judged to have occurred.
Step S306, performing hash operation on the access data to obtain an access hash value corresponding to the user identifier.
Specifically, after the access data associated with the user identifier is obtained, in order to improve the speed and accuracy of horizontal override behavior detection, a hash operation may be performed on the access data associated with the user identifier to obtain the access hash value corresponding to each user identifier; subsequently the access behavior information of each user identifier may be determined by combining the behavior detection policy preset by the target service with the access hash value, so that control can be applied as needed and data leakage avoided.
It should be noted that another behavior detection method provided in this embodiment corresponds to the behavior detection method provided in the above embodiment, wherein the descriptions of step S302 to step S306 can refer to the same or corresponding descriptions in the above embodiment, and are not described in detail herein. In addition, the same descriptions as those provided in the above embodiments can also be referred to the above embodiments, and the present embodiment is not limited in any way herein.
Step S308, when the service party to which the target service belongs does not meet the resource calling condition, determining, according to the traffic data to be detected, the number of user identifiers corresponding to the access hash value within a preset time interval.
Specifically, after the access hash value corresponding to the user identifier is obtained, and considering that different service scenarios require different modes of detecting horizontal override behavior, the behavior detection policy associated with the target service can be determined first and then combined with the access hash value to determine the access behavior information of the user identifier. In this way all user identifiers related to the traffic to be detected are checked, that is, whether horizontal override behavior exists at the current time can be determined, and a countermeasure can be taken in time for the corresponding problem, such as blocking an address, blocking an account, or closing access to the private resource; this embodiment does not limit the countermeasure.
Based on this, when the resource calling condition is not met, the number of user identifiers corresponding to the access hash value within the preset time interval can be determined from the traffic data to be detected, and the access behavior information is then determined from that number. The preset time interval is the time window over which the number of user identifiers is counted; its length may be set according to the actual application scenario, for example 5 minutes or 10 minutes.
That is to say, when the service party to which the target service belongs does not meet the resource calling condition, its computing and storage resources are insufficient, and calling additional storage and computing resources for horizontal override detection would put pressure on the service party's resources. For this case, detection can instead be implemented by counting, after the access hash value corresponding to the user identifier is obtained, how many user identifiers correspond to each access hash value. When horizontal override behavior exists, the same access data corresponds to at least two user identifiers, that is, different users accessing private resources through it, which indicates a malicious operation by a user, so this mechanism can be used for override behavior detection.
Further, when determining the number of user identifiers, since the user identifiers are associated with the access data and the access hash value is obtained by hashing the access data, the count of user identifiers can be completed based on the access data. In this embodiment, the specific implementation is as follows:
determining, according to the traffic data to be detected, the access user identifiers corresponding to the access data within the preset time interval; and counting the number of identifiers corresponding to those access user identifiers as the number of user identifiers corresponding to the access hash value.
Based on this, the traffic data to be detected comprises all traffic within the preset time period, so the access user identifiers corresponding to the access data within the preset time interval can be determined by analyzing it. Usually each access data should correspond to one access user identifier, because each user accesses private resources only through their own user identifier; if this is not the case, override behavior may exist. Therefore the number of identifiers corresponding to the access user identifiers can be counted, and since the access hash value is obtained by hashing the access data, the number of user identifiers corresponding to the access hash value follows from that count, which facilitates the subsequent comparison of quantities and the determination of whether override behavior exists.
For example, the identifier corresponding to user A is ID_A, and user A's private resource is accessed through urlA, which requires ID_A; the identifier corresponding to user B is ID_B, and user B's private resource is accessed through urlB, which requires ID_B; and the identifier corresponding to user C is ID_C, but user C accesses user A's private resource through urlA, which should require ID_A.
With urlA being url: com/testa =123& = B = abc, hashing urlA with the sha256 algorithm gives the hash string A corresponding to urlA; similarly, hashing urlB gives the hash string B corresponding to urlB. At this point it can be determined that in the real-time traffic hash string A corresponds to ID_A and ID_C, and hash string B corresponds to ID_B.
Further, by counting the access user identifiers corresponding to each access data within 10 minutes, it is determined that urlA corresponds to ID_A and ID_C and urlB corresponds to ID_B, so the number of user identifiers corresponding to hash string A is 2 and the number corresponding to hash string B is 1, which is then used in the subsequent detection of horizontal override behavior.
In conclusion, the number of user identifiers corresponding to the access hash value is determined by counting the user identifiers of the access data, so that the horizontal override analysis can subsequently be completed by analyzing the number of user identifiers within the preset time period, and the accuracy of the override behavior analysis is ensured.
Step S310, detecting the number of the user identifications based on the behavior detection strategy, and determining the access behavior information of the user identifications according to the detection result.
Specifically, after the number of user identifiers is obtained, it may be checked against the behavior detection policy to analyze whether it reaches an upper limit, and the access behavior information of the user identifier is determined according to the check result. The access behavior information refers to description information for determining whether the user associated with the user identifier has a horizontal override behavior.
Further, analyzing whether a user has horizontal override behavior based on the number of user identifiers may be implemented by comparison with a preset number threshold; in this embodiment, the specific implementation is as follows:
determining access abnormal information as the access behavior information of the user identifier when the number of user identifiers is determined, based on the behavior detection policy, to be larger than a preset number threshold; or determining normal access information as the access behavior information of the user identifier when the number of user identifiers is determined, based on the behavior detection policy, to be less than or equal to the preset number threshold.
In specific implementation, the preset number threshold may be set according to the actual application scenario, for example to a value such as 1 or 2, and this embodiment is not limited herein.
In the first case, when the number of user identifiers is determined to be larger than the preset number threshold based on the behavior detection policy, horizontal override behavior exists at this time, and in order to avoid loss the access abnormal information can be used as the access behavior information of the user identifier.
In the second case, when the number of user identifiers is determined to be less than or equal to the preset number threshold based on the behavior detection policy, horizontal override behavior does not exist at this time, and therefore the access normal information can be used as the access behavior information corresponding to the user identifier.
According to the above example, the statistical result gives 2 user identifiers corresponding to hash string A and 1 corresponding to hash string B; with the preset number threshold set to 1, the comparison shows that the number of user identifiers corresponding to hash string A, 2, is larger than 1, so horizontal override behavior is determined to exist.
In conclusion, the access behavior information is determined by comparing the quantity threshold, so that the detection of the horizontal override behavior can be finished in a short time, the detection precision is improved, and the consumption of computing resources can be reduced.
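The counting variant of steps S308 and S310 (distinct user identifiers per access hash inside a time window, compared against a number threshold), as an added example in Python that is not part of the patent text. The traffic records, timestamps, URLs and identifiers are constructed; the 10-minute window and the threshold of 1 follow the worked example above.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Access behavior information values (constructed labels).
NORMAL = "access_normal"
ABNORMAL = "access_abnormal"

# Constructed sample access data.
URL_A = "https://example.com/test?a=123&b=abc"  # user A's private resource
URL_B = "https://example.com/test?a=456&b=def"  # user B's private resource

# One record of the traffic to be detected: (timestamp, user identifier, access data).
TrafficRecord = Tuple[datetime, str, str]


def access_hash(access_data: str) -> str:
    """SHA-256 over the spliced access data, as in the worked example."""
    return hashlib.sha256(access_data.encode("utf-8")).hexdigest()


def count_user_ids(traffic: List[TrafficRecord], window_start: datetime,
                   window: timedelta) -> Dict[str, int]:
    """Number of distinct access user identifiers per access hash within
    [window_start, window_start + window). Repeats by the same identifier count once."""
    ids_per_hash: Dict[str, Set[str]] = defaultdict(set)
    window_end = window_start + window
    for ts, user_id, access_data in traffic:
        if window_start <= ts < window_end:
            ids_per_hash[access_hash(access_data)].add(user_id)
    return {h: len(ids) for h, ids in ids_per_hash.items()}


def classify(counts: Dict[str, int], threshold: int) -> Dict[str, str]:
    """Apply the preset number threshold: more identifiers than allowed is abnormal."""
    return {h: (ABNORMAL if n > threshold else NORMAL) for h, n in counts.items()}


def detect(traffic: List[TrafficRecord], window_start: datetime,
           window: timedelta, threshold: int) -> Dict[str, str]:
    return classify(count_user_ids(traffic, window_start, window), threshold)


# Constructed sample traffic: ID_C presents user A's URL inside the window, and a
# late record on urlB falls outside the window so it must not be counted.
T0 = datetime(2024, 1, 1, 12, 0, 0)
WINDOW = timedelta(minutes=10)
THRESHOLD = 1
SAMPLE_TRAFFIC: List[TrafficRecord] = [
    (T0 + timedelta(minutes=1), "ID_A", URL_A),
    (T0 + timedelta(minutes=2), "ID_B", URL_B),
    (T0 + timedelta(minutes=3), "ID_A", URL_A),   # repeat by the same user
    (T0 + timedelta(minutes=4), "ID_C", URL_A),   # second identifier on A's resource
    (T0 + timedelta(minutes=15), "ID_E", URL_B),  # outside the 10-minute window
]

if __name__ == "__main__":
    for h, info in detect(SAMPLE_TRAFFIC, T0, WINDOW, THRESHOLD).items():
        print(h[:12], info)
```

Because identifiers are collected into a set, a single user retrying the same request does not raise the count; only a second identifier on the same access hash does. The window boundary matters for the same reason: an identifier seen outside the interval belongs to a different count and a different decision.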
In addition, considering that a single detection may carry a risk of low accuracy, and that the service side also needs to determine whether the horizontal override behavior actually succeeded so as to reduce loss, after the access behavior information is determined, whether the override behavior succeeded may be detected. In this embodiment, the specific implementation is as follows:
obtaining the access feedback result of each access user identifier corresponding to the access data; performing a hash operation on the access feedback result of each access user identifier respectively to obtain the feedback hash value corresponding to each access user identifier; and comparing the feedback hash values corresponding to the access user identifiers, and determining the abnormal behavior result of the user identifier according to the comparison result.
Specifically, the access feedback result is the content returned to the access user identifier for the access data, including but not limited to the private resources, information and the like associated with the access user identifier. Correspondingly, the feedback hash value is the hash value obtained by hashing the feedback result; the hash operation may be the same one applied to the access data, which this embodiment does not limit. Accordingly, the abnormal behavior result is the determination of whether the override behavior succeeded.
Based on this, in order to avoid excessive loss, after determining that horizontal override behavior exists, the access feedback result corresponding to each access user identifier of the access data can be obtained. Each access feedback result is then hashed to obtain the feedback hash value corresponding to each access user identifier, and the feedback hash values of the access user identifiers are compared to determine the abnormal behavior result corresponding to the user identifier, that is, whether the horizontal override behavior succeeded.
Along the above example, after hash string A is determined to correspond to ID_A and ID_C, the private resource returned for ID_A may be hashed to obtain hash string A1 and the private resource returned for ID_C hashed to obtain hash string C1; if A1 and C1 are equal, the horizontal override behavior succeeded, otherwise it did not.
By comparing feedback hash values to detect whether the horizontal override behavior succeeded, the problem of private resource leakage can be further determined, so that a response can be made in time to avoid excessive loss.
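The feedback-hash comparison described above (hash the response returned to each access user identifier on the same access data, then treat equal hashes as a successful override), as an added example in Python that is not part of the patent text. The response bodies and identifiers are constructed; the function names are this example's own.

```python
import hashlib
from typing import Dict


def feedback_hash(feedback: bytes) -> str:
    """SHA-256 of the content returned to one access user identifier."""
    return hashlib.sha256(feedback).hexdigest()


def abnormal_behavior_result(feedback_by_user: Dict[str, bytes]) -> Dict[str, bool]:
    """For the access user identifiers that presented one access data, return per
    identifier whether its feedback hash equals the feedback hash of another identifier.
    True means that identifier received the same content as someone else, i.e. the
    private resource was actually returned to more than one identifier."""
    hashes = {user_id: feedback_hash(body) for user_id, body in feedback_by_user.items()}
    result: Dict[str, bool] = {}
    for user_id, h in hashes.items():
        result[user_id] = any(h == other for other_id, other in hashes.items()
                              if other_id != user_id)
    return result


def override_succeeded(feedback_by_user: Dict[str, bytes]) -> bool:
    """Overall abnormal behavior result: did any two identifiers get identical feedback?"""
    return any(abnormal_behavior_result(feedback_by_user).values())


# Constructed feedback: the body of user A's private resource, and an error body.
PRIVATE_A = b'{"owner":"ID_A","balance":100}'
FORBIDDEN = b'{"error":"forbidden"}'

if __name__ == "__main__":
    # Success case: both ID_A and ID_C received user A's resource (A1 == C1).
    print(override_succeeded({"ID_A": PRIVATE_A, "ID_C": PRIVATE_A}))
    # Failure case: ID_C was refused, so the hashes differ.
    print(override_succeeded({"ID_A": PRIVATE_A, "ID_C": FORBIDDEN}))
```

The comparison assumes the server returns byte-identical content for the same private resource; responses carrying per-request values (timestamps, nonces, session tokens) would hash differently even when the private data leaked, so in that case the hash should be computed over the resource payload alone rather than the whole response.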
To sum up, in order to sense override behavior in advance and protect against it, after the traffic data to be detected corresponding to the target service is acquired, the user identifier and the access data associated with it may be determined in that traffic, and the access data hashed to obtain the access hash value corresponding to the user identifier. Then, by combining the behavior detection policy of the target service with the access hash value, the access behavior information of the user identifier is determined before the private resource is returned for the access data, so that override behavior can be perceived and protected against in advance and the loss caused by data leakage avoided.
Corresponding to the above method embodiment, the present specification further provides an embodiment of a behavior detection device, and fig. 4 shows a schematic structural diagram of a behavior detection device provided in an embodiment of the present specification. As shown in fig. 4, the apparatus includes:
a data obtaining module 402 configured to obtain the traffic data to be detected corresponding to a target service;
an identification determining module 404 configured to determine a user identifier in the traffic data to be detected, and access data associated with the user identifier;
a hash operation module 406 configured to perform a hash operation on the access data to obtain an access hash value corresponding to the user identifier;
an information determining module 408 configured to determine access behavior information of the user identifier based on the behavior detection policy of the target service and the access hash value; wherein the behavior detection policy is associated with a horizontal override behavior detection dimension.
In an optional embodiment, the apparatus further comprises:
the generation information module is configured to acquire historical flow data of the target service; determining resource access data of associated user resources in the historical traffic data, and generating reference access information based on the resource access data;
accordingly, the data obtaining module 402 is further configured to:
acquiring initial flow data corresponding to the target service; and screening out flow data associated with the reference access information from the initial flow data to serve as the flow data to be detected.
In an optional embodiment, the identification determining module 404 is further configured to:
extracting a session identifier from a user information file corresponding to the flow data to be detected, and determining the user identifier corresponding to the session identifier; and analyzing the flow data to be detected, and generating the access data associated with the user identifier according to an analysis result.
In an optional embodiment, the identification determining module 404 is further configured to:
analyzing the flow data to be detected to obtain an access address, access parameter information and an access parameter value associated with the user identifier; and splicing the access address, the access parameter information and the access parameter value to obtain the access data associated with the user identifier.
In an optional embodiment, in a case that the service party to which the target service belongs satisfies the resource invocation condition, the information determining module 408 is further configured to:
determining an access information table based on the behavior detection policy of the target service; querying the access information table according to the access hash value, and determining the access behavior information of the user identifier according to the query result; wherein the access information table records the mapping relationship between the historical access hash value and the historical user identifier.
In an optional embodiment, the determination information module 408 is further configured to:
determining an associated user identifier according to a query result, and determining normal access information as access behavior information of the user identifier under the condition that the associated user identifier is the same as the user identifier; or determining an associated user identifier according to the query result, and determining access abnormal information as access behavior information of the user identifier under the condition that the associated user identifier is different from the user identifier; or, under the condition that it is determined according to the query result that no associated user identifier exists in the access information table, generating a target mapping relation based on the user identifier and the access hash value, and recording the target mapping relation to the access information table.
In an optional embodiment, in a case that the service party to which the target service belongs does not satisfy the resource invocation condition, the determining information module 408 is further configured to:
determining the number of user identifications corresponding to the access hash value in a preset time interval according to the flow data to be detected; and detecting the number of the user identifications based on the behavior detection strategy, and determining the access behavior information of the user identifications according to the detection result.
In an optional embodiment, the determination information module 408 is further configured to:
determining an access user identifier corresponding to the access data in a preset time interval according to the flow data to be detected; and counting the identification number corresponding to the access user identification to be used as the user identification number corresponding to the access hash value.
In an optional embodiment, the determination information module 408 is further configured to:
determining access abnormal information as access behavior information of the user identification under the condition that the number of the user identifications is larger than a preset number threshold value based on the behavior detection strategy; or determining normal access information as the access behavior information of the user identifier when the number of the user identifiers is determined to be less than or equal to a preset number threshold value based on the behavior detection strategy.
In an optional embodiment, the apparatus further comprises:
the abnormal behavior detection module is configured to obtain an access feedback result of each access user identifier corresponding to the access data; performing hash operation on the access feedback result of each access user identifier respectively to obtain a feedback hash value corresponding to each access user identifier; and comparing the feedback hash value corresponding to each access user identifier, and determining the abnormal behavior result of the user identifier according to the comparison result.
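As an added worked example (not code from the patent or its applicant), the following Python sketches the pipeline the device embodiment describes end to end: session identifier from the cookie to user identifier, spliced access data, access hash, the table strategy for service parties that satisfy the resource invocation condition, the count strategy for those that do not, and the feedback-hash comparison. The cookie name `session`, the session store, SHA-256, the parameter sorting, the constructed traffic, and the reading of the feedback comparison are assumptions of the example.

```python
"""Reference implementation of the detection flow above (added example, not the patent's code)."""
import hashlib
from collections import defaultdict
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

NORMAL, ABNORMAL, UNKNOWN = "normal", "abnormal", "unknown"

# Constructed session-identifier -> user-identifier store (stands in for the real session backend).
SESSION_USERS = {"s-alice": "u1001", "s-bob": "u1002", "s-carol": "u1003"}


def user_id_from_cookie(cookie_header: str) -> Optional[str]:
    """Step 1: extract the session identifier from the user information file (Cookie header)
    and resolve it to the user identifier. Assumed cookie name: 'session'."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    return SESSION_USERS.get(morsel.value) if morsel else None


def access_data(url: str) -> str:
    """Step 2: parse the request into access address, parameter names and parameter values and
    splice them into one string. Sorting the parameters is an added hardening so that a
    reordered query string does not yield a different hash for the same resource."""
    parts = urlsplit(url)
    params = sorted(parse_qsl(parts.query, keep_blank_values=True))
    return parts.path + "?" + "&".join(f"{k}={v}" for k, v in params)


def access_hash(data: str) -> str:
    """Step 3: hash the spliced access data (SHA-256 chosen here; the text fixes no algorithm)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


class Detector:
    """Step 4: determine access behavior information under the two strategies in the text."""

    def __init__(self, resource_invocation_ok: bool, threshold: int = 1, window_s: float = 60.0):
        self.resource_invocation_ok = resource_invocation_ok  # service party satisfies the condition?
        self.threshold = threshold          # preset number threshold (count strategy)
        self.window_s = window_s            # preset time interval in seconds (count strategy)
        self.table: Dict[str, str] = {}     # access information table: hash -> historical user id
        self.seen: Dict[str, List[Tuple[float, str]]] = defaultdict(list)  # hash -> (ts, user id)

    def check(self, ts: float, cookie_header: str, url: str) -> Tuple[str, str]:
        uid = user_id_from_cookie(cookie_header)
        if uid is None:
            return UNKNOWN, ""
        h = access_hash(access_data(url))
        verdict = self._by_table(uid, h) if self.resource_invocation_ok else self._by_count(ts, uid, h)
        return verdict, h

    def _by_table(self, uid: str, h: str) -> str:
        """Table strategy: the first user recorded for a hash is treated as its legitimate owner."""
        owner = self.table.get(h)
        if owner is None:
            self.table[h] = uid  # no associated user identifier yet: record the new mapping
            return NORMAL
        return NORMAL if owner == uid else ABNORMAL

    def _by_count(self, ts: float, uid: str, h: str) -> str:
        """Count strategy: number of distinct users sending the same access hash in the window."""
        recent = [(t, u) for t, u in self.seen[h] if ts - t <= self.window_s]
        recent.append((ts, uid))
        self.seen[h] = recent
        return ABNORMAL if len({u for _, u in recent}) > self.threshold else NORMAL


def feedback_anomaly(responses: Dict[str, bytes]) -> bool:
    """Step 5 (after an abnormal verdict): hash each accessing user's response for the same
    access data. Identical feedback hashes for different users mean the same private resource
    was served to more than one user (this reading of the comparison is assumed)."""
    digests = {hashlib.sha256(body).hexdigest() for body in responses.values()}
    return len(responses) > 1 and len(digests) < len(responses)


# Constructed traffic: (timestamp, Cookie header, request URL). Request 3 is Bob reading Alice's order.
SAMPLE_TRAFFIC = [
    (1.0, "session=s-alice", "/api/order?id=501&fields=amount"),
    (2.0, "session=s-bob", "/api/order?id=777&fields=amount"),
    (3.0, "session=s-bob", "/api/order?fields=amount&id=501"),
]


def run(detector: Detector) -> List[str]:
    """Feed the constructed traffic through one detector and return the per-request verdicts."""
    return [detector.check(ts, cookie, url)[0] for ts, cookie, url in SAMPLE_TRAFFIC]
```

Both strategies flag the third request; with the count strategy the verdict also depends on the threshold and window, which is why those are the tunables a deployment has to pick per service.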
In order to perceive unauthorized behavior in advance and protect against it, the behavior detection device provided by the present specification may, after acquiring the traffic data to be detected corresponding to the target service, determine the user identifier and the access data associated with the user identifier in that traffic data, and then perform a hash operation on the access data to obtain the access hash value corresponding to the user identifier. Then, by combining the behavior detection strategy of the target service with the access hash value, the determination of the access behavior information of the user identifier is completed before the private resources are returned in response to the access data, so that unauthorized behavior can be perceived and protected against in advance and the loss caused by data leakage is avoided.
The above is an illustrative scheme of a behavior detection apparatus of the present embodiment. It should be noted that the technical solution of the behavior detection device and the technical solution of the behavior detection method belong to the same concept, and details that are not described in detail in the technical solution of the behavior detection device can be referred to the description of the technical solution of the behavior detection method.
FIG. 5 illustrates a block diagram of a computing device 500 provided in accordance with one embodiment of the present description. The components of the computing device 500 include, but are not limited to, a memory 510 and a processor 520. Processor 520 is coupled to memory 510 via bus 530, and database 550 is used to store data.
Computing device 500 also includes access device 540, access device 540 enabling computing device 500 to communicate via one or more networks 560. Examples of such networks include the Public Switched Telephone Network (PSTN), a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or a combination of communication networks such as the internet. The access device 540 may include one or more of any type of network interface, e.g., a Network Interface Card (NIC), wired or wireless, such as an IEEE802.11 Wireless Local Area Network (WLAN) wireless interface, a worldwide interoperability for microwave access (Wi-MAX) interface, an ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a bluetooth interface, a Near Field Communication (NFC) interface, and so forth.
In one embodiment of the present description, the above-described components of computing device 500, as well as other components not shown in FIG. 5, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device architecture shown in FIG. 5 is for purposes of example only and is not limiting as to the scope of the present description. Those skilled in the art may add or replace other components as desired.
Computing device 500 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), mobile phone (e.g., smartphone), wearable computing device (e.g., smartwatch, smartglasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or PC. Computing device 500 may also be a mobile or stationary server.
Wherein the processor 520 is configured to execute computer-executable instructions that, when executed by the processor, implement the steps of the behavior detection method described above.
The above is an illustrative scheme of a computing device of the present embodiment. It should be noted that the technical solution of the computing device and the technical solution of the behavior detection method belong to the same concept, and details that are not described in detail in the technical solution of the computing device can be referred to the description of the technical solution of the behavior detection method.
An embodiment of the present specification further provides a computer-readable storage medium storing computer-executable instructions, which when executed by a processor, implement the steps of the behavior detection method described above.
The above is an illustrative scheme of a computer-readable storage medium of the present embodiment. It should be noted that the technical solution of the storage medium belongs to the same concept as the technical solution of the behavior detection method, and details that are not described in detail in the technical solution of the storage medium can be referred to the description of the technical solution of the behavior detection method.
An embodiment of the present specification further provides a computer program, wherein when the computer program is executed in a computer, the computer is caused to execute the steps of the behavior detection method.
The above is an illustrative scheme of a computer program of the present embodiment. It should be noted that the technical solution of the computer program and the technical solution of the behavior detection method belong to the same concept, and details that are not described in detail in the technical solution of the computer program can be referred to the description of the technical solution of the behavior detection method.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The computer instructions comprise computer program code which may be in the form of source code, object code, an executable file or some intermediate form, or the like. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, USB disk, removable hard disk, magnetic disk, optical disk, computer memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, etc. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions; for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals, as is required by legislation and patent practice.
It should be noted that, for the sake of simplicity, the foregoing method embodiments are described as a series of acts, but those skilled in the art should understand that the present embodiment is not limited by the described acts, because some steps may be performed in other sequences or simultaneously according to the present embodiment. Furthermore, those skilled in the art will appreciate that the embodiments described in this specification are presently preferred and that no acts or modules are required in the implementations of the disclosure.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to the related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are intended only to aid in the description of the specification. Alternative embodiments are not exhaustive and do not limit the invention to the precise embodiments described. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the embodiments. The specification is limited only by the claims and their full scope and equivalents.
Claims (13)
1. A behavior detection method, comprising:
acquiring flow data to be detected corresponding to a target service;
determining a user identifier and access data associated with the user identifier in the flow data to be detected;
performing hash operation on the access data to obtain an access hash value corresponding to the user identifier;
determining access behavior information of the user identifier based on the behavior detection strategy of the target service and the access hash value; wherein the behavior detection policy is associated with a horizontal privilege escalation (horizontal unauthorized access) behavior detection dimension.
2. The method according to claim 1, wherein before the step of obtaining the flow data to be detected corresponding to the target service is executed, the method further comprises:
acquiring historical flow data of the target service;
determining resource access data of associated user resources in the historical traffic data, and generating reference access information based on the resource access data;
correspondingly, the acquiring of the flow data to be detected corresponding to the target service includes:
acquiring initial flow data corresponding to the target service;
and screening out flow data associated with the reference access information from the initial flow data to serve as the flow data to be detected.
3. The method according to claim 1, wherein the determining the user identifier and the access data associated with the user identifier in the flow data to be detected comprises:
extracting a session identifier from a user information file corresponding to the flow data to be detected, and determining the user identifier corresponding to the session identifier;
and analyzing the flow data to be detected, and generating the access data associated with the user identifier according to an analysis result.
4. The method of claim 3, wherein the analyzing the flow data to be detected and the generating the access data associated with the user identifier according to the analysis result comprises:
analyzing the flow data to be detected to obtain an access address, access parameter information and an access parameter value associated with the user identifier;
and splicing the access address, the access parameter information and the access parameter value to obtain the access data associated with the user identifier.
5. The method according to claim 1, wherein in a case that a service party to which the target service belongs satisfies a resource invocation condition, the determining access behavior information of the user identifier based on the behavior detection policy of the target service and the access hash value includes:
determining an access information table based on the behavior detection strategy of the target service;
inquiring the access information table according to the access hash value, and determining the access behavior information of the user identifier according to an inquiry result;
and the access information table records the mapping relation between the historical access hash value and the historical user identification.
6. The method according to claim 5, wherein the determining the access behavior information of the user identifier according to the query result comprises:
determining an associated user identifier according to the query result, and determining normal access information as access behavior information of the user identifier under the condition that the associated user identifier is the same as the user identifier; or,
determining an associated user identifier according to a query result, and determining access abnormal information as access behavior information of the user identifier under the condition that the associated user identifier is different from the user identifier; or,
and under the condition that the access information table is determined to have no associated user identification according to the query result, generating a target mapping relation based on the user identification and the access hash value, and recording the target mapping relation to the access information table.
7. The method according to claim 1, wherein in a case that a service party to which the target service belongs does not satisfy a resource invocation condition, the determining access behavior information of the user identifier based on the behavior detection policy of the target service and the access hash value includes:
determining the number of user identifications corresponding to the access hash value in a preset time interval according to the flow data to be detected;
and detecting the number of the user identifications based on the behavior detection strategy, and determining the access behavior information of the user identifications according to the detection result.
8. The method according to claim 7, wherein the determining, according to the flow data to be detected, the number of the user identifiers corresponding to the access hash value within a preset time interval includes:
determining an access user identifier corresponding to the access data in a preset time interval according to the flow data to be detected;
and counting the identification number corresponding to the access user identification as the user identification number corresponding to the access hash value.
9. The method of claim 8, wherein the detecting the number of the user identifiers based on the behavior detection policy and determining the access behavior information of the user identifiers according to the detection result comprise:
determining access abnormal information as access behavior information of the user identification under the condition that the number of the user identifications is larger than a preset number threshold value based on the behavior detection strategy; or,
and determining normal access information as the access behavior information of the user identifier under the condition that the number of the user identifiers is determined to be less than or equal to a preset number threshold value based on the behavior detection strategy.
10. The method according to claim 9, wherein after the step of determining access abnormal information as the access behavior information of the user identifier is performed, the method further comprises:
obtaining an access feedback result of each access user identifier corresponding to the access data;
performing hash operation on the access feedback result of each access user identifier respectively to obtain a feedback hash value corresponding to each access user identifier;
and comparing the feedback hash value corresponding to each access user identifier, and determining the abnormal behavior result of the user identifier according to the comparison result.
11. A behavior detection device comprising:
the data acquisition module is configured to acquire flow data to be detected corresponding to the target service;
the determining identification module is configured to determine a user identification in the flow data to be detected and access data associated with the user identification;
the hash operation module is configured to perform hash operation on the access data to obtain an access hash value corresponding to the user identifier;
a determination information module configured to determine access behavior information of the user identifier based on a behavior detection policy of the target service and the access hash value; wherein the behavior detection policy is associated with a horizontal privilege escalation (horizontal unauthorized access) behavior detection dimension.
12. A computing device, comprising:
a memory and a processor;
the memory is for storing computer-executable instructions, and the processor is for executing the computer-executable instructions, which when executed by the processor, implement the steps of the method of any one of claims 1 to 10.
13. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the steps of the method of any one of claims 1 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211268787.0A CN115664743A (en) | 2022-10-17 | 2022-10-17 | Behavior detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115664743A true CN115664743A (en) | 2023-01-31 |
Family
ID=84987328
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||