
CN109005156A - Method and device for determining account sharing - Google Patents


Publication number: CN109005156A
Authority: CN (China)
Application number: CN201810732670.0A
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN109005156B (en)
Inventors: 李彦豪, 安丙春
Current Assignee: Taikang Insurance Group Co Ltd
Original Assignee: Taikang Insurance Group Co Ltd
Prior art keywords: account, address, owner, access, effective information


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/09: Mapping addresses
    • H04L61/25: Mapping addresses of the same type
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281: Proxies

Abstract

An embodiment of the present invention provides a method and device for determining account sharing. The method comprises: obtaining the log files within a time interval to be analyzed; determining, from the log files, the effective information of each access within the time interval to be analyzed, the effective information including the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access; and determining, from the effective information and preset authority information, the accounts that exhibit sharing behavior, the preset authority information including the mapping between accounts and account owners and the mapping between IP addresses and IP-address owners. By analyzing log files, the method provided by the embodiment can identify the accounts that exhibit sharing behavior, so that those accounts can be placed under security monitoring and security risks eliminated in time.

Description

Method and device for determining account sharing
Technical field
Embodiments of the present invention relate to the field of computer technology, and in particular to a method and device for determining account sharing.
Background
A bastion host is a system that, in a specific network environment, uses various technical means to collect and monitor in real time the system state, security events and network activity of every component of the network environment, in order to protect the network and data from intrusion and damage by external and internal users, and to allow centralized alerting, timely handling, and auditing to assign responsibility. The bastion host cuts off the terminal computers' direct access to network and server resources and, acting as a protocol proxy, takes over the terminal computers' access to the network and servers.
As the scale of corporate information technology (Information Technology, IT) keeps expanding, IT operations and maintenance (O&M) tasks become more and more complex and IT O&M teams grow larger and larger. Large teams and complex work pose a huge challenge to operations management, so many companies introduce a bastion-host system to manage O&M permissions, record user operations and carry out after-the-fact investigation, thereby improving the efficiency of operations management and strengthening the information security of the enterprise. When a suspicious operation is found, the bastion-host system can trace the account that executed the suspicious operation to the O&M staff member who uses that bastion-host account, and follow-up handling can then be carried out. In practice, however, bastion-host accounts may for various reasons end up shared, that is, several O&M staff use the same bastion-host account. With a shared bastion-host account, the operator cannot be determined promptly and accurately when a suspicious operation occurs, which greatly weakens the function of the bastion-host system and brings a serious security risk to the company's operations management.
Currently, the prior art offers no technical means of determining the sharing of bastion-host accounts.
Summary of the invention
Embodiments of the present invention provide a method and device for determining account sharing, to solve the problem that the prior art cannot detect the sharing of bastion-host accounts in time by technical means.
In a first aspect, an embodiment of the present invention provides a method for determining account sharing, comprising:
Obtaining the log files within a time interval to be analyzed;
Determining, from the log files, the effective information of each access within the time interval to be analyzed, the effective information including: the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access;
Determining, from the effective information and preset authority information, the accounts that exhibit sharing behavior, the preset authority information including the mapping between accounts and account owners and the mapping between IP addresses and IP-address owners.
Optionally, determining the accounts that exhibit sharing behavior from the effective information and the preset authority information comprises:
Determining, from the effective information, the accounts that use multiple IP addresses;
For each account that uses multiple IP addresses, determining the owners of the multiple IP addresses used by the account according to the mapping between IP addresses and IP-address owners;
Determining, from the owners of the multiple IP addresses used by the account, whether the account is a first-class shared account or a second-class shared account;
The sharing probability of a first-class shared account is lower than the sharing probability of a second-class shared account.
Optionally, determining from the owners of the multiple IP addresses used by the account that the account is a first-class shared account comprises:
If the owner of the multiple IP addresses used by the account is unique, determining the owner of the account according to the mapping between accounts and account owners;
If the owner of the multiple IP addresses used by the account differs from the owner of the account, determining that the account is a first-class shared account.
Optionally, the method further comprises:
If the owner of the multiple IP addresses used by the account is unique, determining the owner of the account according to the mapping between accounts and account owners;
If the owner of the multiple IP addresses used by the account is the same as the owner of the account, determining that the account exhibits no sharing behavior.
Optionally, determining from the owners of the multiple IP addresses used by the account that the account is a second-class shared account comprises:
If the owner of the multiple IP addresses used by the account is not unique, determining that the account is a second-class shared account.
Optionally, the method further comprises:
If the account is a second-class shared account, determining the account's working time at each IP address from the effective information;
If the account's working times at the individual IP addresses partly overlap, determining that the account is a third-class shared account, the sharing probability of a second-class shared account being lower than the sharing probability of a third-class shared account.
Optionally, determining the account's working time at each IP address from the effective information comprises:
Grouping all accesses by the account within the time interval to be analyzed by IP address;
For each group of accesses, merging along the time dimension according to the start time and end time of each access, to determine the account's working time at each IP address.
In a second aspect, an embodiment of the present invention provides a device for determining account sharing, comprising:
An obtaining module, for obtaining the log files within a time interval to be analyzed;
An analysis module, for determining, from the log files, the effective information of each access within the time interval to be analyzed, the effective information including: the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access;
A processing module, for determining, from the effective information and preset authority information, the accounts that exhibit sharing behavior, the preset authority information including the mapping between accounts and account owners and the mapping between IP addresses and IP-address owners.
In a third aspect, an embodiment of the present invention provides an electronic device, comprising:
A memory;
A processor; and
A computer program;
Wherein the computer program is stored in the memory and is configured to be executed by the processor to implement the method of any implementation of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program, the computer program being executed by a processor to implement the method of any implementation of the first aspect.
The method and device for determining account sharing provided by the embodiments of the present invention obtain the effective information of each access by analyzing log files and, from the effective information and the preset authority information, can determine the accounts that exhibit sharing behavior, which solves the problem that the prior art cannot determine account sharing by technical means. Placing the accounts that exhibit sharing behavior under security monitoring reduces security risk, helps eliminate security hazards, and raises the level of O&M.
Description of the drawings
The drawings here are incorporated into and form part of this specification; they show embodiments consistent with the invention and, together with the specification, serve to explain the principles of the invention.
Fig. 1 is a flow chart of one embodiment of the method for determining account sharing provided by the invention;
Fig. 2 is a flow chart of another embodiment of the method for determining account sharing provided by the invention;
Fig. 3 is a flow chart of a further embodiment of the method for determining account sharing provided by the invention;
Fig. 4 is a flow chart of yet another embodiment of the method for determining account sharing provided by the invention;
Fig. 5 is a flow chart of still another embodiment of the method for determining account sharing provided by the invention;
Fig. 6 is a structural diagram of one embodiment of the device for determining account sharing provided by the invention;
Fig. 7 is a structural diagram of one embodiment of the electronic device provided by the invention.
The drawings above show specific embodiments of the invention, which are described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concept in any way, but to explain the concept of the invention to those skilled in the art by reference to specific embodiments.
Detailed description of embodiments
Example embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention. Rather, they are merely examples of devices and methods consistent with some aspects of the invention as detailed in the appended claims.
The terms "include" and "have" and any variants of them in the description and claims of the present invention are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the listed steps or units, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to such a process, method, product or device.
"First" and "second" in the present invention serve only as labels and are not to be understood as indicating or implying an order, relative importance, or the number of the technical features indicated. "Multiple" means two or more. "And/or" describes a relationship between associated objects and indicates that three relationships are possible; for example, "A and/or B" can mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it.
"One embodiment" or "an embodiment" mentioned throughout the specification of the present invention means that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of the present application. Therefore, "in one embodiment" or "in an embodiment" appearing in various places throughout the specification does not necessarily refer to the same embodiment. It should be noted that, where there is no conflict, the embodiments of the present invention and the features in the embodiments may be combined with one another.
The method and device provided by the embodiments of the present invention can be used on any equipment that has a logging system and can record logs, such as bastion hosts, routers and servers. In the embodiments of the present invention, a user uses relatively fixed Internet Protocol (IP) addresses, that is, the owner of an IP address is relatively fixed.
Fig. 1 is a flow chart of one embodiment of the method for determining account sharing provided by the invention. As shown in Fig. 1, the method provided by this embodiment may include:
Step S101: obtain the log files within the time interval to be analyzed.
A log file is a record file, or set of files, that records system operation events; it includes event logs and message logs and serves important functions such as handling historical data, tracing problems for diagnosis, and understanding the activity of the system. The event log records the events that occur while the system runs, providing a trail that can be used to understand system activity and diagnose problems. This is essential for understanding the activity of complex systems, especially applications with little user interaction. For example, the log files of a bastion host record how O&M staff access target servers through the bastion host.
The time interval to be analyzed in this embodiment can be set according to a proactive early-warning mechanism or an after-the-fact tracing mechanism. The proactive early-warning mechanism means checking for security risks in time by analyzing log files before a problem occurs; for example, log files can be obtained and analyzed periodically with a preset period, which may be an hour, a day, a week and so on, or the user can set the time interval to be analyzed as the situation requires. The after-the-fact tracing mechanism means that, after the network has been intruded upon or attacked and a security problem has appeared, the log files for the period in which the problem occurred are obtained and analyzed, in order to determine the kind of problem and address its root cause.
The log files obtained for the time interval to be analyzed in this embodiment can be a single log file or a set of several log files.
Step S102: from the log files, determine the effective information of each access within the time interval to be analyzed, the effective information including: the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access.
A log file records a large amount of information. To improve processing efficiency, it must first be analyzed to extract the information that is useful for determining account sharing.
From the log files for the time interval to be analyzed, the effective information of each access within that interval can be determined. The effective information includes but is not limited to: the start time of the access, the end time of the access, the IP address of the access, and the account of the access. For example, a model of users accessing servers through the bastion-host system can be abstracted by analyzing the bastion-host system logs.
Table 1
Start time of access   End time of access   IP address of access   Account of access
01:00                  02:00                IP_E1                  ID_E1
01:30                  02:00                IP_D1                  ID_D1
02:00                  02:30                IP_D2                  ID_D1
02:30                  03:00                IP_D3                  ID_C1
03:00                  03:30                IP_D4                  ID_C1
04:30                  05:00                IP_B1                  ID_B1
05:30                  06:30                IP_D4                  ID_B1
07:00                  07:30                IP_C1                  ID_B1
08:00                  09:00                IP_A1                  ID_A1
08:30                  10:00                IP_A1                  ID_A1
11:00                  12:00                IP_A1                  ID_A1
11:30                  12:30                IP_B1                  ID_A1
Table 1 records the effective information of the accesses within the time interval to be analyzed. Times use the 24-hour clock; ID_A1, ID_B1, ID_C1, ID_D1 and ID_E1 are the user accounts involved in accesses within the time interval to be analyzed, and IP_A1, IP_B1, IP_C1, IP_D1, IP_D2, IP_D3, IP_D4 and IP_E1 are the IP addresses involved in accesses within that interval.
Step S103: from the effective information and the preset authority information, determine the accounts that exhibit sharing behavior, the preset authority information including the mapping between accounts and account owners and the mapping between IP addresses and IP-address owners.
Table 2
Account   Owner of account
ID_A1     A
ID_B1     B
ID_C1     C
ID_D1     D
ID_E1     E
Table 2 shows the mapping between accounts and the owners/users of the accounts. In this embodiment an account can belong to only one owner, while an owner can hold several accounts; for example, one user can hold several accounts with different permissions. This embodiment is described for the case where each user holds one account, and the method it provides applies equally where a user holds several accounts.
Table 3
IP address   Owner of IP address
IP_A1        A
IP_B1        B
IP_C1        C
IP_D1        D
IP_E1        E
IP_D2        D
IP_D3        D
IP_D4        D
Table 3 shows the mapping between IP addresses and the owners/users of the IP addresses. In this embodiment an IP address can belong to only one owner, while an owner can use several IP addresses; for example, a user who has fixed office computers in several different office areas owns several IP addresses.
The preset authority information in this embodiment, that is, the mapping between accounts and account owners and the mapping between IP addresses and IP-address owners, must be updated promptly as circumstances change so that it reflects the true situation. For example, when the office area of a staff member is changed, the mapping between IP addresses and IP-address owners may change and needs to be updated; when staff leave or join, the mapping between accounts and account owners may change and needs to be updated.
From the effective information and the preset authority information, the accounts that exhibit sharing behavior can be determined. Taking the effective information recorded in Table 1 as an example: within the time interval to be analyzed, account ID_E1 is accessed only from IP_E1, and the owner of account ID_E1 and the owner of IP_E1 are both user E, so account ID_E1 exhibits no sharing behavior. Account ID_B1, on the other hand, is accessed within the time interval to be analyzed from IP_B1, IP_C1 and IP_D4; the owner of account ID_B1 is user B, the owner of address IP_B1 is user B, the owner of address IP_C1 is user C, and the owner of address IP_D4 is user D. The owner of the account and the owners of the IP addresses therefore differ, so account ID_B1 may exhibit sharing behavior and needs to be placed under security monitoring to reduce security risk.
The method for determining account sharing provided by this embodiment obtains the effective information of each access by analyzing log files and, from the effective information and the preset authority information, can determine the accounts that exhibit sharing behavior, which solves the problem that the prior art cannot determine account sharing by technical means. Placing the accounts that exhibit sharing behavior under security monitoring reduces security risk, helps eliminate security hazards, and raises the level of O&M.
Fig. 2 is a flow chart of another embodiment of the method for determining account sharing provided by the invention. As shown in Fig. 2, the method provided by this embodiment may include:
Step S201: obtain the log files within the time interval to be analyzed.
Step S202: from the log files, determine the effective information of each access within the time interval to be analyzed, the effective information including: the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access.
Step S203: from the effective information, determine the accounts that use multiple IP addresses.
Optionally, all accesses within the time interval to be analyzed can be grouped by the account of the access, and the number of IP addresses used by each account counted, to determine the accounts that use multiple IP addresses. Taking Table 1 as an example, accounts ID_A1, ID_B1, ID_C1 and ID_D1 are the accounts that use multiple IP addresses.
Step S204: for each account that uses multiple IP addresses, determine the owners of the multiple IP addresses used by the account according to the mapping between IP addresses and IP-address owners.
For each account that uses multiple IP addresses, the owners of the multiple IP addresses used by the account are determined from the relationship between IP addresses and IP-address owners in the preset authority information.
According to Table 1 and Table 3, account ID_B1, which uses multiple IP addresses, is accessed within the time interval to be analyzed from IP_B1, IP_C1 and IP_D4; the owner of address IP_B1 is user B, the owner of address IP_C1 is user C, and the owner of address IP_D4 is user D.
Step S205: from the owners of the multiple IP addresses used by the account, determine whether the account is a first-class shared account or a second-class shared account. The sharing probability of a first-class shared account is lower than the sharing probability of a second-class shared account.
In this embodiment the sharing probability of a second-class shared account is higher than that of a first-class shared account, so a higher level of security monitoring can be applied to such accounts. The sharing probability of a first-class shared account is lower; such accounts can be kept under follow-up observation, with an alert raised promptly when an anomaly occurs.
The method for determining account sharing provided by this embodiment determines, by analyzing log files, the accounts that use multiple IP addresses; determines the owners of the multiple IP addresses used by each account according to the mapping between IP addresses and IP-address owners; and determines, from the owners of the multiple IP addresses used by the account, the class of the account that exhibits sharing behavior, so that different levels of security monitoring can be applied according to the sharing probability of the different classes of account.
Optionally, determining from the owners of the multiple IP addresses used by the account that the account is a first-class shared account may include:
If the owner of the multiple IP addresses used by the account is unique, determining the owner of the account according to the mapping between accounts and account owners.
If the owner of the multiple IP addresses used by the account differs from the owner of the account, determining that the account is a first-class shared account.
Taking Table 1 as an example, the IP addresses used by account ID_C1 are IP_D3 and IP_D4; the owner of both IP_D3 and IP_D4 is user D, and the owner of account ID_C1 is user C. The owner of the multiple IP addresses used by account ID_C1 is therefore unique and differs from the owner of the account, so account ID_C1 is determined to be a first-class shared account. A first-class shared account may exhibit sharing behavior, but normal use cannot be ruled out. For example, if in the preset authority information the mapping between accounts and account owners and/or the mapping between IP addresses and IP-address owners is not updated in time, an account may be misjudged as a first-class shared account.
Optionally, if the owner of the multiple IP addresses used by the account is the same as the owner of the account, it is determined that the account exhibits no sharing behavior.
Taking Table 1 as an example, the IP addresses used by account ID_D1 are IP_D1 and IP_D2; the owner of both IP_D1 and IP_D2 is user D, and the owner of account ID_D1 is also user D. The owner of the multiple IP addresses used by account ID_D1 is therefore unique and the same as the owner of the account, so it is determined that account ID_D1 exhibits no sharing behavior.
Optionally, determining from the owners of the multiple IP addresses used by the account that the account is a second-class shared account comprises:
If the owner of the multiple IP addresses used by the account is not unique, determining that the account is a second-class shared account.
Taking Table 1 as an example, the IP addresses used by account ID_B1 are IP_B1, IP_D4 and IP_C1; the owner of IP_B1 is user B, the owner of IP_D4 is user D, and the owner of IP_C1 is user C. The owner of the multiple IP addresses used by account ID_B1 is therefore not unique, so account ID_B1 can be determined to be a second-class shared account.
Optionally, if the owner of the multiple IP addresses used by the account is not unique, that is, the account is a second-class shared account, the account's working time at each IP address can further be determined from the effective information.
If the account's working times at the individual IP addresses partly overlap, the account is determined to be a third-class shared account.
Taking Table 1 as an example, the owners of the multiple IP addresses used by accounts ID_B1 and ID_A1 are not unique, so accounts ID_B1 and ID_A1 can be determined to be second-class shared accounts. The second-class shared accounts ID_B1 and ID_A1 are analyzed further to improve the accuracy of the account-sharing analysis. The working times of account ID_B1 at its individual IP addresses do not overlap. The working times of account ID_A1 at IP_A1 and IP_B1 overlap from 11:30 to 12:00, so account ID_A1 can be determined to be a third-class shared account. The sharing probability of the second-class shared account ID_B1 is lower than the sharing probability of the third-class shared account ID_A1.
Optionally, determining the account's working time at each IP address from the effective information comprises:
Grouping all accesses by the account within the time interval to be analyzed by IP address;
For each group of accesses, merging along the time dimension according to the start time and end time of each access, to determine the account's working time at each IP address.
Taking a bastion-host account as an illustration: suppose the suspicious bastion-host account is user, and two computers have used this account; the two computers are PC1 and PC2, with IP addresses IP1 and IP2 respectively. PC1 used account user during t1 to t3, t2 to t5 and t6 to t8, and PC2 used account user during t4 to t7, where t1 < t2 < t3 < t4 < t5 < t6 < t7 < t8. Analysis shows that the working time of bastion-host account user at PC1 is t1 to t5 and t6 to t8, and its working time at PC2 is t4 to t7. The working times of bastion-host account user at the different computers overlap during t4 to t5 and t6 to t7, so the account exhibits sharing behavior. Account user can therefore be determined to be a third-class shared account.
In the same way, account ID_A1 in Table 1 can also be determined to be a third-class shared account.
It is combined below by the various embodiments described above, provides several specific embodiments and be specifically described.
Fig. 3 is a flowchart of another embodiment of the account-sharing determination method provided by the present invention. As shown in Fig. 3, the method provided by this embodiment may include:
Step S301: obtain the log file within the time interval to be analyzed.
Step S302: according to the log file, determine the effective information of each access within the time interval to be analyzed. The effective information includes: the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access.
Step S303: according to the effective information, determine the accounts that use multiple IP addresses.
Step S304: for each account that uses multiple IP addresses, determine the owners of the multiple IP addresses used by the account according to the mapping relationship between IP addresses and IP address owners.
Step S305: if the owner of the multiple IP addresses used by the account is unique, determine the owner of the account according to the mapping relationship between accounts and account owners.
Step S306: if the owner of the multiple IP addresses used by the account is different from the owner of the account, determine that the account is a first-class shared account.
Fig. 4 is a flowchart of yet another embodiment of the account-sharing determination method provided by the present invention. As shown in Fig. 4, the method provided by this embodiment may include:
Step S401: obtain the log file within the time interval to be analyzed.
Step S402: according to the log file, determine the effective information of each access within the time interval to be analyzed. The effective information includes: the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access.
Step S403: according to the effective information, determine the accounts that use multiple IP addresses.
Step S404: for each account that uses multiple IP addresses, determine the owners of the multiple IP addresses used by the account according to the mapping relationship between IP addresses and IP address owners.
Step S405: if the owners of the multiple IP addresses used by the account are not unique, determine that the account is a second-class shared account.
Fig. 5 is a flowchart of another embodiment of the account-sharing determination method provided by the present invention. As shown in Fig. 5, the method provided by this embodiment may include:
Step S501: obtain the log file within the time interval to be analyzed.
Step S502: according to the log file, determine the effective information of each access within the time interval to be analyzed. The effective information includes: the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access.
Step S503: according to the effective information, determine the accounts that use multiple IP addresses.
Step S504: for each account that uses multiple IP addresses, determine the owners of the multiple IP addresses used by the account according to the mapping relationship between IP addresses and IP address owners.
Step S505: if the owners of the multiple IP addresses used by the account are not unique, determine the working time of the account on each IP address according to the effective information.
The owners of the multiple IP addresses used by the account are not unique, that is, the account is a second-class shared account. Such an account can be analyzed further: its working time on each IP address can be determined according to the effective information.
Step S506: if the working times of the account on the individual IP addresses partly overlap, determine that the account is a third-class shared account.
It should be noted that second-class shared accounts may include third-class shared accounts. After an account has been determined to be a second-class shared account, it can be analyzed further; when it meets the condition for a third-class shared account, it is determined to be a third-class shared account. Sharing behavior certainly exists for a third-class shared account, which improves the accuracy of the account-sharing analysis. Third-class shared accounts have the highest sharing-behavior probability, so high-level security monitoring can be applied to such accounts, and their permissions can even be disabled to avoid risk.
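The owner check of Figs. 3 to 5 and the working-time merge of the bastion-host example, as an added Python example that is not part of the patent text. The integer timestamps standing in for t1 to t8, the owner names, the accounts svc, ops and dev, and all function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the patent). t1..t8 of the bastion-host
# example are mapped to 1..8; owner names and all accounts but "user" are made up.
IP_OWNER = {"IP1": "alice", "IP2": "bob", "IP3": "carol", "IP4": "carol"}
ACCOUNT_OWNER = {"user": "alice", "svc": "dave", "ops": "carol", "dev": "alice"}
ACCESSES = [  # effective information: (account, ip, start, end)
    ("user", "IP1", 1, 3), ("user", "IP1", 2, 5), ("user", "IP1", 6, 8),
    ("user", "IP2", 4, 7),
    ("svc", "IP3", 1, 2), ("svc", "IP4", 3, 4),  # one IP owner, not the account owner
    ("ops", "IP3", 1, 2), ("ops", "IP4", 2, 3),  # one IP owner, same as account owner
    ("dev", "IP1", 1, 2), ("dev", "IP2", 5, 6),  # two IP owners, no time overlap
]


def merge_intervals(intervals):
    """Time-dimension merge: fuse intervals that overlap or touch."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [tuple(m) for m in merged]


def working_times(accesses, account):
    """Classify one account's accesses by IP address, then merge each class."""
    by_ip = defaultdict(list)
    for acc, ip, start, end in accesses:
        if acc == account:
            by_ip[ip].append((start, end))
    return {ip: merge_intervals(spans) for ip, spans in by_ip.items()}


def cross_ip_overlaps(times):
    """Spans in which the account was in use on two different IPs at once."""
    overlaps = []
    ips = sorted(times)
    for i, ip_a in enumerate(ips):
        for ip_b in ips[i + 1:]:
            for s1, e1 in times[ip_a]:
                for s2, e2 in times[ip_b]:
                    lo, hi = max(s1, s2), min(e1, e2)
                    if lo < hi:  # assumption: a shared endpoint alone is not overlap
                        overlaps.append((lo, hi))
    return sorted(overlaps)


def classify(accesses, account, ip_owner=IP_OWNER, account_owner=ACCOUNT_OWNER):
    """Apply the owner check first, then the overlap check, to one account."""
    times = working_times(accesses, account)
    if len(times) < 2:
        return "single IP, not analyzed"
    # Assumption: an IP missing from the mapping counts as its own unknown owner.
    owners = {ip_owner.get(ip, f"unknown:{ip}") for ip in times}
    if len(owners) == 1:
        if owners == {account_owner.get(account)}:
            return "no sharing"
        return "first-class shared account"
    if cross_ip_overlaps(times):
        return "third-class shared account"
    return "second-class shared account"


if __name__ == "__main__":
    for name in ("user", "svc", "ops", "dev"):
        print(name, working_times(ACCESSES, name), classify(ACCESSES, name))
```

For account user the merge yields t1 to t5 and t6 to t8 on IP1 and t4 to t7 on IP2, and the overlaps t4 to t5 and t6 to t7 place it in the third class, matching the bastion-host example.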
An embodiment of the present invention also provides an account-sharing determination device, shown in Fig. 6. The embodiment is described using Fig. 6 only as an example, which does not mean that the present invention is limited to it. The account-sharing determination device provided by this embodiment may be a bastion host (fort machine), a component of a bastion host such as an integrated circuit or chip, or another device with a log system. Fig. 6 is a schematic structural diagram of an embodiment of the account-sharing determination device provided by the present invention. As shown in Fig. 6, the account-sharing determination device 60 provided by this embodiment may include an obtaining module 601, an analysis module 602 and a processing module 603.
The obtaining module 601 is configured to obtain the log file within the time interval to be analyzed.
The analysis module 602 is configured to determine, according to the log file, the effective information of each access within the time interval to be analyzed. The effective information includes: the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access.
The processing module 603 is configured to determine, according to the effective information and preset authority information, the accounts for which sharing behavior exists. The preset authority information includes the mapping relationship between accounts and account owners and the mapping relationship between IP addresses and IP address owners.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
Optionally, the processing module 603 may specifically include a first determining module, a second determining module and a third determining module.
The first determining module is configured to determine, according to the effective information, the accounts that use multiple IP addresses.
The second determining module is configured to determine, for each account that uses multiple IP addresses, the owners of the multiple IP addresses used by the account according to the mapping relationship between IP addresses and IP address owners.
The third determining module is configured to determine, according to the owners of the multiple IP addresses used by the account, that the account is a first-class shared account or a second-class shared account. The sharing-behavior probability of a first-class shared account is lower than that of a second-class shared account.
Optionally, the third determining module may specifically be configured to: if the owner of the multiple IP addresses used by the account is unique, determine the owner of the account according to the mapping relationship between accounts and account owners; and if the owner of the multiple IP addresses used by the account is different from the owner of the account, determine that the account is a first-class shared account.
Optionally, the third determining module may also be configured to: if the owner of the multiple IP addresses used by the account is the same as the owner of the account, determine that no sharing behavior exists for the account.
Optionally, the third determining module may specifically be configured to: if the owners of the multiple IP addresses used by the account are not unique, determine that the account is a second-class shared account.
Optionally, the third determining module may specifically be configured to: if the account is a second-class shared account, determine the working time of the account on each IP address according to the effective information; and if the working times of the account on the individual IP addresses partly overlap, determine that the account is a third-class shared account.
Optionally, determining the working time of the account on each IP address according to the effective information includes:
classifying all accesses of the account within the time interval to be analyzed by IP address;
for each class of accesses, merging along the time dimension according to the start time and the end time of each access, to determine the working time of the account on each IP address.
An embodiment of the present invention also provides an electronic device, shown in Fig. 7. The embodiment is described using Fig. 7 only as an example, which does not mean that the present invention is limited to it. Fig. 7 is a schematic structural diagram of an embodiment of the electronic device provided by the present invention. As shown in Fig. 7, the electronic device 70 provided by this embodiment includes a memory 701, a processor 702 and a bus 703. The bus 703 implements the connections between the elements.
A computer program is stored in the memory 701; when executed by the processor 702, the computer program can implement the technical solution of any of the method embodiments above.
The memory 701 and the processor 702 are electrically connected, directly or indirectly, to transmit or exchange data. For example, these elements may be electrically connected to each other by one or more communication buses or signal lines, such as the bus 703. The memory 701 stores the computer program that implements the account-sharing determination method, including at least one software function module that can be stored in the memory 701 in the form of software or firmware. The processor 702 runs the software programs and modules stored in the memory 701 to execute various functional applications and data processing.
The memory 701 may be, but is not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), electrically erasable programmable read-only memory (Electric Erasable Programmable Read-Only Memory, EEPROM), and so on. The memory 701 stores the program, and the processor 702 executes the program after receiving an execution instruction. Further, the software programs and modules in the memory 701 may also include an operating system, which may include various software components and/or drivers for managing system tasks (such as memory management, storage device control and power management) and may communicate with various hardware or software components to provide a running environment for other software components.
The processor 702 may be an integrated circuit chip with signal processing capability. The processor 702 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), and so on. It can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. It can be understood that the structure in Fig. 7 is only illustrative; the device may include more or fewer components than shown in Fig. 7, or have a configuration different from that shown in Fig. 7. Each component shown in Fig. 7 may be implemented in hardware and/or software.
An embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program can implement the account-sharing determination method provided by any of the method embodiments above. The computer-readable storage medium in this embodiment may be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (for example, an SSD).
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for determining account sharing, characterized by comprising:
obtaining a log file within a time interval to be analyzed;
determining, according to the log file, effective information of each access within the time interval to be analyzed, the effective information including: the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access;
determining, according to the effective information and preset authority information, accounts for which sharing behavior exists, the preset authority information including a mapping relationship between accounts and account owners and a mapping relationship between IP addresses and IP address owners.
2. The method according to claim 1, characterized in that determining, according to the effective information and the preset authority information, accounts for which sharing behavior exists comprises:
determining, according to the effective information, accounts that use multiple IP addresses;
for each account that uses multiple IP addresses, determining the owners of the multiple IP addresses used by the account according to the mapping relationship between IP addresses and IP address owners;
determining, according to the owners of the multiple IP addresses used by the account, that the account is a first-class shared account or a second-class shared account;
wherein the sharing-behavior probability of the first-class shared account is lower than the sharing-behavior probability of the second-class shared account.
3. The method according to claim 2, characterized in that determining, according to the owners of the multiple IP addresses used by the account, that the account is a first-class shared account comprises:
if the owner of the multiple IP addresses used by the account is unique, determining the owner of the account according to the mapping relationship between accounts and account owners;
if the owner of the multiple IP addresses used by the account is different from the owner of the account, determining that the account is a first-class shared account.
4. The method according to claim 2, characterized in that the method further comprises:
if the owner of the multiple IP addresses used by the account is unique, determining the owner of the account according to the mapping relationship between accounts and account owners;
if the owner of the multiple IP addresses used by the account is the same as the owner of the account, determining that no sharing behavior exists for the account.
5. The method according to claim 2, characterized in that determining, according to the owners of the multiple IP addresses used by the account, that the account is a second-class shared account comprises:
if the owners of the multiple IP addresses used by the account are not unique, determining that the account is a second-class shared account.
6. The method according to claim 5, characterized in that the method further comprises:
if the account is a second-class shared account, determining the working time of the account on each IP address according to the effective information;
if the working times of the account on the individual IP addresses partly overlap, determining that the account is a third-class shared account, wherein the sharing-behavior probability of the second-class shared account is lower than the sharing-behavior probability of the third-class shared account.
7. The method according to claim 6, characterized in that determining the working time of the account on each IP address according to the effective information comprises:
classifying all accesses of the account within the time interval to be analyzed by IP address;
for each class of accesses, merging along the time dimension according to the start time and the end time of each access, to determine the working time of the account on each IP address.
8. A device for determining account sharing, characterized by comprising:
an obtaining module, configured to obtain a log file within a time interval to be analyzed;
an analysis module, configured to determine, according to the log file, effective information of each access within the time interval to be analyzed, the effective information including: the start time of the access, the end time of the access, the Internet Protocol (IP) address of the access, and the account of the access;
a processing module, configured to determine, according to the effective information and preset authority information, accounts for which sharing behavior exists, the preset authority information including a mapping relationship between accounts and account owners and a mapping relationship between IP addresses and IP address owners.
9. An electronic device, characterized by comprising:
a memory;
a processor; and
a computer program;
wherein the computer program is stored in the memory and is configured to be executed by the processor to implement the method according to any one of claims 1-7.
10. A computer-readable storage medium, characterized in that a computer program is stored thereon, the computer program being executed by a processor to implement the method according to any one of claims 1-7.
CN201810732670.0A 2018-07-05 2018-07-05 Account sharing determination method and device Active CN109005156B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810732670.0A CN109005156B (en) 2018-07-05 2018-07-05 Account sharing determination method and device

Publications (2)

Publication Number Publication Date
CN109005156A true CN109005156A (en) 2018-12-14
CN109005156B CN109005156B (en) 2021-06-01

Family

ID=64598360

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant