CN-122019324-A - Bastion machine operation instruction out-of-range behavior identification and control method
Abstract
The application provides a bastion machine operation instruction out-of-range behavior identification and control method. The method extracts the input value of the current operation instruction and the safety boundary value preset by the system from the bastion machine operation log, and synchronously collects the CPU occupancy rate, memory usage and number of running tasks of the target host. It analyzes the association between CPU occupancy rate, memory usage and running task number on the basis of the host resource state data and task load data, and identifies whether the host is currently in a light-load or heavy-load running state to obtain a host load grade. A dynamic risk quantization algorithm then calculates the degree of deviation between the operation instruction input value and the safety boundary from the input value, the safety boundary value and the host load grade, and the risk weight coefficient is adjusted according to the host load grade to obtain the out-of-range risk grade.
Inventors
- ZHANG ZHIYAO
- Yu Shunhuai
- HUANG JING
- ZOU YILONG
- CHEN JIANZHANG
- YAN YUAN
- Lin Peigui
Assignees
- 南方电网数字电网集团(广东)有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260130
Claims (9)
- 1. A bastion machine operation instruction out-of-range behavior identification and control method, characterized by comprising the following steps: extracting the input value of the current operation instruction and the safety boundary value preset by the system from the bastion machine operation log, and synchronously collecting the CPU occupancy rate, memory usage and number of running tasks of the target host; analyzing the association between the host resource state and the task load according to the CPU occupancy rate, memory usage and running task number, and identifying the current load state of the host to obtain the host load level; calculating the degree of deviation between the input value of the current operation instruction and the safety boundary according to the input value, the safety boundary value and the host load level, and adjusting a risk weight coefficient in combination with the host load level to obtain an out-of-range risk level; extracting a reference alarm threshold and a load adjustment coefficient according to the out-of-range risk level and the host load level, adjusting the reference alarm threshold, and comparing the out-of-range risk level with the adjusted alarm trigger threshold to obtain an alarm level; identifying the remaining processing capacity of the host from the CPU occupancy rate according to the alarm level and the host load level, and generating a safety response instruction; and issuing a blocking operation or starting a monitoring process on the target host according to the safety response instruction and a delayed execution time window, extracting the delay duration from the delayed execution time window, triggering secondary state detection once that duration has elapsed, and recording the operation execution state and a historical decision record.
- 2. The bastion machine operation instruction out-of-range behavior identification and control method according to claim 1, wherein extracting the input value of the current operation instruction and the safety boundary value preset by the system from the bastion machine operation log, and synchronously collecting the CPU occupancy rate, memory usage and running task number of the target host, comprises: reading operation records from the bastion machine log files, parsing the timestamps, user identifiers and command strings, extracting the file sizes, concurrent connection numbers and query record numbers from the command parameters, and acquiring the file size threshold, concurrent connection threshold and query record threshold corresponding to each command string from the security configuration file to obtain a job input data set; and connecting to the target host over the SSH protocol and collecting its CPU occupancy rate, memory usage and running task number to obtain host resource state data.
- 3. The bastion machine operation instruction out-of-range behavior identification and control method according to claim 1, wherein analyzing the association between the host resource state and the task load according to the CPU occupancy rate, memory usage and running task number, identifying the current load state of the host and obtaining the host load level, comprises: collecting time-series data of the CPU occupancy rate, memory usage and running task number of the host, and calculating the average task resource consumption and task resource density indices; constructing a two-dimensional scatter diagram from the average task resource consumption and the task resource density index, clustering the scatter points into several classes with the K-means clustering algorithm, and calculating the center point of each class; and determining whether the host is currently in a light-load, medium-load or heavy-load running state by comparing the Euclidean distance between the current resource state point and each class center point, and assigning the corresponding load grade to obtain the host load level.
- 4. The bastion machine operation instruction out-of-range behavior identification and control method according to claim 1, wherein calculating the degree of deviation between the operation instruction input value and the safety boundary according to the operation instruction input value, the safety boundary value and the host load level, and adjusting the risk weight coefficient according to the host load level to obtain the out-of-range risk level, comprises: calculating the difference between the input value of the current operation instruction and the safety boundary value, and taking the difference as a percentage of the safety boundary value as the basic deviation degree; querying a load weight mapping table according to the host load level to determine a weight factor, and multiplying the basic deviation degree by the weight factor to obtain a weighted deviation value; constructing a risk assessment matrix from the weighted deviation values, extracting from the bastion machine log database the historical execution records of each operation type in each deviation interval, counting the ratio of the number of system abnormalities to the total number of operations, and filling the risk assessment matrix with these ratios; looking up the initial risk probability value corresponding to the current operation instruction in the risk assessment matrix, adjusting the initial risk probability value according to the remaining CPU rate and remaining memory amount of the host, converting the adjusted value into a risk scoring interval with a nonlinear mapping function, and determining a risk score; and dividing the out-of-range risk level according to the risk score, and storing the out-of-range risk level in association with the operation instruction identifier to obtain the out-of-range risk level.
- 5. The bastion machine operation instruction out-of-range behavior identification and control method according to claim 4, further comprising obtaining the command type and operation authority level of an operation instruction from the bastion machine log, extracting the authority range and resource access limit allowed for that command type from the security boundary, analyzing the degree to which the operation authority exceeds the allowed range and the extent to which the resource access breaks through the limit, determining the direction of risk weight adjustment in combination with the host CPU occupancy rate and memory usage, and identifying the threat degree of the operation instruction, comprising: parsing the job instruction string from the bastion machine log, extracting the command header identifier to determine the command type, reading the role identifier of the executing user to obtain the operation authority level, querying the standard authority level and the accessible resource list corresponding to the command type in the security configuration library, and calculating the difference between the actual operation authority level and the standard authority level to obtain an authority override weight; extracting the target file paths, database table names and network target addresses actually accessed from the operation instruction parameters, comparing them item by item with the accessible resource list, counting the number of resource items not in the list, and calculating the proportion of those items to the total number of actually accessed resources to obtain a resource breakthrough rate; multiplying the resource breakthrough rate by the authority override weight to obtain an initial risk product, determining a high-load or low-load weight coefficient according to the current host CPU occupancy rate and memory usage, and adjusting the initial risk product with it to obtain a load-adjusted risk value; and querying a threat level mapping table according to the load-adjusted risk value to determine the threat degree of the operation instruction.
- 6. The bastion machine operation instruction out-of-range behavior identification and control method according to claim 1, wherein extracting a reference alarm threshold and a load adjustment coefficient according to the out-of-range risk level and the host load level, adjusting the reference alarm threshold, comparing the out-of-range risk level with the adjusted alarm trigger threshold, and obtaining an alarm level, comprises: querying a reference alarm threshold table according to the out-of-range risk level to obtain the corresponding initial threshold; querying a load adjustment coefficient table according to the host load level to determine an up-regulation or down-regulation coefficient, and multiplying the initial threshold by that coefficient to obtain a dynamic alarm threshold; converting the out-of-range risk level into a numerical value, comparing it with the dynamic alarm threshold, and calculating the difference to obtain an alarm intensity value; and querying an alarm level mapping table according to the alarm intensity value to determine the alarm level.
- 7. The bastion machine operation instruction out-of-range behavior identification and control method according to claim 1, wherein identifying the remaining processing capacity of the host from the CPU occupancy rate according to the alarm level and the host load level, and generating a safety response instruction, comprises: constructing a response decision table from the alarm level and the host load level, calculating the remaining processing capacity from the current CPU occupancy rate, and determining a resource state identifier; making a response judgment according to the resource state identifier, the alarm level and the host load level, and determining a response instruction type; and querying an instruction generation rule table according to the response instruction type, setting the corresponding parameters, and combining them to obtain the safety response instruction.
- 8. The method according to claim 7, further comprising obtaining the instruction type from the safety response instruction, identifying the task queue saturation level from the number of running tasks, adjusting the execution of a blocking instruction according to the task queue saturation level, and obtaining a final execution instruction, comprising: extracting the instruction type identifier and execution parameters from the safety response instruction, acquiring the current number of running tasks, calculating the task queue saturation degree, and determining a queue state identifier; making an execution adjustment judgment according to the queue state identifier and the instruction type identifier, and determining whether to add a delayed execution mark and a delay duration value; and constructing the final execution instruction from the adjusted execution control parameters.
- 9. The bastion machine operation instruction out-of-range behavior identification and control method according to claim 1, wherein issuing a blocking operation or starting a monitoring process on the target host according to the safety response instruction and the delayed execution time window, extracting the delay duration from the delayed execution time window, triggering secondary state detection once that duration has elapsed, and recording the operation execution state and historical decision record, comprises: determining the execution mode from the type identifier and the time window field of the safety response instruction, and either issuing the operation command to the target host or setting a timer; when the timer fires, or immediately in the case of immediate execution, sending the blocking signal or the command to start the monitoring process through a remote interface, and receiving the execution confirmation information returned by the target host; and judging from the execution confirmation information whether to start secondary detection, re-acquiring the state of the target host after the delay has elapsed, comparing the state difference, and recording the instruction type, execution timestamp, target host identifier, execution result and state change value into a historical record database to obtain the operation execution state and the historical decision record.
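The host load grading of claim 3, as an added example that is not part of the patent or the assignee's code: telemetry samples are clustered with K-means into three classes and the current state is graded by Euclidean distance to the class centers. The two indices are not defined on the page, so here they are assumed to be the mean of CPU and memory utilisation (average task resource consumption) and the number of running tasks (task resource density); the telemetry is constructed.

```python
import math
from statistics import mean

# Constructed host telemetry (cpu %, mem %, running tasks); not real measurements.
SAMPLES = [
    (12, 18, 2), (15, 20, 3), (18, 24, 4), (10, 16, 2),        # light-load period
    (48, 52, 9), (52, 58, 11), (45, 55, 10), (55, 60, 12),     # medium-load period
    (88, 90, 22), (92, 94, 28), (85, 88, 20), (95, 93, 30),    # heavy-load period
]

GRADES = ("light", "medium", "heavy")


def features(cpu, mem, tasks):
    """Assumed index definitions: x = mean CPU/memory utilisation, y = running tasks."""
    return ((cpu + mem) / 2.0, float(tasks))


def euclid(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def kmeans(points, k=3, max_iter=100):
    """Plain K-means with deterministic seeding: initial centers are spread
    along the points sorted by x + y, so repeated runs give the same clusters."""
    ordered = sorted(points, key=lambda p: p[0] + p[1])
    centers = [ordered[i * (len(ordered) - 1) // (k - 1)] for i in range(k)]
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda c: euclid(p, centers[c])) for p in points]
        if new_labels == labels:          # assignments stable: converged
            break
        labels = new_labels
        for c in range(k):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:                   # keep an empty cluster's old center
                centers[c] = (mean(m[0] for m in members), mean(m[1] for m in members))
    return centers


def load_grade_model(samples):
    """Cluster the history and name the centers light/medium/heavy by increasing x + y."""
    centers = sorted(kmeans([features(*s) for s in samples]), key=lambda c: c[0] + c[1])
    return dict(zip(GRADES, centers))


def classify(model, cpu, mem, tasks):
    """Claim 3: grade the current state by the nearest class center."""
    point = features(cpu, mem, tasks)
    return min(model, key=lambda grade: euclid(point, model[grade]))


if __name__ == "__main__":
    model = load_grade_model(SAMPLES)
    for state in ((20, 25, 3), (50, 55, 10), (90, 92, 24)):
        print(state, "->", classify(model, *state))
```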
Description
Bastion machine operation instruction out-of-range behavior identification and control method
Technical Field
The invention relates to the field of information technology, in particular to a bastion machine operation instruction out-of-range behavior identification and control method.
Background
The bastion machine is the core device of operation and maintenance security management. Its ability to identify and manage out-of-range operations plays a vital role in the stable operation and security protection of key information systems: if an out-of-range operation is not detected in time or is handled improperly, it can cause resource exhaustion, service interruption and even the widening of security holes. Existing methods mainly judge the risk level from the fixed difference between the operation input value and a preset reference value; the greater the difference, the higher the alarm level and the stronger the tendency to block immediately. Such methods are prone to misjudgment when the host load differs, because the same difference has a markedly different actual impact on the system under different running conditions, and treating it uniformly leaves the alarm and blocking strategies without pertinence. The core technical difficulty is that the judgment of numerical deviation and risk level is directly affected by the real-time resource bearing state of the target host. When the host runs at low load, CPU occupancy and memory usage are low, there are few running tasks and the available processing margin is ample, so a large difference in the input value causes no substantial harm; conversely, under high load even a small difference can rapidly aggravate the resource shortage.
Because the resource bearing state changes, relying on the deviation degree alone cannot accurately reflect the real risk, and a fixed threshold cannot adapt to a dynamic environment, so the risk assessment contains a contradiction that is hard to reconcile. For example, operation and maintenance staff may need to upload large files to a server in batches to update data. If the server's current load is very low, the upload makes the file size far exceed the daily reference value, yet the remaining resources can bear it completely and the upload is a normal operational requirement; if a high-priority alarm is still triggered and the operation blocked in real time on the strength of the large deviation, necessary work is interrupted and operation and maintenance efficiency suffers. How to integrate the real-time load level of the target host into the deviation calculation, and dynamically adjust the alarm level thresholds and the blocking response strategy, is therefore the key problem for accurately identifying real out-of-range behavior and reducing misjudgment.
Disclosure of Invention
The invention provides a bastion machine operation instruction out-of-range behavior identification and control method comprising the following steps: extracting the input value of the current operation instruction and the safety boundary value preset by the system from the bastion machine operation log, and synchronously collecting the CPU occupancy rate, memory usage and number of running tasks of the target host; analyzing the association between the host resource state and the task load according to the CPU occupancy rate, memory usage and running task number, and identifying the current load state of the host to obtain the host load level; calculating the degree of deviation between the input value of the current operation instruction and the safety boundary according to the input value, the safety boundary value and the host load level, and adjusting a risk weight coefficient in combination with the host load level to obtain an out-of-range risk level; extracting a reference alarm threshold and a load adjustment coefficient according to the out-of-range risk level and the host load level, adjusting the reference alarm threshold, and comparing the out-of-range risk level with the adjusted alarm trigger threshold to obtain an alarm level; identifying the remaining processing capacity of the host from the CPU occupancy rate according to the alarm level and the host load level, and generating a safety response instruction; and issuing a blocking operation or starting a monitoring process on the target host according to the safety response instruction and the delayed execution time window, extracting the delay duration from the delayed execution time window, triggering secondary state detection once that duration has elapsed, and recording the operation execution state and a hi
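The load-adjusted deviation, dynamic alarm threshold and delayed response described in the Background and in claims 4, 6, 7 and 8, carried through on the bulk-upload example from the Background. This is an added example, not the patent's or the assignee's code; the page names the lookup tables but gives no values, so every table, band and constant below is assumed, and the risk assessment matrix of claim 4 is replaced by a single saturating map from weighted deviation to score.

```python
# Assumed lookup tables (the page names them but gives no values).
LOAD_WEIGHT = {"light": 0.5, "medium": 1.0, "heavy": 1.6}            # claim 4 load weight mapping
RISK_BANDS = ((25, "low"), (50, "medium"), (75, "high"), (float("inf"), "critical"))
BASE_THRESHOLD = {"low": 30, "medium": 40, "high": 55, "critical": 65}  # claim 6 reference thresholds
LOAD_ADJUST = {"light": 1.3, "medium": 1.0, "heavy": 0.7}             # claim 6 up/down regulation
ALARM_BANDS = ((15, "notice"), (30, "warning"), (float("inf"), "severe"))
QUEUE_CAPACITY = 20          # assumed task slots for the claim 8 saturation ratio
BLOCK_DELAY_S = 30           # assumed delay added when the queue is saturated


def band(value, bands):
    return next(label for limit, label in bands if value < limit)


def basic_deviation(input_value, boundary):
    """Claim 4: difference to the boundary as a percentage of the boundary (0 when inside it)."""
    return max(0.0, (input_value - boundary) / boundary * 100.0)


def risk_score(input_value, boundary, load_grade):
    """Weighted deviation passed through an assumed saturating (nonlinear) map onto 0..100."""
    weighted = basic_deviation(input_value, boundary) * LOAD_WEIGHT[load_grade]
    return 100.0 * weighted / (weighted + 100.0)


def alarm_level(score, load_grade):
    """Claim 6: risk level from the score, threshold scaled by load, intensity = score - threshold."""
    risk_level = band(score, RISK_BANDS)
    dynamic_threshold = BASE_THRESHOLD[risk_level] * LOAD_ADJUST[load_grade]
    intensity = score - dynamic_threshold
    return risk_level, ("none" if intensity <= 0 else band(intensity, ALARM_BANDS))


def decide_response(alarm, cpu_pct, running_tasks):
    """Claims 7 and 8: decision table on remaining CPU capacity, then delay a blocking
    instruction while the task queue is saturated (assumed >= 80 % of capacity)."""
    remaining = 100 - cpu_pct
    if alarm == "none":
        action = "allow"
    elif alarm == "notice" or (alarm == "warning" and remaining >= 50):
        action = "monitor"
    else:
        action = "block"
    saturated = running_tasks / QUEUE_CAPACITY >= 0.8
    return action, (BLOCK_DELAY_S if action == "block" and saturated else 0)


def evaluate(input_value, boundary, load_grade, cpu_pct, running_tasks):
    score = risk_score(input_value, boundary, load_grade)
    risk_level, alarm = alarm_level(score, load_grade)
    action, delay = decide_response(alarm, cpu_pct, running_tasks)
    return {"score": round(score, 1), "risk": risk_level, "alarm": alarm,
            "action": action, "delay_s": delay}


if __name__ == "__main__":
    # Same 8 GB upload against a 2 GB boundary under three host states (constructed).
    for grade, cpu, tasks in (("light", 15, 3), ("medium", 50, 10), ("heavy", 92, 18)):
        print(grade, evaluate(8, 2, grade, cpu, tasks))
```

The same 300 % deviation is allowed on the lightly loaded host, monitored on the medium one and blocked (with a delay while the queue is saturated) on the heavily loaded one, which is the distinction the Background says a fixed threshold cannot make.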