CN-122019484-A - Data flow monitoring method and device
Abstract
The application discloses a data flow monitoring method and device in the technical field of data monitoring. Its main aim is to add classification information to data across the full data flow link, so as to solve the problems of unclear data classification and the lack of an accurate basis for management and control while data is in transit. The method comprises: collecting multi-source heterogeneous log data from a target network carrying a data transfer process; performing asset analysis and asset access relation analysis on the multi-source heterogeneous log data to obtain data item information of the assets in the target network and the dynamic access relation among the assets; constructing a data item mapping relation among the data item information based on the dynamic access relation; and adding matched classification information to all link data in the data transfer full link corresponding to the multi-source heterogeneous log data, based on the data item mapping relation and the classification information corresponding to the data in the database, to obtain a data transfer monitoring result.
Inventors
- RAN LINAN
- ZHANG JIAQI
- WANG LI
- LIU HAO
- DONG XU
- YAO YIXIONG
- WU YUNKUN
- WANG QINGGUAN
- JIANG RANSHI
- CHEN DAZHAO
- WANG ZIHENG
Assignees
- 奇安信科技集团股份有限公司
Dates
- Publication Date: 2026-05-12
- Application Date: 2025-12-24
Claims (10)
- 1. A method for monitoring data flow, the method comprising: collecting multi-source heterogeneous log data from a target network carrying a data flow process; performing asset analysis and asset access relation analysis on the multi-source heterogeneous log data to obtain data item information of the assets in the target network and a dynamic access relation between the assets; constructing a data item mapping relation among the data item information based on the dynamic access relation; and adding matched classification and grading information to each link data in the data flow full link corresponding to the multi-source heterogeneous log data, based on the data item mapping relation and the classification and grading information corresponding to the data in the database, so as to obtain a data flow monitoring result.
- 2. The method of claim 1, wherein performing asset analysis on the multi-source heterogeneous log data to obtain data item information of the assets in the target network comprises: extracting, from the multi-source heterogeneous log data, identification information capable of uniquely identifying independent assets in the target network and target data items associated with the identification information, wherein the target data items are the data items matched in the assets after the data flow is transferred to the assets corresponding to the identification information; and/or performing asset access relation analysis on the multi-source heterogeneous log data to obtain the dynamic access relation between the assets in the target network comprises: extracting access behavior characteristics, interaction metadata and identification information capable of uniquely identifying independent assets in the target network from the multi-source heterogeneous log data; performing association matching on logs from different sources based on the identification information to obtain access sessions; clustering the access behavior characteristics to obtain regular target behavior characteristics; and deriving the dynamic access relation between the assets in the target network based on the access sessions and the target behavior characteristics.
- 3. The method of claim 1, wherein constructing a data item mapping relation among the data item information based on the dynamic access relation comprises: screening out, based on the dynamic access relation, the associated assets that have an access association with the asset corresponding to the data item information; matching each first data item in the data item information with each second data item in the data item information of the associated assets, and establishing a mapping relation between each first data item and the second data item successfully matched with it; and summarizing the mapping relations corresponding to each piece of data item information to obtain the data item mapping relation.
- 4. The method according to claim 1, wherein the data item mapping relation includes the data items used by the database, and adding matched classification and grading information to each link data in the data flow full link corresponding to the multi-source heterogeneous log data, based on the data item mapping relation and the classification and grading information corresponding to the data in the database, comprises: determining the data flow full link corresponding to the multi-source heterogeneous log data; and, for each link data in the data flow full link, respectively: extracting a target data item from the link data; querying the data item mapping relation to determine the associated data item in the database that is associated with the target data item; replacing the target data item in the link data with the associated data item; matching the link data against the database; and adding, to the link data, the classification and grading information corresponding to the data successfully matched in the database.
- 5. The method according to claim 4, further comprising: if the link data is not successfully matched with the data in the database, setting and adding classification and grading information matched to the link data based on the sensitive data contained in the link data.
- 6. The method according to any one of claims 1-5, further comprising: collecting user login log data from the target network; analyzing the user login log data and determining user behaviors and the data information of the data associated with the user behaviors; and, based on the data information, associating the user behaviors with link data in the data flow full link.
- 7. A data flow monitoring device, the device comprising: an acquisition module for acquiring multi-source heterogeneous log data from a target network carrying a data transfer process; an analysis module for performing asset analysis and asset access relation analysis on the multi-source heterogeneous log data to obtain data item information of the assets in the target network and a dynamic access relation between the assets; a construction module for constructing a data item mapping relation among the data item information based on the dynamic access relation; and a monitoring module for adding matched classification information to each link data in the data flow full link corresponding to the multi-source heterogeneous log data, based on the data item mapping relation and the classification information corresponding to the data in the database, so as to obtain a data flow monitoring result.
- 8. A computer-readable storage medium, characterized in that the storage medium comprises a stored program, wherein the program, when run, controls a device on which the storage medium is located to perform the data flow monitoring method of any one of claims 1 to 6.
- 9. An electronic device comprising a memory for storing a program, and a processor coupled to the memory for executing the program to perform the data flow monitoring method of any one of claims 1 to 6.
- 10. A computer program product, the computer program product comprising: computer program/computer executable instructions for performing the data flow monitoring method of any one of claims 1 to 6.
Description
Data flow monitoring method and device
Technical Field
The present application relates to the field of data monitoring technologies, and in particular to a method and an apparatus for monitoring data flow.
Background
Currently, data security management mainly focuses on the classification and grading of static data in a database, and is implemented by attaching classification and grading information (such as classification and grading labels) to that data. However, when data in the database is called by an application program, flows to a downstream service system through an interface, and is finally presented to a user in various forms, the original classification and grading information in the database is not inherited along the data flow. Once the data leaves the database, its classification is no longer clearly defined and management and control lack an accurate basis, which creates hidden security risks. How to add classification and grading information to data across the full data transfer link is therefore a problem that currently needs to be solved.
Disclosure of Invention
The application provides a data flow monitoring method and a data flow monitoring device, whose main aim is to add classification information to data across the full data flow link, so as to solve the problems of unclear data classification and the lack of an accurate basis for management and control during the data flow process.
In order to achieve the above purpose, the present application mainly provides the following technical solutions.

The data flow monitoring method at least comprises the steps of: collecting multi-source heterogeneous log data from a target network carrying a data flow process; performing asset analysis and asset access relation analysis on the multi-source heterogeneous log data to obtain data item information of the assets in the target network and a dynamic access relation between the assets; constructing a data item mapping relation between the data item information based on the dynamic access relation; and adding matched classification information to all link data in the data flow full link corresponding to the multi-source heterogeneous log data, based on the data item mapping relation and the classification information corresponding to the data in a database, to obtain a data flow monitoring result.

In some embodiments of the application, performing asset analysis on the multi-source heterogeneous log data to obtain data item information of the assets in the target network comprises: extracting, from the multi-source heterogeneous log data, identification information capable of uniquely identifying independent assets in the target network and the target data items associated with that identification information, the target data items being the data items matched in the assets after the data flow is transferred to the assets corresponding to the identification information; for each piece of identification information, fusing the target data items associated with it; and summarizing the identification information and the fused data items into the data item information corresponding to the asset identified by that identification information.

In some embodiments of the application, performing asset access relation analysis on the multi-source heterogeneous log data to obtain the dynamic access relation among the assets in the target network comprises: extracting access behavior characteristics, interaction metadata and identification information capable of uniquely identifying independent assets in the target network from the multi-source heterogeneous log data; performing association matching on logs from different sources based on the identification information to obtain access sessions; clustering the access behavior characteristics to obtain regular target behavior characteristics; and deriving the dynamic access relation among the assets in the target network based on the access sessions and the target behavior characteristics.

In some embodiments of the application, constructing the data item mapping relation among the data item information based on the dynamic access relation comprises: screening out, based on the dynamic access relation, the associated asset that has an access association with the asset corresponding to the data item information; matching each first data item in the data item information with each second data item in the data item information of the associated asset; building the mapping relation between each first data item and the second data item successfully matched with it; and summarizing the mapping relations corresponding to each piece of data item information to obtain the data item mapping relation. In s
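The procedure set out in claims 1 to 5 and restated in the description above (log collection, asset and access-relation analysis, data item mapping, then label propagation along the full link with a content-based fallback) can be shown end to end on a small constructed input. The following is an added illustration written for this page, not code from the patent or from the assignee. Everything in it is assumed: the two log formats (a database audit line carrying SQL text, and `key=value` application and gateway lines), the asset names, the `DB_CATALOG` labels, the sensitive-data patterns, and the name-normalisation heuristic used to match data items between neighbouring assets. The "clustering" of access behaviour in claim 2 is reduced to counting how often each asset-to-asset flow recurs across sessions.

```python
"""Toy classification/grading propagation along a data-flow full link.

Added illustration modelled on the claims of CN-122019484-A; not the
patent holder's code. Log formats, asset names, catalog labels and the
matching heuristic are all constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed multi-source logs. "dst" names the asset the data flows to next.
SAMPLE_LOGS = [
    "2025-12-24T10:00:01 db=crm session=s1 dst=app-svc stmt=SELECT cust_phone, cust_name FROM customers",
    "2025-12-24T10:00:02 asset=app-svc session=s1 dst=api-gw fields=phone,name",
    "2025-12-24T10:00:03 asset=api-gw session=s1 dst=portal fields=phoneNumber,fullName,contactEmail values=13800000000,Zhang,a@example.com",
    "2025-12-24T10:05:00 db=crm session=s2 dst=app-svc stmt=SELECT cust_name FROM customers",
    "2025-12-24T10:05:01 asset=app-svc session=s2 dst=report-svc fields=name",
]
DB_ASSETS = {"crm"}
# Constructed static catalog: classification/grading of data in the database (claim 1).
DB_CATALOG = {("crm", "cust_phone"): "PII/L3", ("crm", "cust_name"): "PII/L2"}
# Constructed fallback patterns for claim 5: no database match -> classify on content.
SENSITIVE_PATTERNS = [("PII/L3", re.compile(r"^1\d{10}$")),
                      ("PII/L2", re.compile(r"^[^@\s]+@[^@\s]+\.\w+$"))]
KV = re.compile(r"(\w+)=(\S+)")


def parse_log(line):
    """Normalise one heterogeneous log line into {asset, session, dst, items, values}."""
    kv = dict(KV.findall(line))
    if "stmt" in kv:                                  # database audit format
        stmt = line.split("stmt=", 1)[1]
        cols = re.match(r"SELECT\s+(.+?)\s+FROM", stmt, re.I).group(1)
        items, asset = [c.strip() for c in cols.split(",")], kv["db"]
    else:                                             # application / gateway format
        items, asset = kv["fields"].split(","), kv["asset"]
    values = kv["values"].split(",") if "values" in kv else [""] * len(items)
    return {"asset": asset, "session": kv["session"], "dst": kv["dst"],
            "items": items, "values": dict(zip(items, values))}


def asset_data_items(records):
    """Asset analysis: fuse the data items seen per asset across all records."""
    items = defaultdict(set)
    for r in records:
        items[r["asset"]].update(r["items"])
    return items


def access_relations(records):
    """Access-relation analysis: group records into sessions by session id,
    then count recurring asset->asset flows (stands in for the clustering step)."""
    sessions, edges = defaultdict(list), defaultdict(int)
    for r in records:
        sessions[r["session"]].append(r)
        edges[(r["asset"], r["dst"])] += 1
    return sessions, dict(edges)


def _norm(name):
    """Assumed heuristic: drop a table-style prefix (e.g. 'cust_'), lower-case, strip separators."""
    return re.sub(r"[_\-]", "", re.sub(r"^[a-z]+_", "", name)).lower()


def data_item_mapping(items, edges):
    """Claim 3: for each upstream->downstream pair, match downstream items to
    upstream items; returns (downstream asset, item) -> (upstream asset, item)."""
    mapping = {}
    for src, dst in edges:
        for d_item in items.get(dst, ()):
            for s_item in items.get(src, ()):
                if _norm(s_item) in _norm(d_item) or _norm(d_item) in _norm(s_item):
                    mapping[(dst, d_item)] = (src, s_item)
                    break
    return mapping


def resolve_to_database(asset, item, mapping):
    """Claim 4: follow the mapping upstream until a database data item is reached."""
    seen = set()
    while (asset, item) not in seen:
        seen.add((asset, item))
        if asset in DB_ASSETS:
            return asset, item
        if (asset, item) not in mapping:
            return None
        asset, item = mapping[(asset, item)]
    return None                                       # cycle guard


def full_link(session_records):
    """Order one session's records into the data-flow full link, upstream first."""
    by_asset = {r["asset"]: r for r in session_records}
    targets = {r["dst"] for r in session_records}
    cur, chain = next(r for r in session_records if r["asset"] not in targets), []
    while cur is not None:
        chain.append(cur)
        cur = by_asset.get(cur["dst"])
    return chain


def label_full_link(session_records, mapping):
    """Claims 4 and 5: label every data item of every link, from the database
    catalog where a mapping resolves, otherwise from the item's content."""
    out = []
    for r in full_link(session_records):
        for item in r["items"]:
            ref = resolve_to_database(r["asset"], item, mapping)
            if ref in DB_CATALOG:
                out.append((r["asset"], item, DB_CATALOG[ref], "database"))
                continue
            value = r["values"].get(item, "")
            label = next((lab for lab, pat in SENSITIVE_PATTERNS if pat.match(value)), "unclassified")
            out.append((r["asset"], item, label, "inferred"))
    return out


def monitor(lines):
    """Whole pipeline: returns {session id: [(asset, item, label, source), ...]}."""
    records = [parse_log(line) for line in lines]
    sessions, edges = access_relations(records)
    mapping = data_item_mapping(asset_data_items(records), edges)
    return {sid: label_full_link(recs, mapping) for sid, recs in sessions.items()}


if __name__ == "__main__":
    for sid, links in monitor(SAMPLE_LOGS).items():
        for asset, item, label, source in links:
            print(sid, asset, item, label, source)
```

Run as-is and the `phoneNumber` field emitted by `api-gw` in session `s1` inherits `PII/L3` from `crm.cust_phone` two hops upstream, while `contactEmail`, which no mapping reaches, is graded from its value under the claim 5 fallback and marked `inferred` so a reviewer can tell catalog-backed labels from content-based ones. The substring-matching heuristic in `data_item_mapping` is the weak point of any such scheme: in practice the mapping should be built from the access sessions' interaction metadata (interface definitions, query text) rather than from field names alone.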