
CN-122027272-A - Application security monitoring system and method based on behavior portrait data


Abstract

The invention discloses an application security monitoring system and method based on behavior portrait data, in the technical field of network security. The system comprises a traffic collection and preprocessing module, a behavior portrait module, a security analysis module and a policy execution module. The traffic collection and preprocessing module is deployed at the network access layer and comprises a network probe and a data cleaning unit; the behavior portrait module is connected to the log output of the traffic collection terminal; the security analysis module is connected to the output of the behavior portrait module; and the policy execution module is connected to the alarm output of the security analysis module. By building a multidimensional static behavior model as a baseline and quantitatively comparing it with real-time behavior, the system detects abnormal behavior that a traditional rule base cannot identify, markedly lowers the false alarm rate and raises the detection rate for insider threats and advanced persistent threats.

Inventors

  • Li Bo
  • Fu Gehua
  • Liu Fengzheng
  • Hu Yifan
  • Li Xuewu
  • Liang Zhanbu
  • He Mingdong

Assignees

  • 广东电网有限责任公司
  • 广东电网有限责任公司数智运营中心

Dates

Publication Date
2026-05-12
Application Date
2026-02-05

Claims (10)

  1. The application security monitoring system based on behavior portrait data, characterized in that it comprises a traffic collection and preprocessing module, a behavior portrait module, a security analysis module and a policy execution module, wherein the traffic collection and preprocessing module is deployed at the network access layer and comprises a network probe and a data cleaning unit, which collect and reassemble application-layer interaction sessions to generate structured logs; the behavior portrait module is connected to the log output of the traffic collection terminal and has a built-in baseline learning engine and real-time portrait engine, the baseline learning engine building a static behavior model from the historical logs and the real-time portrait engine updating a dynamic behavior sequence in real time from the latest log stream; the security analysis module is connected to the output of the behavior portrait module and comprises a sequence anomaly detector and an aggregation scorer, the sequence anomaly detector comparing the dynamic behavior sequence against the static behavior model to measure its deviation, and the aggregation scorer generating a risk score from the degree of deviation and a preset rule base; and the policy execution module is connected to the alarm output of the security analysis module and, through a script interface invoked according to the risk score grade, executes blocking, verification or alarm operations.
  2. The system of claim 1, wherein the static behavior model built by the baseline learning engine of the behavior portrait module for each operation user identifier is stored in a behavior model database and comprises data structures generated from statistics over the historical logs, namely a time access matrix, a resource access vector, a parameter mode set and an environment fingerprint set; the time access matrix records the mean and standard deviation of the number of sessions of the identifier in each hour over 30 consecutive historical workdays; the resource access vector records the mean and standard deviation of the number of sessions of the identifier for each historically accessed application programming interface path and web resource uniform resource identifier; the parameter mode set records, for each high-frequency request parameter key submitted by the identifier, the median parameter value length, the character type proportion and the most frequently occurring parameter values; and the environment fingerprint set comprises a class C address segment set formed from the first three bytes of the source IP addresses associated with the identifier's successful sessions and a fingerprint value set obtained by applying MD5 to the user agent strings.
  3. The system of claim 1, wherein the real-time portrait engine of the behavior portrait module maintains a dynamic behavior sequence for each operation user identifier, the dynamic behavior sequence being a sliding time window queue stored in an in-memory database whose window covers the most recent 60 minutes, and records in real time a real-time timestamp list, a real-time resource list, a real-time parameter snapshot list and a real-time environment list, the real-time environment list holding, for each session, the MD5 hash fingerprint of the user agent string and the first three bytes of the source IP address.
  4. The system of claim 1, wherein the sequence anomaly detector of the security analysis module comprises a multi-dimensional comparison unit that performs four comparisons: a time rule comparison, which counts the actual sessions in the hour preceding the current moment and computes a Z-score against the mean of the matching day-type and hour cell of the time access matrix; a resource frequency comparison, which traverses the real-time resource list and counts the occurrences of each resource in the current window; a parameter compliance comparison, which traverses the real-time parameter snapshot list and checks the string length of the real-time value of each parameter key; and an environment mutation comparison, which checks the most recently recorded source IP address segment and user agent fingerprint in the real-time environment list.
  5. The system of claim 1, wherein the aggregation scorer of the security analysis module is connected to a rule base holding a preset risk weight table that assigns an integer weight to each anomaly type marked by the sequence anomaly detector; the aggregation scorer receives the list of anomaly type codes output by the sequence anomaly detector, converts each item into its weight according to the risk weight table and sums them to obtain an initial risk score; it also receives the event alarms generated by directly matching the logs of the traffic collection and preprocessing module against a preset malicious rule base and accumulates a fixed event score for each alarm; and it adds the initial risk score and the event scores and normalizes the sum by the total number of effective sessions of the operation user in the current time window to obtain the comprehensive risk score.
  6. The system of claim 1, wherein a three-level response policy mapping table is preset in the policy execution module: the first-level policy applies to a comprehensive risk score of 60 to 80, and its actions are sending a token revocation instruction carrying the operation user identifier to the identity authentication service of the application system and sending a yellow alarm message with a risk summary to the external security manager console; the second-level policy applies to a score of 80 to 95, and its actions are instructing the network firewall in front of the application server to add the source IP address that triggered the anomaly to a blocking list for 30 minutes and sending an orange alarm message with detailed log fragments to the security manager console; and the third-level policy applies to a score above 95, and its actions are instructing the access control module of the application server to temporarily reduce the authority of the operation user identifier to the minimum level for 2 hours, executing all actions of the second-level policy, and sending a red alarm message to the security manager.
  7. The method for monitoring application security based on behavior portrait data, characterized by the following steps: S1, acquire the network traffic of the application server through the deployed network probe and extract key fields through the data cleaning unit to generate a structured session log stream; S2, based on 30 days of historical session logs, build for each active user identifier a static behavior model comprising a time rule, resource frequencies, parameter modes and an environment fingerprint, and store it persistently; S3, generate for each active user identifier a dynamic behavior sequence from the session logs in a real-time sliding time window and hold it in a cache; S4, perform a multi-dimensional comparison of the dynamic behavior sequence against the corresponding static behavior model and identify statistical deviation anomalies in the four dimensions of time, frequency, parameters and environment; S5, combine the identified deviation anomalies with the known-malicious rule events matched in the real-time sessions and compute the comprehensive risk score of the current user identifier by weighted accumulation and activity normalization; S6, according to the preset threshold interval into which the comprehensive risk score falls, automatically execute graded response actions ranging from alarming and token revocation to network blocking and authority degradation; S7, record all original logs, comparison results, risk scores and response actions in an external audit database, supporting joint search by user identifier, time range and risk level.
  8. The method of claim 7, wherein step S2 specifically comprises: S21, extract all successfully authenticated session logs of the past 30 days from the external audit database and group them by operation user identifier; S22, for each user group, compute separately for the workday mode and the rest-day mode the mean and standard deviation of the number of sessions generated per hour and store them in the time access matrix; S23, count the mean and standard deviation of the daily access count of each accessed application programming interface path or web page resource uniform resource identifier in the user group and store them in the resource access vector; S24, for every request parameter key occurring more than 100 times in the user group, record the five most frequent values, the median string length, the proportion of alphanumeric characters and the occurrence frequency of the corresponding parameter values to form a parameter mode record; S25, collect the first three bytes of the source IP addresses of all sessions in the user group to form an address segment set, form a fingerprint set from the MD5 hash values of all user agent strings, and store both in the environment fingerprint set.
  9. The method of claim 7, wherein the multi-dimensional comparison of S4 specifically comprises: S41, obtain the static behavior model of the user identifier under examination and its dynamic behavior sequence for the most recent 60 minutes; S42, count the sessions of the preceding hour in the real-time timestamp list of the dynamic behavior sequence, obtain the historical mean and standard deviation for the corresponding time point from the time access matrix of the static behavior model, compute a Z-score and judge abnormality; S43, traverse the real-time resource list of the dynamic behavior sequence, count the occurrences of each resource and compare them with the 'mean plus three standard deviations' threshold of the frequency baseline of the corresponding resource in the resource access vector of the static behavior model; S44, traverse the real-time parameter snapshot list of the dynamic behavior sequence and check each real-time parameter value for length deviation and character type proportion against the record of the corresponding key in the parameter mode set of the static behavior model; S45, obtain the latest source IP address segment and user agent fingerprint from the real-time environment list of the dynamic behavior sequence and check whether they exist in the environment fingerprint set of the static behavior model; S46, output a list containing the codes of all dimensions judged abnormal together with specific anomaly descriptions.
  10. The method of claim 7, wherein the algorithm for the comprehensive risk score in S5 is specifically: let the current operation user identifier be U; let the set of event scores produced by session-layer detection in the current sliding time window W be E = {e_1, e_2, ..., e_m}, where e_i is the severity score of the i-th alarm event; let the set of deviation items produced by portrait-layer detection be D = {d_1, d_2, ..., d_n}, where each deviation item d_j has a predefined weight coefficient w_j obtained from the scoring weight mapping table of the behavior portrait model and the rule knowledge base according to the deviation type; let the total number of effective sessions of user U in window W be S; then the comprehensive risk score R(U, W) of user U in window W is calculated by the following formula, where α and β are adjustment coefficients, positive real numbers that balance the contributions of session events and portrait deviations, dev(d_j) is the quantized degree of deviation of item d_j, a real number normalized to the interval [0, 1], and the denominator lg(S + 1) smooths and normalizes the score of highly active users.
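The procedure of claims 7 to 10, using the data structures of claims 2 to 6, carried through in Python as an added worked example; this is editor-written illustration, not code from the patent or its assignee. The session records, the 30-workday history, the hijacked and benign 60-minute windows, the anomaly weight table, the detection thresholds (value length above twice the median, alphanumeric ratio more than 0.3 below baseline), the single rule-base event scored 30, and the exact way claim 10 combines its terms, (α·Σe_i + β·Σw_j·dev(d_j)) / lg(S+1), are all assumptions: the claims give the terms and the denominator but the formula itself is not in the text.

```python
import hashlib
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WEIGHTS = {"TIME": 20, "FREQ": 25, "PARAM": 30, "ENV_IP": 15, "ENV_UA": 10}  # assumed weight table
NOW = datetime(2025, 2, 17, 10, 30)  # Monday 10:30, the instant being scored

def md5_fp(text):  # environment fingerprint of a user agent string (claims 2, 3, 8)
    return hashlib.md5(text.encode()).hexdigest()

def seg24(ip):  # "class C segment": the first three bytes of the source IP
    return ".".join(ip.split(".")[:3])

def make_history(start=datetime(2025, 1, 6)):  # constructed: 42 calendar days = 30 workdays
    return [{"ts": (start + timedelta(days=d)).replace(hour=h, minute=k * 8), "uri": "/api/orders",
             "params": {"q": "ord%05d" % k}, "ip": "10.1.2.%d" % (10 + k), "ua": "Mozilla/5.0 (X11)"}
            for d in range(42) if (start + timedelta(days=d)).weekday() < 5
            for h in range(9, 17) for k in range(4 + (h + d) % 3)]  # 4 to 6 sessions per hour

def make_window(now, hijacked):  # constructed 60-minute window: normal, or a hijacked credential
    if not hijacked:
        return [{"ts": now - timedelta(minutes=50 - 10 * i), "uri": "/api/orders",
                 "params": {"q": "ord%05d" % i}, "ip": "10.1.2.10", "ua": "Mozilla/5.0 (X11)"}
                for i in range(5)]
    return [{"ts": now - timedelta(minutes=39 - i), "uri": "/api/export",
             "params": {"q": "a" * 40 + "'\"<>;()" * 10}, "ip": "203.0.113.7", "ua": "curl/8.5.0"}
            for i in range(40)]

def build_baseline(history, min_key_count=100):
    """Static behaviour model, steps S21-S25 of claim 8."""
    cells, daily, values = defaultdict(list), defaultdict(list), defaultdict(list)
    for (workday, _date, hour), n in Counter(
            (s["ts"].weekday() < 5, s["ts"].date(), s["ts"].hour) for s in history).items():
        cells[(workday, hour)].append(n)  # S22: sessions per hour, grouped by day type and hour
    for (uri, _date), n in Counter((s["uri"], s["ts"].date()) for s in history).items():
        daily[uri].append(n)  # S23: daily hit counts per resource
    for k, v in (kv for s in history for kv in s["params"].items()):
        values[k].append(v)
    params = {}
    for k, vs in values.items():  # S24: only keys seen more than min_key_count times
        if len(vs) > min_key_count:
            chars = "".join(vs)
            params[k] = {"median_len": statistics.median(len(v) for v in vs),
                         "alnum_ratio": sum(c.isalnum() for c in chars) / len(chars),
                         "top5": [v for v, _ in Counter(vs).most_common(5)]}
    return {"time": {c: (statistics.mean(v), statistics.pstdev(v)) for c, v in cells.items()},
            "resource": {u: (statistics.mean(v), statistics.pstdev(v)) for u, v in daily.items()},
            "params": params,
            "env": {"segments": {seg24(s["ip"]) for s in history},  # S25
                    "ua_fps": {md5_fp(s["ua"]) for s in history}}}

def compare(baseline, window, now):
    """S42-S45: returns [(anomaly code, description, dev in [0, 1])]."""
    found = []
    recent = sum(now - timedelta(hours=1) <= s["ts"] <= now for s in window)
    mu, sd = baseline["time"].get((now.weekday() < 5, now.hour), (0.0, 0.0))
    z = (recent - mu) / max(sd, 1.0)  # floor sd so a flat baseline cannot divide by zero
    if abs(z) > 3:
        found.append(("TIME", f"{recent} sessions in past hour, z={z:.1f}", min(1.0, abs(z) / 10)))
    for uri, n in Counter(s["uri"] for s in window).items():
        mu, sd = baseline["resource"].get(uri, (0.0, 0.0))  # never-seen URI: baseline of zero
        if n > mu + 3 * sd:
            found.append(("FREQ", f"{uri}: {n} hits, limit {mu + 3 * sd:.1f}",
                          min(1.0, (n - mu - 3 * sd) / max(mu + 3 * sd, 1.0))))
    flagged = {}
    for s in window:
        for k, v in s["params"].items():
            m = baseline["params"].get(k)
            if m is None or k in flagged:
                continue
            ratio = sum(c.isalnum() for c in v) / max(len(v), 1)
            # assumed thresholds: length above 2x the median, or alnum ratio down by more than 0.3
            dev = max(len(v) / max(2 * m["median_len"], 1) - 1, m["alnum_ratio"] - ratio - 0.3)
            if dev > 0:
                flagged[k] = ("PARAM", f"{k}: len={len(v)} alnum={ratio:.2f}", min(1.0, dev))
    found.extend(flagged.values())
    latest = window[-1]
    if seg24(latest["ip"]) not in baseline["env"]["segments"]:
        found.append(("ENV_IP", f"new source segment {seg24(latest['ip'])}", 1.0))
    if md5_fp(latest["ua"]) not in baseline["env"]["ua_fps"]:
        found.append(("ENV_UA", f"new user agent {latest['ua']!r}", 1.0))
    return found

def risk_score(anomalies, event_scores, sessions, alpha=1.0, beta=1.0):
    """Claim 10, read as R = (alpha*sum(e_i) + beta*sum(w_j*dev(d_j))) / lg(S+1)."""
    if sessions == 0:  # lg(0+1) == 0: an empty window has nothing to score
        return 0.0
    deviation = sum(WEIGHTS[code] * dev for code, _desc, dev in anomalies)
    return (alpha * sum(event_scores) + beta * deviation) / math.log10(sessions + 1)

def response_level(score):
    """Claim 6's three levels (60-80, 80-95, >95); a boundary value is assumed to round up."""
    return 3 if score > 95 else 2 if score >= 80 else 1 if score >= 60 else 0

if __name__ == "__main__":
    found = compare(build_baseline(make_history()), make_window(NOW, hijacked=True), NOW)
    score = risk_score(found, [30], 40)  # plus one rule-base event alarm scored 30
    print(sorted(code for code, _, _ in found), round(score, 1), response_level(score))
```

Run stand-alone, the script flags all five anomaly types for the hijacked window (a spike of 40 sessions in an hour, a never-seen export URI, an injected parameter value, a new /24 and a new user agent) and yet lands at a score of about 80.6, second-level response, because lg(41) divides the 130 points by 1.6; the benign window produces no anomalies and scores 0. Two consequences of the page's own design are worth noting before building anything like it. First, lg(S + 1) is 0 when S = 0 and below 1 for S < 9, so for low-activity users the "normalization" amplifies the score rather than damping it, and the empty window has to be special-cased as above. Second, the baseline is learned from whatever the account did over the 30 workdays, so a credential already being misused during the learning period, or an attacker who pivots through the victim's own network segment and copies the browser's user agent string, is invisible to the environment dimension; the MD5 fingerprint is only a lookup key there, not a security control, so its weakness as a hash is irrelevant.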

Description

Application security monitoring system and method based on behavior portrait data

Technical Field

The invention relates to the technical field of network security, in particular to an application security monitoring system and method based on behavior portrait data.

Background

With the deepening of enterprise digital transformation, core business increasingly depends on Web applications, API interfaces and database services. Traditional protection means such as boundary firewalls, intrusion detection systems (IDS) and web application firewalls (WAF) defend mainly on the basis of known attack signature libraries or simple threshold rules. They have detection blind spots when facing insider threats that originate from legitimate user credentials, such as account theft, data exfiltration, abuse by internal personnel and 'low, slow and small' penetration that carries no obvious attack signature, and they show clear lag and high false alarm rates. Some prior-art solutions attempt to introduce user behavior analysis and score risk from collected user logs, but they generally suffer from a single analysis dimension (reliance on simple access frequency or time anomalies, which cannot describe complex behavior patterns), the lack of a refined, quantified historical behavior baseline for each individual user (anomaly judgement relies on overly generic rules and is insufficiently personalized), a disconnect between detection and response (manual investigation is needed after an alarm is raised, response is slow and no automated security closed loop is formed), and tight coupling of the system architecture (unclear boundaries between behavior modeling, risk calculation and policy execution make the system hard to extend and maintain).

Patent document CN111614614B discloses a security monitoring method and device for the Internet of Things, which identifies an intranet whose effective behavior characteristics deviate from the baseline behavior characteristics of intranets of the same type by more than a preset threshold as an intranet with abnormal network behavior, so that abnormal Internet of Things terminals can be monitored and security improved. After the traffic behavior information collected by each Internet of Things gateway is aggregated by the threat perception platform, the traffic behavior information belonging to the same type of intranet is cleaned and normalized and effective behavior characteristics are extracted from it; however, that method cannot perceive risk situations in advance or carry out risk management actively. The present application therefore provides an application security monitoring system and method based on behavior portrait data that achieves a high risk detection rate.

Disclosure of the Invention

The invention aims to provide an application security monitoring system and method based on behavior portrait data so as to solve the technical problems of lag and high false alarm rate described in the background.

The system comprises a traffic collection and preprocessing module, a behavior portrait module, a security analysis module and a policy execution module. The traffic collection and preprocessing module is deployed at the network access layer and comprises a network probe and a data cleaning unit, which collect and reassemble application-layer interaction sessions to generate structured logs. The behavior portrait module is connected to the log output of the traffic collection terminal and has a built-in baseline learning engine and real-time portrait engine; the baseline learning engine builds a static behavior model from the historical logs and the real-time portrait engine updates a dynamic behavior sequence in real time from the latest log stream. The security analysis module is connected to the output of the behavior portrait module and comprises a sequence anomaly detector and an aggregation scorer; the sequence anomaly detector compares the dynamic behavior sequence against the static behavior model to measure its deviation, and the aggregation scorer generates a risk score from the degree of deviation and a preset rule base. The policy execution module is connected to the alarm output of the security analysis module and, through a script interface invoked according to the risk score grade, executes blocking, verification or alarm operations. Preferably, the static behavior model established by the baseline learning engine of the behavior portrait module for each operation user identifier is stored in a behavior model database, and the static behavior model comprises data structures generated from statistics over the historical logs, namely a time access matrix, a resource access vector, a par