CN119652552A - Security baseline trust evaluation method and system based on user behavior - Google Patents
- Publication number: CN119652552A (application CN202411521885.XA)
- Authority: CN (China)
- Prior art keywords: user, data, behavior, context awareness, trust
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a security baseline trust evaluation method and system based on user behavior, in the technical field of network security. The method comprises the steps of: collecting behavior data and context awareness data of a user; analyzing the behavior data and context awareness data and calculating the user's current trust value; setting a preliminary security baseline; comparing the current trust value with the preliminary security baseline to evaluate the user's trust; and controlling the user's authority based on the current trust value. By collecting the user behavior data and context awareness data, constructing a comprehensive data set and calculating the current trust value from it by analysis, the trust value can be adjusted promptly when user behavior is abnormal, potential security threats are avoided, the user's operation behavior can be estimated more comprehensively and accurately, and the user's access authority is dynamically adjusted by calculating the trust value in real time, which enhances the security of the system and improves its adaptability in complex environments.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a security baseline trust evaluation method and system based on user behaviors.
Background
Today, with the rapid development of information technology and the wide application of computer networks, cloud computing and the mobile internet, traditional security mechanisms face new challenges and information security problems are increasingly prominent. Existing security measures rely mostly on static rules and predefined policies; however, as user behavior changes dynamically and context awareness techniques are applied, relying solely on static rules has become insufficient to deal with complex security threats. In recent years, trust evaluation technology based on user behavior and context awareness has gradually become a research hotspot, but existing trust evaluation methods still have certain limitations when processing complex behavior patterns and multidimensional context awareness data: they cannot comprehensively consider the operation background and context awareness factors, and so cannot sufficiently cope with changeable security environments.
Disclosure of Invention
The invention is provided in view of the problems of existing security baseline trust evaluation methods and systems based on user behavior.
Therefore, the problem to be solved by the invention is that existing trust evaluation methods still have certain limitations when processing complex behavior patterns and multidimensional context awareness data, cannot comprehensively consider the operation background and context awareness factors, and cannot fully cope with changeable security environments.
The technical scheme is a security baseline trust evaluation method based on user behavior, comprising the steps of: collecting behavior data and context awareness data of users; analyzing the user behavior data and context awareness data and calculating the current trust values of the users; setting a preliminary security baseline and comparing the current trust values of the users with it to conduct user trust evaluation; controlling the authority of the users based on their current trust values; and conducting risk monitoring and early warning on the user behavior data and context awareness data.
As a preferred scheme of the security baseline trust evaluation method based on user behavior, collecting the user behavior data and context awareness data refers to collecting real-time user behavior data and context awareness data as well as historical user behavior data and context awareness data, and performing data cleaning, deduplication and data normalization on the data.
As a preferred scheme of the security baseline trust evaluation method based on user behavior, analyzing the user behavior data and context awareness data and calculating the comprehensive trust value of the user refers to combining the user behavior data and the context awareness data to generate a data set and converting the data set into a transaction database, in which each transaction represents the operation behavior of the user in a given time period and context;
Counting, in a first scan of the data set, the number of occurrences of each behavior item and context awareness item, setting a frequency threshold Q, screening out the behavior items and context awareness items whose occurrence count exceeds Q, generating a frequent item list, and sorting the frequent items in descending order of occurrence frequency;
Scanning the data set again, inserting the frequent items of each transaction into the FP tree in the order given by the list, generating frequent item sets by recursively traversing the FP tree, calculating the data support degree Z and setting a support threshold W, screening out the frequent item sets whose support exceeds W as frequent behavior patterns, and storing the frequent behavior patterns in a blockchain;
Extracting the context awareness data from each behavior pattern as background data and combining it with the user operation behavior data to form a complete pattern description, determining the sequence of user operations from the order of the behavior items in the FP tree, setting a natural language description template, filling the identified behavior operations and context awareness data into the template to generate a natural language description sentence, and checking it with a natural language processing tool;
Inputting the text sentence into a sentence parsing tool to generate a parse tree, segmenting the complete parse tree into a plurality of subtrees, each corresponding to a different part of the sentence, extracting phrases from the segmented subtrees, and performing structural optimization on the extracted phrases;
Taking the phrases extracted from the parse tree as text features, extracting operation sequence and time features from the behavior pattern, and extracting context awareness features from the context awareness data;
Converting the phrases extracted from the parse tree into tensor representations and defining the tensor dimensions: the different phrases in the text sentence form the first dimension of the tensor, the operation sequence and time information of the behavior pattern form the second dimension, and the context awareness data form the third dimension;
Initializing a three-dimensional tensor of shape (Hin, Win, Din), filling the tensor with text features along the Hin dimension, with behavior features along the Win dimension, and with context awareness features along the Din dimension;
Calculating the occurrence frequency of each phrase in the behavior pattern and mapping the result to the Hin dimension of the tensor, calculating the rarity of each feature across the whole set of behavior patterns and mapping the result to each position of the tensor, and filling the weight values into the corresponding positions of the tensor according to the TF-IDF calculation result;
Applying convolution layer operations to the feature tensor for deep feature extraction to generate a convolution feature map, initializing a ConvLSTM layer, inputting the feature map generated by the convolution layer into the ConvLSTM layer, performing cyclic calculation over the time steps to extract the time-sequence features of the behavior pattern and generate a ConvLSTM feature map, concatenating and integrating the feature maps generated by the convolution layer and the ConvLSTM layer into a comprehensive feature representation, and applying a Flatten operation to the integrated feature map to flatten the multidimensional feature map into a one-dimensional vector;
Screening the features with an L1 regularization method, discretizing the screened continuous feature values, setting discretization intervals according to the distribution of the feature values, and mapping the feature values into the discretization intervals;
Combining the discretized feature values into complete feature vectors and inputting the generated feature vectors into a Bayesian network model for trust value inference, which includes defining the input nodes of the Bayesian network model as behavior feature nodes and context awareness feature nodes, defining the output node as the trust value of the user behavior, determining the conditional dependency relations among the input nodes, and establishing a conditional probability table for each node;
Constructing the topological structure of the Bayesian network with a Bayesian network tool, connecting nodes and edges into a directed acyclic graph in which the edges represent the conditional dependency relationships of the nodes;
Collecting historical feature vectors and corresponding trust labels as training data, inputting the training data into the Bayesian network model for training, evaluating the generalization performance of the model by cross-validation, and obtaining the trained Bayesian network model after optimizing the network structure and parameters according to the evaluation result;
Inputting the real-time user behavior feature vector and context awareness feature vector into the Bayesian network model, performing forward inference on the input features, and calculating the posterior probability distribution of the trust value node;
Sorting the output probability values, selecting the trust state with the highest probability as the result of the maximum a posteriori selection, and mapping the selected trust state to a final trust value with a nonlinear mapping method.
As a preferred scheme of the security baseline trust evaluation method based on user behavior, setting a preliminary security baseline and comparing the current trust value of the user with the preliminary security baseline to perform user trust evaluation refers to calculating the mean and standard deviation of the trust values of historical normal users, and setting the preliminary security baseline according to the calculated mean and standard deviation;
Comparing the current user trust value with the preliminary security baseline and judging the user operation:
if the current trust value is within the baseline range, the operation meets expectations;
if the current trust value is not within the baseline range, an anomaly and risk are indicated.
As a preferred scheme of the security baseline trust evaluation method based on user behavior, performing authority control on the user based on the current trust value of the user comprises the following steps:
if the user trust value is within the baseline range, granting the user the corresponding operation authority and access authority, so that the user can execute the requested operation without limitation, while continuously monitoring the user's behavior;
if the user trust value is not within the baseline range, immediately limiting the user's access authority, preventing the user from performing high-risk operations, subjecting the user to secondary authentication and sending an emergency alarm to an administrator; if the user passes the secondary authentication, restoring part of the user's authority and continuing to monitor.
The security baseline trust evaluation method based on user behavior is further characterized in that performing risk monitoring and early warning on the user behavior data and context awareness data refers to monitoring the user's behavior data and context awareness data in real time, identifying operations deviating from the security baseline and abnormal context awareness, automatically issuing an early warning to notify the relevant administrator to perform emergency treatment if the user behavior data and context awareness data are abnormal, integrating the abnormal conditions after the emergency treatment to generate an abnormal report, storing the real-time data and abnormal report generated during the evaluation process, and implementing access control.
The security baseline trust evaluation method based on user behavior is further characterized in that storing the real-time data and abnormal report generated during the evaluation process and performing access control refers to storing, by category, the real-time data collected during evaluation (including the user's behavior data, context awareness data and trust value calculation results) and the data and abnormal report generated during risk evaluation: the real-time data are stored in a real-time database in time order, the abnormal reports are stored in an abnormal event database, access rights are set according to the user's role and trust value, and an access log is generated after each data access.
It is a further object of the present invention to provide a security baseline trust evaluation system based on user behavior, comprising:
The data collection module is used for collecting real-time and historical user behavior data and corresponding context awareness data and preprocessing the collected data;
The frequent item extraction module is used for screening out high-frequency behavior items and context awareness items, constructing an FP tree, generating a frequent item set, calculating the support degree and screening out frequent behavior modes;
the feature processing module is used for generating a sentence analysis tree through a sentence analysis tool, extracting phrases and structural features in the sentence, and converting the phrases and the features into tensor representations;
The trust value calculation module is used for carrying out trust value inference by using the Bayesian network model, calculating a trust value based on user behavior characteristics and context awareness characteristics, carrying out forward inference on the real-time user behavior characteristic vector, generating posterior probability distribution of the trust value, and outputting a final trust value;
the permission control module is used for judging the normal condition of the user behavior, performing permission control based on the current trust value of the user, and granting or limiting the operation permission of the user;
The early warning module is used for monitoring the user's behavior data and context awareness data in real time, identifying operations and abnormal context awareness deviating from the security baseline, issuing early warnings for abnormal conditions and generating an abnormal report, storing the abnormal report and the real-time data in a database, and implementing access control.
A computer device comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of a security baseline trust evaluation method based on user behaviors when executing the computer program.
A computer readable storage medium having stored thereon a computer program which when executed by a processor implements the steps of a secure baseline trust evaluation method based on user behavior.
The invention has the beneficial effects that, by collecting the user behavior data and context awareness data, constructing a comprehensive data set and analyzing it to calculate the user's current trust value, the trust value can be adjusted in time when the user behavior is abnormal and potential security threats are avoided; the user's operation behavior can be estimated more comprehensively and accurately; and the user's access authority is dynamically adjusted by calculating the trust value in real time, so that the security of the system is enhanced and its adaptability in complex environments is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a security baseline trust evaluation method based on user behavior.
Fig. 2 is a schematic diagram of a security baseline trust evaluation system based on user behavior.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Example 1
Referring to fig. 1, a first embodiment of the present invention provides a security baseline trust evaluation method based on user behavior, which includes:
S1, collecting behavior data and context awareness data of a user, analyzing the behavior data and the context awareness data of the user, and calculating a current trust value of the user;
Specifically, collecting behavior data and context awareness data of a user refers to collecting real-time user behavior data and context awareness data as well as historical user behavior data and context awareness data and performing data cleaning, deduplication and data normalization on the data.
By collecting real-time user behavior data, the system can timely acquire the current operation behavior of the user, and provides instant information support for trust evaluation. Meanwhile, the collection of the context awareness data provides important background information for the user behavior, and the system can be combined with the context awareness data to more comprehensively understand the rationality behind the user operation. Through the combination of the real-time data and the context awareness data, the system can evaluate the credibility of the user operation more accurately, and the collection of the historical data provides a basis for the system to establish the user behavior mode and the context awareness change. By analyzing the historical data, the system can identify the user's normal operation mode as a reference standard for evaluating current behavior. The historical data can also help the system predict future operational trends of the user, providing a more comprehensive trust assessment framework.
Further, analyzing the user behavior data and context awareness data and calculating the comprehensive trust value of the user refers to combining the user behavior data and the context awareness data to generate a data set and converting the data set into a transaction database, in which each transaction represents the operation behavior of the user in a given time period and context;
Counting, in a first scan of the data set, the number of occurrences of each behavior item and context awareness item, setting a frequency threshold Q, screening out the behavior items and context awareness items whose occurrence count exceeds Q, generating a frequent item list, and sorting the frequent items in descending order of occurrence frequency; the threshold Q is set according to the average number of occurrences of the behavior items and context awareness items in the data set;
Scanning the data set again, inserting frequent items of each transaction into the FP tree according to the sequence in the list, generating a frequent item set by recursively traversing the FP tree, and sharing path nodes in the FP tree if a plurality of transactions have the same behaviors and context awareness;
Calculating the data support degree Z:
where X is the number of times the item set appears and C is the total number of transactions;
Setting a support threshold W and screening out the frequent item sets whose support exceeds W as frequent behavior patterns, which are stored in a blockchain; W is preliminarily set according to the system's security requirements and the data distribution, and fine-tuned according to conditions in practical application;
Extracting the context awareness data from each behavior pattern as background data and combining it with the user operation behavior data to form a complete pattern description, deleting irrelevant words from the behavior pattern description with a standard stop word list, performing lemmatization and stemming on the text with an NLP tool, and uniformly formatting the processed behavior descriptions;
Determining the sequence of user operations from the order of the behavior items in the FP tree, and setting natural language description templates:
Template 1: [user] logs in to the system using [device] at [time];
Template 2: [user] uploads a file at [place];
Template 3: [user] logs out of the system at [time];
Filling the identified behavior operations and context awareness data into a template to generate natural language description sentences, and checking them with a natural language processing tool (such as Grammarly);
Inputting each text sentence into a sentence parsing tool (such as the Stanford Parser) to generate a parse tree, segmenting the complete parse tree into a plurality of subtrees corresponding to different parts of the sentence, extracting phrases from the segmented subtrees, and performing structural optimization on the extracted phrases, for example combining adjacent phrases into a complete phrase to enhance their expressive power, such as combining "logs in to the system" and "uploads a file" into "logs in to the system and uploads a file";
Taking the phrases extracted from the parse tree as text features, extracting the operation sequence and time features from the behavior pattern, and extracting the context awareness features (geographic position, device information and network state) from the context awareness data;
Converting the phrases extracted from the parse tree into tensor representations and defining the tensor dimensions: the different phrases in the text sentence form the first dimension of the tensor, capturing the content information of the behavior pattern; the operation sequence and time information of the behavior pattern form the second dimension, capturing the time point or order in which the behavior occurred; and the context awareness data form the third dimension, ensuring that the environmental context information is retained;
Initializing a three-dimensional tensor of shape (Hin, Win, Din), filling the tensor with text features along the Hin dimension, with behavior features along the Win dimension, and with context awareness features along the Din dimension;
Calculating the occurrence frequency of each phrase in the behavior pattern and mapping the result to the Hin dimension of the tensor:
where TF(t, d) is the frequency of term t in document d, f(t, d) is the number of occurrences of term t in document d, and f(k, d) is the number of occurrences of term k in document d, k denoting any term in document d;
Calculating the rarity of each feature across the whole set of behavior patterns and mapping the result to the positions of the tensor:
where IDF(t, D) is the rarity of term t in the whole document set D, df(t) is the number of documents containing term t, and N is the total number of documents in the set;
TF-IDF(t, d) = TF(t, d) × IDF(t, D),
where TF-IDF(t, d) combines the occurrence frequency of the term in the document (TF) with its rarity in the whole document set (IDF) to measure the importance of the term in the document: the higher the TF-IDF value, the more important term t is in document d and the rarer it is in the whole document set, so that t is a feature word with higher discriminative power;
Filling the weight value into the corresponding position of the tensor according to the TF-IDF calculation result;
Applying convolution layer operations to the feature tensor for deep feature extraction to generate a convolution feature map, which includes setting the convolution kernel size and stride and stacking convolution layers multiple times to gradually extract higher-level features;
Initializing the ConvLSTM layer, setting the number of time steps and the convolution kernel size of the ConvLSTM layer, and setting the time window size processed by ConvLSTM so that the time dependence of the user behavior can be captured;
Inputting the feature map generated by the convolution layer into the ConvLSTM layer, performing cyclic calculation over the time steps to extract the time-sequence features of the behavior pattern and generate a ConvLSTM feature map, concatenating and integrating the feature maps generated by the convolution layer and the ConvLSTM layer into a comprehensive feature representation, and applying a Flatten operation to the integrated feature map so that the multidimensional feature map becomes a one-dimensional vector in which each feature is an independent numerical value, facilitating subsequent feature fusion and model input;
ConvLSTM is a deep learning model combining a convolutional layer and an LSTM (long short-term memory network), which is suitable for processing spatio-temporal sequence data;
The L1 regularization method is used to screen out the features with the most influence on trust evaluation; in this process the feature set is automatically sparsified, important features are retained, unnecessary information is reduced, and the complexity of the model is lowered.
According to the calculated TF-IDF weight, retaining important feature phrases and context awareness features, discretizing the screened continuous feature values, setting a discretization interval according to the distribution of the feature values, and mapping the feature values into the discretization interval;
The discretized feature values are combined into complete feature vectors, and the generated feature vectors are input into a Bayesian network model for trust value inference, comprising:
Defining input nodes of a Bayesian network model as behavior feature nodes and context awareness feature nodes, defining output nodes as trust values of user behaviors, determining condition dependency relationships among the input nodes, establishing a condition probability table for each node, representing probability distribution of child nodes under the condition of a given father node, for example, calculating the probability of the trust value being 'high trust' under the condition of given equipment information and operation types;
Constructing the topological structure of the Bayesian network with a Bayesian network tool (such as Python's pgmpy or BayesPy, or GeNIe), connecting nodes and edges into a directed acyclic graph in which the edges represent the conditional dependency relationships of the nodes;
Collecting historical feature vectors and corresponding trust labels as training data, inputting the training data into a Bayesian network model for model training, and calculating parameters in a conditional probability table by a maximum likelihood estimation method;
Evaluating the generalization performance of the model by cross-validation, and obtaining the trained Bayesian network model after optimizing the Bayesian network structure and parameters according to the evaluation result;
Inputting the real-time user behavior feature vector and the context awareness feature vector into a Bayesian network model, performing forward inference on the input features by the Bayesian network model, and calculating posterior probability distribution of trust value nodes;
and sorting the output probability values, selecting the trust state with the highest probability as a selection result of the maximum posterior probability selection method according to the sorting result, and mapping the selected trust state into a final trust value by using a nonlinear mapping method.
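The Bayesian network inference and maximum a posteriori selection described in the steps above, together with the preliminary security baseline and authority control from the disclosure, as an added Python example that is not from the patent and uses no Bayesian network library: conditional probability tables are fitted by maximum likelihood (with additive smoothing) from constructed labelled history, the posterior of the trust node is obtained by enumeration given the observed features, the MAP state is mapped nonlinearly (an assumed logistic mapping) to a trust value, and that value is compared with a mean ± 2σ baseline to decide the user's authority. The node names, domains, training rows and historical trust values are constructed assumptions.

```python
# Added example (not the patent's code): discrete Bayesian network inference of a
# user's trust state, then the security baseline check and authority decision.
import math
import statistics
from collections import Counter, defaultdict
from itertools import product

# Assumed node domains: two context awareness inputs, one behaviour input, one output.
DOMAINS = {
    "device": ["known", "unknown"],
    "hours": ["work", "off"],
    "op": ["read", "upload", "delete"],
    "trust": ["low", "mid", "high"],
}
# Directed acyclic graph: the trust node depends on all three input nodes.
PARENTS = {"device": [], "hours": [], "op": [], "trust": ["device", "hours", "op"]}
LEVEL = {"low": 0.0, "mid": 0.5, "high": 1.0}  # assumed ordinal level per trust state

# Constructed training data: historical discretized feature vectors with trust labels.
HISTORY = (
    [{"device": "known", "hours": "work", "op": "read", "trust": "high"}] * 4
    + [{"device": "known", "hours": "work", "op": "upload", "trust": "high"}] * 2
    + [{"device": "known", "hours": "off", "op": "read", "trust": "mid"}] * 2
    + [{"device": "unknown", "hours": "work", "op": "upload", "trust": "mid"}]
    + [{"device": "known", "hours": "work", "op": "delete", "trust": "mid"}]
    + [{"device": "unknown", "hours": "off", "op": "delete", "trust": "low"}] * 3
    + [{"device": "unknown", "hours": "off", "op": "upload", "trust": "low"}]
)
# Constructed trust values of historical normal users, used to set the baseline.
HISTORICAL_TRUST = [0.90, 0.86, 0.92, 0.88, 0.90, 0.86, 0.92, 0.88]


def fit_cpts(history, alpha=1.0):
    """Conditional probability tables by maximum likelihood, with additive
    smoothing (alpha) so that unseen parent combinations stay well defined."""
    cpts = {}
    for node, parents in PARENTS.items():
        counts = defaultdict(Counter)
        for row in history:
            counts[tuple(row[p] for p in parents)][row[node]] += 1
        cpts[node] = {}
        for key in product(*(DOMAINS[p] for p in parents)):
            total = sum(counts[key].values()) + alpha * len(DOMAINS[node])
            cpts[node][key] = {v: (counts[key][v] + alpha) / total for v in DOMAINS[node]}
    return cpts


def posterior(cpts, evidence):
    """Forward inference by enumeration: P(trust | evidence), marginalizing over
    any input node that is not observed."""
    nodes = list(DOMAINS)
    scores = Counter()
    for values in product(*(DOMAINS[n] for n in nodes)):
        a = dict(zip(nodes, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue  # inconsistent with the observed features
        joint = 1.0
        for n in nodes:
            joint *= cpts[n][tuple(a[p] for p in PARENTS[n])][a[n]]
        scores[a["trust"]] += joint
    norm = sum(scores.values())
    return {t: scores[t] / norm for t in DOMAINS["trust"]}


def trust_value(post):
    """Maximum a posteriori trust state, mapped nonlinearly (assumed logistic
    mapping) to a value in (0, 1); the MAP probability sets the confidence."""
    state = max(post, key=post.get)
    value = 1.0 / (1.0 + math.exp(-6.0 * (LEVEL[state] - 0.5) * post[state]))
    return state, round(value, 4)


def security_baseline(historical_values, k=2.0):
    """Preliminary baseline: mean +/- k population standard deviations of the
    trust values of historical normal users."""
    mean, sd = statistics.mean(historical_values), statistics.pstdev(historical_values)
    return mean - k * sd, mean + k * sd


def authority_decision(value, baseline, passed_second_factor=False):
    """Inside the baseline: full access under continuous monitoring. Outside it:
    restrict access, block high-risk operations, require secondary authentication
    and alert the administrator; partial authority returns once that succeeds."""
    lo, hi = baseline
    if lo <= value <= hi:
        return {"access": "full", "high_risk_ops": True, "alert_admin": False}
    if passed_second_factor:
        return {"access": "partial", "high_risk_ops": False, "alert_admin": True}
    return {"access": "restricted", "high_risk_ops": False, "alert_admin": True,
            "second_factor_required": True}


if __name__ == "__main__":
    cpts, baseline = fit_cpts(HISTORY), security_baseline(HISTORICAL_TRUST)
    for evidence in ({"device": "known", "hours": "work", "op": "read"},
                     {"device": "unknown", "hours": "off", "op": "delete"},
                     {"device": "unknown", "hours": "off"}):  # op not observed
        state, value = trust_value(posterior(cpts, evidence))
        print(evidence, state, value, authority_decision(value, baseline)["access"])
```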
By combining the user behavior data and context awareness data to generate a data set and converting it into a transaction database, the system is able to capture the user's operation behavior in different contexts. This not only covers the user's multidimensional data comprehensively, but also effectively avoids the misjudgment that a single data source might cause. For example, an operation performed by a user during regular work hours on a particular device may be trusted, while the same operation performed outside work hours or on an unfamiliar device may present a security hazard. The introduction of the transaction database allows the system to manage and analyze these multidimensional data systematically, ensuring that all relevant behavior and context awareness information is fully accounted for. In this way the system provides more comprehensive basic data for the subsequent frequent item set extraction and trust value calculation, ensuring the accuracy and integrity of the analysis, and the FP tree compresses the storage of paths in large amounts of data, ensuring that frequent behavior patterns are identified efficiently. Building on the preceding data set construction, this stage further refines the user behavior and context awareness data and extracts key combinations of behavior and context awareness. This not only helps the system accurately identify the user's normal operation pattern, but also quickly discovers abnormal behavior that deviates from it. For example, in an actual security baseline trust evaluation scenario, the system can quickly identify a user's abnormal behavior under abnormal context awareness through the FP tree and react in time.
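The two-scan FP-tree mining described in the S1 steps above, as an added Python example that is not part of the patent: items whose count exceeds the frequency threshold Q are sorted in descending frequency, the FP tree is built so that transactions with the same items share path nodes, frequent item sets are mined recursively, and each item set whose support Z (computed here as X / C, the standard support definition matching the text's X and C) exceeds the threshold W is kept as a frequent behavior pattern. The transactions, item names and the values of Q and W are constructed assumptions; the blockchain storage step is omitted.

```python
# Added example (not the patent's code): FP-tree mining of frequent behaviour
# patterns from a transaction database of behaviour and context awareness items.
from collections import Counter, defaultdict

# Constructed sample: one transaction per user session, mixing behaviour items
# (login, upload, logout) with context awareness items (device, time, location).
TRANSACTIONS = [
    {"login", "dev:laptop-A", "time:work", "loc:office"},
    {"login", "upload", "dev:laptop-A", "time:work", "loc:office"},
    {"login", "logout", "dev:laptop-A", "time:work", "loc:office"},
    {"login", "upload", "dev:phone-B", "time:night", "loc:unknown"},
    {"login", "logout", "dev:laptop-A", "time:work", "loc:office"},
    {"login", "upload", "dev:laptop-A", "time:work"},
]


class FPNode:
    __slots__ = ("item", "count", "parent", "children")

    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}


def count_items(weighted):
    """First scan: occurrence count of every item over (item set, weight) rows."""
    counts = Counter()
    for items, weight in weighted:
        for item in items:
            counts[item] += weight
    return counts


def average_count_threshold(transactions):
    """Frequency threshold Q as the text suggests: mean occurrence count of all items."""
    counts = count_items([(t, 1) for t in transactions])
    return sum(counts.values()) / len(counts)


def build_fp_tree(weighted, order):
    """Second scan: insert each row's frequent items in list order; rows sharing
    a prefix share path nodes. Returns the root and the header table."""
    rank = {item: r for r, item in enumerate(order)}
    root, header = FPNode(None, None), defaultdict(list)
    for items, weight in weighted:
        node = root
        for item in sorted((i for i in items if i in rank), key=rank.get):
            child = node.children.get(item)
            if child is None:
                child = FPNode(item, node)
                node.children[item] = child
                header[item].append(child)
            child.count += weight
            node = child
    return root, header


def conditional_pattern_base(header, item):
    """Prefix paths leading to `item`, each weighted by that node's count."""
    base = []
    for node in header[item]:
        path, parent = [], node.parent
        while parent.item is not None:
            path.append(parent.item)
            parent = parent.parent
        if path:
            base.append((frozenset(path), node.count))
    return base


def fp_growth(weighted, q, suffix, out):
    """Recursive FP-tree traversal; appends (frequent item set, count) to out."""
    counts = count_items(weighted)
    order = sorted((i for i, c in counts.items() if c > q),
                   key=lambda i: (-counts[i], i))  # descending frequency
    if not order:
        return
    _root, header = build_fp_tree(weighted, order)
    for item in reversed(order):  # grow from the least frequent item upward
        pattern = suffix | {item}
        out.append((pattern, counts[item]))
        fp_growth(conditional_pattern_base(header, item), q, pattern, out)


def frequent_behaviour_patterns(transactions, q, w):
    """Frequent behaviour patterns: item sets whose support Z = X / C exceeds W,
    X being the item set's occurrence count and C the number of transactions."""
    found = []
    fp_growth([(frozenset(t), 1) for t in transactions], q, frozenset(), found)
    c = len(transactions)
    return {pattern: round(x / c, 3) for pattern, x in found if x / c > w}


if __name__ == "__main__":
    q = average_count_threshold(TRANSACTIONS)  # 28 / 9 for the sample above
    patterns = frequent_behaviour_patterns(TRANSACTIONS, q, 0.5)
    for pattern, z in sorted(patterns.items(), key=lambda kv: -kv[1]):
        print(f"Z={z:.3f}  {sorted(pattern)}")
```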
Combining the FP tree with the transaction database avoids data redundancy while ensuring the accuracy of frequent item set extraction, which provides high-quality input for the subsequent trust value calculation; identifying the important behavior items under different contexts in turn ensures the accuracy of the trust value calculation. For example, a particular operation may occur rarely in the behavioral data set as a whole but play a critical role under a particular context;
TF-IDF can effectively capture this rare but important behavior. The convolution layer and the ConvLSTM layer then allow the system to extract deep features of the behavior pattern from multiple dimensions, covering not only spatial features but also time dependence. In practice a user's operations are often continuous and time-dependent, and combining the convolution layer with ConvLSTM lets the system capture the time-series characteristics of the behavior, further improving the accuracy of the trust value evaluation. This combination also ensures that the system can still decide accurately in the face of complex, dynamically changing operational behavior. The behavior patterns are converted into normalized text descriptions by natural language processing tools and then into tensor representations, which keeps the expression of the data clear and the analysis consistent. Natural language processing helps filter out extraneous information so that the system concentrates on the security-related core content. For example, the user's operational behavior is converted into a normalized sentence and then parsed into a tensor, so that the system can analyze the user's behavior comprehensively across multiple dimensions. The tensor structure preserves the spatio-temporal characteristics of the user behavior and, combined with the context awareness data, preserves the environmental context information as well. In a practical scenario, this processing helps the system identify the potential risk of abnormal behavior. For example, sensitive operations performed by a user at unusual times or locations may be marked as high-risk operations, and the system can respond in time.
By combining natural language processing with tensor representation, the system can convert efficiently between structured and unstructured data, ensuring the depth and breadth of the data analysis, and can infer a user's trust value accurately by establishing conditional dependencies between behavioral features and context awareness features through a Bayesian network. The inference takes various uncertainties into account, ensuring that the system can still make a reasonable assessment when facing complex behavior patterns. For example, when some of a user's operations differ markedly from that user's normal operation, the Bayesian network can determine the credibility of the behavior through probabilistic inference and adjust permissions accordingly. This avoids misjudgment caused by a single abnormal feature and improves the robustness of the trust evaluation. Combining the Bayesian network with the preceding steps lets the trust evaluation strategy adapt when the system faces complex and changing security threats, ensuring the overall security of the system.
S2, setting a preliminary security baseline, and comparing the current trust value of the user with the preliminary security baseline to evaluate the trust of the user;
Specifically, setting a preliminary security baseline and comparing the current trust value of the user with it to perform user trust evaluation means calculating the mean value and standard deviation of the trust values of historical normal users and setting the preliminary security baseline from the calculated mean and standard deviation; in this embodiment, if the mean of the user's historical trust values is 0.8 and the standard deviation is 0.1, the baseline range can be set as [0.7, 0.9];
Comparing the current user trust value with the preliminary security baseline, and judging user operation:
if the current trust value is within the baseline range, indicating that the operation meets the expectations;
If the current trust value is not within the baseline range, an anomaly and risk are indicated.
In this embodiment, the system determines an appropriate baseline range (e.g., [0.7, 0.9]) by calculating the mean (e.g., 0.8) and standard deviation (e.g., 0.1) of the historical normal user trust values. This baseline range is set to cover normal user operation behavior effectively while remaining sensitive enough to abnormal behavior that deviates from it. Compared with setting the baseline by fixed rules or experience as in the prior art, setting it in a data-driven way is more accurate and dynamic, adapts to the behavioral differences between user groups and improves the self-adaptability and flexibility of the system; and by comparing the user's current comprehensive trust value with the preliminary security baseline, the system can judge in real time whether the user's operation meets expectations. If the trust value is within the baseline range, indicating that the user's operation conforms to the normal behavior pattern, the system grants the operation authority normally. This real-time comparison mechanism lets the system adjust its trust evaluation of the user dynamically and prevents misjudgment caused by changes in the historical data. If the trust value is not within the baseline range, the system can identify the potential security threat in time and take corresponding security measures. The real-time trust value comparison mechanism improves the system's security protection capability, in particular allowing a rapid response to high-frequency and complex user operations, and reduces security risk.
S3, performing authority control on the user based on the current trust value of the user, performing risk monitoring on the user behavior data and the context awareness data, and performing early warning;
Specifically, performing rights control on the user based on the user's current trust value includes,
If the user trust value is within the baseline range, granting the user corresponding operation authority and access authority, wherein the user can execute the requested operation without limitation, and continuously monitoring the user behavior;
If the user trust value is not in the baseline range, the access authority of the user is immediately limited, the user is prevented from performing high risk operation, the user is subjected to secondary authentication and an emergency alarm is sent to an administrator, and if the user passes the secondary authentication, part of the authority of the user is restored and continuous monitoring is performed.
Granting or limiting authority based on the user trust value breaks through the limitation of traditional static authority management, which typically relies on preset fixed rules that are difficult to reconcile with dynamic changes in user behavior. By adjusting authority dynamically, the invention can grant operation authority promptly when the user's behavior meets expectations, improving user experience and system operating efficiency, and when the user's behavior deviates from the baseline the system can limit authority quickly and avoid potential security threats. For example, when the user trust value is above the baseline range, the system allows the user to access more functional modules, which improves operating convenience, reduces unnecessary security checks and improves the overall performance of the system; the real-time monitoring mechanism ensures that the system continues to track the user's behavior after authority is granted and discovers and responds to possible abnormal operations in time; and when the user trust value falls outside the baseline range, the system further confirms the user's identity through secondary verification, effectively preventing misjudgment and improving system security. The secondary verification mechanism adds further verification means, such as two-factor authentication and biometric recognition, on top of the traditional verification method, further improving the system's ability to confirm the user's identity. After the user passes secondary verification, the system can restore part of the user's rights and keep monitoring the user's behavior, a design that both enhances the fault tolerance of the system and improves the flexibility of protecting and managing users.
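As an added example (not the patent's own code), the following Python implements steps S2 and S3 with the embodiment's numbers: the baseline is mean ± k·std of historical trust values (k = 1 gives [0.7, 0.9] from mean 0.8 and std 0.1), the current trust value is compared against it, and rights are granted, restricted with secondary authentication, or denied. Using the population standard deviation, a trust scale of [0, 1], and restoring only the non-high-risk part of the request after secondary authentication are my assumptions.

```python
"""Steps S2 and S3: data-driven preliminary baseline, trust comparison and rights control.
Added example, not the patent's own code; k = 1, population std, a [0, 1] trust scale and
'restore the non-high-risk part of the request after secondary authentication' are assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, FrozenSet, Iterable


@dataclass(frozen=True)
class Baseline:
    lower: float
    upper: float

    def contains(self, trust: float) -> bool:
        return self.lower <= trust <= self.upper


def set_preliminary_baseline(historical_trust: Iterable[float], k: float = 1.0) -> Baseline:
    """S2, baseline setting: mean +/- k * std of historical normal-user trust values.

    With k = 1 this reproduces the embodiment: mean 0.8 and std 0.1 give [0.7, 0.9].
    """
    values = list(historical_trust)
    if len(values) < 2:
        raise ValueError("need at least two historical trust values")
    mu, sigma = mean(values), pstdev(values)
    # Trust values are assumed to lie in [0, 1], so the range is clamped to that scale.
    return Baseline(max(0.0, mu - k * sigma), min(1.0, mu + k * sigma))


def evaluate_trust(current: float, baseline: Baseline) -> str:
    """S2, comparison: 'expected' inside the baseline range, 'anomalous' outside it."""
    return "expected" if baseline.contains(current) else "anomalous"


@dataclass(frozen=True)
class AccessDecision:
    status: str                  # "granted", "partially_restored" or "denied"
    allowed_ops: FrozenSet[str]  # operations the user may perform right now
    alert_admin: bool            # whether an emergency alarm goes to an administrator
    monitor: bool                # behaviour monitoring continues in every branch


def control_access(current: float, baseline: Baseline, requested_ops: Iterable[str],
                   high_risk_ops: Iterable[str],
                   secondary_auth: Callable[[], bool]) -> AccessDecision:
    """S3, rights control.

    Inside the baseline: grant the requested operations and keep monitoring.
    Outside it: limit access at once, block high-risk operations, alert the administrator
    and require secondary authentication; on success restore the non-high-risk part.
    """
    requested = frozenset(requested_ops)
    if baseline.contains(current):
        return AccessDecision("granted", requested, alert_admin=False, monitor=True)
    restorable = requested - frozenset(high_risk_ops)  # high-risk operations stay blocked
    if secondary_auth():
        return AccessDecision("partially_restored", restorable, alert_admin=True, monitor=True)
    return AccessDecision("denied", frozenset(), alert_admin=True, monitor=True)


if __name__ == "__main__":
    # Constructed history of normal-user trust values with mean 0.8 and population std 0.1.
    history = [0.6, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 1.0]
    baseline = set_preliminary_baseline(history)
    print(f"baseline [{baseline.lower:.2f}, {baseline.upper:.2f}]")
    for trust in (0.85, 0.55):
        print(trust, evaluate_trust(trust, baseline),
              control_access(trust, baseline, ["read", "export"], ["export"],
                             secondary_auth=lambda: True))
```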
Further, performing risk monitoring and early warning on the user behavior data and the context awareness data means monitoring the user's behavior data and context awareness data in real time and identifying operations that deviate from the security baseline as well as abnormal context awareness; if an abnormal condition appears in the user behavior data or the context awareness data, an early warning is sent automatically to notify the responsible manager to carry out emergency handling; after the emergency handling, the abnormal conditions that occurred are integrated into an abnormal report; and the real-time data and the abnormal reports generated during the evaluation are stored and access control is implemented.
By monitoring the user's behavioral data and context awareness data in real time, the system can identify potential security risks at the earliest moment. For example, a user attempting to access a sensitive resource at an unexpected time or place may represent a potential intrusion threat. Through real-time monitoring, the system can discover and respond to such abnormal conditions in time, ensuring the overall security of the system, and the automatic early warning mechanism ensures that the system takes emergency measures quickly when a risk is detected, reducing the rate of security incidents. By notifying an administrator promptly, the system achieves a quick response and effectively prevents potential threats from spreading, and the abnormal report provides the system and the administrator with a detailed event record and analysis results, which supports later review and optimization of security policies. By integrating the abnormal conditions, the system can summarize and identify common security threat patterns and further improve its security protection measures.
Further, storing the real-time data and the abnormal reports generated during the evaluation and implementing access control means storing, in a classified manner, the real-time data collected during the evaluation (the user's behavior data, context awareness data and trust value calculation results) together with the data and abnormal reports generated during risk evaluation: the real-time data is stored in a real-time database in time order, the abnormal reports are stored in an abnormal event database, access authority is set according to the user's role and trust value, and an access log is generated after each data access.
Storing the real-time data and the abnormal reports separately effectively improves data management efficiency. Real-time data and exception reports usually have different characteristics and usage scenarios, and classified storage helps the system locate the needed information quickly when processing and accessing data, reducing the complexity of data queries. Classified storage also improves data security by separating abnormal data from normal data, which facilitates special processing and monitoring of abnormal events. This storage scheme avoids data confusion and misuse and gives the system a more refined means of management; storing real-time data in a real-time database ensures the timeliness and accuracy of the data, and setting access rights according to users' roles and trust values realizes a more precise and dynamic access control mechanism.
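An added example (not from the patent) covering the monitoring, early-warning, classified-storage and access-control steps described in the preceding paragraphs: events are checked against the baseline and against context (time of day, device), an alert goes to the administrator, the incident is filed as an anomaly report in a separate store, real-time records are kept in time order, and every read is checked against role and trust value and written to an access log. The working hours, the known-device list, the role policy and the report fields are my assumptions.

```python
"""Risk monitoring, early warning and classified storage with role/trust access control.
Added example, not the patent's own code; working hours, known devices, the access policy
and the report fields are assumptions."""
import bisect
from contextlib import suppress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set, Tuple

WORK_HOURS = range(8, 19)  # assumed normal working hours, 08:00-18:59


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    operation: str
    device: str   # context awareness: the device the operation came from
    trust: float  # current trust value produced by the trust value calculation step


def detect_risk(event: Event, baseline: Tuple[float, float],
                known_devices: Dict[str, Set[str]]) -> List[str]:
    """Reasons the event is abnormal; an empty list means it meets expectations."""
    lo, hi = baseline
    reasons = []
    if not lo <= event.trust <= hi:
        reasons.append(f"trust {event.trust:.2f} outside baseline [{lo:.2f}, {hi:.2f}]")
    if event.ts.hour not in WORK_HOURS:
        reasons.append(f"operation at unusual time {event.ts.isoformat()}")
    if event.device not in known_devices.get(event.user, set()):
        reasons.append(f"unfamiliar device {event.device!r}")
    return reasons


class EvaluationStore:
    """Time-ordered real-time store plus a separate anomaly store; every read is checked and logged."""

    def __init__(self) -> None:
        self._ts: List[datetime] = []     # sort keys kept parallel to _realtime
        self._realtime: List[dict] = []
        self._anomalies: List[dict] = []
        self.access_log: List[dict] = []

    def store_realtime(self, event: Event) -> None:
        i = bisect.bisect_right(self._ts, event.ts)  # insert in chronological order
        self._ts.insert(i, event.ts)
        self._realtime.insert(i, {"ts": event.ts, "user": event.user, "operation": event.operation,
                                  "device": event.device, "trust": event.trust})

    def store_anomaly_report(self, report: dict) -> None:
        self._anomalies.append(report)

    @staticmethod
    def authorized(store: str, role: str, trust: float, baseline_lo: float) -> bool:
        """Access policy (assumed): nobody below the baseline, admins read both stores,
        analysts read anomaly reports only, ordinary users read neither."""
        if trust < baseline_lo:
            return False
        if role == "admin":
            return True
        return role == "analyst" and store == "anomalies"

    def read(self, store: str, role: str, trust: float, baseline_lo: float) -> List[dict]:
        ok = self.authorized(store, role, trust, baseline_lo)
        self.access_log.append({"store": store, "role": role, "trust": trust,
                                "granted": ok, "at": datetime.now(timezone.utc)})
        if not ok:
            raise PermissionError(f"{role} (trust {trust:.2f}) may not read {store}")
        return list(self._anomalies if store == "anomalies" else self._realtime)


def process_event(event: Event, baseline: Tuple[float, float], known_devices: Dict[str, Set[str]],
                  store: EvaluationStore, notify_admin: Callable[[str], None]) -> List[str]:
    """Store the real-time record, detect risk, send the early warning, file the report."""
    store.store_realtime(event)
    reasons = detect_risk(event, baseline, known_devices)
    if reasons:
        notify_admin(f"{event.user}: {event.operation} -> {'; '.join(reasons)}")
        # After the emergency handling the incident is integrated into an anomaly report.
        store.store_anomaly_report({"ts": event.ts, "user": event.user,
                                    "operation": event.operation, "reasons": reasons})
    return reasons


def sample_events() -> List[Event]:
    """Two constructed events: a normal one, and one that trips all three checks."""
    return [Event(datetime(2024, 10, 29, 10, 0, tzinfo=timezone.utc), "alice", "read_report", "laptop-1", 0.85),
            Event(datetime(2024, 10, 29, 2, 30, tzinfo=timezone.utc), "alice", "export_db", "usb-host-7", 0.55)]


def run_demo() -> Tuple[EvaluationStore, List[List[str]]]:
    baseline, known = (0.7, 0.9), {"alice": {"laptop-1"}}   # embodiment range, constructed devices
    store, alerts = EvaluationStore(), []
    results = [process_event(e, baseline, known, store, alerts.append) for e in sample_events()]
    store.read("anomalies", "admin", 0.9, baseline[0])      # logged as granted
    with suppress(PermissionError):
        store.read("realtime", "user", 0.9, baseline[0])    # logged as denied
    return store, results
```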
Example 2
Referring to fig. 2, a second embodiment of the present invention, which differs from the previous embodiment, provides a security baseline trust evaluation system based on user behavior, which includes,
The data collection module is used for collecting real-time and historical user behavior data and corresponding context awareness data and preprocessing the collected data;
The frequent item extraction module is used for screening out high-frequency behavior items and context awareness items, constructing an FP tree, generating a frequent item set, calculating the support degree and screening out frequent behavior modes;
the feature processing module is used for generating a sentence analysis tree through a sentence analysis tool, extracting phrases and structural features in the sentence, and converting the phrases and the features into tensor representations;
The trust value calculation module is used for carrying out trust value inference by using the Bayesian network model, calculating a trust value based on user behavior characteristics and context awareness characteristics, carrying out forward inference on the real-time user behavior characteristic vector, generating posterior probability distribution of the trust value, and outputting a final trust value;
the permission control module is used for judging the normal condition of the user behavior, performing permission control based on the current trust value of the user, and granting or limiting the operation permission of the user;
The early warning module is used for monitoring the behavior data and context awareness data of a user in real time, identifying operations deviating from the security baseline and abnormal context awareness, issuing early warnings for abnormal conditions and generating an abnormal report, storing the abnormal report and the real-time data in a database, and implementing access control.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes a usb disk, a removable hard disk, a Read-only memory (ROM), a random access memory (RAM, random Access Memory), a magnetic disk, an optical disk, or other various media capable of storing program codes.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium include an electrical connection (an electronic device) having one or more wires, a portable computer diskette (a magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of techniques known in the art: discrete logic circuits with logic gates for implementing logic functions on data signals, application specific integrated circuits with appropriate combinational logic gates, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and the like.
Claims (10)
1. A security baseline trust evaluation method based on user behavior is characterized by comprising the following steps of,
Collecting behavior data and context awareness data of a user, analyzing the behavior data and the context awareness data of the user, and calculating a current trust value of the user;
Setting a preliminary safety baseline, and comparing the current trust value of the user with the preliminary safety baseline to evaluate the trust of the user;
And performing authority control on the user based on the current trust value of the user, performing risk monitoring on the user behavior data and the context awareness data, and performing early warning.
2. The method for evaluating the security baseline trust based on the user behavior according to claim 1, wherein the step of collecting the user behavior data and the context awareness data is to collect real-time user behavior data and context awareness data and historical user behavior data and context awareness data and perform data cleaning, deduplication and data normalization on the data.
3. The method for evaluating the security baseline trust based on the user behavior according to claim 2, wherein the analyzing the user behavior data and the context awareness data, calculating the current trust value of the user means that the user behavior data and the context awareness data are combined to generate a data set and converted into a form of transaction database, and each transaction represents the operation behavior of the user under different time periods and context awareness;
Counting the occurrence times of each behavior item and context awareness item in the primary scanning data set, setting a frequency threshold Q, screening out the behavior items and context awareness items with the occurrence times exceeding the frequency threshold Q, generating a frequent item list, and carrying out descending sorting on the frequent items according to the occurrence frequency of the items;
Scanning the data set again, inserting frequent items of each transaction into the FP tree according to the sequence in the list, generating a frequent item set by recursively traversing the FP tree, calculating the data support degree Z and setting a support degree threshold W, screening out the frequent item set higher than the support degree threshold W as a frequent behavior mode, and storing the frequent behavior mode in the blockchain;
Extracting context awareness data from the behavior mode as background data and combining the user operation behavior data to form complete mode description, determining the sequence of user operation behaviors according to the arrangement sequence of behavior items in the FP tree, setting a natural language description template, filling the identified behavior operation and context awareness data into the template to generate a sentence of natural language description, and checking through a natural language processing tool;
Inputting the text sentence into a sentence analysis tool to generate a sentence analysis tree, segmenting the complete sentence analysis tree into a plurality of subtrees, extracting phrases from the segmented subtrees corresponding to different parts of the sentence by each subtree, and performing structural optimization on the extracted phrases;
taking the phrases extracted from the sentence analysis tree as text features, extracting operation sequences and time features in the behavior mode, and extracting context awareness features in context awareness data;
converting phrases extracted from the analysis tree into tensor representations, defining tensor dimensions, taking different phrases in the text sentence as first dimensions of the tensor, taking operation sequence and time information in the behavior mode as second dimensions of the tensor, and taking context awareness data as third dimensions of the tensor;
Initializing a three-dimensional tensor with the shape of (Hin, Win, Din), filling the tensor with text features along the Hin dimension, filling the tensor with behavior features along the Win dimension, and filling the tensor with context awareness features along the Din dimension;
Calculating the occurrence frequency of each phrase in the behavior mode, mapping the result to the Hin dimension of the tensor, calculating the rarity of each feature in the whole behavior mode set, mapping the result to each position of the tensor, and filling the weight value into the corresponding position of the tensor according to the TF-IDF calculation result;
Performing depth feature extraction on the feature tensor by applying a convolution layer operation to generate a convolution feature map, initializing a ConvLSTM layer, inputting the feature map generated by the convolution layer into the ConvLSTM layer, performing cyclic calculation through a time step, extracting time sequence features of a behavior mode to generate a ConvLSTM feature map, splicing and integrating the feature maps generated by the convolution layer and the ConvLSTM layer to form a comprehensive feature representation, performing the Flatten operation on the integrated feature map, and flattening the multidimensional feature map into a one-dimensional vector;
Screening features by using an L1 regularization method, discretizing the screened continuous feature values, setting a discretization interval according to the distribution of the feature values, and mapping the feature values into the discretization interval;
combining the discretized feature values into complete feature vectors, inputting the generated feature vectors into a Bayesian network model for trust value inference, including defining input nodes of the Bayesian network model as behavior feature nodes and context awareness feature nodes, defining output nodes as trust values of user behaviors, determining condition dependency relations among the input nodes, and establishing a condition probability table for each node;
Constructing a topological structure of a Bayesian network by using a Bayesian network tool, connecting nodes and edges into a directed acyclic graph, and representing the condition dependency relationship of each node by the edges;
Collecting historical feature vectors and corresponding trust labels as training data, inputting the training data into a Bayesian network model for model training, evaluating the generalization performance of the model through cross validation, and acquiring a trained Bayesian network model after optimizing the Bayesian network structure and parameters according to the evaluation result;
Inputting the real-time user behavior feature vector and the context awareness feature vector into a Bayesian network model, performing forward inference on the input features by the Bayesian network model, and calculating posterior probability distribution of trust value nodes;
and sorting the output probability values, selecting the trust state with the highest probability as a selection result of the maximum posterior probability selection method according to the sorting result, and mapping the selected trust state into a final trust value by using a nonlinear mapping method.
4. The method for evaluating the trust of the safety baseline based on the user behavior of claim 3, wherein the steps of setting a preliminary safety baseline, comparing the current trust value of the user with the preliminary safety baseline, performing user trust evaluation, namely calculating the mean value and the standard deviation of the trust value of a historical normal user, and setting the preliminary safety baseline according to the calculated mean value and standard deviation;
Comparing the current user trust value with the preliminary security baseline, and judging user operation:
if the current trust value is within the baseline range, indicating that the operation meets the expectations;
If the current trust value is not within the baseline range, an anomaly and risk are indicated.
5. The method for security baseline trust evaluation based on user behavior according to claim 4, wherein controlling the user rights based on the current trust value of the user comprises,
If the user trust value is within the baseline range, granting the user corresponding operation authority and access authority, and allowing the user to execute the requested operation without limitation, so as to continuously monitor the user behavior;
If the user trust value is not in the baseline range, the access authority of the user is immediately limited, the user is prevented from performing high risk operation, the user is subjected to secondary authentication and an emergency alarm is sent to an administrator, and if the user passes the secondary authentication, part of the authority of the user is restored and continuous monitoring is performed.
6. The method for evaluating the security baseline trust based on the user behavior according to claim 5, wherein the steps of performing risk monitoring and early warning on the user behavior data and the context awareness data are performed by monitoring the user behavior data and the context awareness data in real time, identifying the operation deviating from the security baseline and abnormal context awareness, automatically sending out early warning to inform a related manager to perform emergency treatment if the user behavior data and the context awareness data are abnormal, integrating the generated abnormal conditions after the emergency treatment to generate an abnormal report, storing the real-time data and the abnormal report generated in the evaluation process, and implementing access control.
7. The method for evaluating the security baseline trust based on the user behavior according to claim 6, wherein the steps of storing the real-time data and the abnormal report generated in the evaluation process and implementing the access control are that the real-time data collected in the evaluation process comprises the behavior data, the context awareness data, the trust value calculation result of the user and the data and the abnormal report generated in the risk evaluation process are stored in a classified manner, the real-time data is stored in a real-time database according to the time sequence, the abnormal report is stored in an abnormal event database, the access authority is set according to the roles and the trust values of the user, and the access log is generated after the data access.
8. A user behavior based security baseline trust evaluation system based on the user behavior based security baseline trust evaluation method according to any one of claims 1 to 7, comprising,
The data collection module is used for collecting real-time and historical user behavior data and corresponding context awareness data and preprocessing the collected data;
The frequent item extraction module is used for screening out high-frequency behavior items and context awareness items, constructing an FP tree, generating a frequent item set, calculating the support degree and screening out frequent behavior modes;
the feature processing module is used for generating a sentence analysis tree through a sentence analysis tool, extracting phrases and structural features in the sentence, and converting the phrases and the features into tensor representations;
The trust value calculation module is used for carrying out trust value inference by using the Bayesian network model, calculating a trust value based on user behavior characteristics and context awareness characteristics, carrying out forward inference on the real-time user behavior characteristic vector, generating posterior probability distribution of the trust value, and outputting a final trust value;
the permission control module is used for judging the normal condition of the user behavior, performing permission control based on the current trust value of the user, and granting or limiting the operation permission of the user;
The early warning module is used for monitoring the behavior data and context awareness data of a user in real time, identifying operations deviating from the security baseline and abnormal context awareness, issuing early warnings for abnormal conditions and generating an abnormal report, storing the abnormal report and the real-time data in a database, and implementing access control.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the user behavior based security baseline trust evaluation method of any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the user behavior based security baseline trust evaluation method of any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411521885.XA CN119652552A (en) | 2024-10-29 | 2024-10-29 | Security baseline trust evaluation method and system based on user behavior |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119652552A true CN119652552A (en) | 2025-03-18 |
Family ID: 94951639
Similar Documents
| Publication | Title |
|---|---|
| US10706229B2 (en) | Content aware heterogeneous log pattern comparative analysis engine |
| CN111813960B (en) | Knowledge graph-based data security audit model device, method and terminal equipment |
| EP3872637A1 (en) | Application programming interface assessment |
| CN119071052A (en) | Network anomaly monitoring method and system for switch |
| CN117094184B (en) | Modeling method, system and medium of risk prediction model based on intranet platform |
| CN117436073B (en) | Security log alarming method, medium and equipment based on intelligent label |
| CN117540372B (en) | Database intrusion detection and response system for intelligent learning |
| CN119249440A (en) | Data security analysis method and intelligent data security workstation |
| CN117692203A (en) | An intelligent recommendation method and system for event handling strategies |
| CN119830308B (en) | File management system and method based on data analysis |
| CN118972162B (en) | Network resource access control method and system based on identity authentication and port perception |
| CN114443409B (en) | Payment service system monitoring method, device and equipment and computer storage medium |
| CN111475380A (en) | Log analysis method and device |
| CN119886702A (en) | Power grid safety production detection method and device, electronic equipment and storage medium |
| CN119341888A (en) | Security early warning methods, devices, equipment, media and program products |
| CN119204686A (en) | A construction worker safety risk assessment and early warning method, device and equipment |
| CN118965234A (en) | A method and system for preventing enterprise data assets from leaking |
| CN115913596A (en) | A method for comprehensive assessment and analysis of network data security situation |
| CN116405287B (en) | Industrial control system network security assessment method, equipment and medium |
| CN118332500A (en) | Multi-source data intelligent fusion method for service asset detection on cloud |
| CN117370548A (en) | User behavior risk identification method, device, electronic equipment and medium |
| KR102661221B1 (en) | A method to detect abnormal symptoms occurring during login using text generated during login |
| CN119652552A (en) | Security baseline trust evaluation method and system based on user behavior |
| CN113656271B (en) | Method, device, equipment and storage medium for processing abnormal behaviors of user |
| Bozyiğit et al. | MACHINE LEARNING BASED SECURITY ANALYSIS: ALARM GENERATION AND THREAT FORECASTING |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
|  | PB01 | Publication |  |