
CN119814475B - Monitoring abnormality investigation method and monitoring system thereof - Google Patents


Info

Publication number: CN119814475B
Authority: CN (China)
Prior art keywords: disconnection, reconnection, operation data, risk value, risk
Legal status: Active
Application number: CN202510293969.0A
Other languages: Chinese (zh)
Other versions: CN119814475A
Inventor: 康俊燕
Current assignee: Zhongyulian Cloud Computing Service Shanghai Co ltd
Original assignee: Zhongyulian Cloud Computing Service Shanghai Co ltd
Events: application filed by Zhongyulian Cloud Computing Service Shanghai Co ltd; priority to CN202510293969.0A; publication of CN119814475A; application granted; publication of CN119814475B; legal status Active (current)

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The present invention belongs to the field of computer technology and provides a monitoring anomaly investigation method and a monitoring system thereof. The method comprises: after a disconnection reconnection device completes one identity authentication, setting a basic communication mode between the device and a target server; obtaining first operation data of the device during the disconnection reconnection period, and obtaining second operation data, for the same period, of several associated computer devices that have a preset association relationship with the device; using a risk analysis model to assess the first and second operation data and obtain a comprehensive risk value; and, if the comprehensive risk value is higher than a risk threshold, performing a secondary identity authentication on the device, otherwise switching the basic communication mode to the normal communication mode. By investigating the risk of the reconnecting device, the invention reduces the risk that an abnormal disconnection reconnection device poses a security threat to the target server.

Description

Monitoring abnormality investigation method and monitoring system thereof
Technical Field
The invention relates to the technical field of computers, and in particular to a monitoring abnormality investigation method and a monitoring system thereof.
Background
In the current digital age, devices of many kinds are connected into computer systems, and devices frequently disconnect and reconnect. When a device disconnects and reconnects, the prior art often lacks an effective mechanism for comprehensive risk investigation. The conventional approach simply authenticates the device's identity and restores its normal communication function as soon as authentication passes, without fully considering the risks the device may have faced while disconnected, such as malicious tampering or network attack, so the computer system may be exposed to a security threat.
Therefore, designing a new abnormality detection scheme for disconnection reconnection devices, so as to ensure the safe and stable operation of the computer system, is a technical problem that currently needs to be solved.
Disclosure of Invention
In view of the above technical problems, the present invention provides a monitoring anomaly investigation method, a monitoring system, an electronic device, a computer storage medium and a computer program product.
The invention discloses a monitoring abnormality investigation method applied to a monitoring cloud, comprising the following steps:
after the disconnection reconnection device completes one identity authentication, setting a basic communication mode between the disconnection reconnection device and a target server, wherein only the uploading and downloading of data of specified types is allowed in the basic communication mode;
acquiring first operation data of the disconnection reconnection device during the disconnection reconnection period, and acquiring second operation data, during the same period, of a plurality of associated computer devices that have a preset association relationship with the disconnection reconnection device;
and performing risk assessment on the first operation data and the second operation data using a risk analysis model to obtain a comprehensive risk value; if the comprehensive risk value is higher than a risk threshold, performing secondary identity authentication on the disconnection reconnection device, otherwise switching the basic communication mode to a normal communication mode.
Optionally, acquiring the first operation data of the disconnection reconnection device during the disconnection reconnection period includes:
acquiring a historical disconnection record of the disconnection reconnection device, counting the number of distinct disconnection causes in the historical disconnection record, and obtaining a first dynamic adjustment coefficient from that number;
adjusting the standard acquisition duration corresponding to the device type of the disconnection reconnection device by the first dynamic adjustment coefficient to obtain a target acquisition duration;
and acquiring the first operation data of the disconnection reconnection device in the disconnection reconnection period with the disconnection time as the reference point, wherein the length of the disconnection reconnection period is the target acquisition duration.
Optionally, performing risk assessment on the first operation data and the second operation data using the risk analysis model to obtain a comprehensive risk value includes:
performing risk assessment on the business data in the first operation data and the second operation data using the risk analysis model to obtain a business risk value;
if the business risk value is higher than a business risk threshold, setting the comprehensive risk value to a preset value;
and if the business risk value is not higher than the business risk threshold, extracting first disconnection operation data of the disconnection reconnection device from the first operation data, extracting second disconnection operation data of the associated computer devices from the second operation data, and performing risk assessment on the first and second disconnection operation data according to a preset logic rule to obtain the comprehensive risk value.
Optionally, extracting the first disconnection operation data of the disconnection reconnection device from the first operation data, extracting the second disconnection operation data of the associated computer devices from the second operation data, and performing risk assessment on the first and second disconnection operation data according to the preset logic rule to obtain the comprehensive risk value includes:
extracting a first disconnection time and a first reconnection time of the disconnection reconnection device from the first operation data, and calculating a first reconnection waiting time from the first disconnection time and the first reconnection time;
extracting a second disconnection time and a second reconnection time of each associated computer device from the second operation data, and calculating a second reconnection waiting time from the second disconnection time and the second reconnection time;
determining a disconnection sequence of the disconnection reconnection device and each associated computer device from the first disconnection time and each second disconnection time;
judging the overall matching degree between the disconnection sequence and a standard disconnection sequence, and obtaining a first risk value from the overall matching degree, wherein the standard disconnection sequence corresponds to the disconnection reconnection device;
comparing the deviation of the first reconnection waiting time and of each second reconnection waiting time from the corresponding standard reconnection waiting time, and determining a second risk value from the deviation comparison result;
and fusing the first risk value and the second risk value to obtain the comprehensive risk value.
Optionally, fusing the first risk value and the second risk value to obtain the comprehensive risk value includes:
fusing the first risk value and the second risk value to obtain a preliminary comprehensive risk value;
retrieving a second dynamic adjustment coefficient of the disconnection reconnection device, and adjusting the preliminary comprehensive risk value by the second dynamic adjustment coefficient to obtain the comprehensive risk value;
wherein the second dynamic adjustment coefficient is derived from the historical execution of the standard disconnection sequence.
The invention also discloses a monitoring system applied to the monitoring cloud. The system comprises a processing device and a storage device, and the computer code stored in the storage device is called and executed by the processing device to carry out the following steps:
after the disconnection reconnection device completes one identity authentication, setting a basic communication mode between the disconnection reconnection device and a target server, wherein only the uploading and downloading of data of specified types is allowed in the basic communication mode;
acquiring first operation data of the disconnection reconnection device during the disconnection reconnection period, and acquiring second operation data, during the same period, of a plurality of associated computer devices that have a preset association relationship with the disconnection reconnection device;
and performing risk assessment on the first operation data and the second operation data using a risk analysis model to obtain a comprehensive risk value; if the comprehensive risk value is higher than a risk threshold, performing secondary identity authentication on the disconnection reconnection device, otherwise switching the basic communication mode to a normal communication mode.
The invention also discloses an electronic device comprising at least one processor, a memory and a computer program stored in the memory and executable on the at least one processor, the processor executing the computer program to implement the method as described in any one of the preceding.
The invention also discloses a computer storage medium storing a computer program for execution by a processor to implement a method as described in any of the preceding.
The invention also discloses a computer program product comprising computer code which, when executed by a processor of an electronic device, implements a method as described in any of the preceding.
The advantages of the invention are as follows:
the scheme analyses the abnormal risk comprehensively by combining the operation data of the disconnection reconnection device and of the associated computer devices during the disconnection reconnection period, thereby completing the risk investigation of the disconnection reconnection device and reducing the risk that an abnormal disconnection reconnection device poses a security threat to the target server.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a monitoring anomaly investigation method disclosed in an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a monitoring system according to an embodiment of the present invention.
Detailed Description
Other advantages and effects of the present application will become apparent to those skilled in the art from the following detailed description, which illustrates certain specific embodiments, but not all embodiments. All other embodiments that those skilled in the art can obtain from the embodiments of the application without inventive effort fall within the scope of the application.
In addition, the technical features of the different embodiments of the present application described below may be combined with each other as long as they do not conflict.
In view of the above technical problems, as shown in Fig. 1, an embodiment of the present invention discloses a monitoring anomaly investigation method applied to a monitoring cloud, comprising the following steps:
S101, after the disconnection reconnection device completes one identity authentication, setting a basic communication mode between the disconnection reconnection device and a target server, wherein the basic communication mode only allows the uploading and downloading of specified types of data.
The monitoring cloud may communicate with each connected computer device via, for example, eBPF (Extended Berkeley Packet Filter) technology to receive communication data from the devices, enabling status monitoring of computer devices at large scale. For example, the computer devices are financial transaction computers in a financial transaction system, distributed across securities business departments, bank branches, financial data centres and so on, and the monitoring cloud monitors their running state and manages the communication connection between each computer device and the target server.
A monitored computer device may be disconnected from the monitoring cloud by a communication fault or the like and then try to re-establish the connection, for example by restarting the whole machine or restarting its communication module; at that moment the computer device is a disconnection reconnection device. The disconnection reconnection device must send identity data (including key information such as its device number, the code of its organisation and its digital certificate) to the monitoring cloud for verification. Since the device may have faced security risks while disconnected, the monitoring cloud does not immediately restore all of its communication functions; after verification passes, it limits communication between the device and the target server to a basic communication mode, in which only data of specified types may be uploaded and downloaded (the device's identity data and its current basic running state, such as CPU temperature and free memory, none of which involves sensitive transaction information). This prevents a device that may be at risk from performing large-scale data interaction before it has been sufficiently investigated, and so avoids a security threat to the computer system.
S102, acquiring first operation data of the disconnection reconnection device during the disconnection reconnection period, and acquiring second operation data, during the same period, of a plurality of associated computer devices that have a preset association relationship with the disconnection reconnection device.
The monitoring cloud then obtains the first operation data of the disconnection reconnection device in the disconnection reconnection period, which runs from a certain time before the disconnection time (for example, 10 s before disconnection) to the time at which reconnection begins. Taking the transaction computer of a securities business department as an example, the monitoring cloud obtains the detailed log records of the transaction software during the disconnection period through a secure communication channel established in advance with the transaction computer. These logs are screened for abnormal login attempts, such as multiple attempts within a short period to log in to different transaction accounts with incorrect passwords, and for unauthorised programs attempting to modify default parameters of transaction orders, such as price limits or upper limits on transaction amounts.
At the same time, the monitoring cloud also acquires, for the same period, the second operation data of a plurality of associated computer devices that have a preset (manually designated) association relationship with the disconnection reconnection device. An associated computer device may be an auxiliary device supporting the transaction computer, such as a data storage server, a monitoring and early-warning server or an associated business exchange server, or a computer or server of another financial system (for example, a banking system) that has business dealings with the transaction computer. Whether the operation data of the associated computer devices in the same period is abnormal can be used to assist in judging whether the disconnection and reconnection behaviour of the transaction computer is abnormal.
S103, performing risk assessment on the first operation data and the second operation data using a risk analysis model to obtain a comprehensive risk value; if the comprehensive risk value is higher than a risk threshold, performing secondary identity authentication on the disconnection reconnection device, otherwise switching the basic communication mode to a normal communication mode.
After the first operation data of the disconnection reconnection device and the second operation data of the associated devices have been obtained, the monitoring cloud uses a pre-trained risk analysis model to perform in-depth analysis and risk assessment of the data.
For example, a risk threshold of 75 points is preset on the basis of past security events and risk assessment experience. When the calculated comprehensive risk value is 85 points, clearly above the risk threshold, the monitoring cloud immediately triggers a secondary identity authentication process. This includes, but is not limited to, requiring staff of the securities business department to scan, with a mobile authentication app dedicated to the financial system, a dynamic two-dimensional code displayed on the device and to enter a randomly generated one-time password, combined with biometric recognition such as fingerprint or facial recognition, for multi-factor identity verification. This strict secondary identity authentication further confirms the validity of the device and the true identity of its operator, effectively preventing illegal devices or malicious personnel from exploiting the device's disconnection window to perform financial transaction operations.
If the calculated comprehensive risk value is 65 points, below the risk threshold, the monitoring cloud judges that no abnormal condition serious enough to threaten the security of financial transactions occurred during the disconnection reconnection period of the disconnection reconnection device. It then switches the basic communication mode between the device and the monitoring cloud to the normal communication mode. The trading computer of the securities business department can resume normal financial trading operations, such as receiving stock quotation data, buying and selling stocks for clients and executing fund transfers, and all other complex, high-frequency financial trading business, ensuring that this business proceeds efficiently and smoothly.
In this scheme, the abnormal risk is analysed comprehensively by combining the operation data of the disconnection reconnection device and of the associated computer devices during the disconnection reconnection period, thereby completing the risk investigation of the disconnection reconnection device and reducing the risk that an abnormal disconnection reconnection device poses a security threat to the target server.
It should be noted that the above scheme of the present invention applies not only to financial transaction systems but also to, for example, industrial control systems, intelligent transportation systems and medical information systems; all of these contain various computer devices (for example, order data import computers, signal controllers, doctor terminals) that must communicate with their corresponding target servers under the supervision of the monitoring cloud. In addition, the risk analysis model is trained in advance on the actual operation data of the corresponding application system, and may be built, for example, on a Transformer or a general-purpose large model (for example, the GPT series); this is not described in detail here.
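The following is an added example (not code from the patent or its assignee) of the communication-mode gate described in S101 and S103: a reconnecting device is held in a basic mode that permits only an allow-list of data types, and the composite risk value decides whether the session moves to normal mode or must first pass secondary authentication. The allow-list (`identity`, `basic_status`), the device id, the `quotation` and `transaction_order` data types, the two-factor secondary check, and the function names are all assumptions made for the example; the 75-point threshold and the 85/65 scenarios come from the text.

```python
"""Communication-mode gate for a reconnecting device (added example, not the patent's own code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple

RISK_THRESHOLD = 75  # page example: 85 triggers secondary auth, 65 restores normal mode

# Data types the basic mode allows; constructed from the page's examples
# (device identity data and basic running state such as CPU temperature, free memory).
BASIC_MODE_TYPES = frozenset({"identity", "basic_status"})


class CommMode(Enum):
    BASIC = "basic"
    NORMAL = "normal"


@dataclass
class ReconnectSession:
    device_id: str
    mode: CommMode = CommMode.BASIC           # S101: basic mode right after the first authentication
    pending_secondary_auth: bool = False
    audit: List[Tuple[str, str, bool]] = field(default_factory=list)  # (direction, type, allowed)

    def transfer_allowed(self, direction: str, data_type: str) -> bool:
        """Enforce the mode: in BASIC only allow-listed types pass, in either direction."""
        allowed = self.mode is CommMode.NORMAL or data_type in BASIC_MODE_TYPES
        self.audit.append((direction, data_type, allowed))
        return allowed


def open_session_after_primary_auth(device_id: str) -> ReconnectSession:
    """The first identity check has passed; the session starts restricted."""
    return ReconnectSession(device_id)


def apply_risk_decision(session: ReconnectSession, composite_risk: float,
                        threshold: float = RISK_THRESHOLD) -> ReconnectSession:
    """S103: above the threshold demand secondary authentication; otherwise open normal mode."""
    if composite_risk > threshold:
        session.pending_secondary_auth = True
    else:
        session.mode = CommMode.NORMAL
    return session


def complete_secondary_auth(session: ReconnectSession, otp_ok: bool, biometric_ok: bool) -> ReconnectSession:
    """Assumed two-factor secondary check: both factors must pass before leaving basic mode."""
    if session.pending_secondary_auth and otp_ok and biometric_ok:
        session.pending_secondary_auth = False
        session.mode = CommMode.NORMAL
    return session


def walkthrough(composite_risk: float) -> dict:
    """Run one reconnect through the gate and report what was allowed at each stage."""
    s = open_session_after_primary_auth("trader-01")  # constructed device id
    blocked_in_basic = not s.transfer_allowed("upload", "transaction_order")  # sensitive: blocked
    status_in_basic = s.transfer_allowed("upload", "basic_status")            # allow-listed: passes
    apply_risk_decision(s, composite_risk)
    secondary_required = s.pending_secondary_auth
    after_gate = s.transfer_allowed("download", "quotation")                  # normal-mode data
    if secondary_required:
        complete_secondary_auth(s, otp_ok=True, biometric_ok=True)
    after_auth = s.transfer_allowed("download", "quotation")
    return {
        "blocked_in_basic": blocked_in_basic,
        "status_in_basic": status_in_basic,
        "secondary_auth_required": secondary_required,
        "after_gate": after_gate,
        "after_auth": after_auth,
        "mode": s.mode.value,
        "audit": s.audit,
    }


if __name__ == "__main__":
    for risk in (85, 65):
        print(risk, walkthrough(risk))
```

The audit list records every transfer decision, which is what an operator would want to review when a session stays in basic mode longer than expected; with the 85-point scenario the quotation download is refused until secondary authentication completes, with 65 points it passes immediately.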
Optionally, acquiring the first operation data of the disconnection reconnection device during the disconnection reconnection period includes:
acquiring a historical disconnection record of the disconnection reconnection device, counting the number of distinct disconnection causes in the historical disconnection record, and obtaining a first dynamic adjustment coefficient from that number;
adjusting the standard acquisition duration corresponding to the device type of the disconnection reconnection device by the first dynamic adjustment coefficient to obtain a target acquisition duration;
and acquiring the first operation data of the disconnection reconnection device in the disconnection reconnection period with the disconnection time as the reference point, wherein the length of the disconnection reconnection period is the target acquisition duration.
In this embodiment, the operation data of the disconnection reconnection device in a period before the disconnection can be used to reflect whether there is an abnormality. For example, if the disconnection reconnection device shows clear signs of data transmission failure before the disconnection, this indicates that the area in which it is located may have problems such as electromagnetic interference or line faults that make data transmission unstable. If, on the other hand, the disconnection reconnection device was operating normally before the disconnection, it may have been exposed to an abnormal condition, and its risk value is higher. In addition, the "abnormality" of the present invention may include an abnormality in the business content, which is described in detail later.
As for the acquisition duration of the first operation data: taking the disconnection time as the reference point, the period extends forward to the reconnection time and backward (that is, into the past) to a preset time, and the time between that preset time and the reconnection time is the acquisition duration. Specifically:
the historical disconnection record of the disconnection reconnection device is obtained first; it comprises a number of disconnection records of the device, each of which also carries the corresponding disconnection cause, such as line ageing, electromagnetic interference or a software fault. When the fault causes are more diverse, more operation data before the disconnection must be acquired so that the risk analysis model can accurately determine whether the disconnection reconnection device disconnected for a conventional reason or for an unconventional, abnormal reason (such as an intruder deliberately unplugging it); otherwise, less operation data from a shorter period before the disconnection suffices. The number of distinct disconnection causes (that is, how many kinds of cause there are in total) is then counted, and a first dynamic adjustment coefficient is obtained by matching on that number, the first dynamic adjustment coefficient being positively correlated with the number of causes.
The different computer devices are grouped in advance; each computer device corresponds to one device type, such as transaction devices and data management devices, and different device types correspond to different standard acquisition durations (such as 5 s and 10 s). The first dynamic adjustment coefficient (for example, 1.2 or 1.5) is then used to adjust the standard acquisition duration corresponding to the device type of the disconnection reconnection device to obtain the target acquisition duration; the adjustment is, for example, multiplying the standard acquisition duration by the first dynamic adjustment coefficient.
Finally, taking the disconnection time as the reference point, the first operation data of the disconnection reconnection device in the disconnection reconnection period is acquired according to the target acquisition duration.
The second operation data of the associated computer devices is acquired in the same way as for the disconnection reconnection device, that is, the operation data of the disconnection reconnection device and of the associated computer devices in the same disconnection reconnection period are obtained at the same time.
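An added example (not the patent's own code) of the acquisition-window computation above: the distinct disconnection causes in the history set the first dynamic adjustment coefficient, the coefficient scales the standard duration of the device type, and the resulting window is then used to select log records. Assumptions made here: the coefficient is 1.0 for a single cause and grows by 0.1 per additional cause (the text only says it is positively correlated, and gives 1.2 and 1.5 as example values), the look-back before the disconnection time equals the target acquisition duration while the window runs forward to the reconnection time, and the history, timestamps and log events are constructed sample data. The same window is applied to the associated devices' records to obtain the second operation data.

```python
"""Acquisition window for the first operation data (added example, not the patent's own code)."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Standard acquisition durations per device type, from the page's examples (5 s and 10 s).
STANDARD_ACQUISITION_SECONDS: Dict[str, float] = {"transaction": 5.0, "data_management": 10.0}


def first_dynamic_coefficient(history: List[Dict]) -> float:
    """Positively correlated with the number of distinct disconnection causes in the history.
    Assumption: 1.0 for a single cause, +0.1 for each further distinct cause."""
    causes = {rec["cause"] for rec in history}
    return 1.0 + 0.1 * max(len(causes) - 1, 0)


def target_acquisition_seconds(device_type: str, history: List[Dict]) -> float:
    """Standard duration of the device type multiplied by the first dynamic coefficient."""
    return STANDARD_ACQUISITION_SECONDS[device_type] * first_dynamic_coefficient(history)


def acquisition_window(disconnect_at: datetime, reconnect_at: datetime,
                       device_type: str, history: List[Dict]) -> Tuple[datetime, datetime]:
    """Window reaching back from the disconnection time by the target duration (assumption)
    and forward to the reconnection time."""
    start = disconnect_at - timedelta(seconds=target_acquisition_seconds(device_type, history))
    return start, reconnect_at


def select_records(records: List[Dict], window: Tuple[datetime, datetime]) -> List[Dict]:
    """Keep the records whose timestamp falls inside the window (inclusive)."""
    start, end = window
    return [r for r in records if start <= r["ts"] <= end]


# Constructed sample data: three distinct causes in the history -> coefficient 1.2,
# so a "transaction" device gets a 6 s look-back instead of the standard 5 s.
HISTORY = [
    {"cause": "line aging"},
    {"cause": "electromagnetic interference"},
    {"cause": "software fault"},
    {"cause": "line aging"},
]
DISCONNECT_AT = datetime(2025, 3, 1, 9, 30, 0)
RECONNECT_AT = datetime(2025, 3, 1, 9, 30, 45)
RECORDS = [
    {"ts": DISCONNECT_AT - timedelta(seconds=8), "event": "heartbeat ok"},       # before the look-back
    {"ts": DISCONNECT_AT - timedelta(seconds=4), "event": "tx retry x3"},        # inside
    {"ts": DISCONNECT_AT, "event": "link down"},                                 # inside
    {"ts": RECONNECT_AT - timedelta(seconds=1), "event": "reconnect attempt"},   # inside
    {"ts": RECONNECT_AT + timedelta(seconds=5), "event": "session restored"},    # after reconnection
]


def demo() -> List[Dict]:
    """Records that become the first operation data for the sample device."""
    window = acquisition_window(DISCONNECT_AT, RECONNECT_AT, "transaction", HISTORY)
    return select_records(RECORDS, window)


if __name__ == "__main__":
    for rec in demo():
        print(rec["ts"].isoformat(), rec["event"])
```

With the sample history the window is the 6 s before the disconnection plus the 45 s until reconnection, so the earlier heartbeat and the post-reconnection event are excluded and three records remain.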
Optionally, performing risk assessment on the first operation data and the second operation data using the risk analysis model to obtain a comprehensive risk value includes:
performing risk assessment on the business data in the first operation data and the second operation data using the risk analysis model to obtain a business risk value;
if the business risk value is higher than a business risk threshold, setting the comprehensive risk value to a preset value;
and if the business risk value is not higher than the business risk threshold, extracting first disconnection operation data of the disconnection reconnection device from the first operation data, extracting second disconnection operation data of the associated computer devices from the second operation data, and performing risk assessment on the first and second disconnection operation data according to a preset logic rule to obtain the comprehensive risk value.
In this embodiment, the acquired first operation data and second operation data each comprise both the business data and the disconnection operation data of the respective computer device. Business data here refers to the particular kind of data-processing business the computer device carries out, such as securities transaction data (transaction time, transaction amount, transaction counterparty, transaction type and so on) and account login data (for example, repeated wrong login passwords, repeated switching to other login accounts). The risk analysis model is used to analyse whether the business data contains abnormal business content, giving a corresponding business risk value. The risk analysis model is trained on real business risk data, so it can recognise whether the current business data exhibits a business risk of a specified type and estimate a specific business risk value.
The disconnection operation data mainly comprises the disconnection time, the reconnection time and so on. Because the disconnection reconnection device and the associated computer devices have an association relationship, which is embodied in a standard operating rule, a normal disconnection and reconnection of the disconnection reconnection device relies on the cooperation of the other associated computer devices, and the logic rule is formed from this standard operating rule. Risk assessment is therefore performed on the first and second disconnection operation data according to the preset logic rule to obtain the comprehensive risk value.
It should be noted that the preset value is a fixed value higher than the risk threshold. When the comprehensive risk value is the preset value, a business abnormality of the disconnection reconnection device has been determined; the reconnection behaviour of the device after the disconnection can then be classed directly as abnormal behaviour, and secondary identity verification is required.
Optionally, extracting the first disconnection operation data of the disconnection reconnection device from the first operation data, extracting the second disconnection operation data of the associated computer devices from the second operation data, and performing risk assessment on the first and second disconnection operation data according to the preset logic rule to obtain the comprehensive risk value includes:
extracting a first disconnection time and a first reconnection time of the disconnection reconnection device from the first operation data, and calculating a first reconnection waiting time from the first disconnection time and the first reconnection time;
extracting a second disconnection time and a second reconnection time of each associated computer device from the second operation data, and calculating a second reconnection waiting time from the second disconnection time and the second reconnection time;
determining a disconnection sequence of the disconnection reconnection device and each associated computer device from the first disconnection time and each second disconnection time;
judging the overall matching degree between the disconnection sequence and a standard disconnection sequence, and obtaining a first risk value from the overall matching degree, wherein the standard disconnection sequence corresponds to the disconnection reconnection device;
comparing the deviation of the first reconnection waiting time and of each second reconnection waiting time from the corresponding standard reconnection waiting time, and determining a second risk value from the deviation comparison result;
and fusing the first risk value and the second risk value to obtain the comprehensive risk value.
In this embodiment, as described above, the disconnection operation data of each computer device mainly include a disconnection time and a disconnection reconnection time, so that the reconnection waiting times of the disconnection reconnection device and of the associated computer devices can be calculated respectively, that is, how long each of these devices waited after disconnection before re-establishing communication with the monitoring cloud.
In view of factors such as the service association relationship and data security among the computer devices, when a certain computer device needs to disconnect and reconnect because of abnormal communication, it cannot simply perform an operation such as a restart on its own; instead it coordinates with the other associated computer devices according to a predetermined standard disconnection sequence, and each computer device, including the disconnection reconnection device, disconnects its communication connection with the monitoring cloud in turn according to that standard disconnection sequence (for example, by restarting the whole machine or the communication module, or by disconnecting and reconnecting the communication through software). In addition, although such standard disconnection sequences are recommended to workers for the sake of transaction standardization, data security and the like, they do not have to be strictly executed in their entirety, and parts of the standard disconnection sequence may in practice be skipped. According to the invention, the first risk value of the reconnection behavior of the disconnection reconnection device is obtained by analyzing the overall matching degree between the disconnection sequence of the computer devices and the standard disconnection sequence, and the first risk value is inversely related to the overall matching degree.
For example, when only the disconnection reconnection device is found to have disconnected from the monitoring cloud while no other associated computer device has disconnected, the disconnection reconnection device is determined to carry a high risk (for instance, an unauthorized person has directly unplugged the disconnection reconnection device from its connection interface with the monitoring cloud); when the disconnection sequence of all the key computer devices conforms to the standard disconnection sequence, the disconnection reconnection device is determined to carry a low risk.
Meanwhile, in addition to the disconnection sequence, the time required for restarting, disconnecting, reconnecting and similar operations is considered, and the reconnection waiting time of a given computer device is generally regular. Therefore, the invention further compares the deviation of the reconnection waiting time of each computer device involved from the corresponding standard reconnection waiting time, and from this analyzes the second risk value of the reconnection behavior of the disconnection reconnection device. For example, the above deviation is calculated for each computer device involved, an average or median of these deviations is taken, and the second risk value is derived from that value together with preset control data. The standard reconnection waiting time is obtained by statistical analysis of multiple sets of disconnection times and reconnection times of the corresponding computer device. For example, if the standard reconnection waiting time of the disconnection reconnection device is 10 s but the monitoring cloud finds that its actual reconnection waiting time is only 5 s, this indicates that the disconnection reconnection device may be a different computer device that was already prepared for the communication connection, for example a counterfeit device configured with a trusted digital certificate (obtained through illegal means), where an intruder quickly unplugged the original computer device and plugged the counterfeit device in its place; at that moment the disconnection reconnection device is determined to carry a great risk.
Finally, the obtained first risk value and second risk value are fused (e.g. by summing them or by taking the maximum) to obtain the comprehensive risk value.
Optionally, fusing the first risk value and the second risk value to obtain the comprehensive risk value includes:
fusing the first risk value and the second risk value to obtain a preliminary comprehensive risk value;
retrieving a second dynamic adjustment coefficient of the disconnection reconnection device, and adjusting the preliminary comprehensive risk value with the second dynamic adjustment coefficient to obtain the comprehensive risk value;
wherein the second dynamic adjustment coefficient is derived from the historical execution degree of the standard disconnection sequence.
In this embodiment, as previously described, the standard disconnection sequence, although advantageous for transaction standardization, data security and the like, is not necessarily always strictly executed; in practice the relevant personnel may execute only some of the critical steps in it and may skip non-critical ones. Taking this actual situation into account, the invention further obtains the historical execution degree corresponding to the standard disconnection sequence from the actual operation records of the relevant personnel: the higher the historical execution degree, the higher the proportion of cases in which the standard disconnection sequence is strictly executed, and vice versa. The historical execution degree may be the proportion of cases in which the standard disconnection sequence is strictly executed, or the ratio of the nodes of the standard disconnection sequence that the most commonly adopted disconnection sequence contains to all nodes of the standard disconnection sequence; for example, if the standard disconnection sequence has 8 nodes and 6 of them are most commonly adopted, the historical execution degree is 75%.
Then, the invention matches a corresponding second dynamic adjustment coefficient on the basis of the historical execution degree and uses it to correct the preliminary comprehensive risk value appropriately, obtaining the final comprehensive risk value. In this way unnecessary secondary identity authentication can be reduced and the user experience improved. The second dynamic adjustment coefficient is positively correlated with the historical execution degree, and the sensitivity of the risk analysis can be tuned through it.
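The risk assessment procedure above (reconnection waiting times, disconnection sequence matching, waiting-time deviation, fusion, and adjustment by the second dynamic adjustment coefficient), carried through as an added Python example. This code is not part of the patent, and the concrete metrics are assumptions: the overall matching degree is computed as the longest common subsequence of the observed and standard disconnection sequences divided by the standard length, the second risk value is the median relative deviation scaled by preset control data, fusion takes the maximum, and the second dynamic adjustment coefficient is 0.5 plus the historical execution degree. The device names, timestamps, thresholds and the business-risk short cut to the preset value are constructed sample data.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Sequence, Set

RISK_THRESHOLD = 60.0            # assumed scale: risk values range over 0..100
PRESET_VALUE = 100.0             # fixed value above the threshold (service abnormality)
BUSINESS_RISK_THRESHOLD = 60.0   # assumed


@dataclass
class DisconnectRecord:
    """Disconnection moment and disconnection reconnection moment of one device (seconds)."""
    device: str
    disconnect_at: float
    reconnect_at: float

    def reconnect_wait(self) -> float:
        return self.reconnect_at - self.disconnect_at


def disconnection_sequence(records: Iterable[DisconnectRecord]) -> List[str]:
    """Observed disconnection sequence: devices ordered by disconnection moment."""
    return [r.device for r in sorted(records, key=lambda r: r.disconnect_at)]


def overall_matching_degree(observed: Sequence[str], standard: Sequence[str]) -> float:
    """Share of the standard sequence reproduced, in order, by the observed sequence
    (longest common subsequence length / standard length; the metric is an assumption)."""
    n, m = len(observed), len(standard)
    if m == 0:
        return 1.0
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            if observed[i] == standard[j]:
                dp[i + 1][j + 1] = dp[i][j] + 1
            else:
                dp[i + 1][j + 1] = max(dp[i][j + 1], dp[i + 1][j])
    return dp[n][m] / m


def first_risk_value(observed: Sequence[str], standard: Sequence[str]) -> float:
    """Inversely related to the overall matching degree."""
    return round(100.0 * (1.0 - overall_matching_degree(observed, standard)), 2)


def second_risk_value(records: Iterable[DisconnectRecord],
                      standard_wait: Dict[str, float], control: float = 1.0) -> float:
    """Median relative deviation of the reconnection waiting times from the standard
    waiting times; 'control' stands for the preset control data (deviation mapped to 100)."""
    deviations = [abs(r.reconnect_wait() - standard_wait[r.device]) / standard_wait[r.device]
                  for r in records]
    if not deviations:
        return 0.0
    return round(min(100.0, 100.0 * median(deviations) / control), 2)


def historical_execution_degree(adopted: Set[str], standard: Sequence[str]) -> float:
    """Ratio of standard-sequence nodes that are adopted in practice (6 of 8 -> 0.75)."""
    return sum(1 for node in standard if node in adopted) / len(standard)


def second_dynamic_coefficient(execution_degree: float) -> float:
    """Positively correlated with the historical execution degree (mapping is an assumption)."""
    return 0.5 + execution_degree


def comprehensive_risk(records, standard_seq, standard_wait, adopted_nodes, business_risk=0.0):
    """Returns (comprehensive risk value, first risk value, second risk value, coefficient)."""
    if business_risk > BUSINESS_RISK_THRESHOLD:
        return PRESET_VALUE, None, None, None        # service abnormality: preset value
    r1 = first_risk_value(disconnection_sequence(records), standard_seq)
    r2 = second_risk_value(records, standard_wait)
    preliminary = max(r1, r2)                        # fusion by taking the maximum
    coeff = second_dynamic_coefficient(historical_execution_degree(adopted_nodes, standard_seq))
    return round(preliminary * coeff, 2), r1, r2, coeff


def needs_secondary_auth(risk: float) -> bool:
    return risk > RISK_THRESHOLD


# Constructed sample data (not from the patent).
STANDARD_SEQUENCE = ["gateway", "db", "app", "terminal"]
STANDARD_WAIT = {"gateway": 10.0, "db": 10.0, "app": 12.0, "terminal": 10.0}
ADOPTED_NODES = {"gateway", "db", "app"}        # the last node is usually skipped: 75 %

# A coordinated restart that follows the standard sequence.
NORMAL = [DisconnectRecord("gateway", 100.0, 110.0), DisconnectRecord("db", 101.0, 112.0),
          DisconnectRecord("app", 102.0, 114.0), DisconnectRecord("terminal", 103.0, 113.0)]
# Only the terminal dropped, and it was back after 5 s instead of the standard 10 s.
SUSPECT = [DisconnectRecord("terminal", 100.0, 105.0)]

if __name__ == "__main__":
    for name, recs in (("normal", NORMAL), ("suspect", SUSPECT)):
        risk, r1, r2, k = comprehensive_risk(recs, STANDARD_SEQUENCE, STANDARD_WAIT, ADOPTED_NODES)
        print(f"{name}: risk={risk} (r1={r1}, r2={r2}, coeff={k}) "
              f"secondary auth: {needs_secondary_auth(risk)}")
```

With these sample values the coordinated restart scores 0.0 and stays below the threshold, while the lone terminal that came back twice as fast as usual scores 75 from the sequence check and 50 from the waiting-time check; the maximum of the two, scaled by the 1.25 coefficient of a 75 % historical execution degree, gives 93.75 and triggers secondary identity authentication.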
As shown in fig. 2, the embodiment of the invention also discloses a monitoring system applied to a monitoring cloud. The system comprises a processing device and a storage device, and computer code stored in the storage device is called and executed by the processing device to realize the following steps:
after the disconnection reconnection device completes a first identity authentication, setting a basic communication mode between the disconnection reconnection device and a target server, wherein only uploading and downloading of several specified types of data are allowed in the basic communication mode;
acquiring first operation data of the disconnection reconnection device during the disconnection reconnection period, and acquiring second operation data of a plurality of associated computer devices having a preset association relationship with the disconnection reconnection device during the disconnection reconnection period;
and performing risk assessment on the first operation data and the second operation data by using a risk analysis model to obtain a comprehensive risk value; if the comprehensive risk value is higher than a risk threshold, performing secondary identity authentication on the disconnection reconnection device, otherwise switching the basic communication mode to a normal communication mode.
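The mode switching performed by the monitoring system above (basic communication mode after the first authentication, then either secondary identity authentication or promotion to the normal communication mode), as an added Python example that is not the patent's own code. The allowed data types of the basic mode, the device id, the threshold and the "closed" outcome of a failed secondary authentication are assumptions, and the comprehensive risk value is taken as an input computed elsewhere.

```python
from enum import Enum
from typing import List, Tuple


class Mode(Enum):
    BASIC = "basic"      # after the first identity authentication
    NORMAL = "normal"    # after the risk assessment passed
    REAUTH = "reauth"    # secondary identity authentication pending
    CLOSED = "closed"    # secondary authentication failed (assumed outcome)


# Constructed allowlist: the "several specified types of data" of the basic mode.
BASIC_MODE_ALLOWED = frozenset({"heartbeat", "status_report", "config_pull"})


class ReconnectSession:
    """Tracks one reconnected device's communication mode with the target server."""

    def __init__(self, device_id: str, risk_threshold: float = 60.0):
        self.device_id = device_id
        self.mode = Mode.BASIC
        self.risk_threshold = risk_threshold
        self.denied: List[Tuple[str, str, str]] = []   # audit trail of refused transfers

    def permit(self, data_type: str, direction: str) -> bool:
        """Decide whether an upload ('up') or download ('down') of data_type may proceed."""
        if self.mode is Mode.NORMAL:
            allowed = True
        elif self.mode is Mode.BASIC:
            allowed = data_type in BASIC_MODE_ALLOWED
        else:
            allowed = False      # REAUTH / CLOSED: nothing passes
        if not allowed:
            self.denied.append((self.mode.value, direction, data_type))
        return allowed

    def apply_risk(self, comprehensive_risk: float) -> Mode:
        """Outcome of the risk analysis: re-authenticate or promote to normal mode."""
        if self.mode is not Mode.BASIC:
            raise RuntimeError("risk assessment applies only to a session in basic mode")
        self.mode = Mode.REAUTH if comprehensive_risk > self.risk_threshold else Mode.NORMAL
        return self.mode

    def complete_secondary_auth(self, succeeded: bool) -> Mode:
        if self.mode is not Mode.REAUTH:
            raise RuntimeError("no secondary authentication pending")
        self.mode = Mode.NORMAL if succeeded else Mode.CLOSED
        return self.mode


def run_scenario(risk: float, secondary_ok: bool = True):
    """Constructed walk-through: returns the final mode and the (data_type, permitted) decisions."""
    s = ReconnectSession("terminal-01")
    decisions = [("heartbeat", s.permit("heartbeat", "up")),
                 ("transaction_batch", s.permit("transaction_batch", "up"))]
    s.apply_risk(risk)
    if s.mode is Mode.REAUTH:
        decisions.append(("transaction_batch", s.permit("transaction_batch", "up")))
        s.complete_secondary_auth(secondary_ok)
    decisions.append(("transaction_batch", s.permit("transaction_batch", "up")))
    return s.mode, decisions


if __name__ == "__main__":
    print(run_scenario(10.0))
    print(run_scenario(93.75, secondary_ok=False))
```

The point of the basic mode is that a device that has only passed its first authentication cannot yet move bulk business data in either direction; the allowlist is checked per transfer, and every refusal is recorded so that a device repeatedly probing for data types outside the allowlist shows up in the audit trail.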
The monitoring system can be embedded in the monitoring cloud, and can also be positioned outside the monitoring cloud but can be called by the monitoring cloud.
The embodiment of the invention also discloses an electronic device, which comprises at least one processor, a memory and a computer program stored in the memory and capable of running on the at least one processor, wherein the processor executes the computer program to realize the method according to the previous embodiment.
The embodiment of the invention also discloses a computer storage medium, which stores a computer program, and the computer program is executed by a processor to implement the method according to the previous embodiment.
The embodiment of the invention also discloses a computer program product, which comprises computer code, wherein the computer code is executed by a processor of electronic equipment to realize the method according to the previous embodiment.
The computer readable storage medium described above can include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A monitoring anomaly troubleshooting method, applied to a monitoring cloud, characterized in that the method comprises the following steps: after the disconnection reconnection device completes a first identity authentication, setting a basic communication mode between the disconnection reconnection device and the target server, wherein in the basic communication mode only uploading and downloading of several specified types of data are allowed; acquiring first operation data of the disconnection reconnection device during the disconnection reconnection period, and acquiring second operation data of a plurality of associated computer devices having a preset association relationship with the disconnection reconnection device during the disconnection reconnection period; using a risk analysis model to perform risk assessment on the first operation data and the second operation data to obtain a comprehensive risk value; if the comprehensive risk value is higher than a risk threshold, performing secondary identity authentication on the disconnection reconnection device, otherwise switching the basic communication mode to a normal communication mode.
2. The monitoring anomaly troubleshooting method according to claim 1, characterized in that acquiring the first operation data of the disconnection reconnection device during the disconnection reconnection period comprises: acquiring historical disconnection records of the disconnection reconnection device, counting the number of types of disconnection reasons in the historical disconnection records, and matching a first dynamic adjustment coefficient according to the number of types; using the first dynamic adjustment coefficient to adjust a standard acquisition duration corresponding to the device type to which the disconnection reconnection device belongs, to obtain a target acquisition duration; taking the disconnection time as the reference, acquiring the first operation data of the disconnection reconnection device during the disconnection reconnection period, the duration of the disconnection reconnection period being the target acquisition duration.
3. The monitoring anomaly troubleshooting method according to claim 1, characterized in that using the risk analysis model to perform risk assessment on the first operation data and the second operation data to obtain the comprehensive risk value comprises: using the risk analysis model to perform risk assessment on the business data in the first operation data and the second operation data to obtain a business risk value; if the business risk value is higher than a business risk threshold, setting the comprehensive risk value to a preset value; if the business risk value is not higher than the business risk threshold: extracting first disconnection operation data of the disconnection reconnection device from the first operation data, extracting second disconnection operation data of the associated computer devices from the second operation data, and performing risk assessment on the first disconnection operation data and the second disconnection operation data according to a preset logic rule to obtain the comprehensive risk value.
4. The monitoring anomaly troubleshooting method according to claim 3, characterized in that extracting the first disconnection operation data of the disconnection reconnection device from the first operation data, extracting the second disconnection operation data of the associated computer devices from the second operation data, and performing risk assessment on the first disconnection operation data and the second disconnection operation data according to the preset logic rule to obtain the comprehensive risk value comprises: extracting a first disconnection time and a first disconnection reconnection time of the disconnection reconnection device from the first operation data, calculating a first reconnection waiting time from the first disconnection time and the first disconnection reconnection time, and determining the first disconnection time and the first reconnection waiting time as the first disconnection operation data; extracting a second disconnection time and a second disconnection reconnection time of the associated computer device from the second operation data, calculating a second reconnection waiting time from the second disconnection time and the second disconnection reconnection time, and determining the second disconnection time and the second reconnection waiting time as the second disconnection operation data; determining a disconnection sequence between the disconnection reconnection device and each associated computer device according to the first disconnection time and each second disconnection time; judging the overall matching degree between the disconnection sequence and a standard disconnection sequence, and obtaining a first risk value according to the overall matching degree, wherein the standard disconnection sequence corresponds to the disconnection reconnection device; comparing the deviation of the first reconnection waiting time and of each second reconnection waiting time from the corresponding standard reconnection waiting time, and determining a second risk value according to the deviation comparison result; fusing the first risk value and the second risk value to obtain the comprehensive risk value.
5. The monitoring anomaly troubleshooting method according to claim 4, characterized in that fusing the first risk value and the second risk value to obtain the comprehensive risk value comprises: fusing the first risk value and the second risk value to obtain a preliminary comprehensive risk value; retrieving a second dynamic adjustment coefficient of the disconnection reconnection device, and using the second dynamic adjustment coefficient to adjust the preliminary comprehensive risk value to obtain the comprehensive risk value; wherein the second dynamic adjustment coefficient is obtained according to the historical execution degree of the standard disconnection sequence.
6. A monitoring system, applied to a monitoring cloud, the system comprising a processing device and a storage device, characterized in that computer code stored in the storage device is called and executed by the processing device to implement the following steps: after the disconnection reconnection device completes a first identity authentication, setting a basic communication mode between the disconnection reconnection device and the target server, wherein in the basic communication mode only uploading and downloading of several specified types of data are allowed; acquiring first operation data of the disconnection reconnection device during the disconnection reconnection period, and acquiring second operation data of a plurality of associated computer devices having a preset association relationship with the disconnection reconnection device during the disconnection reconnection period; using a risk analysis model to perform risk assessment on the first operation data and the second operation data to obtain a comprehensive risk value; if the comprehensive risk value is higher than a risk threshold, performing secondary identity authentication on the disconnection reconnection device, otherwise switching the basic communication mode to a normal communication mode.
7. The monitoring system according to claim 6, characterized in that acquiring the first operation data of the disconnection reconnection device during the disconnection reconnection period comprises: acquiring historical disconnection records of the disconnection reconnection device, counting the number of types of disconnection reasons in the historical disconnection records, and matching a first dynamic adjustment coefficient according to the number of types; using the first dynamic adjustment coefficient to adjust a standard acquisition duration corresponding to the device type to which the disconnection reconnection device belongs, to obtain a target acquisition duration; taking the disconnection time as the reference, acquiring the first operation data of the disconnection reconnection device during the disconnection reconnection period, the duration of the disconnection reconnection period being the target acquisition duration.
8. An electronic device, comprising at least one processor, a memory, and a computer program stored in the memory and executable on the at least one processor, characterized in that the processor executes the computer program to implement the method according to any one of claims 1 to 5.
9. A computer storage medium storing a computer program, characterized in that the computer program is executed by a processor to implement the method according to any one of claims 1 to 5.
10. A computer program product, characterized in that the computer program product contains computer code which, when executed by a processor of an electronic device, implements the method according to any one of claims 1 to 5.
CN202510293969.0A 2025-03-13 2025-03-13 Monitoring abnormality investigation method and monitoring system thereof Active CN119814475B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510293969.0A CN119814475B (en) 2025-03-13 2025-03-13 Monitoring abnormality investigation method and monitoring system thereof

Publications (2)

Publication Number Publication Date
CN119814475A CN119814475A (en) 2025-04-11
CN119814475B true CN119814475B (en) 2025-05-09

Family

ID=95268123

Country Status (1)

Country Link
CN (1) CN119814475B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AR106568A1 (en) * 2016-05-12 2018-01-31 Soluciones Integrales De Ingeniería Y Desarrollo S R L DEVICE AND METHOD OF PROTECTION FOR ELECTRICAL AND / OR ELECTRONIC EQUIPMENT BEFORE SHORT-TERM ELECTRIC SHOCK
CN111510492A (en) * 2020-04-15 2020-08-07 矩阵元技术(深圳)有限公司 Data processing method, device, equipment and system for realizing disconnection reconnection

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10019677B2 (en) * 2009-11-20 2018-07-10 Alert Enterprise, Inc. Active policy enforcement
CN111262941B (en) * 2020-01-17 2021-08-20 杭州涂鸦信息技术有限公司 Method for reconnecting cloud server and electronic equipment
CN112087772B (en) * 2020-10-10 2023-04-07 Oppo(重庆)智能科技有限公司 Network anomaly recovery method, terminal and computer storage medium
CN119071049B (en) * 2024-08-16 2025-05-09 深圳市广泰联邦科技有限公司 Server security access monitoring method based on Internet of things
CN119135745A (en) * 2024-09-24 2024-12-13 平安银行股份有限公司 Cloud native signaling service disconnection reconnection method, device, equipment and storage medium
CN119449432B (en) * 2024-11-11 2025-06-20 厦门多多云技术创新研究院有限公司 A network data risk assessment system for computers
CN119363481B (en) * 2024-12-24 2025-03-18 中宇联云计算服务(上海)有限公司 Gateway access abnormity monitoring and early warning method and system

Also Published As

Publication number Publication date
CN119814475A (en) 2025-04-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant