Patent 3059709 Summary

(12) Patent Application: (11) CA 3059709
(54) English Title: RISK ANALYSIS METHOD, DEVICE AND COMPUTER READABLE MEDIUM
(54) French Title: METHODE D'ANALYSE DES RISQUES, DISPOSITIF ET SUPPORT LISIBLE PAR ORDINATEUR
Status: Examination
Bibliographic Data
(51) International Patent Classification (IPC):
  • G06Q 10/0635 (2023.01)
(72) Inventors :
  • WANG, NAN (China)
  • SUN, HAOTING (China)
(73) Owners :
  • 10353744 CANADA LTD.
(71) Applicants :
  • 10353744 CANADA LTD. (Canada)
(74) Agent: HINTON, JAMES W.
(74) Associate agent:
(45) Issued:
(22) Filed Date: 2019-10-22
(41) Open to Public Inspection: 2020-04-23
Examination requested: 2022-09-16
Availability of licence: N/A
Dedicated to the Public: N/A
(25) Language of filing: English

Patent Cooperation Treaty (PCT): No

(30) Application Priority Data:
Application No. Country/Territory Date
201811236573.9 (China) 2018-10-23

Abstracts

English Abstract


The present disclosure relates to a risk analysis method, device, electronic design, and computer readable medium. It relates to the field of computer information processing. The method includes: acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior; using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model; and performing risk analysis for the target entity and the target behavior by using the knowledge map model. The risk analysis method, device, electronic design and computer readable medium involved in the present disclosure can comprehensively consider enterprise security, and can quickly target dangerous behaviors and dangerous targets in the event of a security incident.


Claims

Note: Claims are shown in the official language in which they were submitted.


Claims:
1. A risk analysis method, characterized in that the method comprises:
acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior;
using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model; and
performing risk analysis for the target entity and the target behavior by using the knowledge map model.
2. The method according to claim 1, characterized in that the method further comprises:
determining a strength of the association relationship on the basis of a frequency of operational behavior between the target entity and the target behavior, and using the strength of the association relationship as a weight of the edge of the knowledge map model.
3. The method according to claim 1, characterized in that
the target entity comprises any combination of users, devices, and network addresses; and/or
the target behavior comprises a plurality of predetermined behaviors of the target entity; and/or
the association relationship between the target entity and the target behavior comprises an operational behavior.
4. The method according to claim 3, characterized in that the acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior comprises:
extracting a user, a device, and a network address in a monitoring log as the target entity;
extracting a predetermined behavior in the monitoring log as the target behavior; and
extracting an operational behavior between the target entity and the target behavior in the monitoring log as the association relationship.
5. The method according to claim 1, characterized in that the performing risk analysis for the target entity and the target behavior by using the knowledge map model comprises:
determining a risk value of the target entity through the knowledge map model; and/or
determining an abnormal target entity through the knowledge map model; and/or
determining an abnormal target behavior through the knowledge map model.
6. The method according to claim 2, characterized in that the determining a risk value of the target entity through the knowledge map model comprises:
acquiring a security level for each target behavior in the knowledge map model;
determining the risk value of the target entity in the knowledge map model on the basis of the weight of the edge in the knowledge map model, the security level of the target behavior, and the out degree and/or in degree of each target entity in a target entity set in the knowledge map model.
7. The method according to claim 6, characterized by calculating the risk value of the target entity through the following risk formula:
$$R(j) = \sum_{i} \theta(i)\,\alpha(i)\,\frac{ID(Y_i)}{N_i}$$
wherein R(j) is the risk value of the target entity Xj, Yi is the i-th target behavior associated with the target entity Xj, θ(i) is the connection strength between the target entity Xj and Yi, α(i) is the security level of the target entity Xj, ID(Yi) is the out degree and in degree of Yi, and Ni is the number of target entities associated with Yi.
8. The method according to claim 6, characterized in that the determining an abnormal target entity through the knowledge map model comprises:
determining the target entity with a risk value greater than a threshold;
determining a set of associated entities of the target entity;
determining the target entity to be an abnormal target entity, if the risk value of the target entity is greater than the risk values of every target entity in the set of associated entities.
9. The method according to claim 8, characterized in that the determining an abnormal target behavior through the knowledge map model comprises:
determining the abnormal target entity;
determining risk values of every target behavior associated with the abnormal target entity through the knowledge map model;
determining a target behavior corresponding to the maximum risk value to be the abnormal target behavior.
10. A risk analysis device, characterized in that the device comprises:
an extraction module, which is used for acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior;
a model module, which is used for using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model; and
an analysis model, which is used for performing risk analysis for the target entity and the target behavior by using the knowledge map model.
11. An electronic device, characterized in that the device comprises:
one or more processors;
a storage device for storing one or more programs;
one or more programs are executed by the one or more processors such that the one or more processors implement the method according to any one of claims 1 to 10.
12. A computer readable medium having stored thereon a computer program, wherein the program is executed by a processor to implement the method according to any one of claims 1 to 10.

Description

Note: Descriptions are shown in the official language in which they were submitted.


RISK ANALYSIS METHOD, DEVICE, ELECTRONIC DESIGN AND COMPUTER
READABLE MEDIUM
Technical Field
[0001] The present disclosure relates to the field of computer information
processing, and in
particular to a risk analysis method, device, electronic design, and computer
readable medium.
Background
[0002] Generally speaking, an enterprise is composed of human resources,
funds, markets, as
well as machines and devices, materials, information and other elements. At
present, enterprise
management is becoming more and more important, especially in the current
information
society; various electronic materials inside the enterprise can be easily
stolen by the employees
of the enterprise, which may cause great business losses. In order to achieve
sustainable and
secure development of enterprises, there are many ways to control the
information security of
enterprises: first, improve the level of science and technology and build a
network security
system; second, standardize the rules and regulations, and promote employees'
awareness of
information security; third, refine the supervisory responsibilities of
government departments at
all levels and strengthen the supervision. However, the above aspects can only
constrain the
employees from the perspective of ethics and regulations. For some employees
with certain
special purposes and intentions, the above management methods may have little
effect.
Moreover, especially for those who are responsible for network security of an
enterprise, some of
the irregularities of these employees or traces of illegal operations can be
easily removed by
them. In this case, information security management within the enterprise is
an urgent problem to
be solved.
[0003] Therefore, there is a need for a new risk analysis method, device,
electronic design,
and computer readable medium.
[0004] The above information disclosed in this Background Art section is
only for
enhancement of understanding of the background of the present disclosure, and
thus it may
include information that does not constitute a prior art known to a person of
ordinary skill in the
art.
1
CA 3059709 2019-10-22

Summary
[0005] In light of the foregoing, the present disclosure provides a risk
analysis method,
device, electronic design, and computer readable medium, which can
comprehensively consider
enterprise security and can quickly target dangerous behaviors and dangerous
targets in the event
of a security incident.
[0006] Other features and advantages of the present disclosure will be
apparent from the
following detailed description, or learned in part by the practice of
implementing the disclosure.
[0007] According to an aspect of the present disclosure, a risk analysis
method is provided.
The method comprises: acquiring a target entity, a target behavior, and an
association
relationship between the target entity and the target behavior; using the
target entity and the
target behavior as nodes and using the association relationship between the
target entity and the
target behavior as an edge to jointly form a knowledge map model; and
performing risk analysis
for the target entity and the target behavior by using the knowledge map
model.
[0008] In an exemplary embodiment of the present disclosure, the method
further comprises:
determining the strength of the association relationship on the basis of a
frequency of operational
behavior between the target entity and the target behavior.
[0009] In an exemplary embodiment of the present disclosure, the target
entity comprises
any combination of users, devices, and network addresses; and/or the target
behavior comprises a
plurality of predetermined behaviors of the target entity; and/or the
association relationship
between the target entity and the target behavior comprises an operational
behavior.
[0010] In an exemplary embodiment of the present disclosure, the
determining a target
entity, a target behavior, and an association relationship between the target
entity and the target
behavior comprises: extracting a user, a device, and a network address in a
monitoring log as the
target entity; extracting a predetermined behavior in the monitoring log as
the target behavior;
and extracting an operational behavior between the target entity and the
target behavior in the
monitoring log as the association relationship.
[0011] In an exemplary embodiment of the present disclosure, the
determining the strength
of the relationship between the target entity and the target behavior
comprises: determining the
strength of the association relationship on the basis of a frequency of
operational behavior
between the target entity and the target behavior.

[0012] In an exemplary embodiment of the present disclosure, the using the
target entity and
the target behavior as nodes and using the association relationship between
the target entity and
the target behavior as an edge to jointly form a knowledge map model further
comprises: using
the strength of the association relationship as a weight of the edge of the
knowledge map model.
[0013] In an exemplary embodiment of the present disclosure, the performing
risk analysis
for the target entity and the target behavior by using the knowledge map model
comprises:
determining a risk value of the target entity through the knowledge map model;
and/or
determining an abnormal target entity through the knowledge map model; and/or
determining an
abnormal target behavior through the knowledge map model.
[0014] In an exemplary embodiment of the present disclosure, the
determining a risk value of
the target entity through the knowledge map model comprises: acquiring a
security level for each
target behavior in the knowledge map model; determining the risk value of the
target entity in the
knowledge map model on the basis of the weight of the edge in the knowledge
map model, the
security level of the target behavior, and the out degree and/or in degree of
each target entity in a
target entity set in the knowledge map model.
[0015] In an exemplary embodiment of the present disclosure, the risk value of the target entity is calculated through the following risk formula:
$$R(j) = \sum_{i} \theta(i)\,\alpha(i)\,\frac{ID(Y_i)}{N_i}$$
[0016] wherein R(j) is the risk value of the target entity Xj, Yi is the i-th target behavior associated with the target entity Xj, θ(i) is the connection strength between the target entity Xj and Yi, α(i) is the security level of the target entity Xj, ID(Yi) is the out degree and in degree of Yi, and Ni is the number of target entities associated with Yi.
[0017] In an exemplary embodiment of the present disclosure, the
determining an abnormal
target entity through the knowledge map model comprises: determining the
target entity with a
risk value greater than a threshold; determining a set of associated entities
of the target entity;
determining the target entity to be an abnormal target entity, if the risk
value of the target entity
is greater than the risk values of every target entity in the set of
associated entities.
[0018] In an exemplary embodiment of the present disclosure, the determining an abnormal target behavior through the knowledge map model comprises: determining the abnormal target entity; determining risk values of every target behavior associated with the abnormal target entity through the knowledge map model; determining a target behavior corresponding to the maximum risk value to be the abnormal target behavior.
[0019] According to another aspect of the present disclosure, a risk
analysis device is
provided. The device comprises: an extraction module, which is used for
acquiring a target
entity, a target behavior, and an association relationship between the target
entity and the target
behavior; a model module, which is used for using the target entity and the
target behavior as
nodes and using the association relationship between the target entity and the
target behavior as
an edge to jointly form a knowledge map model; and an analysis model, which is
used for
performing risk analysis for the target entity and the target behavior by
using the knowledge map
model.
[0020] According to another aspect of the present disclosure, an electronic
device is
provided. The electronic device comprises: one or more processors; a storage
device for storing
one or more programs; one or more programs are executed by the one or more
processors such
that the one or more processors implement the method according to the
descriptions above.
[0021] According to another aspect of the present disclosure, a computer
readable medium is
provided, and the computer readable medium has stored thereon a computer
program, wherein
the program is executed by a processor to implement the method according to
the descriptions
above.
[0022] The risk analysis method, device, electronic design, and computer
readable medium
disclosed in the present disclosure can comprehensively consider enterprise
security and can
quickly target dangerous behaviors and dangerous targets in the event of a
security incident.
[0023] It should be understood that the above general description and the
following detailed
description are merely exemplary and are not intended to limit the disclosure.
Brief Description of the Drawings
[0024] The above and other objects, features, and advantages of the present
invention will
become more apparent from the aspects of the description. The drawings
described below are
only some of the embodiments of the present disclosure, and a person skilled
in the art can obtain
other drawings based on these drawings without any inventive skills.
[0025] FIG. 1 is a system block diagram of a risk analysis method and
device according to an
exemplary embodiment of the present disclosure.

[0026] FIG. 2 is a flow chart of a risk analysis method according to an
exemplary
embodiment of the present disclosure.
[0027] FIG. 3 is a schematic diagram of a risk analysis method according to
an exemplary
embodiment of the present disclosure.
[0028] FIG. 4 is a schematic diagram of a risk analysis method according to
another
exemplary embodiment of the present disclosure.
[0029] FIG. 5 is a block diagram of a risk analysis device according to
another exemplary
embodiment of the present disclosure.
[0030] FIG. 6 is a block diagram of an electronic device according to
another exemplary
embodiment of the present disclosure.
[0031] FIG. 7 is a schematic diagram showing a computer readable storage
medium
according to another exemplary embodiment of the present disclosure.
Detailed Description
[0032] Exemplary embodiments of the present disclosure will now be
described in more
detail with reference to the accompanying drawings. However, these exemplary
embodiments
can be embodied in many forms and it should not be construed that the present
invention is
limited to the embodiments set forth herein; rather, these embodiments are
provided so that this
disclosure will be thorough and complete. The same reference numerals in the
drawings denote
the same or similar parts, and repeated description thereof will be omitted.
[0033] Furthermore, the described features, structures, or characteristics
may be combined in
any suitable manner in one or more embodiments. In the following description,
numerous
specific details will be set forth; however, one skilled in the art will
appreciate that the technical
solution of the present disclosure may be practiced without one or more of the
specific details, or
other methods, components, devices, steps, etc. may be employed. In other
instances, well-
known methods, devices, implementations, or operations are not shown or
described in detail to
avoid obscuring the aspects of the present disclosure.
[0034] The block diagrams shown in the figures are merely functional entities and do not necessarily have to correspond to physically separate entities. That is, these functional entities may be implemented in software, or implemented in one or more hardware modules or integrated circuits. These functional entities may be implemented in different networks and/or processor devices and/or microcontroller devices.
[0035] The flowcharts shown in the figures are merely illustrative, and not
all of the contents
and operations/steps are necessarily included therein, and are not necessarily
performed in the
order described. For example, some operations/steps can be separated, while
some
operations/steps can be combined or partially combined. Therefore, the order
of actual execution
may change according to actual conditions.
[0036] It will be understood that, although the terms first, second, third,
etc. may be used
herein to describe various components, these components are not limited by
these terms. These
terms are used to distinguish one component from another. Thus, a first
component discussed
below could be termed a second component without departing from the teachings
of the present
disclosure. The term "and/or" as used herein includes any and all combinations
of one or more of
the listed items.
[0037] It will be understood by a person skilled in the art that the
drawings are only a
schematic diagram of the exemplary embodiments, and the modules or processes
in the drawings
are not necessarily required to implement the present disclosure, and
therefore are not intended
to limit the scope of the present disclosure.
[0038] FIG. 1 is a system block diagram of a risk analysis method and
device according to an
exemplary embodiment of the present disclosure.
[0039] As shown in FIG. 1, the system architecture 100 may include terminal
devices 101,
102, 103, a network 104, and a server 105. The network 104 is used to provide
a medium for
communication links between the terminal devices 101, 102, 103 and the server
105. The
network 104 may include various types of connections, such as wired, wireless
communication
links, fiber optic cables, and the like.
[0040] A user can use the terminal devices 101, 102, 103 to perform various
information
interactions through the network 104 to receive or transmit messages and the
like. Various
communication client applications can be installed on the terminal devices
101, 102, and 103, for
example, shopping applications, web browser applications, search applications,
instant
messaging tools, email clients, social platform software, and the like.

[0041] The terminal devices 101, 102, 103 may be various electronic devices
having a
display screen and supporting web browsing, including but not limited to
smartphones, tablets,
laptop portable computers, desktop computers, and the like.
[0042] The server 105 may be a data server for monitoring the terminal
devices 101, 102,
103, and the server 105 may acquire logs of various operations or data
services performed by the
user using the terminal devices 101, 102, 103. The server 105 can perform data
analysis and the
like on the obtained log information, and feedback the processing results
(abnormal terminal
device, abnormal operation behavior, and the like) to the terminal devices.
[0043] The server 105 may, for example, acquire a target entity, a target
behavior, and an
association relationship between the target entity and the target behavior;
the server 105 may, for
example, use the target entity and the target behavior as nodes and associate
the relationship
between the target entity and the target behavior as an edge to jointly form a
knowledge map
model; the server 105 can perform risk analysis of the target entity and the
target behavior, for
example, by using the knowledge map model, in which the target entity includes
a user, a device,
and a network address; and/or the target behavior includes a plurality of
predetermined behaviors
of the target entity; and/or the relationship between the target entity and
the target behavior
includes an operational behavior.
[0044] The server 105 can be a physical server and can also be composed,
for example, of
multiple servers. A portion of the server 105 can be used, for example, as a
risk analysis system
in the present disclosure for performing a risk analysis of the target entity
and the target behavior
through the knowledge map model; in addition, a portion of the server 105 can
also be used, for
example, as a data system for responding to data access requests by a user
terminal.
[0045] It should be noted that the risk analysis method provided by the
embodiments of the
present disclosure may be performed by the server 105. Accordingly, a risk
analysis device can
be disposed in the server 105. The requesting end that provides the user with
a data operation or
a data request is generally located in the terminal devices 101, 102, 103.
[0046] According to the risk analysis method and device of the present
disclosure, the risk
analysis of the target entity and the target behavior through the knowledge
map model can
comprehensively consider the enterprise security, and can also quickly target
dangerous
behaviors and dangerous targets when a security event occurs.

[0047] FIG. 2 is a flow chart of a risk analysis method according to an
exemplary
embodiment of the present disclosure. The risk analysis method 20 includes at
least steps S202 to
S206.
[0048] As shown in FIG. 2, in S202, a target entity, a target behavior, and
an association
relationship between the target entity and the target behavior are acquired.
The target entity
includes any combination of users, devices, and network addresses.
[0049] In this case, the target entity is an individual in the enterprise
that performs a target
behavior, and the target entity may include a user, a device, and a network
address.
[0050] In this embodiment, the target behavior is a set of behaviors
performed by the target
entity in the enterprise and having a security risk, and the target behavior
includes multiple
predetermined behaviors of the target entity; and specifically, for example,
uploading data,
downloading data, and viewing data may be performed.
[0051] The association relationship between the target entity and the
target behavior includes
an operational behavior. An association relationship is a connection between a
target entity and
its target behavior.
[0052] In one embodiment, the step of determining the target entity, the
target behavior, and
the association relationship between the target entity and the target behavior
includes: extracting
a user, a device, and a network address in a monitoring log as the target
entity; extracting a
predetermined behavior in the monitoring log as the target behavior; and
extracting an
operational behavior between the target entity and the target behavior in the
monitoring log as
the association relationship.
[0053] In one embodiment, for example, the target entity A is an XX user;
the target
behavior B is a data downloading behavior; the target behavior C is a data
deletion behavior. If
the XX user has the data downloading behavior, it is determined that the
target entity A has an
association relationship with the target behavior B. On the other hand, if the
XX user has no data
deletion behavior, it is determined that there is no association relationship
between the target
entity A and the target behavior C.
[0054] In S204, the target entity and the target behavior are used as
nodes, and the
association relationship between the target entity and the target behavior is
used as an edge to
create a knowledge map model.

[0055] In one embodiment, the method further includes: determining the strength of the association relationship between the target entity and the target behavior. Specifically, the strength of the association relationship may be determined, for example, by the frequency of operational behavior between the target entity and the target behavior. In addition, the strength of the association relationship is taken as the weight of the edge of the knowledge map model.
[0056] In one embodiment, the frequency of operation for a predetermined time may be the strength θ of the association relationship. For example, when the XX user has data downloading behavior within one day, the association relationship between the target entity A and the target behavior B may be determined as follows: when the number of XX user data downloading behaviors is 10, the strength of the association relationship is θ = 10.
[0057] In one embodiment, a knowledge map is the combination of the theory and method of applied mathematics, graphics, information visualization technology, information science and the like, and the citation analysis of metrology and co-occurrence analysis methods, wherein a visualized map is used to visually display the core structure of the discipline, the development history, the frontier domain and the overall knowledge architecture. It is a modern theory that achieves the purpose of multidisciplinary integration.
[0058] The knowledge map may include a variety of nodes:
[0059] Among them, entity: refers to something that is distinguishable and independent.
[0060] Concept: refers to a collection of entities with the same characteristics.
[0061] Attribute: points from an entity to its attribute value. Different attribute types correspond to edges of different types of attributes.
[0062] Relationship: on the knowledge map, the relationship is a function that maps k graph nodes (entities, semantic classes, attribute values) to the respective Boolean values.
[0063] A general representation of a knowledge map is that nodes are collections of entities in the knowledge base, which contain |E| different entities; edges are collections of relationships in the knowledge base, which contain |R| different relationships.
[0064] In one embodiment, based on the above definitions, the target entity
and the target
behavior can be used as nodes to create a knowledge map; for example, as shown
in FIG. 3, there
are nodes of two attributes in the knowledge map model, which are the target
entity node and the
target behavior node, and the edge that connects the target entity node and
the target behavior
node is the association relationship. As shown in FIG. 3, the white node in
the knowledge map
9
CA 3059709 2019-10-22

model may be, for example, a target entity node, and the black node may be,
for example, a
target behavior node.
[0065] In an embodiment, as shown in FIG. 3, in the knowledge map model,
the target entity
node and the target behavior node are connected by an edge; a target entity
node and another
target entity node are not directly connected; a target behavior node and
another target behavior
node are also not directly connected. Such settings in the knowledge map model
are in line with
the actual situation; for example, the target entity A is the XX user, the
target behavior B is the
data download behavior, the target behavior C is the data deletion behavior,
the target entity D is
the XX computer, and the XX user and the XX computer can be related to each
other via the data
download behavior. The data download behavior and the data deletion behavior
cannot directly
relate to each other; they need the target entity nodes for association.
[0066] In S206, a risk analysis of the target entity or the target behavior
is performed on the
basis of the knowledge map model.
[0067] In one embodiment, the step of performing risk analysis of the
target entity and the
target behavior through the knowledge map model comprises: determining a risk
value of the
target entity through the knowledge map model; and/or determining an abnormal
target entity
through the knowledge map model; and/or determining an abnormal target
behavior through the
knowledge map model.
[0068] In this case, the step of determining a risk value of the target entity through the knowledge map model comprises: acquiring a security level for each target behavior in the knowledge map model; and determining the risk value of the target entity in the knowledge map model on the basis of the weight of the edge in the knowledge map model, the security level of the target behavior, and the out-degree and/or in-degree of each target entity in a target entity set in the knowledge map model.
[0069] In this case, the step of determining an abnormal target entity through the knowledge map model comprises: determining the target entity with a risk value greater than a threshold; determining a set of associated entities of the target entity; and determining the target entity to be an abnormal target entity if the risk value of the target entity is greater than the risk values of every target entity in the set of associated entities.
[0070] In this case, the step of determining an abnormal target behavior through the knowledge map model comprises: determining the abnormal target entity; determining risk values of every target behavior associated with the abnormal target entity through the knowledge map model; and determining a target behavior corresponding to the maximum risk value to be the abnormal target behavior.
[0071] In one embodiment, the monitoring log data may also be acquired periodically in the form of a timed task to construct the knowledge map model for risk analysis.
[0072] According to the risk analysis method provided by the present disclosure, the target entity and the target behavior are taken as nodes, and the association relationship between the target entity and the target behavior is taken as an edge to jointly form a knowledge map model. The manner in which the risk analysis of the target entity and the target behavior is performed on the basis of the knowledge map model can comprehensively consider enterprise security, and can also quickly target dangerous behaviors and dangerous targets in the event of a security incident.
[0073] It should be understood that the present disclosure describes how to make and use particular examples, but the principles of the present disclosure are not limited to the details of the examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
[0074] FIG. 4 is a schematic diagram of a risk analysis method according to another exemplary embodiment of the present disclosure. The risk analysis method 40 shown in FIG. 4 is a detailed description of S206 "performing risk analysis of the target entity and the target behavior through the knowledge map model" in the risk analysis method 20 as shown in FIG. 2.
[0075] As shown in FIG. 4, in S402, the risk value of the target entity is determined by the knowledge map model, for example, through the following steps: acquiring a security level for each target behavior in the knowledge map model; and determining the risk value of the target entity in the knowledge map model on the basis of the weight of the edge in the knowledge map model, the security level of the target behavior, and the out-degree and/or in-degree of each target entity in a target entity set in the knowledge map model.
[0076] In one embodiment, for each target entity $X_j$ in the knowledge map model, its risk value can be calculated by the following formula:

$$R(j) = \sum_i \theta(i)\,\alpha(i)\,\frac{\mathrm{ID}(Y_i)}{N_i}$$

[0077] where:
[0078] $R(j)$ is the risk value of $X_j$,
[0079] $Y_i$ is the i-th target behavior associated with the target entity $X_j$, and $\mathrm{ID}(Y_i)$ is its in-degree,
[0080] $N_i$ is the number of target entities associated with this security behavior,
[0081] $\theta(i)$ is the connection strength between the target entity $X_j$ and $Y_i$,
[0082] $\alpha(i)$ is the risk level of the i-th security risk.
[0083] In S404, an abnormal target entity is determined by the knowledge map model, for example, through the following steps: determining the target entity with a risk value greater than a threshold; determining a set of associated entities of the target entity; and determining the target entity to be an abnormal target entity if the risk value of the target entity is greater than the risk values of every target entity in the set of associated entities.
[0084] In an embodiment, the threshold may be, for example, an empirical threshold T set by experience; for each target entity $X_j$ with $R(j) > T$, an associated entity set $S_R$ of the target entity is determined. In this embodiment, the set of associated entities is the set of target entities that are associated, through a target behavior, with the abnormal target entity:

$$S_R = \{R(k) \mid j \neq k,\ X_j \text{ connected to } X_k\}$$

[0085] It is the set of risk values of the multiple target entities $X_k$ connected to $X_j$. If $R(j)$ satisfies the following condition:

$$R(j) > \max_{R(k) \in S_R} R(k)$$

[0086] the target entity $X_j$ would be marked as the abnormal target entity.
[0087] If the risk value of the target entity is not greater than the risk value of each of the target entities in the set of associated entities, the target entity will not be marked.
[0088] In one embodiment, a security event is defined as a set of target behaviors of a target entity that exceeds the range of security risk it can assume; for example, after determining an abnormal target entity, the abnormal target entity can be considered as triggering a security event.
[0089] In S406, an abnormal target behavior is determined by the knowledge map model, for example, through the steps of: determining the abnormal target entity; determining risk values of every target behavior associated with the abnormal target entity through the knowledge map model; and determining a target behavior corresponding to the maximum risk value to be the abnormal target behavior.
[0090] For the abnormal target entity $X_j$ with risk value $R(j)$, the impact of all target behaviors on $R(j)$ can be calculated according to the following formula:

$$R(j) = \sum_i \theta(i)\,\alpha(i)\,\frac{\mathrm{ID}(Y_i)}{N_i}$$

[0091] In addition, the target behavior that has the greatest impact on its security risk can be marked.
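The risk value of [0076], the abnormal-entity test of [0084]-[0087] and the maximum-impact behavior of [0090]-[0091], worked through in Python as an added example; this is not code from the patent or its applicant. The entity names, edge weights θ(i) and security levels α(i) are constructed sample values, and in a simple bipartite graph N_i equals ID(Y_i), so both terms are kept only to mirror the formula.

```python
from collections import defaultdict

# Constructed monitoring-log edges: (target entity, target behavior, theta),
# where theta is the connection strength of the edge ([0081]). Entities only
# ever connect to behaviors, as [0065] requires.
EDGES = [
    ("user:alice", "download", 1.0),
    ("user:alice", "delete", 3.0),
    ("host:pc-17", "download", 1.0),
    ("host:pc-17", "delete", 1.0),
    ("user:bob", "download", 1.0),
    ("user:bob", "login", 1.0),
    ("ip:10.0.0.5", "login", 1.0),
]

# Constructed security level alpha(i) of each target behavior ([0082]).
SECURITY_LEVEL = {"download": 2.0, "delete": 5.0, "login": 1.0}


class KnowledgeMap:
    """Bipartite knowledge map: entity nodes, behavior nodes, weighted edges."""

    def __init__(self, edges, security_level):
        self.theta = {}                            # (entity, behavior) -> weight
        self.entity_behaviors = defaultdict(set)   # X_j -> {Y_i}
        self.behavior_entities = defaultdict(set)  # Y_i -> {X_k}
        self.alpha = security_level
        for entity, behavior, weight in edges:
            if behavior not in security_level:
                raise ValueError(f"no security level for behavior {behavior!r}")
            self.theta[(entity, behavior)] = weight
            self.entity_behaviors[entity].add(behavior)
            self.behavior_entities[behavior].add(entity)

    def in_degree(self, behavior):
        """ID(Y_i): number of entity nodes with an edge into this behavior."""
        return len(self.behavior_entities[behavior])

    def behavior_impacts(self, entity):
        """Per-behavior terms theta(i) * alpha(i) * ID(Y_i) / N_i of [0090]."""
        impacts = {}
        for y in self.entity_behaviors[entity]:
            n_i = len(self.behavior_entities[y])  # N_i: entities tied to Y_i
            impacts[y] = self.theta[(entity, y)] * self.alpha[y] * self.in_degree(y) / n_i
        return impacts

    def risk(self, entity):
        """R(j) of [0076]: sum of the impacts of all associated behaviors."""
        return sum(self.behavior_impacts(entity).values())

    def associated_entities(self, entity):
        """S_R of [0084]: the other entities that share a behavior with X_j."""
        related = set()
        for y in self.entity_behaviors[entity]:
            related |= self.behavior_entities[y]
        related.discard(entity)
        return related

    def abnormal_entities(self, threshold):
        """[0083]-[0087]: R(j) > T and R(j) > R(k) for every X_k in S_R."""
        flagged = []
        for x in self.entity_behaviors:
            r = self.risk(x)
            if r > threshold and all(r > self.risk(k) for k in self.associated_entities(x)):
                flagged.append(x)
        return sorted(flagged)

    def abnormal_behavior(self, entity):
        """[0090]-[0091]: the behavior with the greatest impact on R(j)."""
        impacts = self.behavior_impacts(entity)
        return max(impacts, key=impacts.get)


def analyse(threshold=5.0):
    """Map each abnormal entity to the behavior that triggered its security event."""
    km = KnowledgeMap(EDGES, SECURITY_LEVEL)
    return {x: km.abnormal_behavior(x) for x in km.abnormal_entities(threshold)}


if __name__ == "__main__":
    print(analyse())  # {'user:alice': 'delete'}
```

With the sample data, user:alice scores 17.0 against 7.0 for the host it shares behaviors with, so it is the only entity flagged, and the data deletion behavior is the one that contributes most to its risk.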
[0092] According to the risk analysis method of the present disclosure, the knowledge map technology is used to provide a quantitative reference value for the security risk value of the enterprise target entity.
[0093] According to the risk analysis method of the present disclosure, when a security event occurs, the target entity by which the security event is triggered can be marked.
[0094] According to the risk analysis method of the present disclosure, when a security event occurs, it is possible to trace the security behavior of the enterprise target entity that triggers the security event.
[0095] A person skilled in the art will appreciate that all or part of the steps to implement the above described embodiments can be implemented as a computer program executed by a CPU. The above described functions defined by the above methods provided by the present disclosure can be executed when the computer program is executed by the CPU. The program may be stored in a computer readable storage medium, which may be a read only memory, a magnetic disk or an optical disk, or the like.
[0096] Further, it should be noted that the drawings described above are merely illustrative of the processes included in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It is easy to understand that the processing shown in the above figures does not indicate or limit the chronological order of these processes. In addition, it is also easy to understand that these processes may be performed synchronously or asynchronously, for example, in a plurality of modules.
[0097] The following is a device embodiment of the present disclosure, which may be used to implement the method embodiments of the present disclosure. For details not disclosed in the device embodiments, please refer to the method embodiments of the present disclosure.
[0098] FIG. 5 is a block diagram of a risk analysis device according to one exemplary embodiment of the present disclosure. A risk analysis device 50 includes an extraction module 502, a model module 504, and an analysis module 506.
[0099] The extraction module 502 is used for acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior; more specifically, including: extracting a user, a device, and a network address in a monitoring log as the target entity; extracting a predetermined behavior in the monitoring log as the target behavior; and extracting an operational behavior between the target entity and the target behavior in the monitoring log as the association relationship.
[0100] The model module 504 is used for using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model. In the knowledge map model, the target entity node and the target behavior node are connected by the edge; a target entity node and another target entity node are not directly connected; also, a target behavior node and another target behavior node are not directly connected.
[0101] The analysis module 506 is used for performing risk analysis for the target entity and the target behavior by using the knowledge map model; more specifically, including: determining a risk value of the target entity through the knowledge map model; and/or determining an abnormal target entity through the knowledge map model; and/or determining an abnormal target behavior through the knowledge map model.
[0102] According to the risk analysis device provided by the present disclosure, the target entity and the target behavior are taken as nodes, and the association relationship between the target entity and the target behavior is taken as an edge to jointly form a knowledge map model. The manner in which the risk analysis of the target entity and the target behavior is performed on the basis of the knowledge map model can comprehensively consider enterprise security, and can also quickly target dangerous behaviors and dangerous targets in the event of a security incident.
[0103] FIG. 6 is a block diagram of an electronic device according to another exemplary embodiment of the present disclosure.
[0104] An electronic device 200 according to such an embodiment of the present disclosure is described below with reference to FIG. 6. The electronic device 200 shown in FIG. 6 is merely an example and should not impose any limitation on the function and scope of the embodiments of the present disclosure.
[0105] As shown in FIG. 6, the electronic device 200 is embodied in the form of a general purpose computing device. The components of the electronic device 200 may include, but are not limited to, at least one processing unit 210, at least one storage unit 220, a bus 230 connecting different system components (including the storage unit 220 and the processing unit 210), a display unit 240, and the like.
[0106] The storage unit stores program code, which may be executed by the processing unit 210, such that the processing unit 210 performs the steps according to various exemplary embodiments of the present disclosure described in the electronic protocol flow processing method above in the present disclosure. For example, the processing unit 210 can perform the steps as shown in FIG. 2, FIG. 4, etc.
[0107] The storage unit 220 may include a readable medium in the form of a volatile storage unit, such as a random access storage unit (RAM) 2201 and/or a cache storage unit 2202, and may further include a read only storage unit (ROM) 2203.
[0108] The storage unit 220 may also include a program/utility 2204 having a set (at least one) of the program modules 2205, including but not limited to: an operating system, one or more applications, other program modules, and program data; each of these examples or some combination may include an implementation of a network environment.
[0109] The bus 230 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of a variety of bus structures.
[0110] The electronic device 200 can communicate with one or more external devices 300 (for example, a keyboard, pointing device, a Bluetooth device, and the like) and can also communicate with one or more devices that enable the user to interact with the electronic device 200, and/or with any device (for example, a router, a modem, and the like) that enables the electronic device 200 to communicate with one or more other computing devices. This communication can take place via an input/output (I/O) interface 250. In addition, the electronic device 200 may also communicate with one or more networks (for example, a local area network (LAN), a wide area network (WAN), and/or a public network, such as the Internet) via a network adapter 260. The network adapter 260 can communicate with other modules of electronic device 200 via the bus 230. It should be understood that although not shown in the figures, other hardware and/or software modules may also be utilized in conjunction with electronic device 200, including but not limited to: a microcode, a device driver, a redundant processing unit, an external disk drive array, a RAID system, a tape drive, a data backup storage system, and the like.
[0111] Through the description of the above embodiments, a person skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software or by software in combination with necessary hardware. Therefore, the technical solution according to an embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a mobile hard disk, or the like) or on a network. A number of instructions may be included to cause a computing device (which may be a personal computer, a server, a network device, or the like) to perform the methods described above in accordance with embodiments of the present disclosure.
[0112] FIG. 7 is a schematic diagram showing a computer readable storage medium according to another exemplary embodiment of the present disclosure.
[0113] In reference to FIG. 7, a program product 400 for implementing the above method is shown. It may be a portable compact disk read only memory (CD-ROM) and includes program code and can be run on a terminal device such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, the readable storage medium may be any tangible medium that contains or stores a program that can be used by or in connection with an instruction execution system, apparatus, or device.
[0114] The program product can employ any combination of one or more readable media. The readable medium can be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the above. More specific examples (non-exhaustive lists) of readable storage media include: electrical connections with one or more wires, portable disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.
[0115] The computer readable storage medium can include a data signal that can be transmitted in a baseband or as part of a carrier, in which readable program code is carried. Such propagated data signals can take a variety of forms including, but not limited to, electromagnetic signals, optical signals, or any suitable combination of the foregoing. The readable storage medium can also be any readable medium other than a readable storage medium that can transmit, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device. Program code embodied on a readable storage medium may be transmitted by any suitable medium, including but not limited to wireless, wireline, optical cable, RF, etc., or any suitable combination of the foregoing.
[0116] The program code for performing the operations of the present disclosure may be written by any combination of one or more programming languages, including an object oriented programming language, such as Java, C++, etc., also including conventional procedural programming languages, such as the "C" language or a similar programming language. The program code can execute entirely on a user computing device, partially on a user device, as a stand-alone software package, partly on a user computing device, partly on a remote computing device, or entirely on a remote computing device or server. In the case of a remote computing device, the remote computing device can be connected to the user computing device via any kind of network, including a local area network (LAN) or a wide area network (WAN), or can be connected to an external computing device (for example, connect via the Internet via the service provided by an Internet service provider).
[0117] The computer readable medium carries one or more programs that, when executed by one of the devices, can cause the computer readable medium to perform the following functions: acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior; using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model; and performing risk analysis for the target entity and the target behavior by using the knowledge map model.
[0118] It will be understood by a person skilled in the art that the above various modules may be distributed in the device according to the description of the embodiments, or may be correspondingly changed in one or more devices different from the embodiment. The modules of the above embodiments may be combined into one module, or may be further split into multiple sub-modules.
[0119] Through the description of the above embodiments, a person skilled in the art can easily understand that the exemplary embodiments described herein may be implemented by software, or may be implemented by software in combination with necessary hardware. Therefore, the technical solution according to an embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a mobile hard disk, and the like) or on a network, including several instructions, such that the method according to an embodiment of the present disclosure is performed by a computing device (which may be a personal computer, a server, a mobile terminal, a network device, and the like).
[0120] The exemplary embodiments of the present disclosure have been specifically shown and described above. It should be understood that the present disclosure is not limited to the detailed structures, arrangements, or implementations described herein; rather, the present invention should encompass various modifications and equivalents of the present invention as defined in the claims.

Administrative Status

Please note that "Inactive:" events refer to events no longer in use in our new back-office solution.

Event History

Description Date
Examiner's Report 2024-08-30
Amendment Received - Response to Examiner's Requisition 2024-03-21
Amendment Received - Voluntary Amendment 2024-03-21
Examiner's Report 2023-11-21
Inactive: Report - No QC 2023-11-16
Amendment Received - Voluntary Amendment 2023-06-27
Amendment Received - Response to Examiner's Requisition 2023-06-27
Examiner's Report 2023-02-27
Inactive: Report - No QC 2023-02-23
Letter Sent 2023-02-07
Letter sent 2023-02-07
Advanced Examination Determined Compliant - paragraph 84(1)(a) of the Patent Rules 2023-02-07
Inactive: IPC assigned 2023-02-02
Inactive: First IPC assigned 2023-02-02
Inactive: IPC expired 2023-01-01
Inactive: IPC removed 2022-12-31
Inactive: Correspondence - Prosecution 2022-12-23
Inactive: Advanced examination (SO) fee processed 2022-12-16
Inactive: Advanced examination (SO) 2022-12-16
Amendment Received - Voluntary Amendment 2022-12-16
Amendment Received - Voluntary Amendment 2022-12-16
Request for Examination Requirements Determined Compliant 2022-09-16
All Requirements for Examination Determined Compliant 2022-09-16
Request for Examination Received 2022-09-16
Common Representative Appointed 2020-11-07
Application Published (Open to Public Inspection) 2020-04-23
Inactive: Cover page published 2020-04-22
Letter sent 2019-12-10
Filing Requirements Determined Compliant 2019-12-10
Priority Claim Requirements Determined Not Compliant 2019-11-05
Inactive: Recording certificate (Transfer) 2019-11-05
Priority Claim Requirements Determined Compliant 2019-11-05
Common Representative Appointed 2019-11-05
Common Representative Appointed 2019-10-30
Common Representative Appointed 2019-10-30
Inactive: IPC assigned 2019-10-29
Inactive: First IPC assigned 2019-10-29
Application Received - Regular National 2019-10-25

Abandonment History

There is no abandonment history.

Maintenance Fee

The last payment was received on 2023-12-15


Fee History

Fee Type Anniversary Year Due Date Paid Date
Application fee - standard 2019-10-22 2019-10-22
Registration of a document 2019-10-22 2019-10-22
MF (application, 2nd anniv.) - standard 02 2021-10-22 2021-06-25
MF (application, 3rd anniv.) - standard 03 2022-10-24 2022-06-22
Request for examination - standard 2024-10-22 2022-09-16
Advanced Examination 2022-12-16 2022-12-16
MF (application, 4th anniv.) - standard 04 2023-10-23 2023-06-14
MF (application, 5th anniv.) - standard 05 2024-10-22 2023-12-15
Owners on Record

Note: Records showing the ownership history in alphabetical order.

Current Owners on Record
10353744 CANADA LTD.
Past Owners on Record
HAOTING SUN
NAN WANG
Past Owners that do not appear in the "Owners on Record" listing will appear in other documentation within the application.
Documents

Document Description Date (yyyy-mm-dd) Number of pages Size of Image (KB)
Claims 2024-03-20 10 507
Description 2023-06-26 18 1,330
Abstract 2023-06-26 1 29
Claims 2023-06-26 10 545
Description 2019-10-21 18 945
Abstract 2019-10-21 1 21
Claims 2019-10-21 3 115
Drawings 2019-10-21 4 49
Representative drawing 2020-03-16 1 9
Claims 2022-12-15 11 575
Examiner requisition 2024-08-29 3 126
Amendment / response to report 2024-03-20 32 1,225
Courtesy - Certificate of Recordal (Transfer) 2019-11-04 1 376
Courtesy - Acknowledgement of Request for Examination 2023-02-06 1 423
Amendment / response to report 2023-06-26 35 1,384
Examiner requisition 2023-11-20 7 333
Request for examination 2022-09-15 9 320
Advanced examination (SO) / Amendment / response to report 2022-12-15 28 1,204
Prosecution correspondence 2022-12-22 4 151
Courtesy - Advanced Examination Request - Compliant (SO) 2023-02-06 1 176
Examiner requisition 2023-02-26 4 236