
Analysis method, device, equipment and medium of access path

An access path analysis technology, applied in the field of information security management, that addresses insufficient accuracy in discovering abnormal paths, reduced accuracy and flexibility, and hidden dangers, so as to improve classification efficiency and classification accuracy, with the effect of a small average depth.

Active Publication Date: 2021-03-23
HANDAN BRANCH OF CHINA MOBILE GRP HEBEI COMPANY LIMITED +1

AI Technical Summary

Problems solved by technology

[0005] Existing access path analysis is mainly based on resource and system login logs. It analyzes the source and destination addresses in the logs against an access rule dictionary formulated in advance, and audits through keyword matching and statistical comparison. The audit rules, audit strategies, and sample data that these methods rely on are mainly formulated or set according to auditors' judgment and past experience, which greatly reduces accuracy and flexibility and cannot cope with malicious access that uses a rich variety of means. The result is a large number of missed audits, far from meeting audit requirements, and the following shortcomings are common:
[0006] 1) Insufficient traceability:
[0007] For multi-level jump access, the accurate source address cannot be obtained, so the source address cannot be accurately audited.
[0008] 2) Insufficient accuracy in discovering abnormal paths:
[0009] The production environment is complicated and in many cases is not black and white. The current mainstream analysis, based on black and white lists of source IP addresses, therefore directly affects the accuracy of the judgment basis; because the analysis basis is mainly set from manual experience, its reliability is not that high.
[0010] 3) Unable to mine hidden security channels:
[0011] In actual production, the network environment is complex. Sometimes a network policy change affects many network channels and causes security risks, and some hidden channels have been opened maliciously or have already been used. Because existing audit analysis cannot complete the traceability of the access path, the complete access path cannot be obtained, and the mining of hidden security channels cannot be realized.

Embodiment Construction

[0025] The characteristics and exemplary embodiments of various aspects of the present invention are described in detail below. To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are intended only to explain the present invention, not to limit it. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is only to provide a better understanding of the present invention by showing examples of it.

[0026] It should be noted that in this article, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and ...


Abstract

The embodiment of the invention discloses an access path analysis method, an access path analysis device, computer equipment and a computer-readable storage medium. The access path analysis method includes: obtaining login logs from the log library; using a decision tree algorithm to perform association analysis on the login logs and construct a log decision tree model; supplementing access paths according to the log type associations of the login logs in the log decision tree model, to obtain all access paths; using the K-means clustering algorithm to perform cluster analysis on all access paths; and outputting abnormal access paths and access path baselines according to the cluster analysis results. By using a decision tree algorithm and the K-means clustering algorithm, the invention realizes access path analysis and more effective discovery of abnormal access paths, improves the accuracy of anomaly discovery, digs out hidden access channels, and thereby realizes the audit of abnormal behaviors and improves the accuracy of access traceability.
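The pipeline in the abstract, as an added example that is not code from the patent: hop-level login records are joined into full multi-hop paths, the paths are clustered with K-means, and the majority cluster is reported as the baseline. It substitutes time-window hop chaining for the decision-tree association step; the log fields, the two features (hop count, mean hop frequency), k=2 and the 60-second window are all assumptions.

```python
from collections import Counter

# Constructed login records (not from the patent): (epoch_seconds, source, destination)
LOGS = [
    (100, "ws1", "bastion"), (130, "bastion", "db1"),
    (200, "ws2", "bastion"), (220, "bastion", "db1"),
    (300, "ws3", "bastion"), (330, "bastion", "db1"),
    (400, "ws9", "app7"), (420, "app7", "app8"), (450, "app8", "db1"),
]

def rebuild_paths(logs, window=60):
    """Assumed chaining rule: a login leaving host H within `window` seconds
    of a login arriving at H is the next hop of the same access path."""
    open_paths = []                      # each entry: [last_timestamp, [hosts...]]
    for ts, src, dst in sorted(logs):
        for p in open_paths:
            if p[1][-1] == src and 0 <= ts - p[0] <= window:
                p[0], p[1] = ts, p[1] + [dst]
                break
        else:
            open_paths.append([ts, [src, dst]])
    return [tuple(hosts) for _, hosts in open_paths]

def dist(p, q):
    return sum((a - b) ** 2 for a, b in zip(p, q))

def kmeans2(points, iters=10):
    # k=2 and farthest-point seeding are assumptions; the page gives no parameters
    c = [points[0], max(points, key=lambda p: dist(p, points[0]))]
    for _ in range(iters):
        labels = [min((0, 1), key=lambda i: dist(p, c[i])) for p in points]
        for i in (0, 1):
            members = [p for p, l in zip(points, labels) if l == i]
            if members:
                c[i] = tuple(sum(v) / len(members) for v in zip(*members))
    return labels

def analyze(logs):
    paths = rebuild_paths(logs)
    edges = Counter((s, d) for _, s, d in logs)   # how often each hop is seen
    feats = []
    for p in paths:
        hops = list(zip(p, p[1:]))
        feats.append((len(hops), sum(edges[h] for h in hops) / len(hops)))
    labels = kmeans2(feats)
    normal = Counter(labels).most_common(1)[0][0]  # majority cluster = baseline
    baseline = [p for p, l in zip(paths, labels) if l == normal]
    abnormal = [p for p, l in zip(paths, labels) if l != normal]
    return baseline, abnormal

print(analyze(LOGS))
```

On the constructed records, the three workstation-to-bastion-to-database paths form the baseline and the path that reaches db1 through app7 and app8 is flagged, with its true origin ws9 recovered rather than the last-hop address.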

Description

Technical field

[0001] The present invention relates to the technical field of information security management, in particular to an access path analysis method, an access path analysis device, computer equipment, and a computer-readable storage medium.

Background technique

[0002] To protect the safety of production data within the enterprise, the enterprise establishes a complete log audit system that technically ensures the compliance of operations and behaviors, so as to reduce the pressure on audit administrators and eliminate security risks to production data. The audit system audits the necessary behaviors in the maintenance process of each business system by collecting and processing the log information of various hosts, network devices, security devices, databases, middleware and application systems, so that operation behavior is checkable and controllable.

[0003] Enterprises carry out IT information system security construction in accordance w...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F16/18, G06F16/28, G06F16/951
CPC: G06F16/1815, G06F16/285, G06F16/951
Inventor: 刘乐, 赵雪昆, 王立川, 刘丹
Owner: HANDAN BRANCH OF CHINA MOBILE GRP HEBEI COMPANY LIMITED