A smart sense component-based user behavior risk analysis method and system
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SUZHOU YUNZHISHEN TECH CO LTD
- Filing Date
- 2023-04-04
- Publication Date
- 2026-06-09
AI Technical Summary
When existing users use the SDP client, they cannot promptly trace and monitor when their digital assets are threatened.
By obtaining the built-in RootCa in the DeepCloud SDP client and writing it into the terminal's trusted certificate list, the DNS service is started to resolve user access information to DeepWeb. DeepWeb records and forwards user request data to RealServer. The SmartSense component analyzes and evaluates the HTTP response body data and makes risk control decisions.
It enables real-time monitoring and risk control of user behavior, and can trace, analyze and alert when user digital assets are threatened, providing multi-layered protection.
Smart Images

Figure CN116566649B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of user behavior risk analysis technology, and in particular to a user behavior risk analysis method and system based on the SmartSense component. Background Technology
[0002] Software-Defined Perimeter (SDP) is a network security architecture that provides security protection for the OSI seven-layer protocol stack. SDP consists of three main components: the SDP controller, the SDP client, and the SDP gateway. SDP enables asset hiding and establishes a trusted connection using a single data packet through separate control and data planes before allowing clients to connect to the hidden assets. Zero-trust networks implemented using SDP can defend against new variations of old attack methods, improving the security challenges posed by the increasingly complex and expanding attack surface.
[0003] SmartSense is a reverse proxy and user behavior analysis service that combines on-premises SDP tunneling. It provides HTTP / HTTPS services through the DeepWeb open request entry point, enabling DNS resolution of domain names and automatically proxying to the origin server. The DeepWeb reverse proxy module unpacks user HTTP request packets, analyzes the request content, and then reassembles the new request packets based on the user's request content before sending them to the real server. At this point, the origin has become the DeepWeb reverse proxy; the destination is the real server. The reverse proxy module can obtain the full content of the user request and the response body. DeepWeb then sends the user request response body to the SmartSense module for analysis.
[0004] When existing users use the SDP client, they cannot promptly trace and monitor when their digital assets are threatened. Summary of the Invention
[0005] Based on this, and in response to the aforementioned technical problems, a method and system for user behavior risk analysis based on the SmartSense component is provided to solve the problem that users' digital assets cannot be traced and monitored in a timely manner when using existing SDP clients.
[0006] Firstly, a method for user behavior risk analysis based on the SmartSense component, the method comprising:
[0007] In response to the user's first input, the system receives the user's login to the DeepCloud SDP client, obtains the RootCa built into the DeepCloud SDP client, and writes the RootCa into the terminal's trusted certificate list.
[0008] The DNS service is started, responding to the user's second input, receiving the access information accessed by the user, and resolving the domain name corresponding to the access information to DeepWeb. DeepWeb obtains the user's request data based on the user's access information.
[0009] The DeepWeb records the target message of the user's access information and changes the destination address of the target message to the address of the RealServer actual server;
[0010] The DeepWeb sends the actual RealServer service to the SmartSense component based on different Content-Type HTTP responsebody data;
[0011] The SmartSense component performs analysis and assessment of the HTTP responsebody data, makes risk control decisions, and outputs the risk control decisions.
[0012] Optionally, in the above scheme, the step of responding to the user's first input, receiving the user's login to the DeepCloud SDP client, obtaining the built-in RootCa of the DeepCloud SDP client, and writing the RootCa into the terminal trusted certificate list includes: the user logging into the DeepCloud SDP client, the DeepCloud SDP client obtaining the built-in RootCa and writing it into the terminal trusted certificate list.
[0013] In the above scheme, optionally, starting the DNS service, responding to the user's second input, receiving the access information accessed by the user, and resolving the domain name corresponding to the access information to DeepWeb, includes: the client starting the DNS service on port 53 of 127.0.0.1, resolving the domain name of the application or website to DeepWeb when the user accesses the application or website, and DeepWeb acting as a proxy for the user's request data.
[0014] In the above scheme, optionally, DeepWeb obtains the user's request data based on the user's access information, and DeepWeb issues a server certificate via a self-signed RootCab for the HTTPS request during the TLS handshake phase.
[0015] In the above scheme, optionally further, the target message of DeepWeb recording the user's access information includes the source IP address, destination IP address, protocol number, source port, destination port, service type, and interface index of the user's access information.
[0016] In the above scheme, optionally, the SmartSense component performs line analysis and evaluation on the HTTP response body data, makes risk control decisions, and outputs the risk control decisions, which include: issuing an alarm or blocking the user.
[0017] Secondly, a user behavior risk analysis system based on SmartSense components, the system comprising:
[0018] Login module: In response to the user's first input, it receives the user's login to the DeepCloud SDP client, obtains the RootCa built into the DeepCloud SDP client, and writes the RootCa into the terminal's trusted certificate list;
[0019] Access module: Used to start DNS service, respond to the user's second input, receive the access information accessed by the user, and resolve the domain name corresponding to the access information to DeepWeb. DeepWeb obtains the user's request data based on the user's access information.
[0020] Recording module: Used by DeepWeb to record the target message of the user's access information and change the destination address of the target message to the address of the actual server, RealServer;
[0021] Forwarding module: Used by DeepWeb to send the actual service of RealServer to the SmartSense component according to different Content-Type HTTP responsebody data;
[0022] Decision module: Used by the SmartSense component to perform risk control decisions on the HTTP responsebody data analysis and evaluation, and output the risk control decisions.
[0023] Thirdly, a computer device includes a memory and a processor, the memory storing a computer program, the processor executing the computer program to perform the following steps:
[0024] In response to the user's first input, the system receives the user's login to the DeepCloud SDP client, obtains the RootCa built into the DeepCloud SDP client, and writes the RootCa into the terminal's trusted certificate list.
[0025] The DNS service is started, responding to the user's second input, receiving the access information accessed by the user, and resolving the domain name corresponding to the access information to DeepWeb. DeepWeb obtains the user's request data based on the user's access information.
[0026] The DeepWeb records the target message of the user's access information and changes the destination address of the target message to the address of the RealServer actual server;
[0027] The DeepWeb sends the actual RealServer service to the SmartSense component based on different Content-Type HTTP responsebody data;
[0028] The SmartSense component performs analysis and assessment of the HTTP responsebody data, makes risk control decisions, and outputs the risk control decisions.
[0029] Fourthly, a computer-readable storage medium having a computer program stored thereon, the computer program performing the following steps when executed by a processor:
[0030] In response to the user's first input, the system receives the user's login to the DeepCloud SDP client, obtains the RootCa built into the DeepCloud SDP client, and writes the RootCa into the terminal's trusted certificate list.
[0031] The DNS service is started, responding to the user's second input, receiving the access information accessed by the user, and resolving the domain name corresponding to the access information to DeepWeb. DeepWeb obtains the user's request data based on the user's access information.
[0032] The DeepWeb records the target message of the user's access information and changes the destination address of the target message to the address of the RealServer actual server;
[0033] The DeepWeb sends the actual RealServer service to the SmartSense component based on different Content-Type HTTP responsebody data;
[0034] The SmartSense component performs analysis and assessment of the HTTP responsebody data, makes risk control decisions, and outputs the risk control decisions.
[0035] The present invention has at least the following beneficial effects:
[0036] This invention, based on further analysis and research into existing technical problems, recognizes the issue of timely tracing and monitoring when user digital assets are threatened in existing SDP clients. This invention addresses this by obtaining the built-in RootCa from the DeepCloud SDP client after the user logs in, writing the RootCa into the terminal's trusted certificate list, starting a DNS service, receiving the user's access information, and resolving the domain name corresponding to the access information to DeepWeb. DeepWeb then obtains the user's request data based on the access information, records the target message of the user's access information, and changes the destination address of the target message to the address of the RealServer. DeepWeb then sends the RealServer's HTTP response body data according to different Content-Types to the SmartSense component. The SmartSense component analyzes and evaluates the HTTP response body data, makes risk control decisions, and outputs these decisions. This invention proxies user HTTP requests in the SmartSense scenario and collects and analyzes user behavior data. When user access is risky or abnormal, it issues access alerts or blocks access. When user digital assets are threatened, the system is traceable, monitorable, analyzable, and alertable. Attached Figure Description
[0037] Figure 1 A flowchart illustrating a user behavior risk analysis method based on the SmartSense component provided in one embodiment of the present invention;
[0038] Figure 2 This is a schematic diagram illustrating the overall process of a SmartSense-based user behavior risk analysis method according to an embodiment of the present invention.
[0039] Figure 3 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation
[0040] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0041] The user behavior risk analysis method based on the SmartSense component provided in this application, such as Figure 1 As shown, it includes the following steps:
[0042] In response to the user's first input, the system receives the user's login to the DeepCloud SDP client, obtains the RootCa built into the DeepCloud SDP client, and writes the RootCa into the terminal's trusted certificate list.
[0043] The DNS service is started, responding to the user's second input, receiving the access information accessed by the user, and resolving the domain name corresponding to the access information to DeepWeb. DeepWeb obtains the user's request data based on the user's access information.
[0044] The DeepWeb records the target message of the user's access information and changes the destination address of the target message to the address of the RealServer actual server;
[0045] The DeepWeb sends the actual RealServer service to the SmartSense component based on different Content-Type HTTP responsebody data;
[0046] The SmartSense component performs analysis and assessment of the HTTP responsebody data, makes risk control decisions, and outputs the risk control decisions.
[0047] In one embodiment, the step of responding to a user's first input, receiving the user's login to the DeepCloud SDP client, obtaining the DeepCloud SDP client's built-in RootCa, and writing the RootCa into the terminal's trusted certificate list includes: the user logging into the DeepCloud SDP client, the DeepCloud SDP client obtaining the built-in RootCa and writing it into the terminal's trusted certificate list.
[0048] In one embodiment, starting the DNS service, in response to a second user input, receiving access information accessed by the user, and resolving the domain name corresponding to the access information to DeepWeb, includes: the client starting a DNS service on port 53 of 127.0.0.1, resolving the domain name of the application or website to DeepWeb when the user accesses the application or website, and DeepWeb acting as a proxy for the user's request data.
[0049] In one embodiment, DeepWeb obtains the user's request data based on the user's access information, and DeepWeb issues a server certificate via a self-signed RootCab during the TLS handshake phase for HTTPS requests.
[0050] In one embodiment, the DeepWeb records the user's access information in a target message, which includes the user's access information's source IP address, destination IP address, protocol number, source port, destination port, service type, and interface index.
[0051] In one embodiment, the SmartSense component performs line analysis and assessment on the HTTP responsebody data, makes risk control decisions, and outputs the risk control decisions, which include: issuing an alarm or blocking the user.
[0052] In this embodiment, after a user logs into the DeepCloud SDP client, the built-in RootCa of the DeepCloud SDP client is obtained and written into the terminal's trusted certificate list. The DNS service is then started to receive the user's access information, and the domain name corresponding to the access information is resolved to DeepWeb. DeepWeb obtains the user's request data based on the access information, records the target packet of the user's access information, and changes the destination address of the target packet to the address of the RealServer actual server. DeepWeb sends the RealServer actual service's HTTP response body data according to different Content-Types to the SmartSense component. The SmartSense component analyzes and evaluates the HTTP response body data, makes risk control decisions, and outputs the risk control decisions. By implementing proxying of user HTTP requests and collecting and analyzing user behavior data in the SmartSense scenario, access alerts or blocking are triggered when user access is risky or abnormal. This allows for traceability, monitoring, analysis, and alerting when user digital assets are threatened. In this embodiment, the self-signed certificate is marked as a trusted certificate by the SDP client; and in the SmartSense scenario, the proxy of user HTTP requests is implemented and user behavior data is collected and analyzed. When user access is risky or abnormal, access is alerted or blocked.
[0053] In one embodiment, such as Figure 2As shown, SmartSense user behavior collection and analysis includes the following steps: Users log into the DeepCloud SDP client, which embeds RootCab and writes it to the trusted certificate list; the client starts a DNS service on port 53 (127.0.0.1). When users access applications or websites, the domain name is resolved to DeepWeb, which proxies the user's request data. DeepWeb issues a server certificate using a self-signed RootCab during the TLS handshake phase for HTTPS requests; after receiving the client's request, DeepWeb records relevant messages such as (source IP address, destination IP address, protocol number, source port, destination port, service type, and interface index) and changes the destination address of the message to the address of the actual RealServer server. DeepWeb sends the HTTP response body data to the SmartSense component based on different Content-Types for the actual RealServer service; the SmartSense component analyzes and assesses the HTTP response body data to make risk control decisions.
[0054] The method described in this embodiment adds an extra layer of protection to digital assets and has the following advantages: data is accurate down to the specific user, time, route, and the actual content and frequency of access; digital assets can be traced, monitored, analyzed, and alerted when threatened.
[0055] It should be understood that, although Figure 1 The steps in the flowchart are shown sequentially as indicated by the arrows, but these steps are not necessarily executed in the order indicated by the arrows. Unless otherwise specified herein, there is no strict order in which these steps are executed, and they can be performed in other orders. Figure 1 At least some of the steps in the process may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but may be executed at different times. The execution order of these steps or stages is not necessarily sequential, but may be executed in turn or alternately with other steps or at least some of the steps or stages in other steps.
[0056] In one embodiment, a user behavior risk analysis system based on the SmartSense component is provided, including the following program modules:
[0057] Login module: In response to the user's first input, it receives the user's login to the DeepCloud SDP client, obtains the RootCa built into the DeepCloud SDP client, and writes the RootCa into the terminal's trusted certificate list;
[0058] Access module: Used to start DNS service, respond to the user's second input, receive the access information accessed by the user, and resolve the domain name corresponding to the access information to DeepWeb. DeepWeb obtains the user's request data based on the user's access information.
[0059] Recording module: Used by DeepWeb to record the target message of the user's access information and change the destination address of the target message to the address of the actual server, RealServer;
[0060] Forwarding module: Used by DeepWeb to send the actual service of RealServer to the SmartSense component according to different Content-Type HTTP responsebody data;
[0061] Decision module: Used by the SmartSense component to perform risk control decisions on the HTTP responsebody data analysis and evaluation, and output the risk control decisions.
[0062] Specific limitations regarding the SmartSense component-based user behavior risk analysis system can be found in the limitations of the SmartSense component-based user behavior risk analysis method described above, and will not be repeated here. Each module in the aforementioned SmartSense component-based user behavior risk analysis system can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the computer device's memory as software, so that the processor can call and execute the corresponding operations of each module.
[0063] In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as follows: Figure 3As shown, the computer device includes a processor, memory, communication interface, display screen, and input system connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, carrier networks, NFC (Near Field Communication), or other technologies. When executed by the processor, the computer program implements a user behavior risk analysis method based on the SmartSense component. The display screen can be an LCD screen or an e-ink screen. The input system can be a touch layer covering the display screen, buttons, a trackball, or a touchpad on the computer device's casing, or an external keyboard, touchpad, or mouse.
[0064] Those skilled in the art will understand that Figure 3 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0065] In one embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program relating to all or part of the processes in the methods of the above embodiments.
[0066] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon relating to all or part of the processes in the methods of the above embodiments.
[0067] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, storage, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, or optical storage, etc. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can be in various forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), etc.
[0068] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0069] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are relatively specific and detailed, they should not be construed as limiting the scope of the invention patent. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this patent application should be determined by the appended claims.
Claims
1. A user behavior risk analysis method based on the SmartSense component, characterized in that, The method includes: In response to the user's first input, the system receives the user's login to the DeepCloud SDP client, obtains the DeepCloud SDP client's built-in Root Ca, and writes the Root Ca into the terminal's trusted certificate list. The DNS service is started, responding to the user's second input, receiving the access information accessed by the user, and resolving the domain name corresponding to the access information to DeepWeb. DeepWeb obtains the user's request data based on the user's access information. The DeepWeb records the target message of the user's access information and changes the destination address of the target message to the address of the RealServer actual server; The DeepWeb sends the actual RealServer service to the SmartSense component based on different Content-Type HTTP responsebody data; The SmartSense component performs line analysis and evaluation on the HTTP response body data, makes risk control decisions, and outputs the risk control decisions. The DeepWeb obtains the user's request data based on the user's access information, and issues a server certificate through a self-signed Root Certificate for the HTTPS request during the TLS handshake phase. The DeepWeb records the user's access information in the target message, which includes the source IP address, destination IP address, protocol number, source port, destination port, service type, and interface index of the user's access information.
2. The method according to claim 1, characterized in that, The step of responding to the user's first input, receiving the user's login to the DeepCloud SDP client, obtaining the DeepCloud SDP client's built-in Root Ca, and writing the Root Ca into the terminal's trusted certificate list includes: the user logging into the DeepCloud SDP client, the DeepCloud SDP client obtaining the built-in Root Ca and writing it into the terminal's trusted certificate list.
3. The method according to claim 2, characterized in that, The step of starting the DNS service, in response to the user's second input, receiving the access information accessed by the user, and resolving the domain name corresponding to the access information to DeepWeb, includes: the client starting the DNS service on port 53 of 127.0.0.1, resolving the domain name of the application or website to DeepWeb when the user accesses the application or website, and DeepWeb acting as a proxy for the user's request data.
4. The method according to claim 1, characterized in that, The SmartSense component performs line analysis and assessment on the HTTP response body data, makes risk control decisions, and outputs the risk control decisions, which include: issuing an alarm or blocking the user.
5. A user behavior risk analysis system based on the SmartSense component, characterized in that, The system includes: Login module: In response to the user's first input, it receives the user's login to the DeepCloud SDP client, obtains the DeepCloud SDP client's built-in Root Ca, and writes the Root Ca into the terminal's trusted certificate list; Access module: Used to start DNS service, respond to the user's second input, receive the access information accessed by the user, and resolve the domain name corresponding to the access information to DeepWeb. DeepWeb obtains the user's request data based on the user's access information. Recording module: Used by DeepWeb to record the target message of the user's access information and change the destination address of the target message to the address of the actual server, RealServer; Forwarding module: Used by DeepWeb to send the actual service of RealServer to the SmartSense component according to different Content-Type HTTP response body data; Decision module: Used by the SmartSense component to perform risk control decisions on the HTTP response body data through line analysis and evaluation, and output the risk control decisions; The DeepWeb obtains the user's request data based on the user's access information, and issues a server certificate through a self-signed Root Certificate for the HTTPS request during the TLS handshake phase. The DeepWeb records the user's access information in the target message, which includes the source IP address, destination IP address, protocol number, source port, destination port, service type, and interface index of the user's access information.
6. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 4.
7. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 4.