A request exception monitoring method based on a strong isolation device
By acquiring node path information and behavioral similarity of target data access requests, and dynamically adjusting the data cache window and dwell time threshold of the strong isolation device, the problem of insufficient monitoring accuracy in existing technologies is solved, and more efficient anomaly monitoring is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- POWER DISPATCHING CONTROL CENT OF GUANGDONG POWER GRID CO LTD
- Filing Date
- 2026-02-12
- Publication Date
- 2026-06-05
AI Technical Summary
Existing technologies struggle to effectively capture the dynamic transfer characteristics of data access requests in highly isolated network environments, leading to missed or false alarms. Furthermore, relying on static thresholds results in poor monitoring accuracy in highly dynamic environments.
By obtaining the node path information of the target data access request, adjusting the data cache window of the strong isolation device, and dynamically adjusting the dwell time threshold by combining the path node matching degree and behavior similarity, anomaly monitoring is performed.
It significantly improves the accuracy and efficiency of anomaly monitoring, overcomes the limitation that static rules cannot reflect changes over time, and enhances the monitoring capability for complex and ever-changing environments.
Smart Images

Figure CN122160771A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of data processing technology, and more specifically to a method for monitoring request anomalies based on a strong isolation device. Background Technology
[0002] With the continuous improvement of information technology and mobility in power distribution networks, the transmission of data access requests from mobile terminals to a strongly isolated network environment, and then the forwarding of these secure data access requests to the core business system for data access, has become a crucial technology for ensuring data security. During the forwarding process of these data access requests, anomaly monitoring of the data access requests received by the strongly isolated network environment is of great significance for ensuring data security.
[0003] Existing technologies primarily rely on static access control policies or preset behavioral rules for anomaly detection. However, methods based on static access control policies struggle to effectively capture the dynamic transfer characteristics of access requests between nodes, especially when facing complex and ever-changing internal attack paths, leading to false negatives or missed detections. Methods based on behavioral rules often focus on the access behavior of individual nodes or simple sequential associations, neglecting the logical connections between node transfer behaviors, resulting in limited ability to identify logically related anomaly requests.
[0004] Meanwhile, the aforementioned existing technologies often rely on fixed thresholds set by experience when identifying anomalies in nodes, and cannot adaptively adjust the thresholds according to dynamic changes in requests, resulting in poor accuracy in anomaly detection in highly dynamic data access environments. Summary of the Invention
[0005] To address the aforementioned technical problems, this invention discloses a request anomaly monitoring method based on a strong isolation device, which improves the accuracy of anomaly monitoring for data access requests in a strong isolation environment.
[0006] To achieve the above objectives, this invention discloses a request anomaly monitoring method based on a strong isolation device, comprising: Obtain the target node path information of the target data access request within the strong isolation device. The target node path information includes the number of target nodes, the set of inheritance information between target nodes, the set of target node identifiers, and the set of target node dwell time. Adjust the data cache window of the strong isolation device according to the target node path information and obtain the preceding data access request cached by the strong isolation device. Obtain the path information of the preceding node in the preceding data access request. The path information of the preceding node includes the number of preceding nodes, the set of inheritance information between preceding nodes, the set of preceding node identifiers, and the set of preceding node dwell time. The path node matching degree between the preceding data access request and the target data access request is obtained based on the target node identifier set, the preceding node identifier set, the number of target nodes, and the number of preceding nodes. The path behavior similarity between the preceding data access request and the target data access request is obtained based on the target node identifier set, the preceding node identifier set, the target node inheritance information set, and the preceding node inheritance information set. The dwell time threshold of the target data access request is determined based on the path node matching degree and the path behavior similarity, so as to obtain the abnormal monitoring results of the target data access request based on the dwell time threshold, the target node dwell time set and the predecessor node dwell time set.
[0007] It should be noted that the strong isolation device is a setting used to establish strict isolation boundaries between different security domains to achieve network security. It is used to review and forward all incoming and outgoing data access requests. The target data access request is the current data access request sent by the mobile terminal to the strong isolation device and processed and monitored by the strong isolation device, which reflects the user's intention to access specific data. The data cache window refers to the time range limit for the strong isolation device to temporarily store data access requests. By dynamically adjusting this window, it is possible to selectively cache preceding data access requests that are temporally adjacent to the target request, based on the characteristics of the current target request. The preceding data access request refers to a data access request initiated by the same terminal before the target data access request and cached by the strong isolation device. The target node path information and the preceding node path information refer to the detailed information set of each node traversed when the data access request is sent into the strong isolation device. Specifically, the target node number or preceding node number represents the number of nodes the request passes through; the target node inheritance information set or the preceding node inheritance information set represents the set of permission or status inheritance relationships involved when the target data access request or preceding data access request jumps between different target nodes; the target node identifier set or the preceding node identifier set represents the set of unique identifiers of each node traversed by the target data access request or preceding data access request; and the target node path information is also included in the detailed information. The node dwell time set or the preceding node dwell time set represents the set of time the target data access request or the preceding data access request stays on each target node; the path node matching degree refers to an indicator that measures the similarity between the preceding data access request and the target data access request on the node path, used to quantify the overlap of the path structure; the path behavior similarity refers to an indicator that measures the similarity between the preceding data access request and the target data access request in terms of behavioral logic between nodes, used to quantify the consistency of the state transition mode of the request between different nodes; the dwell time threshold is used as a reference standard to determine whether the dwell time of the data access request on a specific node is abnormal. The anomaly monitoring result refers to the judgment conclusion obtained after comprehensively evaluating the target data access request based on the dwell time threshold, the target node dwell time set, and the preceding node dwell time set.
[0008] This invention discloses a request anomaly monitoring method based on a strong isolation device. The method adjusts the data cache window of the strong isolation device according to the target node path information of the target data access request, thereby acquiring the preceding data access request adjacent to the target data access request, so that subsequent anomaly monitoring of the target data access request can be performed based on the preceding data access request. During the anomaly monitoring process, based on the node identifiers of different nodes and the number of nodes corresponding to different requests, a path node matching degree representing the similarity of node transfer logic between preceding and following requests can be obtained. Based on the permission inheritance information of different nodes and the node identifiers of different nodes, a path behavior similarity representing the similarity of node transfer behavior between preceding and following requests can be obtained. Then, based on the path node matching degree and path behavior similarity, the dwell time threshold used for anomaly monitoring judgment is adjusted. Finally, the accuracy of data access request anomaly monitoring is improved by adaptively and precisely adjusting the dwell time threshold and the dwell time of nodes for different requests.
[0009] As a preferred example, obtaining the target node path information for the target data access request within the strong isolation device includes: Obtain the target node jump path including several target nodes from the target data access request, and extract the number of target nodes, the target access sequence number of each target node, the target entry time of each target node, the target exit time of each target node, and the target node identifier of each target node from the target node jump path. Based on the target entry time and target exit time corresponding to each target node, the single target node dwell time of each target node is obtained, so as to obtain the target node dwell time set of the target node jump path based on all the single target node dwell times; Query the preset permission inheritance relationship mapping table according to the identifier of each target node to obtain the target permission inheritance information of each target node; Based on the target access sequence number and the target permission inheritance information, obtain the target node inheritance information between any two adjacent target nodes, and obtain the target node inheritance information set of the target node jump path based on all the target node inheritance information.
[0010] The above solution comprehensively and accurately acquires the target node path information of the target data access request to support subsequent anomaly monitoring. Specifically, by calculating the dwell time of each target node, dynamic analysis of the request behavior is performed, overcoming the limitation that static rules cannot reflect time changes. Furthermore, a pre-defined permission inheritance mapping table is used to obtain the permission inheritance relationship between adjacent nodes, representing the dynamic transfer characteristics and logical connections between nodes, thus addressing the problem of existing technologies neglecting behavioral connections between nodes. This accurate and comprehensive path information provides a solid data foundation for the subsequent calculation of path node matching degree, path behavior similarity, and dwell time thresholds, thereby significantly improving the accuracy of anomaly monitoring.
[0011] As a preferred example, the step of adjusting the data cache window of the strong isolation device according to the target node path information and obtaining the preceding data access request cached by the strong isolation device includes: Extract the terminal identifier of the target data access request from the target node jump path and determine the first target node among the multiple target nodes according to each target access sequence number; Based on the target entry time corresponding to the first target node and the terminal identifier, obtain the historical data access request of the target data access request; Obtain cross-session data access requests of the historical data access request and the target data access request, and obtain the request behavior similarity between the target data access request and the historical data access request based on the cross-session data access requests and a preset session behavior analysis model; The permission inheritance mapping table is queried based on the identifier of each target node to obtain the permission level of each target node; The path complexity of the target node jump path is obtained based on the number of target nodes, the preset path complexity classification rules, all the permission levels, and all the target access sequence numbers; Based on the path complexity and the similarity of the request behavior, the data cache window of the strong isolation device is adjusted to the target cache window, so that the strong isolation device caches the preceding data access request of the target data access request according to the target cache window and the terminal identifier.
[0012] The above scheme precisely associates historical data access requests from the same terminal with the current target data access request through terminal identification, effectively eliminating interference from irrelevant terminal data and ensuring the accuracy and relevance of historical data retrieval. Furthermore, it utilizes a pre-built session behavior analysis model to calculate the similarity between request behaviors, thereby uncovering behavioral patterns of the same terminal across different requests and improving the ability to identify potential abnormal behaviors. Based on the target node identifier and permission inheritance relationship mapping table, the path complexity representing the potential risks of the data access path can be obtained, providing a multi-dimensional risk assessment basis for anomaly monitoring. Finally, by dynamically adjusting the data cache window after comprehensively considering request behavior similarity and path complexity, the strong isolation device can cache the most relevant and valuable preceding data related to the current target data access request, enabling subsequent analysis based on high-quality, highly relevant preceding data and improving the accuracy of anomaly monitoring.
[0013] As a preferred example, obtaining the path complexity of the target node jump path based on the number of target nodes, a preset path complexity grading rule, all the permission levels, and all the target access sequence numbers includes: Extract the isolation domain identifier of each target node from the jump path of the target node; The successor target node of each target node is determined according to the target access sequence number of each target node; Based on the permission level of each target node, the inheritance information between target nodes of each target node, the permission level of each subsequent target node, and the inheritance information between target nodes of each subsequent target node, multiple jump points in the jump path of the target node are obtained. Based on the target access sequence number and the isolation domain identifier of each jump point, obtain the number of region crossings of the target node jump path; The path complexity of the target node jump path is obtained by querying a preset path complexity classification table based on the number of times the region is traversed, the number of all the jump points, and the number of target nodes.
[0014] The above scheme extracts the isolation domain identifier of each target node, providing a basis for subsequent detection of cross-domain behavior. It then determines the subsequent target nodes of each target node based on the access sequence number, establishing a continuous relationship in the node sequence. This ensures that the analysis covers all potential transfer points and avoids missing critical path features due to missing sequence information. Based on the permission level of each target node and the inheritance information between target nodes, as well as the permission level of each subsequent target node and the inheritance information between target nodes of each subsequent target node, it identifies points of permission or domain change by comparing the permissions and inheritance relationships of adjacent nodes, capturing dynamic transfer logic and overcoming the deficiency of existing technologies that neglect behavioral connections between nodes. Finally, it obtains the number of region traversals based on the target access sequence number and isolation domain identifier of each hop point, quantifying the actual cross-domain behavior, reflecting the true complexity of the path, and improving the accuracy of path risk identification. Finally, the path complexity is obtained by querying the preset path complexity classification table based on the number of region crossings, the number of all jump points, and the number of target nodes. The complexity level is adaptively determined by combining multiple dynamic factors, replacing the fixed threshold, to ensure that the complexity calculation adapts to the highly dynamic environment, thereby supporting the precise adjustment of the cache window and improving the accuracy of obtaining preceding data access requests.
[0015] As a preferred example, adjusting the data cache window of the strong isolation device to the target cache window based on the path complexity and the request behavior similarity includes: When the similarity of the request behavior is greater than a preset similarity threshold and the path complexity is greater than a preset complexity threshold, the product of the number of target nodes and the preset temporary storage time window baseline value is obtained, and the product is used as the target cache window of the strong isolation device. When the similarity of the request behavior is less than or equal to the similarity threshold or the path complexity is less than or equal to the complexity threshold, the temporary storage time window baseline value is used as the target cache window of the strong isolation device.
[0016] When the above scheme identifies request behavior similarity exceeding a preset similarity threshold and path complexity exceeding a preset complexity threshold, indicating a potentially high risk, it uses the product of the target node number and a preset temporary storage time window baseline value as the target cache window for the strong isolation device. This allows the strong isolation device to acquire preceding data access requests over a longer period, providing richer and more comprehensive historical behavior data for determining subsequent path node matching, path behavior similarity, and dwell time thresholds, significantly improving the accuracy of anomaly detection. Conversely, when request behavior similarity is less than or equal to the similarity threshold or path complexity is less than or equal to the complexity threshold, using the temporary storage time window baseline value as the target cache window for the strong isolation device effectively avoids unnecessary resource consumption, optimizes cache resource allocation, and improves the efficiency of anomaly detection.
[0017] As a preferred example, obtaining the preceding node path information of the preceding data access request includes: The preceding node jump path, which includes several preceding nodes, is obtained from the preceding data access request. The preceding node jump path is then used to extract the number of preceding nodes, the preceding access sequence number corresponding to each preceding node, the preceding entry time of each preceding node, the preceding exit time of each preceding node, and the preceding node identifier of each preceding node. Based on the preceding entry time and the preceding exit time corresponding to each preceding node, the single preceding node dwell time of each preceding node is obtained, so as to obtain the set of preceding node dwell times of the preceding node jump path based on all the single preceding node dwell times. Query the preset permission inheritance relationship mapping table according to the identifier of each of the preceding nodes to obtain the preceding permission inheritance information of each of the preceding nodes; Based on the preceding access sequence number and the preceding permission inheritance information, obtain the preceding node inheritance information between any two adjacent preceding nodes, and obtain the preceding node inheritance information set of the preceding node jump path based on all the preceding node inheritance information.
[0018] The above solution provides accurate data for subsequent path analysis by comprehensively and accurately acquiring the path information of preceding nodes in the preceding data access request. Specifically, by calculating the dwell time of each preceding node, dynamic analysis of request behavior is performed, overcoming the limitation that static rules cannot reflect time changes. Furthermore, a pre-defined permission inheritance mapping table is used to obtain the permission inheritance relationship between adjacent nodes, representing the dynamic transfer characteristics and logical connections between nodes, thus addressing the problem of existing technologies neglecting behavioral connections between nodes. This accurate and comprehensive path information provides a solid data foundation for the subsequent calculation of path node matching degree, path behavior similarity, and dwell time thresholds, thereby significantly improving the accuracy of anomaly detection.
[0019] As a preferred example, the step of obtaining the path node matching degree between the preceding data access request and the target data access request based on the target node identifier set, the preceding node identifier set, the number of target nodes, and the number of preceding nodes includes: Based on the target access sequence number, the preceding access sequence number, the target node identifier, and the preceding node identifier, obtain the number of duplicate nodes in the target node jump path. When the number of target nodes is greater than or equal to the number of preceding nodes, the path ratio of the number of duplicate nodes in the path to the number of target nodes is obtained, and the path ratio is used as the path node matching degree between the preceding data access request and the target data access request.
[0020] The above scheme obtains the number of duplicate nodes in the path by comprehensively considering the target access sequence number, the preceding access sequence number, the target node identifier, and the preceding node identifier. This ensures accurate identification of duplicate nodes in the node jump path and avoids matching bias caused by relying on only a single feature. Furthermore, when the number of target nodes is greater than or equal to the number of preceding nodes, the ratio of the number of duplicate nodes in the path to the number of target nodes is used as the matching degree. This normalization method considers the impact of path length differences, ensuring that the matching degree can reasonably reflect similarity even when the target path is long. This not only improves the accuracy of path node matching but also provides a more reliable and refined foundation for subsequent anomaly monitoring, thereby improving the overall accuracy of anomaly monitoring.
[0021] As a preferred example, the step of obtaining the number of duplicate nodes in the path of the target node jump path based on each target access sequence number, each preceding access sequence number, each target node identifier, and each preceding node identifier includes: For any target node, the target preceding node corresponding to the target node is determined from all preceding nodes according to the target access sequence number of the target node and each preceding access sequence number. When the predecessor node identifier of the target node is consistent with the target node identifier, the target node is determined to be a path duplicate node, and the number of all path duplicate nodes is taken as the path duplicate node count.
[0022] The above scheme determines the target preceding node in the preceding data access request for each target node based on the target access sequence number and the preceding access sequence number, avoiding erroneous judgments due to different node positions and ensuring the consistency of node order. Furthermore, the process of identifying duplicate paths by comparing the preceding node identifier of the target preceding node with the target node identifier of the target node combines a dual verification mechanism of order and identifier, significantly improving the accuracy of duplicate node identification. Finally, the total number of duplicate paths is used as the path duplicate node count, providing more accurate basic data for subsequent calculations of the path node matching degree between the preceding and target data access requests, thereby effectively improving the accuracy and reliability of anomaly monitoring results based on path node matching degree.
[0023] As a preferred example, the step of obtaining the path behavior similarity between the preceding data access request and the target data access request based on the target node identifier set, the preceding node identifier set, the target node inheritance information set, and the preceding node inheritance information set includes: Based on the inheritance information between target nodes and between predecessor nodes of each repeated node in the path, the number of permission-repeating nodes in the jump path of the target node is determined. Obtain the permission ratio of the number of duplicate permission nodes to the number of duplicate path nodes, and use the permission ratio as the path behavior similarity between the preceding data access request and the target data access request.
[0024] The above scheme, based on identifying duplicate nodes in the path, further filters out duplicate nodes with consistent permission inheritance behavior, thereby accurately quantifying the deep consistency of the behavioral patterns of two requests. By calculating the permission ratio of the number of duplicate permission nodes to the number of duplicate path nodes, deep consistency is transformed into a standardized path behavior similarity index, making the identification of request behavior patterns more accurate and comprehensive. This significantly improves the ability to detect anomalies in complex and variable internal attack paths, thereby enhancing the accuracy of abnormal data access request monitoring.
[0025] As a preferred example, the step of determining the dwell time threshold of the target data access request based on the path node matching degree and the path behavior similarity, and obtaining the anomaly monitoring result of the target data access request based on the dwell time threshold, the target node dwell time set, and the preceding node dwell time set, includes: The preset duration threshold is adjusted based on the path node matching degree and the path behavior similarity to obtain the dwell time threshold. Based on the dwell time of the target node and the dwell time of the preceding node of each repeated node in the path, obtain the duration difference of each repeated node in the path. Based on the comparison result between each duration difference and the dwell time threshold, obtain the node anomaly monitoring result of each path repeating node in the target data access request, so as to obtain the anomaly monitoring result of the target data access request based on all the node anomaly monitoring results.
[0026] The above scheme dynamically adjusts the dwell time threshold by combining path node matching degree and path behavior similarity. This allows the threshold to adaptively change according to the path characteristics and behavioral logic of the current data access request, avoiding false positives or false negatives that may occur with static thresholds in complex and changing environments. For duplicate path nodes, the dwell time difference between the target request and the preceding request is accurately calculated, providing fine-grained node-level time difference data for anomaly detection. Finally, by comparing these duration differences with the dynamically adjusted dwell time threshold, the dwell behavior of each duplicate path node in the target data access request can be accurately judged, thereby improving the accuracy of the anomaly monitoring results for the entire request. Attached Figure Description
[0027] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0028] Figure 1 This is a flowchart illustrating a request anomaly monitoring method based on a strong isolation device disclosed in an embodiment of the present invention; Figure 2 This is a schematic diagram of a request anomaly monitoring system based on a strong isolation device disclosed in an embodiment of the present invention. Detailed Implementation
[0029] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0030] Reference Figure 1 To improve the accuracy of anomaly detection for data access requests in a strongly isolated environment, this embodiment discloses a request anomaly detection method based on a strongly isolated device, which mainly includes: Step 101: Obtain the target node path information of the target data access request within the strong isolation device. The target node path information includes the number of target nodes, the set of inheritance information between target nodes, the set of target node identifiers, and the set of target node dwell time.
[0031] Step 102: Adjust the data cache window of the strong isolation device according to the target node path information and obtain the preceding data access request cached by the strong isolation device.
[0032] Step 103: Obtain the path information of the preceding node for the preceding data access request. The path information of the preceding node includes the number of preceding nodes, the set of inheritance information between preceding nodes, the set of preceding node identifiers, and the set of preceding node dwell time.
[0033] Step 104: Obtain the path node matching degree between the preceding data access request and the target data access request based on the target node identifier set, the preceding node identifier set, the number of target nodes, and the number of preceding nodes.
[0034] Step 105: Obtain the path behavior similarity between the preceding data access request and the target data access request based on the target node identifier set, the preceding node identifier set, the target node inheritance information set, and the preceding node inheritance information set.
[0035] Step 106: Determine the dwell time threshold of the target data access request based on the path node matching degree and the path behavior similarity, so as to obtain the abnormal monitoring results of the target data access request based on the dwell time threshold, the target node dwell time set and the preceding node dwell time set.
[0036] In this embodiment, the strong isolation device is a setting to establish strict isolation boundaries between different security domains to achieve network security, used to review and forward all incoming and outgoing data access requests; the target data access request is the current data access request sent by the mobile terminal to the strong isolation device, and processed and monitored by the strong isolation device, used to reflect the user's intention to access specific data; the data cache window refers to the time range limit for the strong isolation device to temporarily store data access requests; by dynamically adjusting this window, it is possible to selectively cache preceding data access requests that are temporally adjacent to the target request according to the characteristics of the current target request; the preceding data access request refers to a data access request initiated by the same terminal before the target data access request and cached by the strong isolation device. The target node path information and the preceding node path information refer to the detailed information set of each node traversed when the data access request is sent into the strong isolation device. Specifically, the target node number or preceding node number represents the number of nodes the request passes through; the target node inheritance information set or the preceding node inheritance information set represents the set of permission or status inheritance relationships involved when the target data access request or preceding data access request jumps between different target nodes; the target node identifier set or the preceding node identifier set represents the set of unique identifiers of each node traversed by the target data access request or preceding data access request; and the target node path information is also included in the detailed information. The node dwell time set or the preceding node dwell time set represents the set of time the target data access request or the preceding data access request stays on each target node; the path node matching degree refers to an indicator that measures the similarity between the preceding data access request and the target data access request on the node path, used to quantify the overlap of the path structure; the path behavior similarity refers to an indicator that measures the similarity between the preceding data access request and the target data access request in terms of behavioral logic between nodes, used to quantify the consistency of the state transition mode of the request between different nodes; the dwell time threshold is used as a reference standard to determine whether the dwell time of the data access request on a specific node is abnormal. The anomaly monitoring result refers to the judgment conclusion obtained after comprehensively evaluating the target data access request based on the dwell time threshold, the target node dwell time set, and the preceding node dwell time set.
[0037] In this embodiment, step 101 includes: Step 1011: Obtain the target node jump path including several target nodes from the target data access request, and extract the number of target nodes, the target access sequence number of each target node, the target entry time of each target node, the target exit time of each target node, and the target node identifier of each target node from the target node jump path.
[0038] Step 1012: Based on the target entry time and target exit time corresponding to each target node, obtain the single target node dwell time of each target node, so as to obtain the target node dwell time set of the target node jump path based on all the single target node dwell times.
[0039] Step 1013: Query the preset permission inheritance relationship mapping table according to the identifier of each target node to obtain the target permission inheritance information of each target node.
[0040] Step 1014: Obtain the target node inheritance information between any two adjacent target nodes according to the target access sequence number and the target permission inheritance information, so as to obtain the target node inheritance information set of the target node jump path according to all the target node inheritance information.
[0041] In this embodiment, the target node jump path records all the nodes traversed by the target data access request from initiation to completion, along with the node information of each node. The node information for each node includes a target access sequence number, a target entry time, a target exit time, and a target node identifier. The target entry time represents the time when the target data access request arrives at the node; the target exit time represents the time when the target data access request leaves the node; the target node identifier represents the unique identifier of the node; the number of target nodes represents the total number of target nodes in the target node jump path; and the target access sequence number represents the access order of each node within the target node jump path.
[0042] In this embodiment, based on the target entry time and the target exit time corresponding to each target node, the single target node dwell time, which represents the dwell time of the target data access request on each node, is obtained. For example, if the target entry time is T_in and the target exit time is T_out, then the single target node dwell time is T_out - T_in. All the calculated single target node dwell times can be aggregated to form the target node dwell time set of the target node jump path. The preset permission inheritance relationship mapping table is queried according to the identifier of each target node to obtain the target permission inheritance information of each target node. Based on the target access order number and the target permission inheritance information, the target node inheritance information between any two adjacent target nodes is obtained. The target node inheritance information set for the target node jump path is then obtained based on all the target node inheritance information. The target node inheritance information is used to represent the permission transfer relationship between any two adjacent target nodes. For example, if the first node is a parent node and the second node is a child node, then the target node inheritance information between the two nodes is a valid inheritance relationship. The preset permission inheritance relationship mapping table represents a table that uses the target node identifier as an index and stores information such as the set of permissions possessed by each node, the permissions it can inherit, or the permissions it can grant to other nodes. When a target node identifier is obtained, a query request is sent to the preset permission inheritance relationship mapping table to obtain the target permission inheritance information corresponding to that target node.
[0043] In this embodiment, in the strong isolation device, the acquisition of the target node jump path can be achieved through a request tracking component deployed in the strong isolation device. The request tracking component is automatically activated when the user terminal initiates a target data access request, continuously recording the jump trajectory of the target data access request between different nodes. It extracts the total number of target nodes traversed by the target data access request from the jump trajectory, i.e., the number of target nodes, and obtains the target access sequence number, target entry time, target exit time, and target node identifier for each target node. The target node identifier uses a unified encoding rule, with each target node corresponding to a unique encoding value, i.e., a unique target node identifier. When the target data access request jumps from one target node to another, the target exit time of the previous target node and the target entry time of the next target node are captured simultaneously. The single-target node dwell time of each target node is obtained by subtracting the target entry time of the target node from its target exit time, reflecting the operation time of the target data access request at that target node.
[0044] In this embodiment, a preset permission inheritance relationship mapping table is pre-stored in the configuration database within the strong isolation device. The preset permission inheritance relationship mapping table uses node identifiers as index keys, and each record contains the permission type and permission level for each node. The permission type includes whether each node corresponds to a parent node or a child node, or whether each node corresponds to a management node or an operation node, etc. Furthermore, the rules for permission flow in the normal access path are defined based on the inheritance relationship between different nodes, such as permission flow from parent node to child node or from operation node to management node, etc.
[0045] This embodiment calculates the dwell time of each target node to dynamically analyze request behavior, overcoming the limitation that static rules cannot reflect time changes. Furthermore, a pre-defined permission inheritance mapping table is used to obtain the permission inheritance relationship between adjacent nodes, representing the dynamic transfer characteristics and logical connections between nodes, thus addressing the problem of existing technologies neglecting behavioral connections between nodes. This precise and comprehensive path information provides a solid data foundation for subsequent calculations of path node matching degree, path behavior similarity, and dwell time thresholds, thereby significantly improving the accuracy of anomaly detection.
[0046] In this embodiment, step 102 includes: Step 1021: Extract the terminal identifier of the target data access request from the target node jump path and determine the first target node among the multiple target nodes according to each target access sequence number.
[0047] Step 1022: Obtain the historical data access request of the target data access request based on the target entry time corresponding to the first target node and the terminal identifier.
[0048] Step 1023: Obtain cross-session data access requests of the historical data access request and the target data access request, so as to obtain the request behavior similarity between the target data access request and the historical data access request based on the cross-session data access requests and the preset session behavior analysis model.
[0049] Step 1024: Query the permission inheritance relationship mapping table according to the identifier of each target node to obtain the permission level of each target node.
[0050] Step 1025: Obtain the path complexity of the target node jump path based on the number of target nodes, the preset path complexity classification rules, all the permission levels and all the target access sequence numbers.
[0051] Step 1026: Adjust the data cache window of the strong isolation device to the target cache window according to the path complexity and the similarity of the request behavior, so that the strong isolation device caches the preceding data access request of the target data access request according to the target cache window and the terminal identifier.
[0052] In this embodiment, the terminal identifier is used to associate the historical behavior of a specific user or device, while the first target node marks the starting point of the request path and is the basis for subsequent historical data and cross-session data association. The strong isolation device maintains a historical request database, which records multiple historical data access requests generated by the same terminal identifier during past accesses, as well as the historical node jump path information for each historical data access request; wherein the content of the historical node jump path information is consistent with the content of the target node jump path information; the request behavior similarity refers to the degree of similarity in behavioral patterns between the current target data access request and its historical data access requests, used to participate in the dynamic adjustment of the data cache window; the permission level refers to the security level or access permission hierarchy of each node in the permission system, usually represented by a numerical value or level identifier, used to evaluate the security of the node jump path, calculate path complexity, and as a basis for determining permission inheritance relationships. The basis for compliance; the preset path complexity grading rule is used to quantify the complexity of a path into a comparable path complexity level, providing a basis for adjusting the cache window; the path complexity refers to a comprehensive indicator that quantifies the complexity of the jump path of the target data access request within the strong isolation device, used to reflect the potential risk level of the request behavior, so as to adjust the window; the data cache window refers to the time range limit for the strong isolation device to temporarily store data access requests, and the cached data is both relevant to the currently received data access request and does not excessively occupy resources, providing effective historical behavior data for subsequent anomaly monitoring; the preceding data access request refers to a data access request initiated by the same terminal and cached by the strong isolation device before the target data access request.
[0053] This embodiment identifies the unique identifier of the initiating terminal from the currently monitored target data access requests, and obtains data access requests originating from the same terminal based on the unique identifier. When determining the first target node among multiple target nodes based on each target access sequence number, the starting node of the request in the entire access path is determined. Specifically, by parsing the header or payload information of the target data access request, a predefined terminal identifier is extracted, such as the device address and user identifier for the terminal device. Simultaneously, based on the access sequence number of each target node in the target node jump path, the target node with the smallest number is determined as the first target node, or all target nodes in the target node jump path are traversed, and the target node with the earliest entry time is selected as the first target node of the target node jump path.
[0054] When obtaining historical data access requests for target data access requests based on the target entry time and terminal identifier corresponding to the first target node, the historical data access requests that match the current terminal identifier and whose last accessed node's departure time is earlier than the target entry time of the first target node are retrieved from the historical records based on the identified terminal and request starting point. The historical data access requests and the target data access requests are then arranged in chronological order according to timestamps to obtain cross-session data access requests.
[0055] When obtaining the request behavior similarity between target data access requests and historical data access requests based on cross-session data access requests and a preset session behavior analysis model, the aim is to identify and analyze the correlation between target data access requests and historical data access requests across different sessions, and quantify their behavioral similarity to capture long-term or complex attack patterns. Specifically, when performing data identification through the cross-session data access requests, the behavioral feature vector of the cross-session data access requests is first extracted. The behavioral feature vector includes the jump point access path of the cross-session data access requests, the difference distribution of dwell time between each node, and the permission inheritance relationship between nodes. The behavioral feature vector is then input into a pre-established cross-session behavior analysis model. The cross-session behavior analysis model uses a support vector machine as a classifier, employs a radial basis function kernel function, and achieves multi-classification through a one-to-one strategy. Using historically labeled normal session behavior features and abnormal session behavior features as training samples, the behavioral feature vector is classified and judged, and the request behavior similarity between the target data access request and the historical data access request is output. The request behavior similarity is divided into three levels: high consistency, medium consistency, and low consistency.
[0056] In this embodiment, the construction of the behavior feature vector is the core step in cross-session behavior analysis. This vector contains feature data in three dimensions. The jump point access path is a path constructed based on the access order of each jump point. If two adjacent target nodes belong to different isolation domains and the permission level of the latter node is higher than that of the former node, then this node pair is marked as a jump point, and all jump points are concatenated according to the access order to obtain the jump point access path. The isolation domain identifier of each target node is obtained from the target node jump path; the isolation domain identifier represents the isolation domain in which each node belongs. The permission level of each target node is obtained according to the preset permission inheritance relationship mapping table; the permission level is a specific numerical value. The difference distribution of dwell time between nodes refers to the difference in dwell time between adjacent nodes. The permission inheritance relationship between nodes is obtained by acquiring the target node inheritance information or historical node inheritance information corresponding to any node, comparing the target node inheritance information or historical node inheritance information with the standard access path pre-stored in the mapping table, and outputting the deviation degree between the current access path and the standard path.
[0057] In this embodiment, the cross-conversation behavior analysis model uses a support vector machine (SVM) as a classifier to determine behavior consistency. The SVM separates samples of different categories by finding the optimal classification hyperplane in the feature space. During the training phase, historical labeled data is used as training samples. Normal conversation behavior features are labeled as positive samples, and abnormal conversation behavior features are labeled as negative samples. A classification decision function is established by learning the distribution boundaries of the two types of samples.
[0058] The core adaptive adjustment mechanism involves adjusting the data cache window of the strong isolation device to align with the target cache window based on path complexity and request behavior similarity. This allows the strong isolation device to cache preceding data access requests based on the target cache window and terminal identifier. The mechanism dynamically sets the size of the time window used by the strong isolation device to cache preceding data access requests based on the complexity of the current request and its similarity to historical behavior. This ensures that the cache window can flexibly adapt to different request scenarios, thereby more accurately capturing the historical context related to the current request.
[0059] In this embodiment, a preset adjustment strategy table or function is used. If the adjustment strategy table or function indicates that the cache window can be small when the request behavior similarity is high and the path complexity is low, and the cache window can be appropriately increased if the request behavior similarity is low (potential anomalies) or the path complexity is high (complex behavior), then the cache window can be increased to capture longer-term historical behavior for analysis. The target cache window can be a time length (e.g., seconds, minutes) or a number of requests. Another implementation method is to use adaptive algorithms such as reinforcement learning to dynamically optimize the mapping relationship between path complexity, request behavior similarity, and the target cache window based on historical monitoring results. The terminal identifier is used here to ensure that the preceding data access requests for the cache are for historical behavior of the same terminal.
[0060] In this embodiment, the above steps accurately associate historical data access requests from the same terminal with the current target data access request using terminal identifiers, effectively eliminating interference from irrelevant terminal data and ensuring the accuracy and relevance of historical data retrieval. Furthermore, a pre-built session behavior analysis model is used to calculate the similarity between request behaviors to uncover behavioral patterns of the same terminal across different requests, thereby improving the ability to identify potential abnormal behaviors. Based on the target node identifier and permission inheritance relationship mapping table, the path complexity representing the potential risks of the data access path can be obtained, providing a multi-dimensional risk assessment basis for anomaly monitoring. Finally, by dynamically adjusting the data cache window after comprehensively considering request behavior similarity and path complexity, the strong isolation device can cache the most relevant and valuable preceding data related to the current target data access request, enabling subsequent analysis based on high-quality, highly relevant preceding data and improving the accuracy of anomaly monitoring.
[0061] In this embodiment, step 1025 includes: Step 10251: Extract the isolation domain identifier of each target node from the target node jump path.
[0062] Step 10252: Determine the successor target node for each target node according to the target access sequence number of each target node.
[0063] Step 10253: Based on the permission level of each target node, the inheritance information between target nodes of each target node, the permission level of each subsequent target node, and the inheritance information between target nodes of each subsequent target node, obtain multiple jump points in the jump path of the target node.
[0064] Step 10254: Based on the target access sequence number and the isolation domain identifier of each jump point, obtain the number of region crossings of the target node jump path.
[0065] Step 10255: Based on the number of times the region is traversed, the number of all the jump points, and the number of target nodes, query the preset path complexity classification table to obtain the path complexity of the target node jump path.
[0066] In this embodiment, the isolation domain identifier of each target node is extracted from the target node's jump path. The isolation domain identifier is used to identify the security domain or logical partition to which the target node belongs. In a strongly isolated environment, different isolation domains may have different security policies and access permissions. Extracting the isolation domain identifier is fundamental to subsequent analysis of cross-domain behavior. Specifically, it can be obtained by querying a pre-configured node-isolation domain mapping table. For example, each node is assigned a unique isolation domain identifier when it registers with the system; querying this mapping table based on the node identifier will yield the corresponding isolation domain identifier.
[0067] Secondly, the successor target node for each target node is determined based on its access sequence number. The target access sequence number indicates the access order of the target node within the jump path of the target data access request. Determining the successor target node establishes a continuous relationship between node sequences, thereby enabling the analysis of transition behavior between nodes. Specifically, this can be achieved by traversing the node sequence in the target node's jump path; for the current node, its next node in the sequence is its successor target node. For example, if the node sequence is N1, N2, N3, then the successor node of N1 is N2, and the successor node of N2 is N3.
[0068] Next, based on the permission level of each target node, the inheritance information between target nodes of each target node, the permission level of each subsequent target node, and the inheritance information between target nodes of each subsequent target node, multiple transition points in the target node jump path are obtained. A transition point refers to a pair of nodes in the node jump path where the permission level, permission inheritance relationship, or isolation domain changes between adjacent nodes. Identifying transition points helps capture key behaviors of request transfers between different security contexts. Specifically, for each pair of adjacent nodes (current node and subsequent node) in the path, their permission levels can be compared. If the permission level changes (e.g., from low permission to high permission, or from high permission to low permission), the node pair is marked as a transition point. Alternatively, nodes can be identified according to a preset set of transition rules, such as: the current node has a higher permission level than the subsequent node, the current node and the subsequent node belong to different isolation domains, or the inheritance information between the target nodes of the current node is incompatible with the inheritance information between the target nodes of the subsequent node. When adjacent nodes satisfy any of these rules, they are identified as transition points.
[0069] Then, based on the target access sequence number and isolation domain identifier of each hop point, the number of region traversals for the target node's jump path is obtained. The number of region traversals refers to the number of times the target data access request jumps between different isolation domains. This reflects the frequency and complexity of request flow between different security zones and is an important indicator for assessing path risk. Specifically, all identified hop points can be traversed. For each hop point, if its two adjacent nodes have different isolation domain identifiers, the region traversal count is incremented. Alternatively, a set of visited isolation domains can be maintained. When processing a hop point, if the isolation domain identifier of the subsequent node is not in this set, it indicates a new region traversal has occurred, and the isolation domain identifier is added to the set, while simultaneously incrementing the region traversal count.
[0070] Finally, the path complexity of the target node jump path is obtained by querying the preset path complexity classification table based on the number of region traversals, the total number of jump points, and the number of target nodes. Path complexity is a comprehensive indicator that measures the complexity of the jump path for a target data access request within a strongly isolated device, and is used to guide the adjustment of the data cache window. Specifically, the preset path complexity classification table can be a multi-dimensional lookup table, whose input parameters include the number of region traversals, the number of jump points, and the number of target nodes, and whose output is the corresponding path complexity level (e.g., low, medium, high). The system looks up the corresponding complexity in the table based on the calculated values of these three parameters. Alternatively, the preset path complexity classification table can also be defined by a series of rules or functions. For example, a formula can be set to perform a weighted sum of the number of region traversals, the number of jump points, and the number of target nodes, and then determine the path complexity level based on the interval in which the total score falls.
[0071] This embodiment extracts the isolation domain identifier of each target node, providing a basis for subsequent detection of cross-domain behavior. It determines the subsequent target nodes of each target node based on the access sequence number, establishing a continuous relationship in the node sequence. This ensures that the analysis covers all potential transfer points, avoiding the omission of critical path features due to missing sequence information. Based on the permission level of each target node and the inheritance information between target nodes, as well as the permission level of each subsequent target node and the inheritance information between target nodes of each subsequent target node, it identifies points of permission or domain change by comparing the permissions and inheritance relationships of adjacent nodes, capturing dynamic transfer logic and overcoming the deficiency of existing technologies that neglect behavioral connections between nodes. Then, it obtains the number of region traversals based on the target access sequence number and isolation domain identifier of each hop point, quantifying the actual cross-domain behavior, reflecting the true complexity of the path, and improving the accuracy of path risk identification. Finally, it queries a preset path complexity classification table based on the number of region traversals, the number of all hop points, and the number of target nodes to obtain the path complexity. It adaptively determines the complexity level by integrating multiple dynamic factors, replacing a fixed threshold, ensuring that complexity calculation adapts to highly dynamic environments, thereby supporting precise adjustment of the cache window and improving the accuracy of obtaining preceding data access requests.
[0072] In this embodiment, step 1026 includes: Step 10261: When the similarity of the request behavior is greater than a preset similarity threshold and the path complexity is greater than a preset complexity threshold, obtain the product of the number of target nodes and the preset temporary storage time window baseline value, and use the product as the target cache window of the strong isolation device.
[0073] Step 10262: When the similarity of the request behavior is less than or equal to the similarity threshold or the path complexity is less than or equal to the complexity threshold, the temporary storage time window baseline value is used as the target cache window of the strong isolation device.
[0074] In this embodiment, request behavior similarity is used to quantify the similarity in behavioral patterns between the current target data access request and its historical data access requests. This similarity can be a value between 0 and 1, where a higher value indicates a more similar behavioral pattern.
[0075] This embodiment calculates similarity by comparing multiple dimensions, such as the order of node accesses in the request sequence, the type of resources accessed, and the frequency or time interval of operations. Specifically, sequence alignment-based algorithms (such as edit distance and longest common subsequence) can be used to measure the structural similarity of the request path, or machine learning models (such as recurrent neural networks and Transformer models) can be used to encode the request behavior sequence and calculate the cosine similarity between its embedding vectors. The similarity threshold is a preset cutoff value used to judge the similarity of request behaviors. When the similarity of request behaviors is higher than this threshold, the request behaviors are considered to have high similarity; conversely, the similarity is considered to be low. This threshold can be set according to system security policies, historical data analysis results, or expert experience.
[0076] Path complexity is an indicator that measures the complexity of the path a target data access request takes within a strongly isolated device. It comprehensively considers factors such as the number of nodes involved in the path, the number of permission transitions, and cross-isolation domain access. Higher path complexity usually means more abnormal request behavior or greater potential risks.
[0077] This embodiment can obtain path complexity by weighted summation of factors such as the number of jumps to different security domains, the number of privilege escalations, or the frequency of access to sensitive resources within the path. Alternatively, it can classify paths into low, medium, and high complexity levels using preset path complexity grading rules. A complexity threshold is a preset boundary value used to determine the level of path complexity. When the path complexity exceeds this threshold, the path is considered to have high complexity; conversely, it is considered to have low complexity. This threshold can be set based on the security protection level of the strong isolation device, the sensitivity of the business system, or the tolerance for abnormal behavior.
[0078] The target node count refers to the total number of independent nodes traversed by a target data access request within a strongly isolated device. Each node represents an access point in the request path. This value directly reflects the length of the request path. For example, if a request sequentially accesses three different service modules, the target node count is 3. This value is typically obtained directly by parsing the logs or trace information of the target data access request.
[0079] The baseline cache window is a fundamental unit of time used to determine the size of the data cache window for a strong isolation device. It represents the length of time the strong isolation device needs to cache historical data under default or low-complexity conditions. This baseline can be a fixed time period, such as 5 minutes, 10 minutes, or 1 hour, configured by the system administrator based on experience or system performance requirements. It can also be a dynamic average calculated based on statistical data such as average request processing time and average session duration. The target cache window for the strong isolation device refers to the time span of the cache area used by the device to store and analyze historical data access requests. The size of this window directly affects the scope and depth of anomaly monitoring. A larger cache window can capture historical behavior over a longer time range, helping to discover more complex, cross-time-period anomaly patterns; while a smaller cache window saves storage and computing resources. Adjusting the target cache window aims to dynamically balance monitoring accuracy and resource consumption based on the characteristics of the requests.
[0080] In this embodiment, when a request behavior similarity greater than a preset similarity threshold and a path complexity greater than a preset complexity threshold are identified as indicating a potentially high risk, the target cache window of the strong isolation device is used as the product of the number of target nodes and a preset temporary storage time window baseline value. This allows the strong isolation device to acquire preceding data access requests over a longer period, providing richer and more comprehensive historical behavior data for determining subsequent path node matching, path behavior similarity, and dwell time thresholds, significantly improving the accuracy of anomaly detection. Conversely, when the request behavior similarity is less than or equal to the similarity threshold or the path complexity is less than or equal to the complexity threshold, using the temporary storage time window baseline value as the target cache window of the strong isolation device effectively avoids unnecessary resource consumption, optimizes cache resource allocation, and improves the efficiency of anomaly detection.
[0081] In this embodiment, step 103 includes: Step 1031: Obtain the preceding node jump path including several preceding nodes from the preceding data access request, and extract the number of preceding nodes, the preceding access sequence number corresponding to each preceding node, the preceding entry time of each preceding node, the preceding exit time of each preceding node, and the preceding node identifier of each preceding node from the preceding node jump path.
[0082] Step 1032: Based on the preceding entry time and the preceding exit time corresponding to each preceding node, obtain the single preceding node dwell time of each preceding node, so as to obtain the preceding node dwell time set of the preceding node jump path based on all the single preceding node dwell times.
[0083] Step 1033: Query the preset permission inheritance relationship mapping table according to the identifier of each predecessor node to obtain the predecessor permission inheritance information of each predecessor node.
[0084] Step 1034: Obtain the inheritance information between any two adjacent preceding nodes based on the preceding access sequence number and the preceding permission inheritance information, so as to obtain the set of preceding node inheritance information for the preceding node jump path based on all the preceding node inheritance information.
[0085] In this embodiment, the purpose of obtaining the preceding node jump path, which includes several preceding nodes, from the preceding data access request, and extracting the number of preceding nodes, the preceding access sequence number corresponding to each preceding node, the preceding entry time, the preceding departure time, and the preceding node identifier from the preceding node jump path, is to parse the original preceding data access request to identify its internal components, especially the sequence of accessed nodes. In this embodiment, the strong isolation device records the internal node traversal log of all data access requests, and then the log parser extracts the required information from these logs, including the number of preceding nodes, the preceding access sequence number, the preceding entry time, the preceding departure time, and the preceding node identifier.
[0086] When obtaining the dwell time of a single preceding node based on the preceding entry time and the preceding exit time of each preceding node, and then obtaining the dwell time set of preceding nodes for the preceding node jump path based on all the dwell times of single preceding nodes, its function is to quantify the dwell time on each preceding node, which is crucial for behavior analysis. In this embodiment, for each preceding node, its preceding exit time is directly subtracted from its preceding entry time to calculate the dwell time of that preceding node, and all calculated dwell times of single preceding nodes are aggregated to form a set of preceding node dwell times.
[0087] When querying the preset permission inheritance relationship mapping table based on the identifier of each predecessor node to obtain the predecessor permission inheritance information of each predecessor node, the purpose is to introduce a security context and understand the permissions associated with each predecessor node and their relationship in the predefined hierarchical structure. In this embodiment, the preset permission inheritance relationship mapping table can be stored in a database or configuration file. A query is initiated on the storage medium based on the identifier of the predecessor node to obtain the corresponding predecessor permission inheritance information.
[0088] When obtaining the inheritance information between any two adjacent preceding nodes based on the preceding access sequence number and the preceding permission inheritance information, and obtaining the set of preceding node inheritance information for the preceding node jump path based on all the preceding node inheritance information, the purpose is to capture the transition logic or behavior flow between consecutive preceding nodes. In this embodiment, inference is made based on predefined rules or state machines. For example, if preceding node A (with permission P1) is followed by preceding node B (with permission P2), and P2 is a sub-permission of P1, then the inheritance information may indicate permission upgrade or normal inheritance.
[0089] This embodiment provides accurate data for subsequent path analysis by comprehensively and accurately acquiring the path information of preceding nodes in the preceding data access request. Specifically, by calculating the dwell time of each preceding node, dynamic analysis of the request behavior is performed, overcoming the limitation that static rules cannot reflect time changes. Furthermore, a preset permission inheritance mapping table is used to obtain the permission inheritance relationship between adjacent nodes, representing the dynamic transfer characteristics and logical connections between nodes, thus addressing the problem of existing technologies neglecting behavioral connections between nodes. This accurate and comprehensive path information provides a solid data foundation for the subsequent calculation of path node matching degree, path behavior similarity, and dwell time thresholds, thereby significantly improving the accuracy of anomaly detection.
[0090] In this embodiment, step 104 includes: Step 1041: Based on the target access sequence number, the preceding access sequence number, the target node identifier, and the preceding node identifier, obtain the number of duplicate nodes in the target node jump path.
[0091] Step 1042: When the number of target nodes is greater than or equal to the number of preceding nodes, obtain the path ratio of the number of duplicate nodes in the path to the number of target nodes, and use the path ratio as the path node matching degree between the preceding data access request and the target data access request.
[0092] In this embodiment, the number of duplicate nodes in the target node's jump path is obtained to identify nodes in the target data access request's jump path that are consistent in both node identifier and access order with the preceding data access request's jump path. By quantifying the number of duplicate nodes, the similarity between the two paths can be preliminarily assessed. In this embodiment, each preceding node in the preceding data access request's jump path is traversed, and based on its preceding node identifier and preceding access order number, a search is performed in the target data access request's jump path. When a target node with the same position, the same number, and the same identifier representing the same node is found, the target node is marked as a duplicate node, and its count is accumulated.
[0093] When the number of target nodes is greater than or equal to the number of preceding nodes, the path ratio of the number of duplicate paths to the number of target nodes is obtained. This path ratio is used as the path node matching degree between the preceding data access request and the target data access request, thus converting the identified number of duplicate paths into a standardized matching metric. Calculating the ratio of duplicate paths to the number of target nodes when the number of target nodes is greater than or equal to the number of preceding nodes is chosen to reasonably reflect the degree of overlap of preceding paths within the target path when the target path is used as a reference benchmark. It should be noted that when the number of preceding nodes is greater than the number of target nodes, the path ratio of duplicate paths to the number of preceding nodes is obtained, and this path ratio is used as the path node matching degree between the preceding data access request and the target data access request.
[0094] This embodiment obtains the number of duplicate nodes in the path by comprehensively considering the target access sequence number, the preceding access sequence number, the target node identifier, and the preceding node identifier. This ensures accurate identification of duplicate nodes in the node jump path and avoids matching bias caused by relying on only a single feature. Furthermore, when the number of target nodes is greater than or equal to the number of preceding nodes, the ratio of the number of duplicate nodes in the path to the number of target nodes is used as the matching degree. This normalization method considers the impact of path length differences, ensuring that the matching degree can reasonably reflect similarity even when the target path is long. This not only improves the accuracy of path node matching but also provides a more reliable and refined foundation for subsequent anomaly monitoring, thereby improving the overall accuracy of anomaly monitoring.
[0095] In this embodiment, step 1041 includes: Step 1041: For any target node, determine the target preceding node corresponding to the target node from all preceding nodes according to the target access sequence number of the target node and each preceding access sequence number.
[0096] Step 1042: When the predecessor node identifier of the target node is consistent with the target node identifier, the target node is determined to be a path duplicate node, and the number of all path duplicate nodes is taken as the path duplicate node count.
[0097] This embodiment traverses each target node in the target node's jump path and, for each target node's access sequence number, searches for a preceding node with the same access sequence number in the preceding node's jump path as the target preceding node. Alternatively, for each target node in the target path, it searches for a node with the corresponding access sequence number in the mapping relationship of the preceding path as the target preceding node. This method ensures that when comparing target nodes and preceding nodes, not only node identifiers are considered, but also their positions or orders in their respective paths, effectively avoiding misjudgments that may occur based solely on identifier matching.
[0098] The core of determining whether a target node is a duplicate node lies in combining sequence matching and content matching. In this embodiment, after determining the preceding node of the target, the identifier of the preceding node is directly compared with the target node identifier. If the two are exactly the same, the target node is determined to be a duplicate node. Finally, the number of all nodes determined to be duplicate nodes is taken as the number of duplicate nodes, providing quantitative basic data for subsequent path node matching degree calculation.
[0099] This embodiment determines the target preceding node in the preceding data access request for each target node based on the target access sequence number and the preceding access sequence number, avoiding erroneous judgments due to different node positions and ensuring the consistency of node order. Furthermore, the process of identifying duplicate paths by comparing the preceding node identifier of the target preceding node with the target node identifier of the target node combines a dual verification mechanism of order and identifier, significantly improving the accuracy of duplicate node identification. Finally, the total number of duplicate paths is used as the path duplicate node count, providing more accurate basic data for subsequent calculation of the path node matching degree between the preceding data access request and the target data access request, thereby effectively improving the accuracy and reliability of anomaly monitoring results based on path node matching degree.
[0100] In this embodiment, step 105 includes: Step 1051: Determine the number of permission-repeating nodes in the target node jump path based on the inheritance information between target nodes and the inheritance information between predecessor nodes for each repeating node in the path.
[0101] Step 1052: Obtain the permission ratio of the number of duplicate permission nodes to the number of duplicate path nodes, and use the permission ratio as the path behavior similarity between the preceding data access request and the target data access request.
[0102] In this embodiment, the inheritance information between target nodes and between preceding nodes refers to the transfer relationship of permissions or roles between adjacent nodes in the data access path. This reflects whether the permissions held by a request are maintained, upgraded, downgraded, or otherwise changed when the request flows between different nodes, thus revealing the deep behavioral logic of the request. Path duplicate nodes refer to nodes in the path of the target data access request that have the same node identifier as those in the path of the preceding data access request and correspond in access order. These nodes represent resources or functionalities accessed jointly in both request paths.
[0103] The number of nodes with duplicate permissions refers to the number of nodes among all nodes with duplicate paths whose inherited information between target nodes is consistent with the inherited information between their corresponding predecessor nodes. It quantifies the consistency of permission behavior between two request paths on nodes they access. For example, for each node with duplicate paths, you can directly compare whether the inherited information between its target nodes is completely identical with the inherited information between its corresponding predecessor nodes; if they are identical, then count them.
[0104] The permission ratio is the ratio between the number of nodes with duplicate permissions and the number of nodes with duplicate paths. It measures the degree of consistency in permission inheritance behavior among common nodes in two request paths. For example, the permission ratio can be obtained by directly dividing the number of nodes with duplicate permissions by the number of nodes with duplicate paths. Path behavior similarity is an indicator that measures the similarity of permission inheritance behavior patterns between preceding and target data access requests during node transitions. It reflects the degree of matching between the two requests in terms of path structure and permission flow logic. In this embodiment, the calculated permission ratio is directly used as the path behavior similarity.
[0105] This embodiment, based on identifying duplicate nodes in the path, further filters out duplicate nodes with consistent permission inheritance behavior, thereby accurately quantifying the deep consistency of two requests in terms of behavioral patterns. By calculating the permission ratio of the number of duplicate permission nodes to the number of duplicate path nodes, deep consistency is transformed into a standardized path behavior similarity index, making the identification of request behavior patterns more accurate and comprehensive. This significantly improves the ability to detect anomalies in complex and variable internal attack paths, thereby enhancing the accuracy of abnormal data access request monitoring.
[0106] In this embodiment, step 106 includes: Step 1061: Adjust the preset duration threshold base value according to the path node matching degree and the path behavior similarity to obtain the dwell time threshold.
[0107] Step 1062: Obtain the duration difference of each repeated node in the path based on the dwell time of the target node and the dwell time of the preceding node for each repeated node in the path.
[0108] Step 1063: Based on the comparison result between each duration difference and the dwell time threshold, obtain the node anomaly monitoring result of each path repeating node in the target data access request, so as to obtain the anomaly monitoring result of the target data access request based on all the node anomaly monitoring results.
[0109] In this embodiment, the path node matching degree reflects the degree of overlap between the target data access request and the preceding data access request in the node sequence, while the path behavior similarity characterizes the degree of similarity between the target data access request and the preceding data access request in the behavioral logic between nodes; the duration threshold benchmark value is a preset time quantity, which serves as the initial reference point for adjusting the dwell time threshold. Adjusting the duration threshold benchmark value to obtain the dwell time threshold aims to enable the threshold to dynamically adapt to the characteristics of the current request.
[0110] In this embodiment, the dwell time threshold can be calculated by weighted summation based on path node matching degree and path behavior similarity, i.e.: Dwell Time Threshold = W1 * Path Node Matching Degree + W2 * Path Behavior Similarity + C, where W1 and W2 are weight coefficients, and C is a constant term. Alternatively, a multidimensional lookup table can be constructed, using path node matching degree and path behavior similarity as input, to directly retrieve the corresponding dwell time threshold. Furthermore, a machine learning model can be used to learn the mapping relationship between path node matching degree, path behavior similarity, and reasonable dwell time thresholds by training on historical data, thereby predicting the dwell time threshold for the current request. The final dwell time threshold is a dynamic standard used to determine whether the node dwell time is abnormal. It is no longer fixed but adaptively determined based on the similarity characteristics between the current target data access request and historical preceding data access requests, thus more accurately reflecting the expected behavior of the current request.
[0111] Secondly, when obtaining the duration difference for each path-repeating node, a path-repeating node refers to a node with the same node identifier and access order in both the node jump path of the target data access request and the node jump path of the preceding data access request. The target node dwell time refers to the length of time a specific target node takes from entry to exit in the target data access request, calculated using the target entry time and target exit time. The preceding dwell time refers to the length of time taken from entry to exit for the path-repeating node corresponding to the target node dwell time in the preceding data access request. The duration difference is the absolute value of the difference between the dwell time of the same path-repeating node in the target data access request and its dwell time in the preceding data access request.
[0112] Finally, when obtaining the anomaly monitoring results for the target data access request, the comparison result refers to the comparison between the calculated duration difference and the dynamically determined dwell time threshold. For example, it can be determined whether the absolute value of the duration difference exceeds the dwell time threshold, or whether the duration difference falls within a preset normal range (defined by the dwell time threshold). The node anomaly monitoring result indicates whether the dwell behavior of a specific path repeating node in the target data access request deviates from expectations. For example, if the duration difference exceeds the dwell time threshold, the node may be judged as anomaly; otherwise, it is judged as normal. The anomaly monitoring result is the final anomaly judgment for the entire target data access request, which can be comprehensively judged based on the node anomaly monitoring results of all path repeating nodes. For example, if any path repeating node is judged as anomaly, the entire target data access request is judged as anomaly; or, a threshold for the number of anomaly nodes can be set, and the entire request is judged as anomaly only when the number of anomaly nodes exceeds this threshold.
[0113] This embodiment dynamically adjusts the dwell time threshold by combining path node matching degree and path behavior similarity. This allows the threshold to adaptively change based on the path characteristics and behavioral logic of the current data access request, avoiding false positives or false negatives that might occur with static thresholds in complex and changing environments. For duplicate path nodes, the dwell time difference between the target request and its preceding requests is precisely calculated, providing fine-grained node-level time difference data for anomaly detection. Finally, by comparing these duration differences with the dynamically adjusted dwell time threshold, the dwell behavior of each duplicate path node in the target data access request can be accurately judged, thereby improving the accuracy of the overall request anomaly monitoring results.
[0114] On the other hand, refer to Figure 2 This embodiment also discloses a request anomaly monitoring system based on a strong isolation device, which mainly includes a real-time analysis module 201, a pre-order retrieval module 202, a pre-order analysis module 203, a path analysis module 204, a permission analysis module 205, and an anomaly monitoring module 206.
[0115] The real-time analysis module 201 is used to obtain the target node path information of the target data access request in the strong isolation device. The target node path information includes the number of target nodes, the set of inheritance information between target nodes, the set of target node identifiers, and the set of target node dwell time. The preceding retrieval module 202 is used to adjust the data cache window of the strong isolation device according to the target node path information and obtain the preceding data access request cached by the strong isolation device. The preceding analysis module 203 is used to obtain the preceding node path information of the preceding data access request. The preceding node path information includes the number of preceding nodes, the inheritance information set between preceding nodes, the preceding node identifier set, and the preceding node residence time set. The path analysis module 204 is used to obtain the path node matching degree between the preceding data access request and the target data access request based on the target node identifier set, the preceding node identifier set, the number of target nodes and the number of preceding nodes; The permission analysis module 205 is used to obtain the path behavior similarity between the preceding data access request and the target data access request based on the target node identifier set, the preceding node identifier set, the target node inheritance information set, and the preceding node inheritance information set. The anomaly monitoring module 206 is used to determine the dwell time threshold of the target data access request based on the path node matching degree and the path behavior similarity, so as to obtain the anomaly monitoring result of the target data access request based on the dwell time threshold, the target node dwell time set and the preceding node dwell time set.
[0116] This embodiment discloses a request anomaly monitoring method and system based on a strong isolation device. The method adjusts the data cache window of the strong isolation device according to the target node path information of the target data access request, thereby obtaining the preceding data access request adjacent to the target data access request, so that subsequent anomaly monitoring of the target data access request can be performed based on the preceding data access request. During the anomaly monitoring process, based on the node identifiers of different nodes and the number of nodes corresponding to different requests, a path node matching degree representing the similarity of node transfer logic between preceding and following requests can be obtained. Based on the permission inheritance information of different nodes and the node identifiers of different nodes, a path behavior similarity representing the similarity of node transfer behavior between preceding and following requests can be obtained. Then, based on the path node matching degree and path behavior similarity, the dwell time threshold used for anomaly monitoring judgment is adjusted. Finally, the accuracy of data access request anomaly monitoring is improved by adaptively and precisely adjusting the dwell time threshold and the dwell time of nodes for different requests.
[0117] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above descriptions are merely specific embodiments of the present invention and are not intended to limit the scope of protection of the present invention. In particular, it should be noted that any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention for those skilled in the art.
Claims
1. A request anomaly monitoring method based on a strong isolation device, characterized in that, include: Obtain the target node path information of the target data access request within the strong isolation device. The target node path information includes the number of target nodes, the set of inheritance information between target nodes, the set of target node identifiers, and the set of target node dwell time. Adjust the data cache window of the strong isolation device according to the target node path information and obtain the preceding data access request cached by the strong isolation device. Obtain the path information of the preceding node in the preceding data access request. The path information of the preceding node includes the number of preceding nodes, the set of inheritance information between preceding nodes, the set of preceding node identifiers, and the set of preceding node dwell time. The path node matching degree between the preceding data access request and the target data access request is obtained based on the target node identifier set, the preceding node identifier set, the number of target nodes, and the number of preceding nodes. The path behavior similarity between the preceding data access request and the target data access request is obtained based on the target node identifier set, the preceding node identifier set, the target node inheritance information set, and the preceding node inheritance information set. The dwell time threshold of the target data access request is determined based on the path node matching degree and the path behavior similarity, so as to obtain the abnormal monitoring results of the target data access request based on the dwell time threshold, the target node dwell time set and the predecessor node dwell time set.
2. The request anomaly monitoring method based on a strong isolation device according to claim 1, characterized in that, The acquisition of the target node path information for the target data access request within the strong isolation device includes: Obtain the target node jump path including several target nodes from the target data access request, and extract the number of target nodes, the target access sequence number of each target node, the target entry time of each target node, the target exit time of each target node, and the target node identifier of each target node from the target node jump path. Based on the target entry time and target exit time corresponding to each target node, the single target node dwell time of each target node is obtained, so as to obtain the target node dwell time set of the target node jump path based on all the single target node dwell times; Query the preset permission inheritance relationship mapping table according to the identifier of each target node to obtain the target permission inheritance information of each target node; Based on the target access sequence number and the target permission inheritance information, obtain the target node inheritance information between any two adjacent target nodes, and obtain the target node inheritance information set of the target node jump path based on all the target node inheritance information.
3. The request anomaly monitoring method based on a strong isolation device according to claim 2, characterized in that, The step of adjusting the data cache window of the strong isolation device according to the target node path information and obtaining the preceding data access request cached by the strong isolation device includes: Extract the terminal identifier of the target data access request from the target node jump path and determine the first target node among the multiple target nodes according to each target access sequence number; Based on the target entry time corresponding to the first target node and the terminal identifier, obtain the historical data access request of the target data access request; Obtain cross-session data access requests of the historical data access request and the target data access request, and obtain the request behavior similarity between the target data access request and the historical data access request based on the cross-session data access requests and a preset session behavior analysis model; The permission inheritance mapping table is queried based on the identifier of each target node to obtain the permission level of each target node; The path complexity of the target node jump path is obtained based on the number of target nodes, the preset path complexity classification rules, all the permission levels, and all the target access sequence numbers; Based on the path complexity and the similarity of the request behavior, the data cache window of the strong isolation device is adjusted to the target cache window, so that the strong isolation device caches the preceding data access request of the target data access request according to the target cache window and the terminal identifier.
4. The request anomaly monitoring method based on a strong isolation device according to claim 3, characterized in that, The step of obtaining the path complexity of the target node jump path based on the number of target nodes, a preset path complexity grading rule, all the permission levels, and all the target access sequence numbers includes: Extract the isolation domain identifier of each target node from the jump path of the target node; The successor target node of each target node is determined according to the target access sequence number of each target node; Based on the permission level of each target node, the inheritance information between target nodes of each target node, the permission level of each subsequent target node, and the inheritance information between target nodes of each subsequent target node, multiple jump points in the jump path of the target node are obtained. Based on the target access sequence number and the isolation domain identifier of each jump point, obtain the number of region crossings of the target node jump path; The path complexity of the target node jump path is obtained by querying a preset path complexity classification table based on the number of times the region is traversed, the number of all the jump points, and the number of target nodes.
5. The request anomaly monitoring method based on a strong isolation device according to claim 3, characterized in that, Adjusting the data cache window of the strong isolation device to the target cache window based on the path complexity and the similarity of the request behavior includes: When the similarity of the request behavior is greater than a preset similarity threshold and the path complexity is greater than a preset complexity threshold, the product of the number of target nodes and the preset temporary storage time window baseline value is obtained, and the product is used as the target cache window of the strong isolation device. When the similarity of the request behavior is less than or equal to the similarity threshold or the path complexity is less than or equal to the complexity threshold, the temporary storage time window baseline value is used as the target cache window of the strong isolation device.
6. The request anomaly monitoring method based on a strong isolation device according to claim 1, characterized in that, The step of obtaining the preceding node path information of the preceding data access request includes: The preceding node jump path, which includes several preceding nodes, is obtained from the preceding data access request. The preceding node jump path is then used to extract the number of preceding nodes, the preceding access sequence number corresponding to each preceding node, the preceding entry time of each preceding node, the preceding exit time of each preceding node, and the preceding node identifier of each preceding node. Based on the preceding entry time and the preceding exit time corresponding to each preceding node, the single preceding node dwell time of each preceding node is obtained, so as to obtain the set of preceding node dwell times of the preceding node jump path based on all the single preceding node dwell times. Query the preset permission inheritance relationship mapping table according to the identifier of each of the preceding nodes to obtain the preceding permission inheritance information of each of the preceding nodes; Based on the preceding access sequence number and the preceding permission inheritance information, obtain the preceding node inheritance information between any two adjacent preceding nodes, and obtain the preceding node inheritance information set of the preceding node jump path based on all the preceding node inheritance information.
7. A request anomaly monitoring method based on a strong isolation device according to any one of claims 2-6, characterized in that, The step of obtaining the path node matching degree between the preceding data access request and the target data access request based on the target node identifier set, the preceding node identifier set, the number of target nodes, and the number of preceding nodes includes: Based on the target access sequence number, the preceding access sequence number, the target node identifier, and the preceding node identifier, obtain the number of duplicate nodes in the target node jump path. When the number of target nodes is greater than or equal to the number of preceding nodes, the path ratio of the number of duplicate nodes in the path to the number of target nodes is obtained, and the path ratio is used as the path node matching degree between the preceding data access request and the target data access request.
8. The request anomaly monitoring method based on a strong isolation device according to claim 7, characterized in that, The step of obtaining the number of duplicate nodes in the path of the target node jump path based on each target access sequence number, each preceding access sequence number, each target node identifier, and each preceding node identifier includes: For any target node, the target preceding node corresponding to the target node is determined from all preceding nodes according to the target access sequence number of the target node and each preceding access sequence number. When the predecessor node identifier of the target node is consistent with the target node identifier, the target node is determined to be a path duplicate node, and the number of all path duplicate nodes is taken as the path duplicate node count.
9. The request anomaly monitoring method based on a strong isolation device according to claim 8, characterized in that, The step of obtaining the path behavior similarity between the preceding data access request and the target data access request based on the target node identifier set, the preceding node identifier set, the target node inheritance information set, and the preceding node inheritance information set includes: Based on the inheritance information between target nodes and between predecessor nodes of each repeated node in the path, the number of permission-repeating nodes in the jump path of the target node is determined. Obtain the permission ratio of the number of duplicate permission nodes to the number of duplicate path nodes, and use the permission ratio as the path behavior similarity between the preceding data access request and the target data access request.
10. The request anomaly monitoring method based on a strong isolation device according to claim 8, characterized in that, The step of determining the dwell time threshold of the target data access request based on the path node matching degree and the path behavior similarity, and obtaining the abnormal monitoring results of the target data access request based on the dwell time threshold, the target node dwell time set, and the preceding node dwell time set, includes: The preset duration threshold is adjusted based on the path node matching degree and the path behavior similarity to obtain the dwell time threshold. Based on the dwell time of the target node and the dwell time of the preceding node of each repeated node in the path, obtain the duration difference of each repeated node in the path. Based on the comparison result between each duration difference and the dwell time threshold, obtain the node anomaly monitoring result of each path repeating node in the target data access request, so as to obtain the anomaly monitoring result of the target data access request based on all the node anomaly monitoring results.