An online electronic archive security assessment system and method
By constructing a set of access behavior records, identifying sensitive fields and unauthorized usage behaviors, the shortcomings of traditional online electronic record security assessment systems in identifying abnormal permissions and perceiving risks are addressed, enabling efficient analysis and risk assessment of complex permission chain access processes.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: TONGLUE TECH CO LTD
- Filing Date: 2026-03-18
- Publication Date: 2026-06-19
AI Technical Summary
Traditional online electronic record security assessment systems lack mechanisms for extracting real-time operational features, making it difficult to identify permission anomalies caused by frequent operations. Access record processing does not consider the contextual relationships between behavioral sequences, resulting in one-sided behavioral features. The system has limited accuracy in identifying complex permission chain access and lacks the ability to perceive high-frequency unauthorized access risks and sensitive field call behaviors.
The system constructs a set of access behavior records, calculates the time interval and permission level difference between access operations, identifies sensitive fields and multi-level call behaviors, analyzes operation paths and permission spans to identify unauthorized use behaviors, and aggregates permission tags and access sequences to extract chained call paths, realizing the linkage identification of high-frequency triggers, permission changes and access to sensitive fields.
It enhances the depth of analysis and risk perception of complex permission behaviors, improves the identification accuracy of high-frequency unauthorized access risks and sensitive field call behaviors, and realizes the aggregated analysis of multi-level access paths and cross-level permission behaviors.
Figure CN122241735A_ABST
Description
Technical Field
[0001] This invention relates to the field of information security assessment technology, and in particular to an online electronic archive security assessment system and method.
Background Technology
[0002] Information security assessment technology involves a comprehensive analysis and assessment of the security of computer systems, network communications, data storage, and transmission. Its core aspects include risk identification, vulnerability detection, security policy evaluation, access control analysis, and verification of the effectiveness of data protection mechanisms. This technology systematically assesses the threats and vulnerabilities of information systems by constructing security assessment models, establishing quantitative standards, and utilizing assessment tools, providing a basis for security hardening. It is widely used in the security management of government systems, financial institutions, medical information platforms, cloud computing environments, and data-intensive enterprises and institutions. Traditional online electronic record security assessment systems refer to systems that evaluate the integrity, availability, and confidentiality of electronic records stored digitally in a network environment through a pre-set risk indicator system and assessment process. These systems typically use manually set record security level standards, combined with static access log comparisons and pre-set security rule tables for risk assessment. They often use database queries to collect access behavior records of electronic records and perform rule matching and hierarchical analysis at fixed intervals to assess the security status of electronic records during transmission, storage, and access.
[0003] Traditional online electronic record security assessment systems build risk judgment models based on static rules. Access behavior monitoring relies on preset log fields and fixed periodic tasks, lacking a mechanism for extracting real-time operation characteristics. This makes it difficult to identify permission anomalies caused by frequent operations. Access record processing does not consider the contextual relationships between behavior sequences, resulting in a one-sided trend in behavior characteristics. The system has limited accuracy in identifying complex permission chain access and lacks aggregate analysis methods for multi-level access paths and cross-level permission behaviors. The assessment results fail to reflect potential risk chains and dynamic operation triggering conditions, limiting the system's ability to perceive high-frequency unauthorized access risks and sensitive field call behaviors.
Summary of the Invention
[0004] To address the technical problems existing in the prior art, embodiments of the present invention provide an online electronic archive security assessment system and method.
[0005] On the one hand, an online electronic record security assessment system is provided, which includes: The behavior record generation module collects access behavior logs from online electronic archive access terminal devices, extracts the time identifier and permission level information of each access operation, performs binding processing of execution time and permission, parses the operation path and permission fields in the access content, and constructs a set of access behavior records. Based on the set of access behavior records, the access rhythm characterization module calculates the time interval and permission level difference between adjacent access operations, counts the behavior density and permission change number in continuous access, determines whether the access operation is triggered continuously, and filters to obtain a set of access rhythm segments. The sensitive point identification module analyzes the file field type and file access path depth in the access operation based on the behavior density and permission change number in the access rhythm segment set, determines whether there is access content containing sensitive field names and multi-level call behavior, and extracts the sensitive access segment set. The path penetration analysis module compares the execution order and permission span of operation instructions within the path based on the combination of file access paths and permission levels in the sensitive access segment set, identifies whether there is unauthorized use behavior in continuous operations, and constructs a permission level penetration path set. The security risk collection module determines whether there is a multi-node linked file access chain based on the field content, access order and permission tags in the permission level penetration path set, extracts the operation path including multi-permission chain access behavior, and constructs the electronic file security assessment result.
[0006] As a further aspect of the present invention, the access behavior record set includes time identifier pairs, permission level pairs, operation path information, and permission field information; the access rhythm segment set includes access time interval, permission difference magnitude, behavior density index, and permission change frequency; the sensitive access segment set includes sensitive field names, number of call levels, and file path depth; the permission level penetration path set includes permission span range, operation sequence structure, and path permission combination; and the electronic archive security assessment result includes chained access paths, number of linked nodes, and permission tag sequence.
[0007] As a further aspect of the present invention, the identification of whether there is unauthorized use behavior in continuous operation refers to determining whether there is behavior of executing high-privilege instructions despite insufficient user permissions in continuous access operation.
[0008] As a further aspect of the present invention, the extraction of operation paths including multi-permission chained access behaviors refers to extracting access paths that form a complete chain from access behaviors involving permission level linkage operations.
[0009] As a further aspect of the present invention, the behavior record generation module includes: The access log collection submodule collects access behavior logs from online electronic archive access terminals, extracts the operation time and permission level information for each access, combines them to form time and permission field pairs, and generates a raw time and permission dataset. The permission binding processing submodule binds the operation time field to the permission level field based on the original time permission dataset, and establishes a mapping relationship between the operation path field and the permission field to generate a set of access permission tag pairs. The behavior record construction submodule parses the operation path and permission tags according to the access permission tag set, extracts the path field structure and combines and binds the permission information, establishes a behavior record unit with a standard path index, and obtains a structured access behavior record set.
[0010] As a further aspect of the present invention, the access rhythm characterization module includes: The time difference calculation submodule extracts the timestamp field from adjacent access behavior data pairs based on the structured access behavior record set, calculates the time interval value between each pair of access operations, calls the access order index to perform sequence restoration processing, establishes the access behavior time sequence structure, and generates an operation time interval sequence. The permission difference statistics submodule calls the permission level field in the operation time interval sequence and access behavior data pair to calculate the permission level difference between adjacent access pairs, counts the number of permission level changes and operation density in continuous access, constructs a permission change statistics structure, and obtains the access permission change parameter set. The access segment filtering submodule determines whether the operation density exceeds the preset high-frequency access threshold based on the access permission change parameter set, detects whether the number of permission level changes in a continuous operation segment is higher than the set change benchmark, filters operation segments that meet the conditions, establishes a mapping between access segment time boundaries and behavior tags, and obtains a set of access rhythm segments.
[0011] As a further aspect of the present invention, the sensitive point identification module includes: The field type identification submodule extracts the file field content from the access rhythm segment based on the access rhythm segment set, performs matching detection on the field name information, determines whether there are field items in the preset sensitive field list, filters access entries including sensitive field markers, and generates a sensitive field matching marker set; The access depth detection submodule calls the sensitive field matching tag set, extracts the file path field in the corresponding access behavior, performs structural parsing on the path structure hierarchy, counts the number of hierarchical nodes in the path field, determines whether it exceeds the preset multi-level access depth threshold, and obtains a multi-level path recognition result set. The sensitive segment extraction submodule filters the marked access rhythm segments based on the multi-layer path identification result set, extracts access segments that simultaneously meet the sensitive field matching and preset path depth threshold conditions, constructs a structured segment index table and attaches sensitive identifiers to obtain a set of sensitive access segments.
[0012] As a further aspect of the present invention, the path penetration analysis module includes: The operation sequence extraction submodule extracts the operation instruction sequence in each access path based on the combination of file access paths and permission levels in the sensitive access segment set, restores the operation sequence according to the timestamp field, and generates an access path instruction sequence set. The permission span calculation submodule calls the permission level field in the access path instruction sequence set, identifies the permission level difference between adjacent operations in the sequence, calculates the permission level span value in each access path, establishes an index structure between path and span, and obtains the path permission span dataset. The unauthorized path identification submodule compares the permission level span value in the access path with the preset permission upper limit threshold based on the path permission span dataset, determines whether there is access behavior that exceeds the permission range, filters access paths that meet the unauthorized judgment rules, establishes a path-permission level mapping table, and obtains a set of permission level penetration paths.
[0013] As a further aspect of the present invention, the security risk collection module includes: The access link identification submodule extracts the node field in each path based on the access field content, operation order and permission tag in the permission level penetration path set, determines whether there is a link structure in the operation sequence that is continuously associated between multiple access nodes through permission tags, and generates a multi-node access link set. The chain behavior extraction submodule calls the multi-node access link set, filters the path sequence in which the permission label changes in a cascading manner, marks the position of permission label change for the access operation in the link in sequence, extracts the chain path structure that meets the multi-permission jump condition, and obtains the multi-permission chain path set. The risk outcome construction submodule, based on the multi-permission chain path set, statistically summarizes the fields of permission jump frequency, number of access paths and operation scope in the chain, constructs a permission jump density matrix and an access impact map between nodes, integrates the hierarchical penetration and permission coverage of the access chain, and obtains the electronic file security assessment result.
[0014] On the other hand, an online electronic record security assessment method, which is performed based on the aforementioned online electronic record security assessment system, includes the following steps:
S1: Collect access behavior logs from online electronic archive access terminal devices, extract the time identifier and permission level information of each access operation, perform binding processing of execution time and permission, parse the operation path and permission fields in the access content, and construct a set of access behavior records;
S2: Based on the access behavior record set, calculate the time interval and permission level difference between adjacent access operations, count the behavior density and permission change number in continuous access, determine whether the access operation is triggered continuously, and filter to obtain a set of access rhythm segments;
S3: Based on the behavior density and permission change quantity in the access rhythm segment set, analyze the file field type and file access path depth in the access operation, determine whether there is access content containing sensitive field names and multi-level call behavior, and extract the sensitive access segment set;
S4: Based on the combination of file access paths and permission levels in the set of sensitive access segments, compare the execution order and permission span of operation instructions within the path, identify whether there is unauthorized use behavior in continuous operations, and construct a set of permission level penetration paths;
S5: Based on the field content, access order and permission tags in the permission level penetration path set, determine whether there is a multi-node linked file access chain, extract the operation path including multi-permission chain access behavior, and construct the electronic file security assessment result.
[0015] The beneficial effects of the technical solutions provided in the embodiments of the present invention include at least the following: By binding time and permissions to generate data pairs to construct behavior sequences, and combining operation paths and permission fields to form access feature structures, the intensity of behavior and permission fluctuations are identified based on rhythm changes. Field sensitivity and path hierarchy are extracted to determine access content features. By combining permission span and operation sequence, signs of unauthorized access are identified. Permission tags and access sequence are aggregated to extract chained call paths, enabling the linked identification of high-frequency triggers, permission changes and access to sensitive fields, thereby enhancing the depth of analysis and risk perception capabilities for complex permission behaviors.
Attached Figure Description
[0016] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0017] Figure 1 is a schematic diagram of the system of the present invention; Figure 2 is a flowchart of the behavior record generation module in this invention; Figure 3 is a flowchart of the access rhythm characterization module in this invention; Figure 4 is a flowchart of the sensitive point identification module in this invention; Figure 5 is a flowchart of the path penetration analysis module in this invention; Figure 6 is a flowchart of the security risk collection module in this invention.
Detailed Implementation
[0018] The technical solution of the present invention will now be described with reference to the accompanying drawings.
[0019] In embodiments of the present invention, words such as "exemplarily," "for example," etc., are used to indicate that something is an example, illustration, or description. Any embodiment or design described as "exemplary" in the present invention should not be construed as being more preferred or advantageous than other embodiments or designs. Specifically, the use of the word "exemplary" is intended to present the concept in a concrete manner. Furthermore, in embodiments of the present invention, the meaning expressed by "and/or" can be both, or either one.
[0020] In the embodiments of this invention, the terms "image" and "picture" may sometimes be used interchangeably. It should be noted that, without emphasizing the distinction between them, they convey the same meaning. Similarly, the terms "of," "corresponding (relevant)," and "corresponding" may sometimes be used interchangeably. It should be noted that, without emphasizing the distinction between them, they convey the same meaning.
[0021] In this embodiment of the invention, sometimes a subscript such as W₁ may be written in a non-subscript form such as W1. When the difference is not emphasized, the meaning they express is the same.
[0022] To make the technical problems, technical solutions and advantages of the present invention clearer, a detailed description will be given below in conjunction with the accompanying drawings and specific embodiments.
[0023] This invention provides an online electronic record security assessment system. As shown in Figure 1, the system includes: The behavior record generation module collects access behavior logs from online electronic archive access terminal devices, extracts the time identifier and permission level information of each access operation, performs time permission binding processing to obtain access behavior data pairs, and constructs an access behavior record set by parsing the operation path and permission fields in the access content. The access rhythm characterization module calculates the time interval and permission level difference between adjacent access operations based on access behavior data pairs in the access behavior record set, counts the behavior density and permission change number in continuous access, determines whether the access operation is triggered continuously at high frequency, and filters to obtain the access rhythm segment set. The sensitive point identification module analyzes the file field type and file access path depth in the access operation based on the behavior density and permission change number in the access rhythm segment set, determines whether there is access content including sensitive field names and multi-level call behavior, and extracts the sensitive access segment set. The path penetration analysis module compares the execution order and permission span of operation instructions within the path based on the combination of file access paths and permission levels in the sensitive access segment set, identifies whether there is unauthorized use behavior in continuous operations, and establishes a permission level penetration path set.
The security risk collection module determines whether there is a multi-node linked file access chain based on the field content, access order and permission tags in the permission level penetration path set, extracts the operation path including multi-permission chain access behavior, and constructs the electronic file security assessment result.
[0024] The set of access behavior records includes time stamp pairs, permission level pairs, operation path information, and permission field information. The set of access rhythm segments includes access time intervals, permission difference magnitudes, behavior density indicators, and permission change frequency. The set of sensitive access segments includes sensitive field names, number of call levels, and file path depth. The set of permission level penetration paths includes permission span ranges, operation sequence structures, and path permission combinations. The electronic archive security assessment results include chained access paths, number of linked nodes, and permission tag sequences.
[0025] Specifically, as shown in Figure 2, the behavior record generation module includes: The access log collection submodule collects access behavior logs from online electronic archive access terminals, extracts the operation time and permission level information for each access, combines them to form time and permission field pairs, and generates a raw time and permission dataset. First, a non-intrusive traffic monitoring probe is deployed on the core server of the electronic records management system, focusing on capturing data packets around the clock on the access ports for archived files (typically port 80 for HTTP or port 443 for HTTPS). Whenever an access request to the archive database is detected, the collector immediately parses the protocol headers of the transport and application layers, extracting the operation timestamp accurate to milliseconds (e.g., "January 3, 2025, 09:30:01.125 milliseconds"), the client IP address initiating the request, the target Uniform Resource Locator (URL) path, and the SessionID that uniquely identifies the user session. Simultaneously, a submodule calls the authentication service of the access control system through a dedicated internal interface, querying the user account's permission level at the current moment based on the captured SessionID. In this embodiment, the system quantifies permissions into integer values from 1 to 10, where 1 represents basic permission to browse the public directory, and 10 represents the highest administrator permission to modify and export core data. The collector uses the timestamp "09:30:01:125" as the operation time field and the queried permission value "3" as the permission level field. The two are combined to form a time and permission field pair, which is then stored in the original time and permission dataset.
[0026] The permission binding processing submodule binds the operation time field to the permission level field based on the original time permission dataset, and establishes a mapping relationship between the operation path field and the permission field to generate a set of access permission tag pairs. The module reads the original time-based permission dataset and cleans and correlates each record. First, it categorizes discrete log entries based on SessionID. For consecutive operations within the same session, it rigidly locks the operation time field with the permission level field to ensure the uniqueness of the permission status at each point in time. Next, the module standardizes the URL path, removing dynamic parameters and redundant protocol prefixes to extract the clean operation path field (e.g., "/archive/financial/2024/report.pdf"). The module then establishes a mapping index, binding "time-permission" data pairs to this standardized path to generate a set of access permission tag pairs. In this set, each data entry contains three-dimensional information: time, standardized path, and corresponding permission level.
[0027] The behavior record construction submodule parses the operation path and permission tag according to the access permission tag set, extracts the path field structure and combines and binds the permission information, establishes behavior record units with standard path index, and obtains a set of structured access behavior records. The access permission tag set is further encapsulated in a structured manner. A submodule parses the operation path string, identifies the hierarchical structure within the path, and appends permission tags to the corresponding path nodes, forming a weighted path tree structure. Simultaneously, a unique action sequence number (ActionID) is assigned to each independent access action, establishing a standardized unit with the standard path as the core index, mounting operation time, permission level, and user identity information. After processing, the system outputs a structured access behavior record set. This set transforms the originally chaotic log stream into an ordered sequence of standard behavior objects that can be directly invoked by algorithms, providing a solid data foundation for subsequent rhythm analysis.
[0028] Specifically, as shown in Figure 3, the access rhythm characterization module includes: The time difference calculation submodule is based on a set of structured access behavior records. It extracts the timestamp field from adjacent access behavior data pairs, calculates the time interval between each pair of access operations, calls the access order index to perform sequence restoration processing, establishes the access behavior time sequence structure, and generates an operation time interval sequence. First, a specific user session is identified (assuming the session identifier is SESS_User_A), and a set of access behavior data arranged in chronological order within that session is extracted. Assume the extracted timestamps of three consecutive operations are: the first operation at 10:00:01:000, the second operation at 10:00:01:200, and the third operation at 10:00:01:800. The submodule performs a difference operation to calculate the time interval between adjacent operations: subtracting the first time from the second time yields an interval of 0.2 seconds; subtracting the second time from the third time yields an interval of 0.6 seconds. The submodule performs this calculation on the entire session sequence to establish the access behavior time sequence structure, generating a sequence of operation time intervals consisting of values such as 0.2 seconds and 0.6 seconds.
[0029] The permission difference statistics submodule calls the permission level field in the operation time interval sequence and access behavior data pair, calculates the permission level difference between adjacent access pairs, counts the number of permission level changes and operation density in continuous access, constructs a permission change statistics structure, and obtains the permission change parameter set. Assume the permission levels corresponding to the three operations above are as follows: first permission 2 (normal browsing), second permission 5 (confidential query), and third permission 2 (normal browsing). The submodule calculates the absolute value of the permission level difference between adjacent access pairs: the first change is 5 minus 2 equals 3, and the second change is also 5 minus 2 equals 3. Then, the submodule sets a statistical time window, for example, a window length of 5 seconds. Within this 5-second window, it counts the cumulative number of permission changes and calculates the operation density. Assume that 10 operations are recorded within the monitored 5-second window, and permissions change 8 times (i.e., adjacent permission values are unequal 8 times). The operation density is calculated by dividing the total number of operations by the time difference between the first and last operations. Assuming the time difference is 4 seconds, the density is 10 divided by 4, which equals 2.5 operations per second. The submodule integrates the calculated permission difference sequence, the 8 changes, and the density of 2.5 operations per second to construct a permission change statistical structure, obtaining the access permission change parameter set.
[0030] The access segment filtering submodule determines whether the operation density exceeds the preset high-frequency access threshold based on the set of access permission change parameters, detects whether the number of permission level changes in a continuous operation segment is higher than the set change benchmark, filters operation segments that meet the conditions, establishes a mapping between access segment time boundaries and behavior tags, and obtains a set of access rhythm segments. The preset high-frequency access threshold is 1.5 times per second, and the permission change baseline is 5 times per segment. The submodule compares the actual calculated value with the threshold: the detected density of 2.5 is greater than the threshold of 1.5, and the number of permission changes (8 times) is greater than the baseline of 5 times. Since both conditions are met simultaneously, the submodule determines that the operations within this time period belong to an abnormal rhythm of high frequency and drastic permission fluctuations. The submodule then locks this time period (i.e., from 10:00:01 to 10:00:05), extracts all behavior records within this interval, establishes time boundary markers, and finally outputs a set of access rhythm segments containing the abnormal segment data.
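The rhythm characterization in [0028] to [0030], worked through as an added Python example (not code from the patent). The session data is constructed to reproduce the embodiment's figures; placing each window at the first operation not yet assigned to a window is an assumption, since the text does not say how windows are positioned.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW_SECONDS = 5.0      # statistical window length used in the embodiment
DENSITY_THRESHOLD = 1.5   # preset high-frequency threshold, operations per second
CHANGE_BASELINE = 5       # permission change baseline per segment


@dataclass(frozen=True)
class Access:
    ts: datetime   # operation time, millisecond precision
    level: int     # permission level, 1 (public browsing) to 10 (administrator)


def time_intervals(records):
    """Seconds between each pair of adjacent operations."""
    return [(b.ts - a.ts).total_seconds() for a, b in zip(records, records[1:])]


def level_differences(records):
    """Absolute permission level difference between adjacent operations."""
    return [abs(b.level - a.level) for a, b in zip(records, records[1:])]


def segment_stats(records):
    """Change count and density (operations / first-to-last span) for one window."""
    span = (records[-1].ts - records[0].ts).total_seconds()
    changes = sum(1 for d in level_differences(records) if d)
    if len(records) < 2:
        density = 0.0            # a lone operation has no rhythm to measure
    elif span == 0:
        density = float("inf")   # several operations logged in the same millisecond
    else:
        density = len(records) / span
    return {"start": records[0].ts, "end": records[-1].ts,
            "operations": len(records), "changes": changes, "density": density}


def split_windows(records, window=WINDOW_SECONDS):
    """Restore time order, then cut the session into consecutive windows."""
    windows, current = [], []
    for rec in sorted(records, key=lambda r: r.ts):
        if current and (rec.ts - current[0].ts).total_seconds() >= window:
            windows.append(current)
            current = []
        current.append(rec)
    if current:
        windows.append(current)
    return windows


def rhythm_segments(records):
    """Keep only windows that exceed BOTH the density and the change thresholds."""
    flagged = []
    for win in split_windows(records):
        stats = segment_stats(win)
        if stats["density"] > DENSITY_THRESHOLD and stats["changes"] > CHANGE_BASELINE:
            flagged.append(stats)
    return flagged


def build_sample():
    """Constructed session: a 10-operation burst, then three slow reads."""
    base = datetime(2025, 1, 3, 10, 0, 1)
    burst_ms = [0, 200, 800, 1200, 1700, 2300, 2800, 3300, 3900, 4000]
    burst_levels = [2, 5, 2, 5, 2, 5, 2, 5, 2, 2]   # 8 adjacent changes
    burst = [Access(base + timedelta(milliseconds=m), lvl)
             for m, lvl in zip(burst_ms, burst_levels)]
    quiet = [Access(base + timedelta(seconds=59 + s), 2) for s in (0, 2, 4)]
    return burst + quiet


if __name__ == "__main__":
    for seg in rhythm_segments(build_sample()):
        print(seg["start"].time(), seg["end"].time(),
              seg["operations"], seg["changes"], seg["density"])
```

Because both thresholds must be exceeded, a fast burst at a constant permission level, or a slow session that flips levels often, is not reported by this stage.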
[0031] Specifically, as shown in Figure 4, the sensitive point identification module includes: The field type identification submodule extracts the file field content from the access rhythm fragment set, performs matching detection on the field name information, determines whether there are field items in the preset sensitive field list, filters access entries including sensitive field tags, and generates a sensitive field matching tag set. The system reads data from the set of access rhythm segments and extracts the metadata fields of the access target for the marked abnormal segments. Assume the extracted file name is "2025 Annual_National Defense Project_Core Personnel Salary Table.xls". The system has a pre-defined list of sensitive fields containing keywords such as "national defense", "confidential", "salary", and "top secret". The submodule uses a string matching algorithm to compare the extracted file name with the sensitive list one by one. In this example, the file name matches both "national defense" and "salary". The submodule then marks the access entry as "sensitive content" and generates a sensitive field matching tag set.
[0032] The access depth detection submodule calls the sensitive field matching tag set, extracts the file path field in the corresponding access behavior, performs structural parsing on the path structure hierarchy, counts the number of hierarchical nodes in the path field, determines whether it exceeds the preset multi-level access depth threshold, and obtains the multi-level path recognition result set. The submodule extracts the corresponding file storage path field, for example, the path is " / root / database / archive / 2025 / project_alpha / finance / salary". The submodule parses this path string, calculating the number of hierarchical nodes using forward slashes as delimiters. After parsing, the path contains 7 nodes: "root", "database", "archive", "2025", "project_alpha", "finance", and "salary". The system's preset multi-level access depth threshold is 5 levels, designed to identify deep directory exploration behavior. The submodule compares the actual depth of 7 (5) with the threshold of 5. Since 7 is greater than 5, it determines that the access behavior has penetrated into the system's core storage area. Based on this, the submodule generates a multi-level path identification result set.
[0033] The sensitive segment extraction submodule filters the marked access rhythm segments based on the multi-layer path identification result set, extracts access segments that simultaneously meet the sensitive field matching and preset path depth threshold conditions, constructs a structured segment index table and attaches sensitive identifiers to obtain a set of sensitive access segments. The system comprehensively filters the marked access frequency segments. The system logic requires that the target segment must simultaneously possess the characteristics of "content sensitivity" and "deep access path." The submodule performs an intersection operation on the results of the first two steps: since the segment contains sensitive words such as "national defense" and "salary," and its access path depth of 7 exceeds the threshold of 5, it meets all filtering conditions. The submodule upgrades this segment from a common frequency anomaly to a sensitive security event, constructs a structured table containing complete index information, and adds a highlighting mark, ultimately obtaining a set of sensitive access segments. The data in this set clearly points to potentially risky behaviors that are both high-frequency operations and involve deeply sensitive data.
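Added example (not part of the patent text): a Python sketch of the three submodules in [0031] to [0033], run over constructed rhythm segments that reuse the file name, keyword list, path and depth threshold given above. The record layout, the function names, the separator handling in the keyword match and the path normalization before counting depth are assumptions of this example.

```python
import posixpath
import re

# Keyword list and threshold as given in the description.
SENSITIVE_KEYWORDS = ("national defense", "confidential", "salary", "top secret")
DEPTH_THRESHOLD = 5


def match_sensitive(file_name, keywords=SENSITIVE_KEYWORDS):
    """Return the keywords contained in file_name (case-insensitive).

    Assumption: underscores, hyphens and dots are treated as spaces so a
    name such as "National_Defense" still matches "national defense".
    """
    normalized = re.sub(r"[_\-.\s]+", " ", file_name).lower()
    return [kw for kw in keywords if kw in normalized]


def path_depth(path):
    """Count hierarchical nodes using "/" as the delimiter.

    Assumption: the path is normalized first, so empty segments, "." and
    ".." cannot inflate or hide the real depth.
    """
    normalized = posixpath.normpath("/" + path.strip().lstrip("/"))
    return len([part for part in normalized.split("/") if part])


def extract_sensitive_segments(segments):
    """Keep segments holding an entry that is both sensitive and deep."""
    result = []
    for seg in segments:
        hits = []
        for entry in seg["entries"]:
            keywords = match_sensitive(entry["file_name"])
            depth = path_depth(entry["path"])
            # Intersection of the two conditions from [0033].
            if keywords and depth > DEPTH_THRESHOLD:
                hits.append({"path": entry["path"], "keywords": keywords,
                             "depth": depth})
        if hits:
            result.append({"segment_id": seg["segment_id"],
                           "start": seg["start"], "end": seg["end"],
                           "sensitive": True, "hits": hits})
    return result


# Constructed sample input: seg-1 mirrors the description's example,
# seg-2 has a sensitive name but a shallow (and un-normalized) path.
SAMPLE_SEGMENTS = [
    {"segment_id": "seg-1", "start": "10:00:01", "end": "10:00:05",
     "entries": [
         {"file_name": "2025 Annual_National Defense Project_Core "
                       "Personnel Salary Table.xls",
          "path": "/root/database/archive/2025/project_alpha/finance/salary"},
         {"file_name": "readme.txt",
          "path": "/root/database/archive/2025/project_alpha/docs/misc"},
     ]},
    {"segment_id": "seg-2", "start": "11:30:00", "end": "11:30:04",
     "entries": [
         {"file_name": "Salary_Summary.xls",
          "path": "/root/archive/./2025/../2025/finance/"},
     ]},
]

if __name__ == "__main__":
    for segment in extract_sensitive_segments(SAMPLE_SEGMENTS):
        print(segment)
```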
[0034] Specifically, as shown in Figure 5, the path penetration analysis module includes the following submodules. The operation sequence extraction submodule extracts the operation instruction sequence in each access path based on the combination of file access paths and permission levels in the sensitive access segment set, restores the operation sequence according to the timestamp field, and generates an access path instruction sequence set. Based on a set of sensitive access segments, the submodule focuses on reconstructing the specific attack or unauthorized operation chain. For the aforementioned locked session, the submodule rigorously sorts the operation instructions according to millisecond-level timestamps, reconstructing the operation sequence: Step A (at 10:00:01:200, permission level 2, read directory), Step B (at 10:00:01:500, permission level 6, attempt unauthorized preview), and Step C (at 10:00:01:800, permission level 9, execute core export). The submodule strings these steps together to generate a precise set of access path instruction sequences, clearly demonstrating the attacker's meticulously planned operation trajectory.
[0035] The permission span calculation submodule calls the permission level field in the access path instruction sequence set, identifies the permission level difference between adjacent operations in the sequence, calculates the permission level span value in each access path, establishes an index structure between the path and the span, and obtains the path permission span dataset. The module iterates through the instruction sequence, calculating the jump range of permission levels. For step A to step B, the permission jumps from 2 to 6, so the single-step jump is 6 minus 2 equals 4; for step B to step C, the permission jumps from 6 to 9, so the single-step jump is 9 minus 6 equals 3. Simultaneously, the submodule calculates the maximum permission jump within the entire path, which is the highest permission value 9 minus the lowest permission value 2, resulting in a cumulative jump value of 7. The submodule records the single-step jumps (values 4 and 3) and the cumulative jump (value 7), establishing an index structure between the path and the jump values to obtain the path permission jump dataset.
[0036] The unauthorized path identification submodule compares the permission level span value in the access path with the preset permission upper limit threshold based on the path permission span dataset to determine whether there is access behavior that exceeds the permission range, filters access paths that meet the unauthorized judgment rules, establishes a path-permission level mapping table, and obtains a set of permission level penetration paths. Risk assessment is performed based on the path permission span dataset. The system presets normal business logic permission fluctuation thresholds: a single-step span limit of 3 and a cumulative span limit of 5. The submodule compares the actual calculated values with the thresholds: the actual single-step span of 4 is greater than the threshold of 3, and the actual cumulative span of 7 is greater than the threshold of 5. This indicates that there is permission escalation behavior beyond the normal business scope in this access path, which is highly likely to be achieved through vulnerability exploitation or unauthorized privilege escalation. The submodule filters out this path that meets the characteristics of privilege escalation, records the specific nodes where the privilege escalation occurred (i.e., steps A to B and steps A to C), establishes a mapping table between path IDs and permission levels, and finally obtains a set of permission level penetration paths.
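Added example (not part of the patent text): a Python sketch of [0034] to [0036] that restores the A/B/C sequence from out-of-order records, computes the single-step and cumulative spans, and applies the limits of 3 and 5. The record layout, the path identifiers and the choice to count only upward single-step jumps are assumptions of this example.

```python
SINGLE_STEP_LIMIT = 3   # single-step span limit from the description
CUMULATIVE_LIMIT = 5    # cumulative span limit from the description


def parse_ts(ts):
    """Convert "HH:MM:SS:mmm" (format used in the description) to ms."""
    hours, minutes, seconds, millis = (int(part) for part in ts.split(":"))
    return ((hours * 60 + minutes) * 60 + seconds) * 1000 + millis


def restore_sequence(records):
    """Order operation records by their millisecond timestamp."""
    return sorted(records, key=lambda rec: parse_ts(rec["ts"]))


def permission_spans(sequence):
    """Return (single-step differences, highest minus lowest level)."""
    levels = [rec["level"] for rec in sequence]
    single = [nxt - cur for cur, nxt in zip(levels, levels[1:])]
    cumulative = max(levels) - min(levels) if levels else 0
    return single, cumulative


def assess_path(path_id, records):
    """Return a penetration record, or None when both limits hold."""
    seq = restore_sequence(records)
    single, cumulative = permission_spans(seq)
    # Assumption: only upward jumps are treated as escalation.
    step_hits = [(seq[i]["step"], seq[i + 1]["step"], delta)
                 for i, delta in enumerate(single)
                 if delta > SINGLE_STEP_LIMIT]
    cumulative_hit = None
    if seq and cumulative > CUMULATIVE_LIMIT:
        low = min(seq, key=lambda rec: rec["level"])
        high = max(seq, key=lambda rec: rec["level"])
        cumulative_hit = (low["step"], high["step"], cumulative)
    if not step_hits and cumulative_hit is None:
        return None
    return {"path_id": path_id,
            "levels": [(rec["step"], rec["level"]) for rec in seq],
            "single_steps": single, "cumulative": cumulative,
            "single_step_violations": step_hits,
            "cumulative_violation": cumulative_hit}


def build_penetration_set(paths):
    """Filter all paths down to the permission level penetration set."""
    assessed = (assess_path(pid, recs) for pid, recs in paths.items())
    return [item for item in assessed if item is not None]


# Constructed sample input: path-001 carries the description's steps
# A, B and C in shuffled order; path-002 is an ordinary session.
SAMPLE_PATHS = {
    "path-001": [
        {"step": "C", "ts": "10:00:01:800", "level": 9, "op": "execute core export"},
        {"step": "A", "ts": "10:00:01:200", "level": 2, "op": "read directory"},
        {"step": "B", "ts": "10:00:01:500", "level": 6, "op": "attempt unauthorized preview"},
    ],
    "path-002": [
        {"step": "A", "ts": "09:15:00:000", "level": 3, "op": "read directory"},
        {"step": "B", "ts": "09:15:02:100", "level": 4, "op": "open file"},
        {"step": "C", "ts": "09:15:05:400", "level": 4, "op": "close file"},
    ],
}

if __name__ == "__main__":
    for item in build_penetration_set(SAMPLE_PATHS):
        print(item)
```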
[0037] Specifically, as shown in Figure 6, the security risk collection module includes the following submodules. The access link identification submodule extracts the node fields in each path based on the access field content, operation order and permission tags in the permission level penetration path set, determines whether there is a link structure in the operation sequence that is continuously associated between multiple access nodes through permission tags, and generates a multi-node access link set. Based on the access field content, operation order, and permission tags in the permission level penetration path set, the complete record structure of each permission penetration path is first called to extract the field information of each behavior unit in the path, and the file path field and timestamp field corresponding to each operation are extracted one by one. Combined with the permission level field in the behavior record, a triple structure "node path-operation time-permission tag" is formed. Then, the operation time between adjacent nodes is sorted to determine whether they are consecutive operations. By comparing whether the time difference is less than a set threshold (e.g., set to 2 seconds), it is determined that there is direct operation logic between nodes. The permission tag field is further called for matching to compare whether there are the same or related permission tags between the preceding and following nodes. For example, if the preceding node has the permission tag "RW3" and the following node has "RW4", it is determined to be a permission jump cascading behavior. The tag comparison is performed using string similarity functions (such as Jaccard distance) or field prefix and suffix judgment. If the permission tags meet the condition that the field overlap exceeds 60% in the structure, it is considered that there is a relationship, and the chain relationship between nodes is recorded.
Taking a practical example, if a user executes a read operation at 10:00:01 to access a file under the path "/root/archive/2025/finance/" with a permission level of 3, and then accesses the path "/root/archive/2025/finance/salary.xls" at 10:00:02 with a permission level of 4, and the prefixes "RW3" and "RW4" are the same, then this link is recorded as a linked access chain node. After analyzing the consecutive access nodes in all paths, the set of nodes that meet the criteria of continuous operation, tag correlation, and time continuity is integrated into a link unit structure. A record table is constructed using "path node number - permission jump direction - operation time difference," and finally, a set of multi-node access links is output.
[0038] The chain behavior extraction submodule calls the multi-node access link set, filters the path sequence where the permission label changes in a cascading manner, marks the position of permission label change for the access operation in the link in turn, extracts the chain path structure that meets the multi-permission jump condition, and obtains the multi-permission chain path set. The process involves calling a multi-node access link set, sequentially traversing the node sequence in each link, extracting the permission tags corresponding to each node in the operation sequence of each link, and calling a position mapping function to mark the position index of each node in the link (e.g., the first node is index 0, the second is index 1, and so on). The difference between the permission tag of each node and the permission tag of the previous node is judged. If there is a change in value or structure, a "tag change" mark is added at that position. For example, if the previous node is "R3" and the current node is "RW5", the difference value is 2, and the change point is recorded. During execution, the numerical projection function of the permission tags is called to map the tags to comparable values (e.g., "R3" is mapped to 3, "RW5" is mapped to 5), and a threshold comparison method is used to determine the jump magnitude. The judgment threshold for multi-permission jumps is set to 1 (i.e., a tag value change ≥ 1 is considered a jump). If multiple consecutive jumps between nodes exceed this threshold, and the tag changes have structural similarity (e.g., consecutive "RW3→RW4→RW5"), then the path is selected as a path structure that satisfies the multi-permission jump condition. Suppose there exists a link path with node permission labels "R2→RW3→RW4→RW6", and operation intervals of 1.2 seconds, 1.1 seconds, and 1.5 seconds respectively. 
The entire path sequence satisfies the following: 1) Operation times are continuous with intervals less than 2 seconds; 2) Permission label values change by +1, +1, and +2 respectively, all greater than the jump threshold; 3) Permission label structures are similar, with the same prefix "RW". Therefore, this path satisfies the multi-permission jump rule and is added to the multi-permission chain path set. The final output generates a chain behavior data table based on link number, node index, permission jump value, and label structure characteristics.
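Added example (not part of the patent text): a Python sketch of the link identification and chain behavior extraction in [0037] and [0038], using the "R2→RW3→RW4→RW6" chain and its intervals as constructed input, plus the jump frequency defined in [0039] (jump count / link length, threshold 0.5). The node layout, treating two tags as related when one letter prefix starts with the other, counting only increases as jumps, and requiring two consecutive jumps are assumptions of this example.

```python
import re

MAX_GAP_SECONDS = 2.0      # adjacent nodes closer than this are consecutive
JUMP_THRESHOLD = 1         # tag value change >= 1 counts as a jump
HIGH_FREQ_THRESHOLD = 0.5  # jump frequency above this is a high-jump chain
MIN_CONSECUTIVE_JUMPS = 2  # assumption: "multiple consecutive jumps" >= 2

TAG_RE = re.compile(r"^([A-Za-z]+)(\d+)$")


def project_tag(tag):
    """Numerical projection: "RW5" -> ("RW", 5)."""
    match = TAG_RE.match(tag)
    if match is None:
        raise ValueError(f"unrecognized permission tag: {tag!r}")
    return match.group(1).upper(), int(match.group(2))


def related(tag_a, tag_b):
    """Prefix judgment (assumption): "R" and "RW" count as related."""
    prefix_a, _ = project_tag(tag_a)
    prefix_b, _ = project_tag(tag_b)
    return prefix_a.startswith(prefix_b) or prefix_b.startswith(prefix_a)


def split_links(nodes):
    """Group time-ordered nodes into links of related, consecutive nodes."""
    links, current = [], []
    for node in nodes:
        if current:
            prev = current[-1]
            gap = node["t"] - prev["t"]
            if gap >= MAX_GAP_SECONDS or not related(prev["tag"], node["tag"]):
                if len(current) > 1:
                    links.append(current)
                current = []
        current.append(node)
    if len(current) > 1:
        links.append(current)
    return links


def analyze_link(link):
    """Mark tag-change positions and compute the jump frequency."""
    values = [project_tag(node["tag"])[1] for node in link]
    jumps, run, longest = [], 0, 0
    for index in range(1, len(values)):
        delta = values[index] - values[index - 1]
        if delta >= JUMP_THRESHOLD:
            jumps.append({"index": index, "delta": delta})
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    frequency = round(len(jumps) / len(link), 3)
    return {"tags": [node["tag"] for node in link], "jumps": jumps,
            "jump_frequency": frequency,
            "multi_jump": longest >= MIN_CONSECUTIVE_JUMPS,
            "high_jump": frequency > HIGH_FREQ_THRESHOLD}


def multi_permission_chains(nodes):
    """Return the analyses of links meeting the multi-jump condition."""
    analyses = (analyze_link(link) for link in split_links(nodes))
    return [item for item in analyses if item["multi_jump"]]


# Constructed sample input: the first four nodes follow the description's
# chain (intervals 1.2 s, 1.1 s, 1.5 s); the last two form a flat link.
SAMPLE_NODES = [
    {"t": 0.0, "path": "/root/archive", "tag": "R2"},
    {"t": 1.2, "path": "/root/archive/2025", "tag": "RW3"},
    {"t": 2.3, "path": "/root/archive/2025/finance", "tag": "RW4"},
    {"t": 3.8, "path": "/root/archive/2025/finance/salary.xls", "tag": "RW6"},
    {"t": 10.0, "path": "/root/archive/2025/finance", "tag": "RW6"},
    {"t": 10.5, "path": "/root/archive/2025", "tag": "RW6"},
]

if __name__ == "__main__":
    for chain in multi_permission_chains(SAMPLE_NODES):
        print(chain)
```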
[0039] The risk outcome construction submodule, based on the multi-permission chain path set, statistically summarizes the fields of permission jump frequency, number of access paths and operation scope in the chain, constructs a permission jump density matrix and an access impact map between nodes, integrates the hierarchical penetration and permission coverage of the access chain, and obtains the electronic file security assessment results. Based on the multi-permission chain path set, firstly, the number of locations where permission jumps occur in each link is counted, and the jump frequency value (e.g., jump count / link length) is recorded. For example, if a link has 6 nodes, and 4 of them are permission change points, the frequency is 4/6 = 0.667. The jump frequency threshold (set to 0.5) is used to determine whether it is a high-frequency chain. If the frequency exceeds 0.5, the link is classified as a high-jump chain. Secondly, the total number of access paths in the link set is counted. For example, if there are 120 links in total, and 35 of them meet the multi-permission jump requirement, the jump path ratio is 35/120 = 0.292. Regarding the operation range field statistics, the file path accessed by each node in the link is extracted, and the path depth is counted. The path depth is the number of levels separated by "/" in the path. Combined with the number of jump nodes, an access range index is generated. For example, if a chain path has 5 operation nodes, and the path levels are 4, 5, 5, 6, and 5 respectively, with an average level of 5, it indicates that the access level is relatively deep. Based on this, a permission jump density matrix is constructed. The horizontal axis represents the link number, the vertical axis represents the node index, and the matrix values are jump frequency or permission span values (e.g., "node 3 jumps by 2"), used to analyze high-risk jump areas in the links.
Simultaneously, a node access impact graph is constructed. Edge weights between nodes are based on permission span values, and path weights are based on jump frequency. The PageRank algorithm is used to derive high-impact nodes in the graph structure, but the impact score is approximated in the description using a combination of node in-degree and jump amplitude. For example, if node N3 receives access from 3 nodes with an average jump amplitude of 3, then the node impact score is 3×3=9. Integrating the above indicators, the hierarchy depth, jump frequency, permission span, and number of paths for each link are weighted and summarized (e.g., weights of 0.3, 0.3, 0.2, and 0.2 respectively), and a total score is calculated. Links with scores greater than a set risk judgment threshold (e.g., 6.0) are marked as high-risk links, and the final electronic record security assessment result is output.
[0040] The online electronic record security assessment method is performed based on the aforementioned online electronic record security assessment system and includes the following steps:
S1: Collect access behavior logs from online electronic archive access terminal devices, extract the time identifier and permission level information of each access operation, perform binding processing of execution time and permission, parse the operation path and permission fields in the access content, and construct a set of access behavior records;
S2: Based on the set of access behavior records, calculate the time interval and permission level difference between adjacent access operations, count the behavior density and permission change number in continuous access, determine whether the access operation is triggered continuously, and filter to obtain a set of access rhythm segments;
S3: Based on the behavior density and number of permission changes in the access rhythm segment set, analyze the file field type and file access path depth in the access operation, determine whether there is access content containing sensitive field names and multi-level call behavior, and extract the sensitive access segment set;
S4: Based on the combination of file access paths and permission levels in the sensitive access segment set, compare the execution order and permission span of operation instructions within the path, identify whether there is unauthorized use behavior in continuous operations, and construct a permission level penetration path set;
S5: Based on the field content, access order and permission tags in the permission level penetration path set, determine whether there is a multi-node linked file access chain, extract the operation path including multi-permission chain access behavior, and construct the electronic file security assessment result.
[0041] The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.
Claims
1. An online electronic archive security assessment system, characterized in that it includes: The behavior record generation module collects access behavior logs from online electronic archive access terminal devices, extracts the time identifier and permission level information of each access operation, performs binding processing of execution time and permission, parses the operation path and permission fields in the access content, and constructs a set of access behavior records. Based on the set of access behavior records, the access rhythm characterization module calculates the time interval and permission level difference between adjacent access operations, counts the behavior density and permission change number in continuous access, determines whether the access operation is triggered continuously, and filters to obtain a set of access rhythm segments. The sensitive point identification module analyzes the file field type and file access path depth in the access operation based on the behavior density and permission change number in the access rhythm segment set, determines whether there is access content containing sensitive field names and multi-level call behavior, and extracts the sensitive access segment set. The path penetration analysis module compares the execution order and permission span of operation instructions within the path based on the combination of file access paths and permission levels in the sensitive access segment set, identifies whether there is unauthorized use behavior in continuous operations, and constructs a permission level penetration path set. The security risk collection module determines whether there is a multi-node linked file access chain based on the field content, access order and permission tags in the permission level penetration path set, extracts the operation path including multi-permission chain access behavior, and constructs the electronic file security assessment result.
2. The online electronic archive security assessment system according to claim 1, characterized in that: The set of access behavior records includes time identifier pairs, permission level pairs, operation path information, and permission field information. The set of access rhythm segments includes access time intervals, permission difference magnitudes, behavior density indicators, and permission change frequency. The set of sensitive access segments includes sensitive field names, number of call levels, and file path depth. The set of permission level penetration paths includes permission span ranges, operation sequence structures, and path permission combinations. The electronic archive security assessment results include chained access paths, number of linked nodes, and permission tag sequences.
3. The online electronic archive security assessment system according to claim 1, characterized in that: The identification of unauthorized use in continuous operations refers to determining whether there is any behavior in continuous access operations where the user has insufficient permissions but executes high-privilege instructions.
4. The online electronic archive security assessment system according to claim 1, characterized in that: The extraction includes the operation path of multi-permission chained access behavior, which refers to extracting the access path that forms a complete chain from access behaviors involving permission level linkage operations.
5. The online electronic archive security assessment system according to claim 1, characterized in that the behavior record generation module includes: The access log collection submodule collects access behavior logs from online electronic archive access terminals, extracts the operation time and permission level information for each access, combines them to form time and permission field pairs, and generates a raw time and permission dataset. The permission binding processing submodule binds the operation time field to the permission level field based on the original time permission dataset, and establishes a mapping relationship between the operation path field and the permission field to generate a set of access permission tag pairs. The behavior record construction submodule parses the operation path and permission tags according to the access permission tag set, extracts the path field structure and combines and binds the permission information, establishes a behavior record unit with a standard path index, and obtains a structured access behavior record set.
6. The online electronic archive security assessment system according to claim 5, characterized in that the access rhythm characterization module includes: The time difference calculation submodule extracts the timestamp field from adjacent access behavior data pairs based on the structured access behavior record set, calculates the time interval value between each pair of access operations, calls the access order index to perform sequence restoration processing, establishes the access behavior time sequence structure, and generates an operation time interval sequence. The permission difference statistics submodule calls the permission level field in the operation time interval sequence and access behavior data pair to calculate the permission level difference between adjacent access pairs, counts the number of permission level changes and operation density in continuous access, constructs a permission change statistics structure, and obtains the access permission change parameter set. The access segment filtering submodule determines whether the operation density exceeds the preset high-frequency access threshold based on the access permission change parameter set, detects whether the number of permission level changes in a continuous operation segment is higher than the set change benchmark, filters operation segments that meet the conditions, establishes a mapping between access segment time boundaries and behavior tags, and obtains a set of access rhythm segments.
7. The online electronic archive security assessment system according to claim 1, characterized in that the sensitive point identification module includes: The field type identification submodule extracts the file field content from the access rhythm segment based on the access rhythm segment set, performs matching detection on the field name information, determines whether there are field items in the preset sensitive field list, filters access entries including sensitive field markers, and generates a sensitive field matching marker set. The access depth detection submodule calls the sensitive field matching tag set, extracts the file path field in the corresponding access behavior, performs structural parsing on the path structure hierarchy, counts the number of hierarchical nodes in the path field, determines whether it exceeds the preset multi-level access depth threshold, and obtains a multi-level path recognition result set. The sensitive segment extraction submodule filters the marked access rhythm segments based on the multi-layer path identification result set, extracts access segments that simultaneously meet the sensitive field matching and preset path depth threshold conditions, constructs a structured segment index table and attaches sensitive identifiers to obtain a set of sensitive access segments.
8. The online electronic archive security assessment system according to claim 1, characterized in that the path penetration analysis module includes: The operation sequence extraction submodule extracts the operation instruction sequence in each access path based on the combination of file access paths and permission levels in the sensitive access segment set, restores the operation sequence according to the timestamp field, and generates an access path instruction sequence set. The permission span calculation submodule calls the permission level field in the access path instruction sequence set, identifies the permission level difference between adjacent operations in the sequence, calculates the permission level span value in each access path, establishes an index structure between path and span, and obtains the path permission span dataset. The unauthorized path identification submodule compares the permission level span value in the access path with the preset permission upper limit threshold based on the path permission span dataset, determines whether there is access behavior that exceeds the permission range, filters access paths that meet the unauthorized judgment rules, establishes a path-permission level mapping table, and obtains a set of permission level penetration paths.
9. The online electronic archive security assessment system according to claim 1, characterized in that the security risk collection module includes: The access link identification submodule extracts the node field in each path based on the access field content, operation order and permission tag in the permission level penetration path set, determines whether there is a link structure in the operation sequence that is continuously associated between multiple access nodes through permission tags, and generates a multi-node access link set. The chain behavior extraction submodule calls the multi-node access link set, filters the path sequence in which the permission label changes in a cascading manner, marks the position of permission label change for the access operation in the link in sequence, extracts the chain path structure that meets the multi-permission jump condition, and obtains the multi-permission chain path set. The risk outcome construction submodule, based on the multi-permission chain path set, statistically summarizes the fields of permission jump frequency, number of access paths and operation scope in the chain, constructs a permission jump density matrix and an access impact map between nodes, integrates the hierarchical penetration and permission coverage of the access chain, and obtains the electronic file security assessment result.
10. A method for online electronic record security assessment, characterized in that the method is performed based on the online electronic record security assessment system according to any one of claims 1-9 and includes the following steps:
S1: Collect access behavior logs from online electronic archive access terminal devices, extract the time identifier and permission level information of each access operation, perform binding processing of execution time and permission, parse the operation path and permission fields in the access content, and construct a set of access behavior records;
S2: Based on the access behavior record set, calculate the time interval and permission level difference between adjacent access operations, count the behavior density and permission change number in continuous access, determine whether the access operation is triggered continuously, and filter to obtain a set of access rhythm segments;
S3: Based on the behavior density and permission change quantity in the access rhythm segment set, analyze the file field type and file access path depth in the access operation, determine whether there is access content containing sensitive field names and multi-level call behavior, and extract the sensitive access segment set;
S4: Based on the combination of file access paths and permission levels in the set of sensitive access segments, compare the execution order and permission span of operation instructions within the path, identify whether there is unauthorized use behavior in continuous operations, and construct a set of permission level penetration paths;
S5: Based on the field content, access order and permission tags in the permission level penetration path set, determine whether there is a multi-node linked file access chain, extract the operation path including multi-permission chain access behavior, and construct the electronic file security assessment result.