A user operation safety determination method applied to an internal network
By constructing an entity-identity mapping set and employing data cleaning techniques, the problem of accurate identification of user operation behavior in the internal network was solved, enabling efficient security event tracking and user behavior determination.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- XINGTANG TELECOMM TECH CO LTD
- Filing Date
- 2025-01-14
- Publication Date
- 2026-07-14
AI Technical Summary
In existing technologies, it is difficult to accurately identify user behavior within an internal network, especially when multiple users share the same IP address, leading to misjudgments and difficulties in tracking security incidents.
By constructing an entity-identity mapping set, cleaning network traffic and behavior log data, and using unique identity identifiers to associate each operation record with the user, user operation data is established, forming a security event association graph, enabling accurate user behavior determination.
It improves the accuracy of user behavior determination, enabling rapid and effective tracking of the source and scope of impact of security incidents and reducing misjudgments.
Smart Images

Figure CN122394824A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of user behavior determination technology, and in particular to a method for determining the security of user operations applied to internal networks. Background Technology
[0002] Whether on an external or internal network, user behavior patterns directly impact network system security. For example, improper user actions (clicking malicious links, downloading infected attachments, or using weak passwords) can create security vulnerabilities, providing attackers with opportunities to easily bypass security defenses and launch attacks. To ensure network security and stability, the need to detect illegal attacks, unauthorized access, and data breaches is becoming increasingly urgent. Analyzing user behavior can effectively detect and prevent network security threats.
[0003] In existing technologies, most methods use network IP address information as the identity information of the user subject, and then analyze user behavior based on IP address information. However, this method is difficult to accurately identify the attacker's identity information, especially in internal network environments where multiple users may use multiple terminal devices with different IPs. Therefore, one IP address may be associated with multiple users or devices, which makes it difficult to distinguish the behavior of different users based on IP, and it is easy to make misjudgments, thus wrongly marking normal users as high-risk users.
[0004] Therefore, there is a need to provide a method for determining the security of user operations in internal networks, so as to effectively detect user behavior. Summary of the Invention
[0005] Based on the above analysis, the embodiments of the present invention aim to provide a user operation security determination method for internal networks, in order to solve the problem that existing internal networks cannot accurately identify user operation behavior.
[0006] This invention provides a method for determining user operation security in an internal network, comprising:
[0007] Acquire internal network system data, which includes entity information data, identity information data, and internal network monitoring data;
[0008] An information mapping set is constructed based on the entity information data and the identity information data;
[0009] User operation data is obtained by cleaning the internal network monitoring data based on the information mapping set.
[0010] Based on the user operation data, it is determined whether the user operation is a safe operation.
[0011] Based on further improvements to the above method, the entity information data includes entity type, entity identifier, entity name, and additional attributes, wherein the entity type includes a terminal; the identity information data includes a unique identity identifier, affiliated organization, and additional attributes; the internal network monitoring data includes network traffic data and behavior log data, wherein the network traffic data includes source IP, source port, destination IP, destination port, protocol, network packet size, and attribute characteristics of each layer of protocols, and the behavior log data includes the behavior subject, operation type, behavior object, operation time, operation content, and operation result.
[0012] A further improvement to the above method, the step of constructing an information mapping set based on the entity information data and the identity information data, includes:
[0013] For each piece of data in the entity information data, perform the following operation:
[0014] Determine whether the additional attributes of the entity information data contain the unique identity identifier in the identity information data. If they do, construct a first entity-identity mapping based on the association between the entity information data and the unique identity identifier. The first entity-identity mapping includes the unique identity identifier, entity name, entity identifier, and entity type.
[0015] Using the entity type, entity identifier, or entity name in the entity information data as keywords, the internal network monitoring data is matched to the matching information data set. If the matching information data set is not empty, the matching information data of the last operation is obtained from the matching information data set based on the user operation time. The unique identity identifier in the matching information data is obtained. Then, a second entity-identity mapping is constructed based on the association between the entity information data and the unique identity identifier. The second entity-identity mapping includes the unique identity identifier, entity name, entity identifier, and entity type.
[0016] If the first entity-identity mapping exists but the second entity-identity mapping does not exist, then the first entity-identity mapping is included as an information mapping data in the information mapping set. If the first entity-identity mapping does not exist but the second entity-identity mapping exists, then the second entity-identity mapping is included as an information mapping data in the information mapping set. If both the first and second entity-identity mappings exist, then the first entity-identity mapping and the second entity-identity mapping are compared for consistency. If they are consistent, then either the first entity-identity mapping or the second entity-identity mapping is included as an information mapping data in the information mapping set. If they are inconsistent, then the second entity-identity mapping is included as an information mapping data in the information mapping set.
[0017] A further improvement to the above method, the step of cleaning the internal network monitoring data based on the information mapping set to obtain user operation data, includes:
[0018] For any piece of network traffic data, perform the following operation:
[0019] Convert it into a data format containing source IP, source port, destination IP, destination port, protocol type, and additional attributes;
[0020] The source IP is used as the first matching network keyword and matched with the entity identifier of each piece of information mapping data in the mapping set. If the match is successful, the information mapping data containing the entity identifier is used as the first network entity information data.
[0021] The destination IP and / or destination port are used as the second matching network keyword and matched with the entity identifier of each piece of information mapping data in the mapping set. If the match is successful, the information mapping data containing the entity identifier is used as the second network entity information data.
[0022] Replace the source IP in the network traffic data with the unique identifier of the first network entity information data, and replace the destination IP and destination port in the network traffic data with the unique identifier of the second network entity information data.
[0023] The replaced network traffic data is used as a user operation data.
[0024] A further improvement to the above method, the step of cleaning the internal network monitoring data based on the information mapping set to obtain user operation data, further includes:
[0025] For any single behavior log entry, perform the following operation:
[0026] Convert it into a data format containing subject name, subject IP, object name, object IP, operation type, operation time, operation content, operation result, and additional attributes;
[0027] The entity name and entity IP are used as the first matching keywords to match the entity name and entity identifier of each piece of information mapping data in the mapping set. If the match is successful, the unique identifier in the information mapping data containing the entity name and entity identifier is used as the unique identifier of the first line of entity information data.
[0028] The object name and object IP are used as the second matching behavior keywords and matched with the entity name and entity identifier of each piece of information mapping data in the mapping set. If the match is successful, the unique identifier in the information mapping data containing the entity name and entity identifier is used as the unique identifier of the entity information data in the second behavior.
[0029] Replace the subject name and subject IP in the behavior log data with the unique identifier of the first line of entity information data, and replace the object name and object IP in the behavior log data with the unique identifier of the second line of entity information data.
[0030] The replaced behavior log data is used as a single user action data.
[0031] Based on the above method, if no data is matched in the mapping set, the corresponding network traffic data or behavior log data will be stored in the exception queue.
[0032] The system periodically polls the abnormal data queue in the abnormal queue and performs matching on the newly generated internal network monitoring data using the first matching network keyword, the second matching network keyword, or the first matching behavior keyword and the second matching behavior keyword. If no data is matched within a preset time, the matching is performed manually.
[0033] Based on the above method, further improvements are made to the data after acquiring user operation data, in order to form an analysis dataset.
[0034] A further improvement to the above method, the step of determining whether a user's operation is a safe operation based on the user operation data, includes: performing statistical analysis on the analysis dataset using a unique identity identifier as a keyword to obtain behavioral parameters corresponding to each unique identity identifier, wherein the behavioral parameters include behavior type, behavior frequency, behavior extreme value, and behavior time interval; comparing the behavioral parameters with the corresponding normal behavior baseline parameters, and if there is a deviation, it is considered that the entity corresponding to the unique identity identifier has a security risk.
[0035] Based on a further improvement of the above method, the step of performing statistical analysis on the analysis dataset using the unique identity identifier as a keyword includes: using the unique identity identifier as a search keyword to perform forward or backward chained searches on the analysis dataset to obtain all security data associated with it, and drawing a security event association map in a graph format.
[0036] Based on further improvements to the above method, the terminal includes a server, network equipment, and security equipment, and the additional attributes of the entity information data include operating system and access network type.
[0037] Compared with the prior art, the present invention can achieve at least one of the following beneficial effects:
[0038] This invention provides a method for determining user operation security in internal networks. Based on data within the internal network, it establishes a connection between entities (e.g., terminals) and unique user identifiers within the network system. Any network traffic data or behavior log data can be transformed based on this connection, thereby clearly identifying the user corresponding to each operation within the internal network system. Compared to existing technologies that determine user behavior based on IP addresses, this invention's solution can find the corresponding user for every operation record in the internal network. Therefore, the method proposed in this invention has higher accuracy in determining user behavior and avoids false positives. Furthermore, the association graph constructed using unique user identifiers helps system administrators track the source and scope of security incidents more quickly and efficiently.
[0039] In this invention, the above-described technical solutions can be combined with each other to achieve more preferred combinations. Other features and advantages of this invention will be set forth in the following description, and some advantages may become apparent from the description or be learned by practicing the invention. The objects and other advantages of this invention can be realized and obtained from what is particularly pointed out in the description and drawings. Attached Figure Description
[0040] The accompanying drawings are for illustrative purposes only and are not intended to limit the invention. Throughout the drawings, the same reference numerals denote the same parts.
[0041] Figure 1 This is an example diagram of a user operation security determination method applied to an internal network, as described in an embodiment of the present invention. Detailed Implementation
[0042] Preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings, which form part of this application and are used together with the embodiments of the present invention to illustrate the principles of the present invention, but are not intended to limit the scope of the present invention.
[0043] An intranet is a private network established within an organization or enterprise. Intranets are typically not directly connected to the public internet, but are isolated from the external network through security measures such as firewalls to protect the security of internal resources and data. Common intranets include: Local Area Networks (LANs), Wireless Local Area Networks (WLANs), Virtual Private Networks (VPNs), Storage Area Networks (SANs), and Industrial Control System Networks (ICS). This invention does not limit the type of intranet; as long as it meets the definition of an intranet, the method proposed in this invention can be used to determine user operation security.
[0044] In existing technologies, for internal networks such as enterprise LANs, enterprise intranets, and industrial control system networks, one terminal often corresponds to multiple users. Each user's operation is essentially reflected in the IP address of that terminal. However, it is difficult to determine the operation behavior of a certain user based on the IP address, making it difficult to trace the source when a security incident occurs. Therefore, there is a need to provide a method for determining user behavior of intranet users.
[0045] A specific embodiment of the present invention discloses a user operation security determination method applied to an internal network, such as... Figure 1 As shown, it includes:
[0046] S1: Obtain internal network system data, which includes entity information data, identity information data, and internal network monitoring data.
[0047] Entity information data includes entity type, entity identifier, entity name, and additional attributes. Entity type refers to terminals (e.g., servers, network devices, security devices), application systems, etc.; entity identifier refers to the descriptive information corresponding to the terminal, application system, etc., used to distinguish different internal network objects, such as the IP address and / or port of the terminal or application system; entity name refers to the general name of the entity type. This invention does not limit the specific content of the entity name, as long as the established entity name reflects the nature and function of the object; additional attributes refer to the unique attributes of objects within the system. The purpose of establishing this field is to store information in the object that does not conform to the aforementioned fields. For example, the additional attributes of a terminal include the operating system, access network type, etc. Understandably, all hardware terminals within the internal network system can be described using the above four features. If a certain feature is missing in the current internal entity information data, its content can be set to empty. The purpose of this method is to standardize the entity information in the internal network system data to facilitate subsequent matching processing.
[0048] Identity information data includes a unique identifier, organizational affiliation, and additional attributes. The unique identifier is used to identify each user within the system; each user's unique identifier is different, such as a user ID or employee number. The organizational affiliation mainly refers to the user's role information, such as their department or company; this field is established to better distinguish between users. Additional attributes are similar to the additional attribute types in entity information data; these are used to place certain information based on actual needs. For example, personnel information additional attributes include gender, age, and job title.
[0049] Internal network monitoring data includes network traffic data and behavior log data. Network traffic data includes source IP, source port, destination IP, destination port, protocol, network packet size, and attribute characteristics of each layer of the protocol. The behavior log data includes the subject of the behavior, operation type, object of the behavior, operation time, operation content, and operation result. The content contained in the network traffic data and behavior log data has a well-known meaning in the art, and will not be explained in this invention.
[0050] S2: Construct an information mapping set based on the entity information data and the identity information data, including: For each piece of data in the entity information data, perform the following operations:
[0051] A1: Determine whether the additional attributes of the entity information data contain the unique identity identifier in the identity information data. If so, construct a first entity-identity mapping based on the association between the entity information data and the unique identity identifier. The first entity-identity mapping includes the unique identity identifier, entity name, entity identifier, and entity type.
[0052] As can be seen from step S1, in some scenarios, the additional attributes will contain identity information data. Therefore, when constructing the information mapping set, it is necessary to first determine whether there is a unique identity identifier in the additional attributes. If it exists, the first entity-identity mapping is constructed; if it does not exist, no processing is performed.
[0053] A2: Using the entity type, entity identifier, or entity name in the entity information data as keywords, match the internal network monitoring data to the matching information data set. If the matching information data set is not empty, obtain the matching information data of the last operation in the matching information data set based on the user operation time, obtain the unique identity identifier in the matching information data, and construct a second entity-identity mapping based on the association between the entity information data and the unique identity identifier. The second entity-identity mapping includes the unique identity identifier, entity name, entity identifier, and entity type.
[0054] During the matching process between entity information data and internal network monitoring data, the matching method for each field can be set according to actual business needs. For example, matching can be performed first by entity type. If a matching result exists, the matching ends. If no matching result exists, entity identifier matching is performed. Then, the matching of entity name is determined based on whether the matching result of entity identifier exists. Alternatively, matching can be performed by entity type and entity identifier, entity identifier and entity name, etc., to achieve matching of two keywords together. For example, matching can be performed first by entity identifier, and then the matching result of entity identifier exists is determined based on whether the matching of entity name exists.
[0055] After obtaining the matching results, the operation data in the matching results are sorted according to the operation time. The matching data of the last operation is taken as the final result. The unique identity identifier in the final result is extracted, and then a second entity-identity mapping is established with the unique identity identifier, entity name, entity identifier, and entity type.
[0056] A3: If the first entity-identity mapping exists but the second entity-identity mapping does not exist, then the first entity-identity mapping is used as an information mapping data in the information mapping set; if the first entity-identity mapping does not exist but the second entity-identity mapping exists, then the second entity-identity mapping is used as an information mapping data in the information mapping set; if both the first and second entity-identity mappings exist, then compare whether the first entity-identity mapping and the second entity-identity mapping are consistent. If they are consistent, then either the first entity-identity mapping or the second entity-identity mapping is used as an information mapping data in the information mapping set; if they are inconsistent, then the second entity-identity mapping is used as an information mapping data in the information mapping set.
[0057] For example, when the first entity-identity mapping and the second entity-identity mapping are inconsistent, the first entity-identity mapping can also be stored for internal network system ledger correction. For instance, the ledger records user A performing an operation on entity A, but due to some special reasons, the information mapping set records user B performing an operation on entity A. When the internal network system administrator discovers the inconsistency, it is convenient to trace the source and verify security issues.
[0058] S3: Based on the information mapping set, perform data cleaning on the internal network monitoring data to obtain user operation data, including:
[0059] For any piece of network traffic data, perform the following operation:
[0060] B1: Convert it into a data format containing source IP, source port, destination IP, destination port, protocol type, and additional attributes.
[0061] B2: Use the source IP as the first matching network keyword and match it with the entity identifier of each piece of information mapping data in the mapping set. If the match is successful, the information mapping data containing the entity identifier is used as the first network entity information data.
[0062] B3: Use the destination IP and / or destination port as the second matching network keyword and match it with the entity identifier of each piece of information mapping data in the mapping set. If the match is successful, the information mapping data containing the entity identifier is used as the second network entity information data.
[0063] B4: Replace the source IP in the network traffic data with the unique identifier of the first network entity information data, and replace the destination IP and destination port in the network traffic data with the unique identifier of the second network entity information data.
[0064] B5: Use the replaced network traffic data as a user operation data.
[0065] For any single behavior log entry, perform the following operation:
[0066] C1: Convert it into a data format including subject name, subject IP, object name, object IP, operation type, operation time, operation content, operation result, and additional attributes.
[0067] C2: Use the entity name and entity IP as the first matching keywords to match the entity name and entity identifier of each piece of information mapping data in the mapping set. If the match is successful, use the unique identifier in the information mapping data containing the entity name and entity identifier as the unique identifier of the first line of entity information data.
[0068] C3: Use the object name and object IP as the second matching action keywords, and match them with the entity name and entity identifier of each piece of information mapping data in the mapping set. If the match is successful, use the unique identifier in the information mapping data containing the entity name and entity identifier as the unique identifier of the entity information data in the second action.
[0069] C4: Replace the subject name and subject IP in the behavior log data with the unique identifier of the first line of entity information data, and replace the object name and object IP in the behavior log data with the unique identifier of the second line of entity information data.
[0070] C5: Use the replaced behavior log data as a single user action data.
[0071] This invention provides corresponding data cleaning methods for both network traffic data and behavior log data. After performing the above cleaning operations, each piece of data in the internal network monitoring data is given a unique identifier and a direct link to the system operation. That is, each user operation can be traced back to the corresponding user. Therefore, after processing the internal network monitoring data using the method proposed in this invention, it can assist in the tracing and source identification of security incidents, and support the discovery of potential correlations, thereby effectively tracing the source, scope of impact, and chain of evidence of security incidents.
[0072] Furthermore, if no data is matched in the mapping set for network traffic data or behavior log data, the corresponding network traffic data or behavior log data is stored in an anomaly queue. The anomaly queue is periodically polled, and newly generated internal network monitoring data is matched against first and second matching network keywords or first and second matching behavior keywords. If no data is matched within a preset time, manual verification is performed. For example, for critical network activity behavior log data, such as application access behavior, if no object matching the identity feature attributes is found, it is included in the anomaly queue. The anomaly queue is periodically polled, and newly generated behavior logs are further filtered. If no match is found, the range of behavior log types is expanded to find highly relevant data, which is then manually verified. If no match is found using the above methods, the security data is filtered out without further processing.
[0073] S4: Determine whether a user operation is a safe operation based on the user operation data, including:
[0074] S41: After acquiring user operation data, standardize the data to form an analysis dataset.
[0075] Data standardization can be achieved through methods such as Min-Max standardization, Z-score standardization, decimal scaling, mean normalization, vector normalization, and exponential transformation. These methods adjust data to a common scale or range for better comparison and analysis. Understandably, outliers need to be handled before standardization, and over-standardization should be avoided to prevent loss of data characteristics or excessive influence from extreme values.
[0076] S42: Perform statistical analysis on the dataset using the unique identity identifier as the keyword to obtain the behavioral parameters corresponding to each unique identity identifier. The behavioral parameters include behavioral type, frequency of occurrence of behavior, extreme value of occurrence of behavior, and time interval of occurrence of behavior.
[0077] The statistical analysis of the dataset using unique identity identifiers as keywords includes: performing statistical analysis on the dataset, characterizing the behavior of each entity, and statistically analyzing the dataset using unique identity identifiers as keywords. The characterization angles include behavior type, behavior frequency, behavior extreme values, and behavior time interval.
[0078] The statistical analysis of the dataset using the unique identity identifier as a keyword also includes: using the unique identity identifier as a search keyword to perform forward or backward chained searches on the dataset to obtain all security data associated with it, and drawing a security event association graph in the form of a graph or representing the sequence of user operation behaviors in the form of a time axis.
[0079] S43: Compare the behavioral parameters with the corresponding normal behavioral baseline parameters. If there is a deviation, the entity corresponding to the unique identity is considered to have a security risk.
[0080] After obtaining the behavioral parameters of each user in S42, for a given user, these parameters can be compared with baseline parameters of normal behavior determined based on experience or business needs to determine the user's behavioral security risk. For example, the behavioral profile results are compared with the baseline parameters of normal behavior; if there is a deviation, the behavior or entity is considered to potentially pose a security risk.
[0081] For suspicious behavior, relevant management personnel can directly obtain the corresponding entity based on the unique identifier in the behavior, and then check whether the operation is a security event through the security event association graph; for the entity, it can be directly checked and determined.
[0082] Compared to existing technologies, this embodiment provides a user operation security determination method for internal networks. Based on data within the internal network, it establishes a connection between entities (e.g., terminals) and unique user identifiers within the internal network system. Network traffic data or behavior log data can be transformed based on this connection, thereby clearly defining the user corresponding to each operation within the internal network system. Compared to existing technologies that determine user behavior based on IP addresses, the technical solution of this invention can find the corresponding user for all operation records within the internal network. Therefore, the method proposed in this invention has higher accuracy in determining user behavior and avoids false judgments. Furthermore, the association graph constructed using unique user identifiers facilitates faster and more efficient tracking of the source and scope of security incidents by system management accounts.
[0083] Those skilled in the art will understand that all or part of the processes of the methods described in the above embodiments can be implemented by a computer program instructing related hardware, and the program can be stored in a computer-readable storage medium. The computer-readable storage medium may be a disk, optical disk, read-only memory, or random access memory, etc.
[0084] The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any changes or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in the present invention should be included within the scope of protection of the present invention.
Claims
1. A method for determining user operation security in an internal network, characterized in that, include: Acquire internal network system data, which includes entity information data, identity information data, and internal network monitoring data; An information mapping set is constructed based on the entity information data and the identity information data; User operation data is obtained by cleaning the internal network monitoring data based on the information mapping set. Based on the user operation data, it is determined whether the user operation is a safe operation.
2. The user operation security determination method applied to an internal network according to claim 1, characterized in that, The entity information data includes entity type, entity identifier, entity name, and additional attributes, and the entity type includes terminal; The identity information data includes a unique identifier, the organization to which the identity belongs, and additional attributes; The internal network monitoring data includes network traffic data and behavior log data. The network traffic data includes source IP, source port, destination IP, destination port, protocol, network packet size, and attribute characteristics of each layer of the protocol. The behavior log data includes the subject of the behavior, operation type, object of the behavior, operation time, operation content, and operation result.
3. The user operation security determination method applied to an internal network according to claim 2, characterized in that, The construction of the information mapping set based on the entity information data and the identity information data includes: For each piece of data in the entity information data, perform the following operation: Determine whether the additional attributes of the entity information data contain the unique identity identifier in the identity information data. If they do, construct a first entity-identity mapping based on the association between the entity information data and the unique identity identifier. The first entity-identity mapping includes the unique identity identifier, entity name, entity identifier, and entity type. Using the entity type, entity identifier, or entity name in the entity information data as keywords, the internal network monitoring data is matched to the matching information data set. If the matching information data set is not empty, the matching information data of the last operation is obtained from the matching information data set based on the user operation time. The unique identity identifier in the matching information data is obtained. Then, a second entity-identity mapping is constructed based on the association between the entity information data and the unique identity identifier. The second entity-identity mapping includes the unique identity identifier, entity name, entity identifier, and entity type. If the first entity-identity mapping exists but the second entity-identity mapping does not exist, then the first entity-identity mapping is included as an information mapping data in the information mapping set. If the first entity-identity mapping does not exist but the second entity-identity mapping exists, then the second entity-identity mapping is included as an information mapping data in the information mapping set. If both the first and second entity-identity mappings exist, then the first entity-identity mapping and the second entity-identity mapping are compared for consistency. If they are consistent, then either the first entity-identity mapping or the second entity-identity mapping is included as an information mapping data in the information mapping set. If they are inconsistent, then the second entity-identity mapping is included as an information mapping data in the information mapping set.
4. The user operation security determination method applied to an internal network according to claim 3, characterized in that, The process of cleaning the internal network monitoring data based on the information mapping set to obtain user operation data includes: For any piece of network traffic data, perform the following operation: Convert it into a data format containing source IP, source port, destination IP, destination port, protocol type, and additional attributes; The source IP is used as the first matching network keyword and matched with the entity identifier of each piece of information mapping data in the mapping set. If the match is successful, the information mapping data containing the entity identifier is used as the first network entity information data. The destination IP and / or destination port are used as the second matching network keyword and matched with the entity identifier of each piece of information mapping data in the mapping set. If the match is successful, the information mapping data containing the entity identifier is used as the second network entity information data. Replace the source IP in the network traffic data with the unique identifier of the first network entity information data, and replace the destination IP and destination port in the network traffic data with the unique identifier of the second network entity information data. The replaced network traffic data is used as a user operation data.
5. The user operation security determination method applied to an internal network according to claim 3, characterized in that, The process of cleaning the internal network monitoring data based on the information mapping set to obtain user operation data further includes: For any single behavior log entry, perform the following operation: Convert it into a data format containing subject name, subject IP, object name, object IP, operation type, operation time, operation content, operation result, and additional attributes; The entity name and entity IP are used as the first matching keywords to match the entity name and entity identifier of each piece of information mapping data in the mapping set. If the match is successful, the unique identifier in the information mapping data containing the entity name and entity identifier is used as the unique identifier of the first line of entity information data. The object name and object IP are used as the second matching behavior keywords and matched with the entity name and entity identifier of each piece of information mapping data in the mapping set. If the match is successful, the unique identifier in the information mapping data containing the entity name and entity identifier is used as the unique identifier of the entity information data in the second behavior. Replace the subject name and subject IP in the behavior log data with the unique identifier of the first line of entity information data, and replace the object name and object IP in the behavior log data with the unique identifier of the second line of entity information data. The replaced behavior log data is used as a single user action data.
6. The user operation security determination method applied to an internal network according to claim 5, characterized in that, include: If no data is matched in the mapping set for network traffic data or behavior log data, the corresponding network traffic data or behavior log data will be stored in the exception queue. The system periodically polls the abnormal data queue in the abnormal queue and performs matching on the newly generated internal network monitoring data using the first matching network keyword, the second matching network keyword, or the first matching behavior keyword and the second matching behavior keyword. If no data is matched within a preset time, the matching is performed manually.
7. The user operation security determination method applied to an internal network according to claim 6, characterized in that, include: After acquiring user operation data, the data is standardized to form an analysis dataset.
8. The user operation security determination method applied to an internal network according to claim 7, characterized in that, The step of determining whether a user's action is a safe action based on the user action data includes: Statistical analysis is performed on the dataset using unique identity identifiers as keywords to obtain behavioral parameters corresponding to each unique identity identifier. The behavioral parameters include behavioral type, frequency of occurrence of behavior, extreme value of occurrence of behavior, and time interval of occurrence of behavior. The behavioral parameters are compared with the corresponding normal behavioral baseline parameters. If there is a deviation, the entity corresponding to the unique identity is considered to have a security risk.
9. The user operation security determination method applied to an internal network according to claim 8, characterized in that, The statistical analysis of the dataset using unique identity identifiers as keywords includes: Using the unique identifier of this identity as the search keyword, a forward or backward chain search is performed on the analysis dataset to obtain all security data associated with it, and a security event association map is drawn in the form of a graph.
10. The user operation security determination method applied to an internal network according to claim 9, characterized in that, The terminal includes a server, network equipment, and security equipment, and the additional attributes of the entity information data include the operating system and access network type.