Abnormal file access behavior monitoring method and device


Main authors: WANG WAN'ER, LI ZHONGYI, TAO JING, HAO CHUANZHOU, ZHAN XUNA, CHANG YUE, ZHENG NING, CHEN YIGUANG
Format: Patent
Language: chi; eng
Summary: The invention discloses an abnormal file access behavior monitoring method, which addresses the identification of abnormal file deletion and modification behaviors on a Linux server. The method comprises the following steps: learning and generating a user access permission white list from a historical log; based on the streaming data, identifying file access behaviors in the streaming data through association analysis of various system logs; and, based on filtering by the user access permission white list, identifying abnormal deletion and modification behaviors. The device comprises a log acquisition unit, an offline training unit and a behavior monitoring unit. Compared with the prior art, the invention has the advantages that 1) a wider file system can be monitored, 2) a white list is generated through a machine learning algorithm, normal access behaviors are filtered out, and the false alarm rate is reduced, and 3) real-time detection is carried out based on a stream processing framework. 本发明一种