CN106777024A - Recognize the method and device of malicious user - Google Patents

Recognize the method and device of malicious user Download PDF

Info

Publication number
CN106777024A
CN106777024A CN201611123024.1A CN201611123024A CN106777024A CN 106777024 A CN106777024 A CN 106777024A CN 201611123024 A CN201611123024 A CN 201611123024A CN 106777024 A CN106777024 A CN 106777024A
Authority
CN
China
Prior art keywords
user
disaggregated model
malicious
historical behavior
identified
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611123024.1A
Other languages
Chinese (zh)
Inventor
孟庆迪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Xiaomi Mobile Software Co Ltd
Original Assignee
Beijing Xiaomi Mobile Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Xiaomi Mobile Software Co Ltd filed Critical Beijing Xiaomi Mobile Software Co Ltd
Priority to CN201611123024.1A priority Critical patent/CN106777024A/en
Publication of CN106777024A publication Critical patent/CN106777024A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/951Indexing; Web crawling techniques
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/35Clustering; Classification
    • G06F16/353Clustering; Classification into predefined classes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/02Marketing; Price estimation or determination; Fundraising
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/02Marketing; Price estimation or determination; Fundraising
    • G06Q30/0207Discounts or incentives, e.g. coupons or rebates
    • G06Q30/0212Chance discounts or incentives
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/02Marketing; Price estimation or determination; Fundraising
    • G06Q30/0207Discounts or incentives, e.g. coupons or rebates
    • G06Q30/0225Avoiding frauds
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/02Marketing; Price estimation or determination; Fundraising
    • G06Q30/0207Discounts or incentives, e.g. coupons or rebates
    • G06Q30/0239Online discounts or incentives

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Development Economics (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Game Theory and Decision Science (AREA)
  • Economics (AREA)
  • General Business, Economics & Management (AREA)
  • Marketing (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Present disclose provides a kind of method and device for recognizing malicious user, belong to network technique field.Methods described includes:Obtain the historical behavior feature of user to be identified;User's disaggregated model is obtained, user's disaggregated model is based on the historical behavior feature of malicious user and the historical behavior feature of normal users is trained by sorter model and generated;The historical behavior feature of the user to be identified is input into user's disaggregated model, to determine whether the user to be identified is malicious user.User's disaggregated model that the disclosure is obtained by sorter model training, the behavioural characteristic of malicious user can be automatically analyzed using the characteristic of machine learning algorithm, there is the wider array of feature of the coverage of Subjective and behavioural characteristic for being independent of people for correlation technique, erroneous judgement and situation about failing to judge thus can be effectively reduced, the order of accuarcy of identification malicious user is improved.

Description

Recognize the method and device of malicious user
Technical field
This disclosure relates to server field, more particularly to a kind of method and device for recognizing malicious user.
Background technology
With the development of network technology, the webserver can come in parallel for a large amount of visits by its powerful process performance Ask that user provides information service, such as such as software download, online chat, shopping online etc..But in access network services In the user of device, some malicious users that other people rights and interests are damaged using technological means are commonly present.Such as, online electronic emporium The panic buying of line commodity is a kind of emerging merchandise sales mode, can play a part of publicity new product, attract loyalty user high, but Some malicious users can by technological means malice panic buying shiploads of merchandise and change hands price markup sale, seriously compromise sellers and its The rights and interests of his consumer.
In order to effectively prevent the behavior of malicious user, it is existing at present some malice can be identified in user group The scheme of user.For example for the situation of above-mentioned malice panic buying, there is scheme to be based on the scoring to user, trigger short in user Its certain score value is deducted when the conditions such as shopping cart are repeatedly added in the time, and score value is judged to that malice is used less than the user of threshold value Family, so as to play a part of certain limitation malicious user.
But, the actual effect of such scheme depends critically upon the personal experience of the maker of scoring and personal energy Power, is inevitably limited by the Subjective of maker, thus is easy to the situation for producing erroneous judgement and failing to judge, and does not reach identification The accuracy requirement of malicious user.
The content of the invention
To overcome problem present in correlation technique, the disclosure to provide a kind of method and device for recognizing malicious user.
According to the first aspect of the embodiment of the present disclosure, there is provided a kind of method of identification malicious user, including:
Obtain the historical behavior feature of user to be identified;
User's disaggregated model is obtained, user's disaggregated model is based on the historical behavior feature and normal users of malicious user Historical behavior feature by sorter model train generate;
The historical behavior feature of the user to be identified is input into user's disaggregated model, to determine the use to be identified Whether family is malicious user.
The embodiment of the present disclosure is based on the user's disaggregated model obtained by sorter model training, it is possible to use machine learning is calculated The characteristic of method automatically analyzes the behavioural characteristic of malicious user, have for correlation technique be independent of the Subjective of people with And the wider array of feature of coverage of behavioural characteristic, thus erroneous judgement and situation about failing to judge can be effectively reduced, improve identification malice The order of accuarcy of user.
In one embodiment of the disclosure, methods described also includes:
After any recognition cycle terminates, malicious user and/or normal users going through in the recognition cycle are obtained History behavioural characteristic, and expand the training set for having stored based on acquired historical behavior feature;
Based on the training set after expansion, user's disaggregated model is adjusted.
Training set after the embodiment of the present disclosure is terminated based on recognition cycle expands and the adjustment of user's disaggregated model, can pass through The Behavioral change of taken at regular intervals malicious user and/or normal users, to adjust user's disaggregated model in time to adapt to its behavior change Change so that when the change of server capability or the behavior pattern of malicious user change, still can protect to a certain extent The order of accuarcy of barrier identification malicious user, realizes malicious user identifying schemes for self adaptation that application scenarios change.
In one embodiment of the disclosure, methods described also includes:
It is user's addition malicious user mark to be identified after it is determined that the user to be identified is malicious user.
The embodiment of the present disclosure is based on adding malicious user mark to the user to be identified for being defined as malicious user, can coordinate Above-mentioned training set expands and user's disaggregated model adjusts the behavioural characteristic for gathering the newest malicious user for identifying in time, favorably In the adaptability that enhancing changes to the behavioural characteristic of malicious user.
In one embodiment of the disclosure, methods described also includes:
After any user disaggregated model is obtained, user's disaggregated model is judged according to the Evaluation Strategy for pre-setting Classifying quality whether meet requirement;
Different user's disaggregated model is regenerated when the classifying quality of user's disaggregated model is unsatisfactory for requiring, Until the classifying quality of user's disaggregated model meets requiring.
Based on judging classifying quality according to Evaluation Strategy, and that one is regenerated when classifying quality is unsatisfactory for requiring is different User's disaggregated model, the present embodiment can avoid by classifying quality difference user's disaggregated model put into the middle of practical application, And user's disaggregated model randomness to be had in generation can be utilized preferentially to choose used user's classification mould Type, contributes to the order of accuarcy of further lifting identification malicious user.
In one embodiment of the disclosure, the Evaluation Strategy that the basis pre-sets judges user's disaggregated model Classifying quality whether meet requirement, including:
When the classification accuracy of user's disaggregated model is less than the first predetermined threshold value, user's disaggregated model is determined Classifying quality be unsatisfactory for require;
And/or,
When the classification error rate of user's disaggregated model is more than the second predetermined threshold value, user's disaggregated model is determined Classifying quality be unsatisfactory for require;
And/or,
When the malicious user coverage rate of user's disaggregated model is less than three predetermined threshold values, user's classification is determined The classifying quality of model is unsatisfactory for requiring;
And/or,
When the malicious user hit rate of user's disaggregated model is less than four predetermined threshold values, user's classification is determined The classifying quality of model is unsatisfactory for requiring;
And/or,
Preset less than the 5th in the TG-AUC AUC of recipient's operating characteristic curve ROC of user's disaggregated model During threshold value, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring.
In one embodiment of the disclosure, the sorter model belongs to Gradient Boosting decision-tree models.
Gradient Boosting decision-tree models are belonged to based on the sorter model, can be by multiple weak typings Device realizes user's disaggregated model, with certain uncertainty, thus the judgement of above-mentioned Evaluation Strategy can be coordinated to realize preferentially Choose;And, there is prominent interpretation by the grader obtained by decision-tree model, thus can be carried for operating personnel The analyze data for for being easier to understand.
According to the second aspect of the embodiment of the present disclosure, there is provided a kind of device of identification malicious user, including:
First acquisition module, is configured as obtaining the historical behavior feature of user to be identified;
Second acquisition module, is configured as obtaining user's disaggregated model, and user's disaggregated model is based on malicious user The historical behavior feature of historical behavior feature and normal users is trained by sorter model and generated;
Input module, is configured as the historical behavior feature of the user to be identified being input into user's disaggregated model, To determine whether the user to be identified is malicious user.
In one embodiment of the disclosure, described device also includes:
3rd acquisition module, is configured as after any recognition cycle terminates, and obtains malicious user and/or normal users Historical behavior feature in the recognition cycle, and expand the training set for having stored based on acquired historical behavior feature;
Adjusting module, is configured as, based on the training set after being expanded by the 3rd acquisition module, classifying the user Model is adjusted.
In one embodiment of the disclosure, described device also includes:
Add module, is configured as after it is determined that the user to be identified is malicious user, is the user to be identified Addition malicious user mark.
In one embodiment of the disclosure, described device also includes:
Judge module, is configured as after any user disaggregated model is obtained, and is sentenced according to the Evaluation Strategy for pre-setting Whether the classifying quality of disconnected user's disaggregated model meets requirement;
Generation module, is configured as regenerating one not when the classifying quality of user's disaggregated model is unsatisfactory for requiring Same user's disaggregated model, until the classifying quality of user's disaggregated model meets requiring.
In one embodiment of the disclosure, the judge module includes:
First determining unit, is configured as being less than the first predetermined threshold value in the classification accuracy of user's disaggregated model When, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring;
And/or,
Second determining unit, is configured as being more than the second predetermined threshold value in the classification error rate of user's disaggregated model When, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring;
And/or,
3rd determining unit, is configured as the malicious user coverage rate in user's disaggregated model less than the 3rd default threshold During value, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring;
And/or,
4th determining unit, is configured as the malicious user hit rate in user's disaggregated model less than the 4th default threshold During value, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring;
And/or,
5th determining unit, is configured as the curve of the recipient's operating characteristic curve ROC in user's disaggregated model When lower area AUC is less than five predetermined threshold values, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring.
In one embodiment of the disclosure, the sorter model belongs to Gradient Boosting decision-tree models.
According to the third aspect of the embodiment of the present disclosure, there is provided a kind of device of identification malicious user, including:
Processor;
Memory for storing the executable instruction of processor;
Wherein, the processor is configured as:
Obtain the historical behavior feature of user to be identified;
User's disaggregated model is obtained, user's disaggregated model is based on the historical behavior feature and normal users of malicious user Historical behavior feature by sorter model train generate;
The historical behavior feature of the user to be identified is input into user's disaggregated model, to determine the use to be identified Whether family is malicious user.
The technical scheme provided by this disclosed embodiment can include the following benefits:The disclosure is instructed by sorter model The user's disaggregated model for getting, it is possible to use the characteristic of machine learning algorithm automatically analyzes the behavioural characteristic of malicious user, phase The wider array of feature of the coverage of Subjective and behavioural characteristic of people is independent of than having for correlation technique, thus can With effective situation for reducing erroneous judgement and failing to judge, the order of accuarcy of identification malicious user is improved.
It should be appreciated that the general description of the above and detailed description hereinafter are only exemplary and explanatory, not The disclosure can be limited.
Brief description of the drawings
Accompanying drawing herein is merged in specification and constitutes the part of this specification, shows the implementation for meeting the disclosure Example, and it is used to explain the principle of the disclosure together with specification.
Fig. 1 is a kind of flow chart of the method for the identification malicious user according to an exemplary embodiment;
Fig. 2 is a kind of flow chart of the method for the identification malicious user according to an exemplary embodiment;
Fig. 3 is a kind of flow chart of the method for the identification malicious user according to an exemplary embodiment;
Fig. 4 is a kind of structured flowchart of the device of the identification malicious user according to an exemplary embodiment;
Fig. 5 is a kind of structured flowchart of the device of the identification malicious user according to an exemplary embodiment.
Specific embodiment
To make the purpose, technical scheme and advantage of the disclosure clearer, below in conjunction with accompanying drawing to disclosure embodiment party Formula is described in further detail.
Here exemplary embodiment will be illustrated in detail, its example is illustrated in the accompanying drawings.Following description is related to During accompanying drawing, unless otherwise indicated, the same numbers in different accompanying drawings represent same or analogous key element.Following exemplary embodiment Described in implementation method do not represent all implementation methods consistent with the disclosure.Conversely, they be only with it is such as appended The example of the consistent apparatus and method of some aspects described in detail in claims, the disclosure.
Fig. 1 is a kind of flow chart of the method for the identification malicious user according to an exemplary embodiment, such as Fig. 1 institutes Show, comprise the following steps:
In a step 101, the historical behavior feature of user to be identified is obtained;
In a step 102, user's disaggregated model is obtained, the historical behavior that user's disaggregated model is based on malicious user is special The historical behavior feature of normal users of seeking peace is trained by sorter model and generated;
In step 103, the historical behavior feature of the user to be identified is input into user's disaggregated model, to determine Whether the user to be identified is malicious user.
In a kind of possible implementation, methods described also includes:
After any recognition cycle terminates, malicious user and/or normal users going through in the recognition cycle are obtained History behavioural characteristic, and expand the training set for having stored based on acquired historical behavior feature;
Based on the training set after expansion, user's disaggregated model is adjusted.
In a kind of possible implementation, methods described also includes:
It is user's addition malicious user mark to be identified after it is determined that the user to be identified is malicious user.
In a kind of possible implementation, methods described also includes:
After any user disaggregated model is obtained, user's disaggregated model is judged according to the Evaluation Strategy for pre-setting Classifying quality whether meet requirement;
Different user's disaggregated model is regenerated when the classifying quality of user's disaggregated model is unsatisfactory for requiring, Until the classifying quality of user's disaggregated model meets requiring.
In a kind of possible implementation, the Evaluation Strategy that the basis pre-sets judges user's disaggregated model Classifying quality whether meet requirement, including:
When the classification accuracy of user's disaggregated model is less than the first predetermined threshold value, user's disaggregated model is determined Classifying quality be unsatisfactory for require;
And/or,
When the classification error rate of user's disaggregated model is more than the second predetermined threshold value, user's disaggregated model is determined Classifying quality be unsatisfactory for require;
And/or,
When the malicious user coverage rate of user's disaggregated model is less than three predetermined threshold values, user's classification is determined The classifying quality of model is unsatisfactory for requiring;
And/or,
When the malicious user hit rate of user's disaggregated model is less than four predetermined threshold values, user's classification is determined The classifying quality of model is unsatisfactory for requiring;
And/or,
Preset less than the 5th in the TG-AUC AUC of recipient's operating characteristic curve ROC of user's disaggregated model During threshold value, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring.
In a kind of possible implementation, the sorter model belongs to Gradient Boosting decision-tree models.
It should be noted that during the method for the present embodiment can apply to any one server, it can be single Server apparatus, or server farm, server cluster or Cloud Server etc..
Also, it should be noted that the user to be identified in the present embodiment refers to any one needs in all known users Determine whether the user for malicious user, can be using the combination of arbitrary or more than one in the peculiar information of user by one Individual user distinguishes with other users, for example with user login ID, user made using the MAC Address of equipment, user IP address, or server is that each logins ID of combination distribution of ID and IP address etc., the disclosure pair This is not limited.
Also, it should be noted that the historical behavior feature in the present embodiment refers to representing that user enters between server The process of row interaction is different from the information of other users, such as the uniform resource position mark URL of user access server, Yong Hu The total degree of access server, user click event of certain button etc. during access server in certain time period, The range of information that the historical behavior feature is covered can pre-set according to application demand, and the disclosure is without limitation. Thus, the mode that historical behavior feature is obtained in the present embodiment may, for example, be in server log and/or client log Obtain.
Also, it should be noted that the historical behavior of the input quantity comprising user of the user's disaggregated model in the present embodiment is special Levy, the output quantity of user's disaggregated model comprising represent user whether be malicious user information, it is substantially trained Sorter model, the sorter model for being used can be chosen in machine learning algorithm, such as NB Algorithm, support Vector machine (Support Vector Machine, SVM), neural network algorithm, decision Tree algorithms etc., the disclosure is not done to this Limitation.
As can be seen that the disclosure is based on the user's disaggregated model obtained by sorter model training, it is possible to use engineering The characteristic for practising algorithm automatically analyzes the behavioural characteristic of malicious user, and there is the subjectivity for being independent of people to recognize for correlation technique Know and behavioural characteristic the wider array of feature of coverage, thus can effectively reduce erroneous judgement and situation about failing to judge, improve identification The order of accuarcy of malicious user.
Fig. 2 is a kind of flow chart of the method for the identification malicious user according to an exemplary embodiment, such as Fig. 2 institutes Show, the method is comprised the following steps:
In step 201, the server log and client log in a recognition cycle are obtained.
It should be noted that during the method for the present embodiment can apply to any one server, it can be single Server apparatus, or server farm, server cluster or Cloud Server etc..
Wherein, client log can be sent after the request message for receiving server from user terminal to server, Can be sent to server every the set time by user terminal.It is understood that in server log and client log The information for not only being covered comprising historical behavior feature, also runs shape including such as operation condition of server information, client State information etc. the information unrelated with user behavior, thus in order to obtain historical behavior feature, it is necessary to first to server log and Information in client log is screened.
In step 202, filtered out from server log and client log according to the setting range of historical behavior feature The user behavior information of user to be identified.
For example, the setting range of historical behavior feature can include:The all unified money sent with user orientation server Number of times in source finger URL URL shared by each type;Each Log Types (such as client, collapse, mistake, event and the page) Under daily record bar number;The daily record bar number produced under each time period;Some special events (for example click on the thing of button under client Part or slide the page event) frequency.Thus, it is possible to be filtered out in server log and client log relative The information answered, for the acquisition of historical behavior feature.
In step 203, the user behavior information of user to be identified is converted to vector based on default Feature Mapping table The historical behavior feature of form.
Wherein, the historical behavior feature with vector form can be made up of multiple characteristic values order, each feature Value one behavioural characteristic of user of respective correspondence, the use corresponding to the characteristic value quantity and each characteristic value of historical behavior feature The behavioural characteristic at family can pre-set in above-mentioned default Feature Mapping table according to application demand.It is thus possible to according to default The user behavior information of journal format is converted to Feature Mapping table the historical behavior feature of vector form.For example, history The composition of behavioural characteristic and the historical behavior examples of features of two users are as shown in table 1 below.
The historical behavior examples of features of the user of table 1
In historical behavior feature with vector form as shown in table 1, include successively:The sent with user orientation server The number of times URL1 of the URL of one type, with user orientation server send Second Type URL number of times URL2 ... it is (other kinds of Number of times corresponding to URL), the daily record bar number FT under daily record bar number ER, crash log type under error log type ... (its The corresponding daily record bar number of his Log Types), between the daily record bar number 00m of client log between 0 point to 1 point, 0 point to 1 point Server log daily record bar number 00o ... (the daily record bar number of the lower client log/server log of other times section), 23 O'clock to the daily record bar number 23o of server log, client lower slider event between 24 points frequency SL.In features described above value Building form under, the historical behavior feature of the first user U1 to be identified can be expressed as (12,0 ..., 15,1 ..., 3,1 ..., 6,11) vector, the historical behavior feature of the second user U2 to be identified can be expressed as (1,55 ..., 0,0 ..., 30,30 ..., 30,0) vector.Thus, each characteristic value can be obtained by the data processing to above-mentioned user behavior information.Due to default The behavior that Feature Mapping table secures the user corresponding to the characteristic value quantity and each characteristic value of each historical behavior feature is special Levy, therefore can ensure that the structure of the resulting historical behavior feature with vector form is consistent.Additionally, special in historical behavior Levy during comprising characteristic value (such as the above-mentioned point daily record bar number of hour statistics) relevant with the moment, in order to ensure different recognition cycles Between above-mentioned historical behavior feature structure it is consistent, carved at the beginning of each recognition cycle can be set and finish time be one All there is the fixed moment in it 24 hours.
Above-mentioned steps 201 to step 203 is a kind of possible implementation of above-mentioned steps 101, in other possible realities In existing mode, the historical behavior feature of user can also be only obtained by server log, or obtain by third party's network equipment The historical behavior feature of user to be identified is taken, the disclosure is without limitation.
In step 204, user's disaggregated model is obtained.
For example, the input quantity of user's disaggregated model can be the above-mentioned historical behavior feature with vector form, defeated Output can be 0 (it is normal users to represent user) and 1 (it is malicious user to represent user).Thus, it is configured as to grader The training set of model training generation user's disaggregated model can include the historical behavior feature of multiple normal users (output quantity is 0) Vector, and the historical behavior feature of multiple malicious user (output quantity is 1) vector.Wherein, the data in training set can To come from being manually set or test collection in advance at least in part, it is possible to storage in the middle of server, the present embodiment pair This is not limited.Additionally, the generation example of user's disaggregated model will be described in detail later.
In step 205, the historical behavior feature of user to be identified is input into user's disaggregated model, to determine user to be identified Whether it is malicious user.
For example, the historical behavior feature of the first user U1 to be identified shown in above-mentioned table 1 is being input to user point After in class model, 0 or 1 output quantity can be obtained by user's disaggregated model, represent that first waits to know when wherein output quantity is 1 Other user U1 is malicious user, and output quantity represents that the first user U1 to be identified is normal users when being 0.It is understood that with Family disaggregated model can be a series of classified calculating process by the process that input quantity obtains output quantity.
It is user's addition malicious user mark to be identified after it is determined that user to be identified is malicious user in step 206 Note.
For example, it is identified as after malicious user by the first user U1 to be identified shown in above-mentioned table 1, can be in clothes To adding character marking in the user property of the user in the user list of device storage inside of being engaged in.In other embodiment party of the disclosure In formula, the mode of addition malicious user mark can also be the user is moved under blacklist, or by the credit of the user Grade be changed to it is minimum etc., be considered as treat identifying user addition malicious user mark equivalent implementations, the disclosure is to this It is not limited.
In step 207, after the recognition cycle terminates, malicious user and normal users are obtained in the recognition cycle Interior historical behavior feature, and expand the training set for having stored based on acquired historical behavior feature.
For example, can be obtained according to the mode of step 202 and step 203 in server log and client log The historical behavior feature of predetermined white list user, the training for having stored is extended to together with the data that output quantity is 1 in the lump Concentrate;Can also obtain predetermined according to the mode of step 202 and step 203 in server log and client log The historical behavior feature of black list user, together with the data extending that output quantity is 0 to the training set for having stored.May at other Implementation in, can also only be obtained in step 207 historical behavior feature of the malicious user in the recognition cycle or Normal users are only obtained in the historical behavior feature in the recognition cycle, the disclosure is without limitation.Additionally, in one kind In possible implementation, the above-mentioned malicious user that is confirmed as in step 206 can also be obtained in the recognition cycle Historical behavior feature, to expand the training set for having stored.
In step 208, based on the training set after expansion, user's disaggregated model is adjusted.
In a kind of possible implementation, the training set after expanding can be based on the sorter model is instructed Practice, original user's disaggregated model is replaced to obtain brand-new user's disaggregated model.In alternatively possible realization side In formula, the part of expanding of training set can be mixed with the part before expansion according to predetermined ratio, and the user to having obtained Disaggregated model continues to train, to change original user's disaggregated model.
It can be seen that the present embodiment is based on user's disaggregated model of machine learning algorithm generation, can be according to machine The mode of study automatically extracts the behavioural characteristic of malicious user, is judged for treating identifying user.Compared to correlation Technology, the present embodiment does not need the designer of user's disaggregated model to have the behavioural characteristic of malicious user rich experience and to recognize Know, and widely can all be taken into account all kinds of behavioural characteristics of user by expanding the setting range of historical behavior feature Come, thus with the Subjective for being independent of people and the wider array of feature of the coverage of behavioural characteristic, can effectively reduce mistake The situation sentenced and fail to judge, improves the order of accuarcy of identification malicious user.
It is also seen that, the training set after being terminated based on recognition cycle is expanded and the adjustment of user's disaggregated model, this public affairs Opening embodiment can to adjust in time user's classification mould by taken at regular intervals malicious user and/or the Behavioral change of normal users Type adapts to its Behavioral change so that when the change of server capability or the behavior pattern of malicious user change, still may be used To ensure the order of accuarcy of identification malicious user to a certain extent, realize that malicious user identifying schemes change for application scenarios Self adaptation.And, the embodiment of the present disclosure is based on adding malicious user mark to the user to be identified for being defined as malicious user, can To coordinate the behavior that above-mentioned training set expands with the adjustment of user's disaggregated model gathers the newest malicious user for identifying in time special Levy, the adaptability for being conducive to enhancing to change the behavioural characteristic of malicious user.
Fig. 3 is a kind of flow chart of the method for the identification malicious user according to an exemplary embodiment.The present embodiment Method process shown in Fig. 1 or Fig. 2 basis on, also including the following step shown in Fig. 3:
In step 301, after any user disaggregated model is obtained, according to the Evaluation Strategy for pre-setting judges Whether the classifying quality of user's disaggregated model meets requirement.
Wherein, Evaluation Strategy can include one or more Rule of judgment, and each Rule of judgment can be comprising pre- If threshold value, so as to determine that the classifying quality of user's disaggregated model meets when user's disaggregated model meets all Rule of judgment want Ask.For example, Evaluation Strategy can include following one or more Rule of judgment:The classification of user's disaggregated model is accurate Rate is more than the first predetermined threshold value;The classification error rate of user's disaggregated model is less than the second predetermined threshold value;The evil of user's disaggregated model Meaning user coverage rate is more than the 3rd predetermined threshold value;The malicious user hit rate of user's disaggregated model is more than the 4th predetermined threshold value, uses Under the curve of recipient's operating characteristic curve (Receiver Operating Characteristic, ROC) of family disaggregated model Area (Area Under Curve, AUC) is more than the 5th predetermined threshold value.Thus, above-mentioned steps 301 can include following any One or more sub-step:
When the classification accuracy of user's disaggregated model is less than the first predetermined threshold value, user's disaggregated model is determined Classifying quality be unsatisfactory for require;
When the classification error rate of user's disaggregated model is more than the second predetermined threshold value, user's disaggregated model is determined Classifying quality be unsatisfactory for require;
When the malicious user coverage rate of user's disaggregated model is less than three predetermined threshold values, user's classification is determined The classifying quality of model is unsatisfactory for requiring;
When the malicious user hit rate of user's disaggregated model is less than four predetermined threshold values, user's classification is determined The classifying quality of model is unsatisfactory for requiring;
Preset less than the 5th in the TG-AUC AUC of recipient's operating characteristic curve ROC of user's disaggregated model During threshold value, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring.
For example, can successively judge the classification accuracy of user's disaggregated model whether less than the first predetermined threshold value, Yi Jiyong Whether the malicious user coverage rate of family disaggregated model is less than the 3rd predetermined threshold value, and determines when any one judged result is to be The classifying quality of user's disaggregated model is unsatisfactory for requirement, and user's classification is determined when the results of two judgements are no The classifying quality of model meets requirement.
Certainly, can be using different from generation user when whether the classifying quality for judging user's disaggregated model meets and require The training set used during disaggregated model so that judged result better authenticity.
In step 302, one is regenerated when the classifying quality in user's disaggregated model is unsatisfactory for requiring different User's disaggregated model, until the classifying quality of user's disaggregated model meets requiring.
For example, when the classifying quality in user's disaggregated model is unsatisfactory for requiring, the sorter model can be increased Used in training sample quantity (or changing fit approach and/or fitting parameter etc. of training sample), can be with One different user's classification mould is regenerated with identical generating mode using the randomness of the generating process of user's disaggregated model Type, user's disaggregated model is generated with by from training sample set set in advance using greater number of training sample, is made The classifying quality for obtaining user's disaggregated model produces change.
Based on judging classifying quality according to Evaluation Strategy, and that one is regenerated when classifying quality is unsatisfactory for requiring is different User's disaggregated model, the present embodiment can avoid by classifying quality difference user's disaggregated model put into the middle of practical application, And user's disaggregated model randomness to be had in generation can be utilized preferentially to choose used user's classification mould Type, contributes to the order of accuarcy of further lifting identification malicious user.
In addition, in one embodiment of the disclosure, the sorter model belongs to Gradient Boosting decision trees Model.Wherein, decision-tree model is a kind of based on the maximized disaggregated model of information gain, is in itself a kind of tree-like data knot Structure, nonleaf node is attribute and classification thresholds of the selection for classification, and leaf node is the classification results of sample.When acquisition one When sample is classified, since root node, sample compares in the value of present node attribute with classification thresholds, selects a son Tree, recurrence classification, until sample reaches leaf node so as to obtain the classification results of the sample.The training method of decision tree is base In information gain, best one attribute of selection classifying quality, recursively builds the tree classificator of the above every time.And Boosting methods are the integrated learning frameworks of a class, by training a series of weak base graders and to integrate classification capacity stronger Grader, generally given base grader quantity m, Boosting method can obtain m weak base grader, by weighting or Voting method obtains the classification results to sample.Gradient Boosting methods train multiple successively using gradient descent method Decision-tree model, each decision-tree model is by subtracting prediction loss function certainly on the basis of previous decision-tree model Plan tree-model functional gradient and selection learn rate coefficient product and renewal is obtained.For example, based on Gradient Boosting The algorithm flow that decision-tree model generates above-mentioned user's disaggregated model is as follows:
First, preliminary classification device is set
Wherein, x is the input quantity of training sample, yiIt is that (i is 1 to whole between n for i-th output quantity of training sample Number), F0X () is preliminary classification device, L (y, F (x)) is loss function, and n is the quantity of the training sample of training set.Then, according to Preliminary classification device F0X () obtains first grader F1(x), then by first grader F1X () obtains second grader F2 (x), by that analogy, until obtaining last grader FMX (), M is the sum of grader in user's disaggregated model.Wherein, By the m-1 grader Fm-1X () obtains m-th grader FmX the process of () is as follows:
First, computation model gradient
Wherein, i is 1 to the integer between n, xiIt is i-th input quantity of training sample.Then, gradient training set is usedUsing decision tree training algorithm fitting base grader hmX (), multiplier is calculated by solving one-dimensional optimization problem
So as to obtain m-th grader
Fm(x)=Fm-1(x)+γmhm(x)
Finally, the set F of the i.e. all graders of user's disaggregated model for obtaining1(x),…,FM(x)。
Gradient Boosting decision-tree models are belonged to based on the sorter model, can be by multiple weak typings Device realizes user's disaggregated model, with certain uncertainty, thus the judgement of above-mentioned Evaluation Strategy can be coordinated to realize preferentially Choose;And, there is prominent interpretation by the grader obtained by decision-tree model, thus can be carried for operating personnel The analyze data for for being easier to understand.
Fig. 4 is a kind of structured flowchart of the device of the identification malicious user according to an exemplary embodiment.Referring to figure 4, recognize that the device of malicious user includes in the embodiment of the present disclosure:
First acquisition module 41, is configured as obtaining the historical behavior feature of user to be identified;
Second acquisition module 42, is configured as obtaining user's disaggregated model, and user's disaggregated model is based on malicious user Historical behavior feature and normal users historical behavior feature by sorter model train generate;
Input module 43, is configured as the historical behavior feature of the user to be identified being input into user's classification mould Type, to determine whether the user to be identified is malicious user.
It should be noted that during the device of the present embodiment can apply to any one server, it can be single Server apparatus, or server farm, server cluster or Cloud Server etc..
Also, it should be noted that the user to be identified in the present embodiment refers to any one needs in all known users Determine whether the user for malicious user, can be using the combination of arbitrary or more than one in the peculiar information of user by one Individual user distinguishes with other users, for example with user login ID, user made using the MAC Address of equipment, user IP address, or server is that each logins ID of combination distribution of ID and IP address etc., the disclosure pair This is not limited.
Also, it should be noted that the historical behavior feature in the present embodiment refers to representing that user enters between server The process of row interaction is different from the information of other users, such as the uniform resource position mark URL of user access server, Yong Hu The total degree of access server, user click event of certain button etc. during access server in certain time period, The range of information that the historical behavior feature is covered can pre-set according to application demand, and the disclosure is without limitation. Thus, the mode that historical behavior feature is obtained in the present embodiment may, for example, be in server log and/or client log Obtain.
Also, it should be noted that the historical behavior of the input quantity comprising user of the user's disaggregated model in the present embodiment is special Levy, the output quantity of user's disaggregated model comprising represent user whether be malicious user information, it is substantially trained Sorter model, the sorter model for being used can be chosen in machine learning algorithm, such as NB Algorithm, support Vector machine (Support Vector Machine, SVM), neural network algorithm, decision Tree algorithms etc., the disclosure is not done to this Limitation.
As can be seen that the disclosure is based on the user's disaggregated model obtained by sorter model training, it is possible to use engineering The characteristic for practising algorithm automatically analyzes the behavioural characteristic of malicious user, and there is the subjectivity for being independent of people to recognize for correlation technique Know and behavioural characteristic the wider array of feature of coverage, thus can effectively reduce erroneous judgement and situation about failing to judge, improve identification The order of accuarcy of malicious user.
In one embodiment of the disclosure, described device also includes:
3rd acquisition module, is configured as after any recognition cycle terminates, and obtains malicious user and/or normal users Historical behavior feature in the recognition cycle, and expand the training set for having stored based on acquired historical behavior feature;
Adjusting module, is configured as, based on the training set after being expanded by the 3rd acquisition module, classifying the user Model is adjusted.
In one embodiment of the disclosure, described device also includes:
Add module, is configured as after it is determined that the user to be identified is malicious user, is the user to be identified Addition malicious user mark.
In one embodiment of the disclosure, described device also includes:
Judge module, is configured as after any user disaggregated model is obtained, and is sentenced according to the Evaluation Strategy for pre-setting Whether the classifying quality of disconnected user's disaggregated model meets requirement;
Generation module, is configured as regenerating one not when the classifying quality of user's disaggregated model is unsatisfactory for requiring Same user's disaggregated model, until the classifying quality of user's disaggregated model meets requiring.
In one embodiment of the disclosure, the judge module includes:
First determining unit, is configured as being less than the first predetermined threshold value in the classification accuracy of user's disaggregated model When, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring;
And/or,
Second determining unit, is configured as being more than the second predetermined threshold value in the classification error rate of user's disaggregated model When, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring;
And/or,
3rd determining unit, is configured as the malicious user coverage rate in user's disaggregated model less than the 3rd default threshold During value, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring;
And/or,
4th determining unit, is configured as the malicious user hit rate in user's disaggregated model less than the 4th default threshold During value, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring;
And/or,
5th determining unit, is configured as the curve of the recipient's operating characteristic curve ROC in user's disaggregated model When lower area AUC is less than five predetermined threshold values, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring.
In one embodiment of the disclosure, the sorter model belongs to Gradient Boosting decision-tree models.
On the device in above-described embodiment, wherein modules perform the concrete mode of operation in relevant the method Embodiment in be described in detail, explanation will be not set forth in detail herein.
Fig. 5 is a kind of structured flowchart of the device of the identification malicious user according to an exemplary embodiment.For example, dress Put 500 and may be provided in a server.Reference picture 5, device 500 includes processing assembly 522, and it further includes one or many Individual processor, and the memory resource as representated by memory 532, being configured as storage can be by the execution of processing assembly 522 Instruction, such as application program.The application program stored in memory 532 can include that one or more each is right The module of Ying Yuyi groups instruction.Additionally, processing assembly 522 is configured as execute instruction, to perform the above-mentioned identification of any one The method of malicious user.
Device 500 can also include that a power supply module 526 is configured as the power management of performs device 500, and one has Line or radio network interface 550 are configured as device 500 being connected to network, and input and output (I/O) interface 558.Dress Put 500 can operate based on storage memory 532 operating system, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM etc..
Those skilled in the art will readily occur to the disclosure after considering specification and putting into practice technology contents disclosed herein Other embodiments.The application is intended to any modification, purposes or the adaptations of the disclosure, these modifications, use Way or adaptations follow the general principle of the disclosure and including undocumented in the art known of the disclosure General knowledge or conventional techniques.Description and embodiments are considered only as exemplary, and the true scope of the disclosure and spirit are under The claim in face is pointed out.
It should be appreciated that the disclosure is not limited to the precision architecture for being described above and being shown in the drawings, and And can without departing from the scope carry out various modifications and changes.The scope of the present disclosure is only limited by appended claim.

Claims (13)

1. it is a kind of recognize malicious user method, it is characterised in that including:
Obtain the historical behavior feature of user to be identified;
User's disaggregated model is obtained, user's disaggregated model is based on the historical behavior feature of malicious user and going through for normal users History behavioural characteristic is trained by sorter model and generated;
The historical behavior feature of the user to be identified is input into user's disaggregated model, to determine that the user to be identified is No is malicious user.
2. method according to claim 1, it is characterised in that also include:
After any recognition cycle terminates, the history row of malicious user and/or normal users in the recognition cycle is obtained It is characterized, and expands the training set for having stored based on acquired historical behavior feature;
Based on the training set after expansion, user's disaggregated model is adjusted.
3. method according to claim 2, it is characterised in that also include:
It is user's addition malicious user mark to be identified after it is determined that the user to be identified is malicious user.
4. method as claimed in any of claims 1 to 3, it is characterised in that also include:
After any user disaggregated model is obtained, dividing for user's disaggregated model is judged according to the Evaluation Strategy for pre-setting Whether class effect meets requirement;
Different user's disaggregated model is regenerated when the classifying quality of user's disaggregated model is unsatisfactory for requiring, until The classifying quality of user's disaggregated model meets requirement.
5. method according to claim 4, it is characterised in that the Evaluation Strategy that the basis pre-sets judges the use Whether the classifying quality of family disaggregated model meets requirement, including:
When the classification accuracy of user's disaggregated model is less than the first predetermined threshold value, dividing for user's disaggregated model is determined Class effect is unsatisfactory for requiring;
And/or,
When the classification error rate of user's disaggregated model is more than the second predetermined threshold value, dividing for user's disaggregated model is determined Class effect is unsatisfactory for requiring;
And/or,
When the malicious user coverage rate of user's disaggregated model is less than three predetermined threshold values, user's disaggregated model is determined Classifying quality be unsatisfactory for require;
And/or,
When the malicious user hit rate of user's disaggregated model is less than four predetermined threshold values, user's disaggregated model is determined Classifying quality be unsatisfactory for require;
And/or,
The 5th predetermined threshold value is less than in the TG-AUC AUC of recipient's operating characteristic curve ROC of user's disaggregated model When, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring.
6. according to the method in any one of claims 1 to 3, it is characterised in that the sorter model belongs to Gradient Boosting decision-tree models.
7. it is a kind of recognize malicious user device, it is characterised in that including:.
First acquisition module, is configured as obtaining the historical behavior feature of user to be identified;
Second acquisition module, is configured as obtaining user's disaggregated model, and user's disaggregated model is based on the history of malicious user The historical behavior feature of behavioural characteristic and normal users is trained by sorter model and generated;
Input module, is configured as the historical behavior feature of the user to be identified being input into user's disaggregated model, with true Whether the fixed user to be identified is malicious user.
8. device according to claim 7, it is characterised in that also include:
3rd acquisition module, is configured as after any recognition cycle terminates, and obtains malicious user and/or normal users in institute The historical behavior feature in recognition cycle is stated, and expands the training set for having stored based on acquired historical behavior feature;
Adjusting module, is configured as based on the training set after being expanded by the 3rd acquisition module, to user's disaggregated model It is adjusted.
9. device according to claim 8, it is characterised in that also include:
Add module, is configured as after it is determined that the user to be identified is malicious user, is user's addition to be identified Malicious user is marked.
10. the device according to any one in claim 7 to 9, it is characterised in that also include:
Judge module, is configured as after any user disaggregated model is obtained, and institute is judged according to the Evaluation Strategy for pre-setting Whether the classifying quality for stating user's disaggregated model meets requirement;
Generation module, is configured as regenerating one when the classifying quality of user's disaggregated model is unsatisfactory for requiring different User's disaggregated model, until the classifying quality of user's disaggregated model meets requiring.
11. devices according to claim 10, it is characterised in that the judge module includes:
First determining unit, is configured as when the classification accuracy of user's disaggregated model is less than the first predetermined threshold value, really The classifying quality of fixed user's disaggregated model is unsatisfactory for requiring;
And/or,
Second determining unit, is configured as when the classification error rate of user's disaggregated model is more than the second predetermined threshold value, really The classifying quality of fixed user's disaggregated model is unsatisfactory for requiring;
And/or,
3rd determining unit, is configured as being less than the 3rd predetermined threshold value in the malicious user coverage rate of user's disaggregated model When, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring;
And/or,
4th determining unit, is configured as being less than the 4th predetermined threshold value in the malicious user hit rate of user's disaggregated model When, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring;
And/or,
5th determining unit, is configured as below the curve of recipient's operating characteristic curve ROC of user's disaggregated model When product AUC is less than five predetermined threshold values, determine that the classifying quality of user's disaggregated model is unsatisfactory for requiring.
12. device according to any one of claim 7 to 9, it is characterised in that the sorter model belongs to Gradient Boosting decision-tree models.
A kind of 13. devices for recognizing malicious user, it is characterised in that including:
Processor;
Memory for storing the executable instruction of processor;
Wherein, the processor is configured as:
Obtain the historical behavior feature of user to be identified;
User's disaggregated model is obtained, user's disaggregated model is based on the historical behavior feature of malicious user and going through for normal users History behavioural characteristic is trained by sorter model and generated;
The historical behavior feature of the user to be identified is input into user's disaggregated model, to determine that the user to be identified is No is malicious user.
CN201611123024.1A 2016-12-08 2016-12-08 Recognize the method and device of malicious user Pending CN106777024A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611123024.1A CN106777024A (en) 2016-12-08 2016-12-08 Recognize the method and device of malicious user

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611123024.1A CN106777024A (en) 2016-12-08 2016-12-08 Recognize the method and device of malicious user

Publications (1)

Publication Number Publication Date
CN106777024A true CN106777024A (en) 2017-05-31

Family

ID=58881621

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611123024.1A Pending CN106777024A (en) 2016-12-08 2016-12-08 Recognize the method and device of malicious user

Country Status (1)

Country Link
CN (1) CN106777024A (en)

Cited By (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107392801A (en) * 2017-07-21 2017-11-24 上海携程商务有限公司 The method and its device, storage medium, electronic equipment of order are upset in control
CN107392259A (en) * 2017-08-16 2017-11-24 北京京东尚科信息技术有限公司 The method and apparatus for building unbalanced sample classification model
CN107633326A (en) * 2017-09-14 2018-01-26 北京拉勾科技有限公司 A kind of user delivers the construction method and computing device of wish model
CN107730364A (en) * 2017-10-31 2018-02-23 北京麒麟合盛网络技术有限公司 user identification method and device
CN107909516A (en) * 2017-12-06 2018-04-13 链家网(北京)科技有限公司 A kind of problem source of houses recognition methods and system
CN108121912A (en) * 2017-12-13 2018-06-05 中国科学院软件研究所 A kind of malice cloud tenant recognition methods and device based on neutral net
CN108390883A (en) * 2018-02-28 2018-08-10 武汉斗鱼网络科技有限公司 Recognition methods, device and the terminal device of brush popularity user
CN108520438A (en) * 2018-03-30 2018-09-11 北京小米移动软件有限公司 Behavior type determines method and device
CN108829715A (en) * 2018-05-04 2018-11-16 慧安金科(北京)科技有限公司 For detecting the method, equipment and computer readable storage medium of abnormal data
CN108900909A (en) * 2018-06-06 2018-11-27 武汉斗鱼网络科技有限公司 Judgment method, corresponding medium and the electronic equipment of cheating user
CN109242522A (en) * 2017-07-11 2019-01-18 深圳乐信软件技术有限公司 The foundation of target user's identification model, target user's recognition methods and device
CN109255391A (en) * 2018-09-30 2019-01-22 武汉斗鱼网络科技有限公司 A kind of method, apparatus and storage medium identifying malicious user
CN109426969A (en) * 2017-08-25 2019-03-05 拓元股份有限公司 Network ticket-booking system
CN109561069A (en) * 2018-10-25 2019-04-02 阿里巴巴集团控股有限公司 A kind of generation method and device, a kind of recognition methods and device of identification model
CN109993340A (en) * 2017-12-29 2019-07-09 北京京东尚科信息技术有限公司 Data processing method
CN110022359A (en) * 2019-03-25 2019-07-16 浙江每日互动网络科技股份有限公司 A method of end user status is obtained based on mobile terminal data
CN110020662A (en) * 2019-01-09 2019-07-16 阿里巴巴集团控股有限公司 The training method and device of user's disaggregated model
CN110188796A (en) * 2019-04-25 2019-08-30 博彦科技股份有限公司 User identification method, device, storage medium and processor
CN110309205A (en) * 2019-07-10 2019-10-08 上海诚数信息科技有限公司 A kind of data-optimized extraction system of credit decision and method
CN110334129A (en) * 2019-07-08 2019-10-15 国家电网有限公司 Learning behavior analyzing method, apparatus and storage medium
CN110516422A (en) * 2019-08-30 2019-11-29 北京字节跳动网络技术有限公司 Recognition methods, device, electronic equipment and the storage medium of user identity
CN110852761A (en) * 2019-10-11 2020-02-28 支付宝(杭州)信息技术有限公司 Method and device for formulating anti-cheating strategy and electronic equipment
WO2020062731A1 (en) * 2018-09-25 2020-04-02 平安科技(深圳)有限公司 Method and apparatus for updating white list based on cost function, and electronic device
CN111177725A (en) * 2019-12-31 2020-05-19 广州市百果园信息技术有限公司 Method, device, equipment and storage medium for detecting malicious click operation
CN111200607A (en) * 2019-12-31 2020-05-26 浙江工业大学 Online user behavior analysis method based on multilayer LSTM
CN111353554A (en) * 2020-05-09 2020-06-30 支付宝(杭州)信息技术有限公司 Method and device for predicting missing user service attributes
CN111385247A (en) * 2018-12-28 2020-07-07 广州市百果园信息技术有限公司 User behavior classification method and device, storage medium and server
CN111459780A (en) * 2020-04-01 2020-07-28 北京字节跳动网络技术有限公司 User identification method and device, readable medium and electronic equipment
CN111492635A (en) * 2017-08-09 2020-08-04 Ntt安全公司 Malicious software host network flow analysis system and method
CN111773732A (en) * 2020-09-04 2020-10-16 完美世界(北京)软件科技发展有限公司 Target game user detection method, device and equipment
WO2020225819A1 (en) * 2019-05-07 2020-11-12 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University Methods and devices for detecting improper clinical programming of implantable medical devices
CN112035775A (en) * 2020-09-01 2020-12-04 中国平安财产保险股份有限公司 User identification method and device based on random forest model and computer equipment
CN112184315A (en) * 2020-09-29 2021-01-05 深圳市尊信网络科技有限公司 Method, device, equipment and storage medium for identifying abnormal lottery purchasing behavior
CN112529623A (en) * 2020-12-14 2021-03-19 中国联合网络通信集团有限公司 Malicious user identification method, device and equipment
WO2021218336A1 (en) * 2020-04-30 2021-11-04 深圳壹账通智能科技有限公司 User information discrimination method and apparatus, and device and computer readable storage medium
CN114139643A (en) * 2021-12-07 2022-03-04 佳力士添加剂(海安)有限公司 Monoglyceride quality detection method and system based on machine vision

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924660A (en) * 2009-06-09 2010-12-22 阿尔卡特朗讯公司 Method and device for detecting network malicious behaviors
CN103853841A (en) * 2014-03-19 2014-06-11 北京邮电大学 Method for analyzing abnormal behavior of user in social networking site
CN104519031A (en) * 2013-09-30 2015-04-15 西门子公司 Method and device for detecting malicious network behaviors
CN105681312A (en) * 2016-01-28 2016-06-15 李青山 Mobile internet exceptional user detection method based on frequent itemset mining

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924660A (en) * 2009-06-09 2010-12-22 阿尔卡特朗讯公司 Method and device for detecting network malicious behaviors
CN104519031A (en) * 2013-09-30 2015-04-15 西门子公司 Method and device for detecting malicious network behaviors
CN103853841A (en) * 2014-03-19 2014-06-11 北京邮电大学 Method for analyzing abnormal behavior of user in social networking site
CN105681312A (en) * 2016-01-28 2016-06-15 李青山 Mobile internet exceptional user detection method based on frequent itemset mining

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
林成峰: "新浪微博恶意用户研究及检测", 《中国优秀硕士论文全文数据库 信息科技辑》 *

Cited By (53)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109242522A (en) * 2017-07-11 2019-01-18 深圳乐信软件技术有限公司 The foundation of target user's identification model, target user's recognition methods and device
CN107392801B (en) * 2017-07-21 2021-11-23 上海携程商务有限公司 Method and device for controlling order disorder, storage medium and electronic equipment
CN107392801A (en) * 2017-07-21 2017-11-24 上海携程商务有限公司 The method and its device, storage medium, electronic equipment of order are upset in control
CN111492635A (en) * 2017-08-09 2020-08-04 Ntt安全公司 Malicious software host network flow analysis system and method
CN107392259A (en) * 2017-08-16 2017-11-24 北京京东尚科信息技术有限公司 The method and apparatus for building unbalanced sample classification model
CN107392259B (en) * 2017-08-16 2021-12-07 北京京东尚科信息技术有限公司 Method and device for constructing unbalanced sample classification model
CN109426969A (en) * 2017-08-25 2019-03-05 拓元股份有限公司 Network ticket-booking system
CN107633326A (en) * 2017-09-14 2018-01-26 北京拉勾科技有限公司 A kind of user delivers the construction method and computing device of wish model
CN107730364A (en) * 2017-10-31 2018-02-23 北京麒麟合盛网络技术有限公司 user identification method and device
CN107909516A (en) * 2017-12-06 2018-04-13 链家网(北京)科技有限公司 A kind of problem source of houses recognition methods and system
CN108121912A (en) * 2017-12-13 2018-06-05 中国科学院软件研究所 A kind of malice cloud tenant recognition methods and device based on neutral net
CN108121912B (en) * 2017-12-13 2021-11-09 中国科学院软件研究所 Malicious cloud tenant identification method and device based on neural network
CN109993340A (en) * 2017-12-29 2019-07-09 北京京东尚科信息技术有限公司 Data processing method
CN108390883A (en) * 2018-02-28 2018-08-10 武汉斗鱼网络科技有限公司 Recognition methods, device and the terminal device of brush popularity user
CN108390883B (en) * 2018-02-28 2020-08-04 武汉斗鱼网络科技有限公司 Identification method and device for people-refreshing user and terminal equipment
CN108520438A (en) * 2018-03-30 2018-09-11 北京小米移动软件有限公司 Behavior type determines method and device
CN108520438B (en) * 2018-03-30 2021-06-22 北京小米移动软件有限公司 Behavior type determination method and device
CN108829715A (en) * 2018-05-04 2018-11-16 慧安金科(北京)科技有限公司 For detecting the method, equipment and computer readable storage medium of abnormal data
CN108829715B (en) * 2018-05-04 2022-03-25 慧安金科(北京)科技有限公司 Method, apparatus, and computer-readable storage medium for detecting abnormal data
CN108900909A (en) * 2018-06-06 2018-11-27 武汉斗鱼网络科技有限公司 Judgment method, corresponding medium and the electronic equipment of cheating user
CN108900909B (en) * 2018-06-06 2020-07-17 武汉斗鱼网络科技有限公司 Method for judging cheating user, related storage medium and electronic equipment
WO2020062731A1 (en) * 2018-09-25 2020-04-02 平安科技(深圳)有限公司 Method and apparatus for updating white list based on cost function, and electronic device
CN109255391B (en) * 2018-09-30 2021-07-23 武汉斗鱼网络科技有限公司 Method, device and storage medium for identifying malicious user
CN109255391A (en) * 2018-09-30 2019-01-22 武汉斗鱼网络科技有限公司 A kind of method, apparatus and storage medium identifying malicious user
CN109561069A (en) * 2018-10-25 2019-04-02 阿里巴巴集团控股有限公司 A kind of generation method and device, a kind of recognition methods and device of identification model
CN111385247B (en) * 2018-12-28 2022-07-08 广州市百果园信息技术有限公司 User behavior classification method and device, storage medium and server
CN111385247A (en) * 2018-12-28 2020-07-07 广州市百果园信息技术有限公司 User behavior classification method and device, storage medium and server
CN110020662A (en) * 2019-01-09 2019-07-16 阿里巴巴集团控股有限公司 The training method and device of user's disaggregated model
CN110022359A (en) * 2019-03-25 2019-07-16 浙江每日互动网络科技股份有限公司 A method of end user status is obtained based on mobile terminal data
CN110188796A (en) * 2019-04-25 2019-08-30 博彦科技股份有限公司 User identification method, device, storage medium and processor
WO2020225819A1 (en) * 2019-05-07 2020-11-12 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University Methods and devices for detecting improper clinical programming of implantable medical devices
CN110334129A (en) * 2019-07-08 2019-10-15 国家电网有限公司 Learning behavior analyzing method, apparatus and storage medium
CN110309205A (en) * 2019-07-10 2019-10-08 上海诚数信息科技有限公司 A kind of data-optimized extraction system of credit decision and method
CN110516422B (en) * 2019-08-30 2021-05-07 北京字节跳动网络技术有限公司 User identity identification method and device, electronic equipment and storage medium
CN110516422A (en) * 2019-08-30 2019-11-29 北京字节跳动网络技术有限公司 Recognition methods, device, electronic equipment and the storage medium of user identity
CN110852761B (en) * 2019-10-11 2023-07-04 支付宝(杭州)信息技术有限公司 Method and device for formulating anti-cheating strategy and electronic equipment
CN110852761A (en) * 2019-10-11 2020-02-28 支付宝(杭州)信息技术有限公司 Method and device for formulating anti-cheating strategy and electronic equipment
CN111200607A (en) * 2019-12-31 2020-05-26 浙江工业大学 Online user behavior analysis method based on multilayer LSTM
CN111177725A (en) * 2019-12-31 2020-05-19 广州市百果园信息技术有限公司 Method, device, equipment and storage medium for detecting malicious click operation
CN111200607B (en) * 2019-12-31 2022-04-19 浙江工业大学 Online user behavior analysis method based on multilayer LSTM
CN111459780A (en) * 2020-04-01 2020-07-28 北京字节跳动网络技术有限公司 User identification method and device, readable medium and electronic equipment
CN111459780B (en) * 2020-04-01 2023-04-07 北京字节跳动网络技术有限公司 User identification method and device, readable medium and electronic equipment
WO2021218336A1 (en) * 2020-04-30 2021-11-04 深圳壹账通智能科技有限公司 User information discrimination method and apparatus, and device and computer readable storage medium
CN111353554A (en) * 2020-05-09 2020-06-30 支付宝(杭州)信息技术有限公司 Method and device for predicting missing user service attributes
CN112035775A (en) * 2020-09-01 2020-12-04 中国平安财产保险股份有限公司 User identification method and device based on random forest model and computer equipment
CN112035775B (en) * 2020-09-01 2023-11-14 中国平安财产保险股份有限公司 User identification method and device based on random forest model and computer equipment
CN111773732A (en) * 2020-09-04 2020-10-16 完美世界(北京)软件科技发展有限公司 Target game user detection method, device and equipment
CN111773732B (en) * 2020-09-04 2021-01-08 完美世界(北京)软件科技发展有限公司 Target game user detection method, device and equipment
CN112184315A (en) * 2020-09-29 2021-01-05 深圳市尊信网络科技有限公司 Method, device, equipment and storage medium for identifying abnormal lottery purchasing behavior
CN112529623A (en) * 2020-12-14 2021-03-19 中国联合网络通信集团有限公司 Malicious user identification method, device and equipment
CN112529623B (en) * 2020-12-14 2023-07-11 中国联合网络通信集团有限公司 Malicious user identification method, device and equipment
CN114139643A (en) * 2021-12-07 2022-03-04 佳力士添加剂(海安)有限公司 Monoglyceride quality detection method and system based on machine vision
CN114139643B (en) * 2021-12-07 2022-11-29 佳力士添加剂(海安)有限公司 Monoglyceride quality detection method and system based on machine vision

Similar Documents

Publication Publication Date Title
CN106777024A (en) Recognize the method and device of malicious user
CN109902708B (en) Recommendation model training method and related device
CN107992887B (en) Classifier generation method, classification device, electronic equipment and storage medium
Elmachtoub et al. A practical method for solving contextual bandit problems using decision trees
CN109447099B (en) PCA (principal component analysis) dimension reduction-based multi-classifier fusion method
CN108491714A (en) The man-machine recognition methods of identifying code
CN110135167B (en) Edge computing terminal security level evaluation method for random forest
CN104866831B (en) The face recognition algorithms of characteristic weighing
CN104462385A (en) Personalized movie similarity calculation method based on user interest model
JP6029041B2 (en) Face impression degree estimation method, apparatus, and program
Shin et al. Multi-scale link prediction
CN112329816A (en) Data classification method and device, electronic equipment and readable storage medium
CN106484766A (en) Searching method based on artificial intelligence and device
CN113761359B (en) Data packet recommendation method, device, electronic equipment and storage medium
He et al. Fake review detection based on pu learning and behavior density
CN107592296A (en) The recognition methods of rubbish account and device
CN107426148A (en) A kind of anti-reptile method and system based on running environment feature recognition
CN110874638B (en) Behavior analysis-oriented meta-knowledge federation method, device, electronic equipment and system
CN116629937A (en) Marketing strategy recommendation method and device
CN112116025A (en) User classification model training method and device, electronic equipment and storage medium
CN110781467A (en) Abnormal business data analysis method, device, equipment and storage medium
KR20190028880A (en) Method and appratus for generating machine learning data for botnet detection system
CN110472742A (en) A kind of model variable determines method, device and equipment
CN110866609B (en) Method, device, server and storage medium for acquiring interpretation information
CN113762703A (en) Method and device for determining enterprise portrait, computing equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination