CN113360899A - Machine behavior identification method and system - Google Patents


Publication number
CN113360899A
Authority
CN
China
Prior art keywords
time intervals
variation
coefficient
target log
calculating
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110762856.2A
Other languages
Chinese (zh)
Other versions
CN113360899B (en
Inventor
王启凡
殷钱安
陶景龙
余贤喆
梁淑云
魏国富
夏玉明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information and Data Security Solutions Co Ltd
Original Assignee
Information and Data Security Solutions Co Ltd
Application filed by Information and Data Security Solutions Co Ltd filed Critical Information and Data Security Solutions Co Ltd
Priority to CN202110762856.2A priority Critical patent/CN113360899B/en
Publication of CN113360899A publication Critical patent/CN113360899A/en
Application granted granted Critical
Publication of CN113360899B publication Critical patent/CN113360899B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a machine behavior identification method comprising the following steps: acquiring a target log and the time interval between each two adjacent operations in the target log, wherein the target log corresponds to a single user and is sorted by that user's operation time; calculating the coefficients of variation of different numbers of consecutive time intervals; acquiring the maximum number of consecutive time intervals for which the coefficient of variation is smaller than a preset fluctuation coefficient; and, when the maximum number is larger than a preset number, confirming the operations corresponding to the maximum number as machine behavior. The invention judges whether operations are machine behavior from the interval times between them; the calculation is simple, effective and easy to implement. The required log data is simple, so the method can be applied to any scenario. The output is highly interpretable, and the records involved in the machine behavior are easy to locate.

Description

Machine behavior identification method and system
Technical Field
The invention relates to computer data security, in particular to a method and a system for identifying machine behaviors.
Background
Malicious machine behaviors, such as brute-force cracking and credential stuffing ("library bumping"), can cause significant losses to application systems and user assets. The popularization of security devices such as WAFs has reduced high-frequency machine-behavior attacks. At the same time, hackers can upgrade the logic of their machine behavior, mixing human and machine operations so as to bypass the security device.
The methods of preventing machine behavior commonly used in the prior art include:
1. Login control, such as CAPTCHA techniques, sliding windows, and the like. These techniques require modifying the system, are not very friendly to the user experience, and cannot identify machine operations performed after login.
2. Supervised machine-learning algorithms. A supervised method needs a large number of manual labels, and the manual labeling work is difficult because the proportions of positive and negative samples differ greatly.
For example, the method disclosed in publication No. CN109522692B includes: obtaining a plurality of web page operation behavior samples, comprising a plurality of machine behavior samples with machine behavior labels, a plurality of human behavior samples with human behavior labels, and a plurality of unlabeled unknown behavior samples; extracting behavior features from each of the web page operation behavior samples; taking each sample as a sample point and calculating the distances between sample points based on the extracted behavior features; constructing, from the calculated distances, a fused k-neighbor graph that fuses the k-neighbor graph and the mutual k-neighbor graph; performing cluster analysis on the sample points based on the fused k-neighbor graph; performing label diffusion, based on the clustering results, from sample points that already have labels to sample points that do not; and determining from the label diffusion result whether an unknown behavior sample is machine behavior. This method has the labeling difficulty described above.
3. Probability-based identification of machine behavior. This approach generally sets a small time-interval threshold and identifies machine behavior when the interval between 2 operations is lower than the threshold. It is not suitable for low-frequency machine operations.
For example, the machine behavior recognition method and apparatus disclosed in publication No. CN108965207B includes: acquiring at least one piece of request data in a first time period and storing it in a first data area; calculating the probability of occurrence, within a second time period longer than the first, of a field value of at least one field of the request data in the first data area; and comparing the occurrence probability with a preset value and judging from the comparison whether the request data corresponds to machine behavior. That method can improve the accuracy of identifying the machine behavior of black-market malicious first-purchase in e-commerce, but it cannot recognize low-frequency machine behavior.
4. Identifying machine behavior with an unsupervised algorithm and then improving accuracy with a supervised algorithm. This improves the accuracy of the algorithm, but a large amount of log data is required for analysis, such as mouse and keyboard operation data. Most existing systems do not retain such data, and the results are not sufficiently interpretable.
Disclosure of Invention
The technical problem to be solved by the invention is how to provide a method for identifying continuous machine behaviors, which is simple and easy to operate and has strong result interpretability.
The invention solves the technical problems through the following technical means:
A method for identifying machine behavior comprises the following steps:
acquiring a target log and the time interval between each two adjacent operations in the target log, wherein the target log corresponds to a single user and is sorted by that user's operation time;
calculating the coefficients of variation of different numbers of consecutive time intervals;
acquiring the maximum number of consecutive time intervals for which the coefficient of variation is smaller than a preset fluctuation coefficient;
and, when the maximum number is larger than the preset number, confirming the operations corresponding to the maximum number as machine behavior.
The invention calculates the interval time of the operation behaviors and judges whether the operation behaviors are machine behaviors or not, and the calculation process is simple and effective and is easy to realize. The required log data is simple and can be applied to any scene. The output result has strong interpretability, and the related records with machine behaviors are easy to find.
Further, the step of obtaining the target log comprises:
acquiring an operation log, wherein the operation log at least comprises a plurality of users and a plurality of operation times;
and grouping the operation logs according to the user, and sequencing the operations in each group according to the operation time to respectively form the target logs.
Further, the step of calculating the coefficients of variation of different numbers of consecutive time intervals comprises:
step a, taking the first operation time in the target log as the starting position, and calculating the coefficient of variation of the m consecutive time intervals from the starting position;
step b, judging whether the coefficient of variation is smaller than the preset fluctuation coefficient;
step c, if the coefficient of variation is smaller than the preset fluctuation coefficient, calculating the coefficient of variation of the m + n consecutive time intervals from the starting position, and then executing step b again, until all time intervals in the target log have been traversed, wherein n is greater than or equal to 1;
step d, if the coefficient of variation is greater than or equal to the preset fluctuation coefficient, calculating the coefficient of variation of the m consecutive time intervals from the position immediately after the starting position, and then executing step b again, until all time intervals in the target log have been traversed.
Further, the coefficient of variation is the standard deviation divided by the average value, where the standard deviation is the standard deviation of the consecutive time intervals and the average value is the average of the consecutive time intervals.
Further, the standard deviation calculation formula is as follows:
Figure BDA0003149617080000031
wherein x_i is the i-th time interval, and
Figure BDA0003149617080000032
is the average of n time intervals.
Corresponding to the method, the invention also discloses a machine behavior recognition system, which comprises:
a target log obtaining module, used for obtaining a target log and the time interval between each two adjacent operations in the target log, wherein the target log corresponds to a single user and is sorted by that user's operation time;
a coefficient of variation calculation module, used for calculating the coefficients of variation of different numbers of consecutive time intervals;
a maximum consecutive interval number obtaining module, used for obtaining the maximum number of consecutive time intervals for which the coefficient of variation is smaller than the preset fluctuation coefficient;
and a machine behavior identification module, used for confirming the operations corresponding to the maximum number as machine behavior when the maximum number is larger than the preset number.
Further, when the target log obtaining module is executed, the step of obtaining the target log includes:
acquiring an operation log, wherein the operation log at least comprises a plurality of users and a plurality of operation times;
and grouping the operation logs according to the user, and sequencing the operations in each group according to the operation time to respectively form the target logs.
Further, the step of calculating the coefficients of variation of different numbers of consecutive time intervals in the coefficient of variation calculation module comprises:
step a, taking the first operation time in the target log as the starting position, and calculating the coefficient of variation of the m consecutive time intervals from the starting position;
step b, judging whether the coefficient of variation is smaller than the preset fluctuation coefficient;
step c, if the coefficient of variation is smaller than the preset fluctuation coefficient, calculating the coefficient of variation of the m + n consecutive time intervals from the starting position, and then executing step b again, until all time intervals in the target log have been traversed, wherein n is greater than or equal to 1;
step d, if the coefficient of variation is greater than or equal to the preset fluctuation coefficient, calculating the coefficient of variation of the m consecutive time intervals from the position immediately after the starting position, and then executing step b again, until all time intervals in the target log have been traversed.
Further, the coefficient of variation is the standard deviation divided by the average value, where the standard deviation is the standard deviation of the consecutive time intervals and the average value is the average of the consecutive time intervals.
Further, the standard deviation calculation formula is as follows:
Figure BDA0003149617080000041
wherein x_i is the i-th time interval, and
Figure BDA0003149617080000042
is the average of n time intervals.
The invention has the advantages that:
The invention judges whether operations are machine behavior from the interval times between them; the calculation is simple, effective and easy to implement. The required log data is simple, so the method can be applied to any scenario. The output is highly interpretable, and the records involved in the machine behavior are easy to locate.
Drawings
Fig. 1 is a flowchart illustrating a method for identifying a machine behavior according to an embodiment of the present invention.
Fig. 2 is a block diagram of a system for identifying machine behavior according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment discloses a method for identifying a machine behavior, which is used for identifying an abnormal user with the machine behavior, and specifically comprises the following steps as shown in fig. 1:
Step 1, obtaining a target log and the time interval between each two adjacent operations in the target log, wherein the target log corresponds to a single user and is sorted by that user's operation time;
Specifically, an operation log is obtained first; the operation log contains at least a plurality of users and a plurality of operation times, as exemplified in Table 1.
TABLE 1 user action Log
Figure BDA0003149617080000043
Figure BDA0003149617080000051
The operation log is then grouped by user, and the operations in each group are sorted by operation time, forming one target log per user. Table 2 shows Table 1 after grouping by user and sorting.
TABLE 2 target Log
Figure BDA0003149617080000052
Figure BDA0003149617080000061
Step 2, calculating the coefficients of variation of different numbers of consecutive time intervals. The specific steps are as follows:
The coefficient of variation equals the standard deviation divided by the average value. The standard deviation is the standard deviation of the consecutive time intervals, and its calculation formula is:
Figure BDA0003149617080000062
wherein x_i is the i-th time interval, and
Figure BDA0003149617080000063
is the average of n time intervals. The average value is the average of the consecutive time intervals, and a time interval is the difference between the current operation time and the previous operation time. So first, on the basis of Table 2, the interval time between adjacent operations is calculated, as shown in Table 3.
TABLE 3 Time intervals between consecutive operations
User | Operation time | Time interval (s)
Zhang San | 2021-10-01 08:55:00 | NaN
Zhang San | 2021-10-21 10:13:03 | 1732683.0
Zhang San | 2021-10-21 10:23:07 | 604.0
Zhang San | 2021-10-21 10:33:15 | 608.0
Zhang San | 2021-10-21 10:43:01 | 586.0
Zhang San | 2021-10-21 10:53:03 | 602.0
Zhang San | 2021-10-21 11:03:14 | 611.0
Zhang San | 2021-10-21 11:13:24 | 610.0
Zhang San | 2021-10-21 14:00:00 | 9996.0
Li Si | 2021-10-01 05:55:00 | NaN
Li Si | 2021-10-21 11:23:07 | 1747687.0
Li Si | 2021-10-21 13:33:15 | 7808.0
Li Si | 2021-10-21 14:43:01 | 4186.0
Li Si | 2021-10-21 15:53:03 | 4202.0
Li Si | 2021-10-21 18:03:34 | 7831.0
Li Si | 2021-10-21 19:00:00 | 3386.0
Then, the step of calculating the coefficients of variation of different numbers of consecutive time intervals comprises:
step a, taking the first operation time in the target log as the starting position, and calculating the coefficient of variation of the m consecutive time intervals from the starting position;
step b, judging whether the coefficient of variation is smaller than the preset fluctuation coefficient;
step c, if the coefficient of variation is smaller than the preset fluctuation coefficient, calculating the coefficient of variation of the m + n consecutive time intervals from the starting position, and then executing step b again, until all time intervals in the target log have been traversed, wherein n is greater than or equal to 1;
step d, if the coefficient of variation is greater than or equal to the preset fluctuation coefficient, calculating the coefficient of variation of the m consecutive time intervals from the position immediately after the starting position, and then executing step b again, until all time intervals in the target log have been traversed.
In this embodiment, the preset fluctuation coefficient y is set first; the smaller the fluctuation coefficient, the more stable the intervals. A fluctuation coefficient of 0 means the intervals are exactly equal. In practice there are some errors due to the network or other causes, and to tolerate these errors this embodiment sets the preset fluctuation coefficient y to 0.05. Then a minimum number of continuous operations (i.e. the preset number) is set: when the coefficient of variation of the time intervals of 5 continuous operations is smaller than the preset fluctuation coefficient, the operations are considered continuous machine behavior, so the minimum number of continuous operations is 5 in this embodiment. Of course, the preset fluctuation coefficient and the minimum number of continuous operations m may be set differently according to actual business needs and scenarios, which is not limited in this application.
Specifically, in this embodiment, the first operation time in the target log is taken as the starting position and the coefficient of variation of 5 consecutive time intervals from the starting position is calculated. If it is smaller than the preset fluctuation coefficient y (0.05), the coefficient of variation of 6 consecutive time intervals from the starting position is calculated; if that is still smaller than the preset fluctuation coefficient y (0.05), the coefficient of variation of 7 consecutive time intervals from the starting position is calculated, and so on until all time intervals have been traversed. This calculation determines the maximum number of consecutive time intervals for which the coefficient of variation is smaller than the preset fluctuation coefficient. If, on the other hand, the coefficient of variation of the 5 consecutive time intervals is greater than or equal to the preset fluctuation coefficient, the coefficient of variation of the 5 consecutive time intervals starting from the second operation time in the target log is calculated and compared with the preset fluctuation coefficient, and so on until all time intervals have been traversed.
Based on table 3, the coefficients of variation for different numbers of consecutive time intervals for each user calculated according to the above method are shown in table 4.
TABLE 4 coefficient of variation for different numbers of consecutive time intervals
Figure BDA0003149617080000071
Figure BDA0003149617080000081
Step 3, acquiring the maximum number of consecutive time intervals for which the coefficient of variation is smaller than the preset fluctuation coefficient. As can be seen from Table 4, the maximum number of consecutive time intervals for which Zhang San's coefficient of variation is smaller than the fluctuation coefficient is 7, while Li Si's coefficients of variation are greater than the preset fluctuation coefficient.
Step 4, when the maximum number is larger than the preset number, confirming the operations corresponding to the maximum number as machine behavior. As can be seen from Table 4, the coefficient of variation of 7 continuous operations by Zhang San is smaller than the fluctuation coefficient, so those 7 operations by Zhang San are considered machine behavior, while the coefficient of variation of Li Si's continuous operations is not smaller than 0.05, so Li Si has no machine behavior.
The embodiment calculates the interval time of the operation behaviors and judges whether the operation behaviors are machine behaviors or not, so that the calculation process is simple and effective and is easy to realize. The required log data is simple and can be applied to any scene. The output result has strong interpretability, and the related records with machine behaviors are easy to find.
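The following Python sketch is an added example, not code from the patent: it runs steps 1 to 4 on the Table 3 data with y = 0.05 and m = 5, and generalizes step c to any increment n. It assumes the population standard deviation (the formula image is not reproduced on this page), counts m in time intervals, and resumes the search from the next position after every start position; all function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

FMT = "%Y-%m-%d %H:%M:%S"
FLUCTUATION = 0.05  # preset fluctuation coefficient y used in the embodiment
MIN_INTERVALS = 5   # preset number m used in the embodiment (assumed: in intervals)

# Operation log (user, operation time) from Table 3, deliberately left unsorted.
LOG = [
    ("Li Si", "2021-10-21 11:23:07"), ("Zhang San", "2021-10-21 10:23:07"),
    ("Zhang San", "2021-10-01 08:55:00"), ("Li Si", "2021-10-01 05:55:00"),
    ("Zhang San", "2021-10-21 10:13:03"), ("Li Si", "2021-10-21 13:33:15"),
    ("Zhang San", "2021-10-21 10:33:15"), ("Li Si", "2021-10-21 14:43:01"),
    ("Zhang San", "2021-10-21 10:43:01"), ("Li Si", "2021-10-21 15:53:03"),
    ("Zhang San", "2021-10-21 10:53:03"), ("Li Si", "2021-10-21 18:03:34"),
    ("Zhang San", "2021-10-21 11:03:14"), ("Li Si", "2021-10-21 19:00:00"),
    ("Zhang San", "2021-10-21 11:13:24"), ("Zhang San", "2021-10-21 14:00:00"),
]


def target_logs(records):
    """Step 1: group by user and sort each group by operation time."""
    groups = defaultdict(list)
    for user, stamp in records:
        groups[user].append(datetime.strptime(stamp, FMT))
    return {user: sorted(times) for user, times in groups.items()}


def intervals(times):
    """Seconds between each pair of adjacent operations (Table 3, without the NaN row)."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def coefficient_of_variation(gaps):
    """Standard deviation / average. Identical gaps (including all-zero) give 0."""
    sd = pstdev(gaps)  # assumption: population standard deviation
    return 0.0 if sd == 0 else sd / mean(gaps)


def longest_regular_run(gaps, m=MIN_INTERVALS, y=FLUCTUATION, n=1):
    """Steps a-d: return (start, size) of the longest window with CV < y, or None."""
    best = None
    start = 0
    while start + m <= len(gaps):
        size = m
        if coefficient_of_variation(gaps[start:start + size]) < y:
            # Step c: keep extending the window by n while it stays regular.
            while (start + size + n <= len(gaps) and
                   coefficient_of_variation(gaps[start:start + size + n]) < y):
                size += n
            if best is None or size > best[1]:
                best = (start, size)
        # Step d (and, by assumption, after a hit too): move to the next position.
        start += 1
    return best


def detect(records, m=MIN_INTERVALS, y=FLUCTUATION):
    """Steps 3-4: per user, report the longest regular run and its operations."""
    findings = {}
    for user, times in target_logs(records).items():
        gaps = intervals(times)
        run = longest_regular_run(gaps, m, y)
        if run is None:
            continue
        start, size = run
        findings[user] = {
            "intervals": size,
            "cv": coefficient_of_variation(gaps[start:start + size]),
            # A run of k intervals spans k + 1 operations.
            "operations": [t.strftime(FMT) for t in times[start:start + size + 1]],
        }
    return findings


if __name__ == "__main__":
    for user, hit in detect(LOG).items():
        print(user, hit["intervals"], round(hit["cv"], 4), hit["operations"])
```

Scheduled legitimate clients (pollers, heartbeats) produce the same regular spacing, so y and m should be tuned against known-good automation before the output is used for alerting.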
Corresponding to the above method, the present embodiment further provides a system for recognizing a machine behavior, as shown in fig. 2, including:
the target log obtaining module is used for obtaining a target log and a time interval of two adjacent operations in the target log, wherein the target log corresponds to the same user and is sequenced according to the operation time of the user;
Specifically, an operation log is obtained first; the operation log contains at least a plurality of users and a plurality of operation times, as exemplified in Table 1.
TABLE 1 user action Log
Figure BDA0003149617080000082
Figure BDA0003149617080000091
The operation log is then grouped by user, and the operations in each group are sorted by operation time, forming one target log per user. Table 2 shows Table 1 after grouping by user and sorting.
TABLE 2 target Log
Figure BDA0003149617080000092
Figure BDA0003149617080000101
The coefficient of variation calculation module is used for calculating the coefficients of variation of different numbers of consecutive time intervals. The specific steps are as follows:
First, the coefficient of variation equals the standard deviation divided by the average value. The standard deviation is the standard deviation of the consecutive time intervals, and its calculation formula is:
Figure BDA0003149617080000102
wherein x_i is the i-th time interval, and
Figure BDA0003149617080000103
is the average of n time intervals. The average value is the average of the consecutive time intervals, and a time interval is the difference between the current operation time and the previous operation time. So first, on the basis of Table 2, the interval time between adjacent operations is calculated, as shown in Table 3.
TABLE 3 time interval table for continuous operation
Figure BDA0003149617080000104
Figure BDA0003149617080000111
Then, the step of calculating the coefficients of variation of different numbers of consecutive time intervals comprises:
step a, taking the first operation time in the target log as the starting position, and calculating the coefficient of variation of the m consecutive time intervals from the starting position;
step b, judging whether the coefficient of variation is smaller than the preset fluctuation coefficient;
step c, if the coefficient of variation is smaller than the preset fluctuation coefficient, calculating the coefficient of variation of the m + n consecutive time intervals from the starting position, and then executing step b again, until all time intervals in the target log have been traversed, wherein n is greater than or equal to 1;
step d, if the coefficient of variation is greater than or equal to the preset fluctuation coefficient, calculating the coefficient of variation of the m consecutive time intervals from the position immediately after the starting position, and then executing step b again, until all time intervals in the target log have been traversed.
In this embodiment, the preset fluctuation coefficient y is set first; the smaller the fluctuation coefficient, the more stable the intervals. A fluctuation coefficient of 0 means the intervals are exactly equal. In practice there are some errors due to the network or other causes, and to tolerate these errors this embodiment sets the preset fluctuation coefficient y to 0.05. Then a minimum number of continuous operations (i.e. the preset number) is set: when the coefficient of variation of the time intervals of 5 continuous operations is smaller than the preset fluctuation coefficient, the operations are considered continuous machine behavior, so the minimum number of continuous operations is 5 in this embodiment. Of course, the preset fluctuation coefficient and the minimum number of continuous operations m may be set differently according to actual business needs and scenarios, which is not limited in this application.
Specifically, in this embodiment, the first operation time in the target log is taken as the starting position and the coefficient of variation of 5 consecutive time intervals from the starting position is calculated. If it is smaller than the preset fluctuation coefficient y (0.05), the coefficient of variation of 6 consecutive time intervals from the starting position is calculated; if that is still smaller than the preset fluctuation coefficient y (0.05), the coefficient of variation of 7 consecutive time intervals from the starting position is calculated, and so on until all time intervals have been traversed. This calculation determines the maximum number of consecutive time intervals for which the coefficient of variation is smaller than the preset fluctuation coefficient. If, on the other hand, the coefficient of variation of the 5 consecutive time intervals is greater than or equal to the preset fluctuation coefficient, the coefficient of variation of the 5 consecutive time intervals starting from the second operation time in the target log is calculated and compared with the preset fluctuation coefficient, and so on until all time intervals have been traversed.
Based on table 3, the coefficients of variation for different numbers of consecutive time intervals for each user calculated according to the above method are shown in table 4.
TABLE 4 coefficient of variation for different numbers of consecutive time intervals
Figure BDA0003149617080000112
Figure BDA0003149617080000121
The maximum consecutive interval number obtaining module is used for obtaining the maximum number of consecutive time intervals for which the coefficient of variation is smaller than the preset fluctuation coefficient. As can be seen from Table 4, the maximum number of consecutive time intervals for which Zhang San's coefficient of variation is smaller than the preset fluctuation coefficient is 7, while Li Si's coefficients of variation are greater than the preset fluctuation coefficient.
The machine behavior identification module is used for confirming the operations corresponding to the maximum number as machine behavior when the maximum number is larger than the preset number.
As can be seen from Table 4, the coefficient of variation of 7 consecutive operations by Zhang San is smaller than the preset fluctuation coefficient, so those 7 operations are considered machine behavior, while Li Si does not reach the minimum of 5 with a coefficient of variation smaller than 0.05, so Li Si has no machine behavior.
The embodiment calculates the interval time of the operation behaviors and judges whether the operation behaviors are machine behaviors or not, so that the calculation process is simple and effective and is easy to realize. The required log data is simple and can be applied to any scene. The output result has strong interpretability, and the related records with machine behaviors are easy to find.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for identifying a machine behavior, comprising:
acquiring a target log and a time interval of two adjacent operations in the target log, wherein the target log corresponds to the same user and is sequenced according to the operation time of the user;
calculating the variation coefficients of different numbers of continuous time intervals respectively;
acquiring the maximum number of continuous time intervals when the variation coefficient is smaller than a preset fluctuation coefficient;
and when the maximum number is larger than the preset number, confirming the operation behavior corresponding to the maximum number as the machine behavior.
2. The method for identifying machine behavior according to claim 1, wherein the step of obtaining a target log comprises:
acquiring an operation log, wherein the operation log at least comprises a plurality of users and a plurality of operation times;
and grouping the operation logs according to the user, and sequencing the operations in each group according to the operation time to respectively form the target logs.
3. The method according to claim 1, wherein the step of calculating the coefficients of variation for different numbers of consecutive time intervals comprises:
step a, taking the operation time ranked first in the target log as the starting position, and calculating the coefficient of variation of m consecutive time intervals from the starting position;
step b, judging whether the coefficient of variation is smaller than the preset fluctuation coefficient;
if the coefficient of variation is smaller than the preset fluctuation coefficient, executing step c: calculating the coefficient of variation of m + n consecutive time intervals from the starting position, and then executing step b, until all time intervals in the target log are traversed, wherein n is greater than or equal to 1;
and if the coefficient of variation is greater than or equal to the preset fluctuation coefficient, executing step d: calculating the coefficient of variation of m consecutive time intervals from the position adjacent to and after the starting position, and then executing step b, until all time intervals in the target log are traversed.
4. The machine behavior recognition method of claim 1, wherein the coefficient of variation is a standard deviation/mean, the standard deviation is a standard deviation of consecutive time intervals, and the mean is a mean of consecutive time intervals.
5. The method of identifying machine behavior of claim 4, wherein the standard deviation calculation formula is:
Figure FDA0003149617070000011
wherein x_i is the i-th time interval,
Figure FDA0003149617070000012
is the average of n time intervals.
6. A system for identifying machine behavior, comprising:
the target log obtaining module is used for obtaining a target log and a time interval of two adjacent operations in the target log, wherein the target log corresponds to the same user and is sequenced according to the operation time of the user;
the coefficient of variation calculation module is used for calculating the coefficients of variation of different numbers of consecutive time intervals respectively;
the maximum number obtaining module of the continuous time intervals is used for obtaining the maximum number of the continuous time intervals when the variation coefficient is smaller than the preset fluctuation coefficient;
and the machine behavior identification module is used for confirming the operation behaviors corresponding to the maximum number as the machine behaviors when the maximum number is larger than the preset number.
7. The machine behavior recognition system of claim 6, wherein the step of obtaining the target log comprises, when the target log obtaining module is executed:
acquiring an operation log, wherein the operation log at least comprises a plurality of users and a plurality of operation times;
and grouping the operation logs according to the user, and sequencing the operations in each group according to the operation time to respectively form the target logs.
8. The machine behavior recognition system of claim 6, wherein the step of calculating the coefficient of variation for different numbers of consecutive time intervals in the coefficient of variation calculation module comprises:
step a, taking the operation time ranked first in the target log as the starting position, and calculating the coefficient of variation of m consecutive time intervals from the starting position;
step b, judging whether the coefficient of variation is smaller than the preset fluctuation coefficient;
if the coefficient of variation is smaller than the preset fluctuation coefficient, executing step c: calculating the coefficient of variation of m + n consecutive time intervals from the starting position, and then executing step b, until all time intervals in the target log are traversed, wherein n is greater than or equal to 1;
and if the coefficient of variation is greater than or equal to the preset fluctuation coefficient, executing step d: calculating the coefficient of variation of m consecutive time intervals from the position adjacent to and after the starting position, and then executing step b, until all time intervals in the target log are traversed.
9. The machine behavior recognition system of claim 6, wherein the coefficient of variation is the standard deviation/mean, the standard deviation is the standard deviation of consecutive time intervals, and the mean is the mean of consecutive time intervals.
10. The machine behavior recognition system of claim 9, wherein the standard deviation calculation formula is:
Figure FDA0003149617070000021
wherein x_i is the i-th time interval,
Figure FDA0003149617070000022
is the average of n time intervals.
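The procedure of claims 1 to 4 (group by user, sort, take the gaps, then run steps a to d) as an added Python example; this is not code from the patent or its applicant. Assumptions: the function names, the starting window m = 5 with growth n = 1, the population standard deviation (the formula image is missing from this page), and the constructed sample log; the thresholds 0.05 and 5 are the ones used in the worked example above.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

def coefficient_of_variation(gaps):
    """Standard deviation / mean. Population std (divide by n) is an assumption."""
    mu = mean(gaps)
    # Gaps of sorted timestamps are >= 0, so a zero mean means every gap is 0.
    return 0.0 if mu == 0 else pstdev(gaps) / mu

def longest_regular_run(gaps, cv_max=0.05, m=5, n=1):
    """Steps a-d: (start, length) of the longest window of gaps with CV < cv_max."""
    best_start, best_len = 0, 0
    for start in range(len(gaps) - m + 1):        # step d: slide start by one
        size, passed = m, 0                       # step a: begin with m gaps
        while (start + size <= len(gaps) and
               coefficient_of_variation(gaps[start:start + size]) < cv_max):
            passed, size = size, size + n         # steps b/c: passed, grow by n
        if passed > best_len:
            best_start, best_len = start, passed
    return best_start, best_len

def detect_machine_behavior(records, cv_max=0.05, min_count=5, m=5, n=1):
    """records: (user, ISO timestamp) pairs in any order -> {user: (first, last, gaps)}."""
    by_user = defaultdict(list)
    for user, ts in records:
        by_user[user].append(datetime.fromisoformat(ts))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        start, length = longest_regular_run(gaps, cv_max, m, n)
        if length > min_count:                    # strictly larger, as in claim 1
            flagged[user] = (times[start], times[start + length], length)
    return flagged

# Constructed sample log (not from the patent's tables): user_a polls about every 10 s.
SAMPLE = [("user_a", f"2021-07-06T10:{t // 60:02d}:{t % 60:02d}")
          for t in (0, 10, 20, 31, 41, 51, 61, 71, 166, 197)]
SAMPLE += [("user_b", f"2021-07-06T10:{t // 60:02d}:{t % 60:02d}")
           for t in (0, 4, 41, 53, 133, 142, 167, 228)]

if __name__ == "__main__":
    for user, (first, last, count) in detect_machine_behavior(SAMPLE).items():
        print(f"{user}: {count} regular intervals from {first} to {last}")
```

The returned tuple gives the first and last operation time of the flagged run, which is what makes the result easy to trace back to the log records.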
CN202110762856.2A 2021-07-06 2021-07-06 Machine behavior recognition method and system Active CN113360899B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110762856.2A CN113360899B (en) 2021-07-06 2021-07-06 Machine behavior recognition method and system

Publications (2)

Publication Number Publication Date
CN113360899A CN113360899A (en) 2021-09-07
CN113360899B CN113360899B (en) 2023-11-21

Family

ID=77538480

Country Status (1)

Country Link
CN (1) CN113360899B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116488948A (en) * 2023-06-25 2023-07-25 上海观安信息技术股份有限公司 Machine behavior abnormality detection method, device, equipment and medium
CN116488948B (en) * 2023-06-25 2023-09-01 上海观安信息技术股份有限公司 Machine behavior abnormality detection method, device, equipment and medium

Also Published As

Publication number Publication date
CN113360899B (en) 2023-11-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant