CN113452685A

CN113452685A - Recognition rule processing method and system, storage medium and electronic equipment

Info

Publication number: CN113452685A
Application number: CN202110690968.1A
Authority: CN
Inventors: 孙泽懿
Original assignee: Shanghai Minglue Artificial Intelligence Group Co Ltd
Current assignee: Shanghai Minglue Artificial Intelligence Group Co Ltd
Priority date: 2021-06-22
Filing date: 2021-06-22
Publication date: 2021-09-28
Anticipated expiration: 2041-06-22
Also published as: CN113452685B

Abstract

The application discloses a processing method, a system, a storage medium and an electronic device for identification rules, wherein the processing method comprises the following steps: and (3) encoding: vectorizing and coding the identified abnormal flow; a learning step: obtaining a plurality of abnormal flow clusters by adopting unsupervised learning on the coded abnormal flow; matching: matching an identification rule for each abnormal traffic in the abnormal traffic cluster; a judging step: judging the number of the identification rules of the abnormal traffic cluster and outputting a judgment result; and (3) identification rule processing step: and identifying the identification rule according to the judgment result to obtain an identification rule classification label. The invention provides a method system for automatically classifying and predicting the rule base, so as to more effectively manage and maintain various rules.

Description

Recognition rule processing method and system, storage medium and electronic equipment

Technical Field

The invention belongs to the field of processing of identification rules, and particularly relates to a method and a system for processing identification rules, a storage medium and electronic equipment.

Background

The identification of the abnormal advertisement flow mainly depends on rules based on experience to judge, and the rule judging system has the defect that some new cheating modes cannot be actively and timely identified, namely, a certain time is needed for collecting and feeding back various information, and then summarization is carried out so as to add new rules.

Meanwhile, with the development of the internet advertising industry, anti-cheating and anti-cheating countermeasures become more and more common, so that more and more abnormal flow identification rules are introduced and used, the used rule set is more and more complicated, unified management and classification are difficult, manual labeling and classification are time-consuming and labor-consuming, and efficiency is underground.

Disclosure of Invention

The embodiment of the application provides a processing method, a processing system, a storage medium and electronic equipment of an identification rule, and aims to at least solve the problem that the existing processing method of the identification rule is low in efficiency.

The invention provides a processing method of an identification rule, which comprises the following steps:

and (3) encoding: vectorizing and coding the identified abnormal flow;

a learning step: obtaining a plurality of abnormal flow clusters by adopting unsupervised learning on the coded abnormal flow;

matching: matching an identification rule for each abnormal traffic in the abnormal traffic cluster;

a judging step: judging the number of the identification rules of the abnormal traffic cluster and outputting a judgment result;

and (3) identification rule processing step: and identifying the identification rule according to the judgment result to obtain an identification rule classification label.

The processing method described above, wherein the identification rule processing step includes:

when the judgment result is that the number of the identification rules is 1, identifying the identification rules to obtain the identification rule classification labels; and when the judgment result shows that the number of the identification rules is more than 1, voting is carried out, the identification rule which appears most in the abnormal flow cluster is selected, and the identification rule is identified to obtain the identification rule classification label.

The processing method further includes:

a prediction step: and predicting the newly generated abnormal flow through a prediction model to obtain a corresponding new identification rule, and updating the existing rule base according to the new identification rule.

The processing method described above, wherein the predicting step includes:

and (3) rule coding: coding the identification rule to obtain an identification rule coding result;

common characteristic coding step: coding the common characteristics of the abnormal flow in each abnormal flow cluster to obtain a common characteristic coding result;

a prediction model construction step: constructing a prediction model according to the identification rule coding result and the common characteristic coding result;

and updating the rule base: and predicting the newly generated abnormal flow through the prediction model to obtain a new identification rule, decoding the new identification rule to obtain a corresponding rule description, and updating the existing rule base through the rule description.

The invention also provides a processing system for identifying rules, which comprises the following steps:

the coding module is used for vectorizing and coding the identified abnormal flow;

the learning module is used for obtaining a plurality of abnormal flow clusters by adopting unsupervised learning on the coded abnormal flow;

a matching module that matches an identification rule for each of the abnormal traffic in the abnormal traffic cluster;

the judging module judges the number of the identification rules of the abnormal traffic cluster and outputs a judging result;

and the identification rule processing module identifies the identification rule according to the judgment result to obtain an identification rule classification label.

The processing system, wherein the identification rule processing module includes:

The processing system further includes:

and the prediction module predicts the newly generated abnormal flow through the prediction model to obtain a correspondingly new identification rule, and updates the existing rule base according to the new identification rule.

The processing system, wherein the prediction module comprises:

the rule coding unit codes the identification rule to obtain an identification rule coding result;

a common feature encoding unit, which encodes the common features of the abnormal traffic in each abnormal traffic cluster to obtain a common feature encoding result;

a prediction model construction unit that constructs a prediction model according to the recognition rule coding result and the common feature coding result;

and the rule base updating unit is used for predicting the newly generated abnormal flow through the prediction model to obtain a new identification rule, decoding the new identification rule to obtain a corresponding rule description, and updating the existing rule base through the rule description.

The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements any of the processing methods when executing the computer program.

The present invention also provides a storage medium having a computer program stored thereon, wherein the program realizes any of the processing methods described when executed by a processor.

The invention has the beneficial effects that:

the invention belongs to the field of data mining in data capacity, and provides a method system for automatically classifying and predicting a rule base so as to more effectively manage and maintain various rules. Meanwhile, the invention also provides a methodology for coding and calculating the rules, so as to realize effective calculation and processing of various rules by using a more advanced mathematical method.

Drawings

The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application.

In the drawings:

FIG. 1 is a flow chart of a method of processing an identification rule of the present invention;

FIG. 2 is a flowchart of step S6 of FIG. 1;

FIG. 3 is a schematic diagram of the structure of a processing system for identifying rules of the present invention;

fig. 4 is a frame diagram of an electronic device according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.

It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.

Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.

Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.

The present invention is described in detail with reference to the embodiments shown in the drawings, but it should be understood that these embodiments are not intended to limit the present invention, and those skilled in the art should understand that functional, methodological, or structural equivalents or substitutions made by these embodiments are within the scope of the present invention.

Before describing in detail the various embodiments of the present invention, the core inventive concepts of the present invention are summarized and described in detail by the following several embodiments.

The first embodiment is as follows:

the invention provides a processing method of an identification rule, and aims to provide a method logic for automatically classifying various existing and newly added abnormal flow identification rules so as to further optimize automatic classification management of complicated rules.

Different abnormal flows can be identified by different rules, after vectorization is carried out on various abnormal flows, an unsupervised learning model is adopted for clustering, then corresponding identification rules are found for each clustered cluster, the rules are constructed into corresponding rule clusters, and then expert judgment is introduced for refinement. The method comprises the following specific steps:

referring to fig. 1, fig. 1 is a flowchart of a processing method of an identification rule. As shown in fig. 1, the processing method of the identification rule of the present invention includes:

encoding step S1: vectorizing and coding the identified abnormal flow;

learning step S2: obtaining a plurality of abnormal flow clusters by adopting unsupervised learning on the coded abnormal flow;

matching step S3: matching an identification rule for each abnormal traffic in the abnormal traffic cluster;

determination step S4: judging the number of the identification rules of the abnormal traffic cluster and outputting a judgment result;

identification rule processing step S5: identifying the identification rule according to the judgment result to obtain an identification rule classification label;

wherein the identification rule processing step S5 includes:

Prediction step S6: and predicting the newly generated abnormal flow through a prediction model to obtain a corresponding new identification rule, and updating the existing rule base according to the new identification rule.

Referring to fig. 2, fig. 2 is a flowchart of the prediction step S6. As shown in fig. 2, the prediction step S6 of the present invention includes:

rule encoding step S61: coding the identification rule to obtain an identification rule coding result;

common feature encoding step S62: coding the common characteristics of the abnormal flow in each abnormal flow cluster to obtain a common characteristic coding result;

prediction model construction step S63: constructing a prediction model according to the identification rule coding result and the common characteristic coding result;

rule base update step S64: and predicting the newly generated abnormal flow through the prediction model to obtain a new identification rule, decoding the new identification rule to obtain a corresponding rule description, and updating the existing rule base through the rule description.

Specifically, vectorization coding is carried out on the identified abnormal flow;

then, carrying out classification and aggregation on the encoded abnormal flow by adopting unsupervised learning, such as clustering, so as to form a plurality of abnormal flow clusters;

then finding out a corresponding identification rule for each abnormal flow in each found abnormal flow cluster;

if each cluster has more than one corresponding rule, voting is carried out, and the rule with the largest number of corresponding abnormal flows is selected;

if each cluster only has one corresponding rule, the rules are properly coded;

further, coding the common characteristics of the abnormal flow of each cluster;

and then, outputting a rule coding result of the cluster as a model, inputting a coding result of the common characteristic of the abnormal flow of each cluster as a model, establishing a prediction model, and performing training and verification.

And (3) selecting the rule with the largest number of corresponding abnormal flows, namely completing the classification label of the rule used for identifying the existing abnormal flows, when a new abnormal flow is identified (an irregular class identification system may be used, for example, a model-based identification method), predicting the corresponding rule by using the model output in the eighth step, encoding and decoding the predicted rule into a rule description by using a decoding method, and finally checking and confirming by an expert and updating the rule base.

Example two:

referring to fig. 3, fig. 3 is a schematic structural diagram of a processing system for identifying rules according to the present invention. Fig. 3 shows a processing system for identifying rules, which includes:

Wherein the identification rule processing module comprises:

Wherein, still include:

Wherein the prediction module comprises:

Example three:

referring to fig. 4, this embodiment discloses a specific implementation of an electronic device. The electronic device may include a processor 81 and a memory 82 storing computer program instructions.

Specifically, the processor 81 may include a Central Processing Unit (CPU), or A Specific Integrated Circuit (ASIC), or may be configured to implement one or more Integrated circuits of the embodiments of the present Application.

Memory 82 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 82 may include a Hard Disk Drive (Hard Disk Drive, abbreviated to HDD), a floppy Disk Drive, a Solid State Drive (SSD), flash memory, an optical Disk, a magneto-optical Disk, tape, or a Universal Serial Bus (USB) Drive or a combination of two or more of these. Memory 82 may include removable or non-removable (or fixed) media, where appropriate. The memory 82 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 82 is a Non-Volatile (Non-Volatile) memory. In particular embodiments, Memory 82 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically rewritable ROM (EAROM), or FLASH Memory (FLASH), or a combination of two or more of these, where appropriate. The RAM may be a Static Random-Access Memory (SRAM) or a Dynamic Random-Access Memory (DRAM), where the DRAM may be a Fast Page Mode Dynamic Random-Access Memory (FPMDRAM), an Extended data output Dynamic Random-Access Memory (EDODRAM), a Synchronous Dynamic Random-Access Memory (SDRAM), and the like.

The memory 82 may be used to store or cache various data files for processing and/or communication use, as well as possible computer program instructions executed by the processor 81.

The processor 81 implements a processing method of any one of the identification rules in the above embodiments by reading and executing computer program instructions stored in the memory 82.

In some of these embodiments, the electronic device may also include a communication interface 83 and a bus 80. As shown in fig. 4, the processor 81, the memory 82, and the communication interface 83 are connected via the bus 80 to complete communication therebetween.

The communication interface 83 is used for implementing communication between modules, devices, units and/or equipment in the embodiment of the present application. The communication port 83 may also be implemented with other components such as: the data communication is carried out among external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation and the like.

The bus 80 includes hardware, software, or both to couple the components of the electronic device to one another. Bus 80 includes, but is not limited to, at least one of the following: data Bus (Data Bus), Address Bus (Address Bus), Control Bus (Control Bus), Expansion Bus (Expansion Bus), and Local Bus (Local Bus). By way of example, and not limitation, Bus 80 may include an Accelerated Graphics Port (AGP) or other Graphics Bus, an Enhanced Industry Standard Architecture (EISA) Bus, a Front-Side Bus (Front Side Bus), an FSB (FSB), a Hyper Transport (HT) Interconnect, an ISA (ISA) Bus, an Infini Band Interconnect, a Low Pin Count (LPC) Bus, a memory Bus, a microchannel Architecture (MCA) Bus, a PCI (Peripheral Component Interconnect) Bus, a PCI-Express (PCI-X) Bus, a Serial Advanced Technology Attachment (SATA) Bus, a Video Electronics Bus (audio Electronics Association), abbreviated VLB) bus or other suitable bus or a combination of two or more of these. Bus 80 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.

The electronic device may implement the methods described in connection with fig. 1-2 based on the processing of the recognition rules.

In addition, in combination with the processing method of the identification rule in the foregoing embodiments, the embodiments of the present application may provide a computer-readable storage medium to implement. The computer readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement a method of processing an identification rule of any of the above embodiments.

The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.

In conclusion, the advertisement anti-fraud model to be adopted by the scheme is a multi-input-single-output model, the characteristics do not need to be manually constructed, the problems of gradient disappearance and gradient explosion during model training can be effectively relieved through the deep residual error network, and various abnormal traffic types can be effectively identified.

The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims

1. A method for processing an identification rule, comprising:

and (3) encoding: vectorizing and coding the identified abnormal flow;

2. The process of claim 1, wherein the identification rule processing step comprises:

3. The processing method of claim 1, further comprising:

4. The processing method of claim 3, wherein the predicting step comprises:

5. A system for processing an identification rule, comprising:

6. The processing system of claim 5, wherein the identification rule processing module comprises:

7. The processing system of claim 5, further comprising:

8. The processing system of claim 7, wherein the prediction module comprises:

9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the processing method according to any one of claims 1 to 4 when executing the computer program.

10. A storage medium on which a computer program is stored, which program, when being executed by a processor, carries out the processing method of any one of claims 1 to 4.