CN114492576A - Abnormal user detection method, system, storage medium and electronic equipment - Google Patents

Publication number: CN114492576A
Authority: CN (China)
Prior art keywords: uniform resource, resource locator, time sequence, user, abnormal
Legal status: Pending
Application number: CN202111585007.0A
Other languages: Chinese (zh)
Inventors: 韩志松, 王鑫渊, 林顺东, 许金旺
Current Assignee: Tianyi Cloud Technology Co Ltd
Original Assignee: Tianyi Cloud Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/25 Fusion techniques
    • G06F18/253 Fusion techniques of extracted features
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/088 Non-supervised learning, e.g. competitive learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/018 Certifying business or products
    • G06Q30/0185 Product, service or business identity fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/102 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce


Abstract

The invention discloses a method, a system, a storage medium and an electronic device for detecting abnormal users. The method comprises the following steps: acquiring a uniform resource locator record of historical access of a user; converting the uniform resource locator record into a uniform resource locator feature vector; performing time-series processing according to the uniform resource locator feature vector to obtain features with a time-series association; and calculating according to the features with the time-series association to obtain an abnormality result for the user corresponding to the uniform resource locator record. In the method and the device, the uniform resource locator records of the user's historical accesses are analyzed and converted into feature vectors, the time-series association information among the records is obtained from their time order, and finally the risk level is assigned based on the features carrying the time-series association information. Abnormal users are therefore detected without specifying an application scenario, so the abnormal user detection method can be applied to different scenarios and is more adaptable.

Description

Abnormal user detection method, system, storage medium and electronic equipment
Technical Field
The invention relates to the technical field of data processing, in particular to a method, a system, a storage medium and electronic equipment for detecting abnormal users.
Background
With the continued spread and development of the internet, many unscrupulous merchants operate large numbers of users to carry out fraudulent activities such as fake reviews and malicious order brushing on the major e-commerce platforms, inducing customers to purchase defective products and seriously damaging customers' interests. Users can be classified into normal users and abnormal users controlled by scripts. Abnormal users access the website through abnormal operations such as high-frequency repetition, which not only increases the load on the website but is also highly likely to cause the platform huge property losses.
At present, abnormal user access is mainly intercepted by manually established rules, such as limiting the rate at which a single IP (Internet Protocol) address accesses the website. However, these rules are usually tied to specific application scenarios and are not universal.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, a system, a storage medium, and an electronic device for detecting an abnormal user, so as to solve the technical problem that the prior art lacks a general way of intercepting or detecting abnormal users.
The technical scheme provided by the invention is as follows:
A first aspect of the embodiments of the present invention provides a method for detecting an abnormal user, including: acquiring a uniform resource locator record of historical access of a user; converting the uniform resource locator record into a uniform resource locator feature vector; performing time-series processing according to the uniform resource locator feature vector to obtain features with a time-series association; and calculating according to the features with the time-series association to obtain an abnormality result for the user corresponding to the uniform resource locator record.
Optionally, acquiring the uniform resource locator record of historical access of the user includes: acquiring the uniform resource locator record of historical access of the user according to a preset Internet Protocol address and/or browser identifier.
Optionally, converting the uniform resource locator record into a uniform resource locator feature vector includes: training an unsupervised learning model with a uniform resource locator training set to obtain a vector mapping model; and inputting the uniform resource locator training set into the vector mapping model to obtain the uniform resource locator feature vector.
Optionally, performing time-series processing according to the uniform resource locator feature vector to obtain features with a time-series association includes: position-encoding the uniform resource locator feature vector to obtain position encoding information; fusing the position encoding information with the uniform resource locator feature vector to obtain fused features; and inputting the fused features into a pre-trained encoding model based on a multi-head attention mechanism, or into a pre-trained long short-term memory artificial neural network, to obtain the features with a time-series association.
Optionally, calculating according to the features with the time-series association to obtain the abnormality result for the user corresponding to the uniform resource locator record includes: inputting the features with the time-series association into a pre-trained classification model to obtain the abnormality result for the user corresponding to the uniform resource locator record.
Optionally, the classification model comprises an average pooling layer, a fully connected layer and a classification layer; or the classification model comprises a Logistic regression model; or the classification model comprises a support vector machine model.
Optionally, the position encoding is expressed by the following formula:
Figure BDA0003426187320000021
where pos is the position of the uniform resource locator (pos = 0, 1, 2, …, m-1), n is the dimension of the feature vector, and i is the dimension position (i = 0, 1, 2, …, n-1).
A second aspect of the embodiments of the present invention provides a system for detecting an abnormal user, including: a record acquisition module for acquiring a uniform resource locator record of historical access of a user; a vector conversion module for converting the uniform resource locator record into a uniform resource locator feature vector; a time-series processing module for performing time-series processing according to the uniform resource locator feature vector to obtain features with a time-series association; and an abnormality judgment module for calculating according to the features with the time-series association to obtain an abnormality result for the user corresponding to the uniform resource locator record.
A third aspect of the embodiments of the present invention provides a computer-readable storage medium storing computer instructions, the computer instructions being configured to cause a computer to execute the abnormal user detection method according to the first aspect, or any implementation of the first aspect, of the embodiments of the present invention.
A fourth aspect of the embodiments of the present invention provides an electronic device, including a memory and a processor that are communicatively connected to each other, wherein the memory stores computer instructions and the processor executes the computer instructions so as to perform the abnormal user detection method according to the first aspect, or any implementation of the first aspect, of the embodiments of the present invention.
The technical scheme provided by the invention has the following effects:
With the abnormal user detection method, system, storage medium and electronic device, the uniform resource locator records of the user's historical accesses are analyzed and converted into feature vectors, the time-series association information among the uniform resource locator records is obtained from their time order, and finally the abnormal user is detected based on the features carrying the time-series association information. The abnormal user detection method therefore detects abnormal users without specifying an application scenario, so it can be applied to different scenarios and is more adaptable.
The abnormal user detection method provided by the embodiments of the invention can be applied to website risk control management and also to user behavior analysis management; that is, it is suitable for different scenarios. Property loss to the platform can be prevented, and customized management can be applied to different users.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow chart of an abnormal user detection method according to an embodiment of the present invention;
FIG. 2 is a flow chart of log collection for an abnormal user detection method according to an embodiment of the present invention;
FIG. 3 is a schematic view of the Doc2Vec structure of an abnormal user detection method according to an embodiment of the present invention;
FIG. 4 is a flow chart of an abnormal user detection method according to another embodiment of the present invention;
FIG. 5 is a schematic structural diagram of the encoder in a Transformer of an abnormal user detection method according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of the classification model of an abnormal user detection method according to an embodiment of the present invention;
FIG. 7 is a flow chart of an abnormal user detection method according to another embodiment of the present invention;
FIG. 8 is a block diagram of the structure of an abnormal user detection system according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a computer-readable storage medium provided in accordance with an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an electronic device provided in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of the present invention provides a method for detecting an abnormal user. As shown in FIG. 1, the method includes the following steps:
Step S101: acquiring a uniform resource locator record of historical access of a user.
Specifically, the Uniform Resource Locator (URL) records of all users may be retrieved from the existing log. The log includes the URL records of normal users and the URL records of abnormal users detected by existing preset rules, such as limiting the rate at which a single IP accesses the website. When abnormal users are detected, the user in question can be specified by Internet Protocol address (IP) and/or browser identifier (UA); the URL record information of that user is filtered from the log and used to judge whether the user is an abnormal user. The user may be specified by IP alone or by a combination of IP and UA. For example, an IP is specified and the m URL records of all its visits over the past week are obtained.
In one embodiment, the open-source real-time log analysis platform ELK is used to extract Uniform Resource Locator (URL) records from the existing logs. ELK consists of three open-source tools: Elasticsearch, Logstash and Kibana. When the platform works, logs are collected by Logstash, stored in Elasticsearch (which stores, indexes and searches them), and then displayed by Kibana. Logstash is a tool for collecting, analyzing and filtering logs; Elasticsearch is an open-source distributed search engine that provides search, analysis and storage of data; Kibana provides a web interface for log analysis on top of Logstash and Elasticsearch and helps to summarize, analyze and search important log data.
In an embodiment, as shown in FIG. 2, Filebeat may be used to collect logs on multiple servers; the logs are then sent together to Logstash, handed to Elasticsearch for full-text search, and operated on through the Kibana web interface. Filebeat is a lightweight log collection agent deployed on the client side that extracts logs while consuming very few resources compared with Logstash. Alternatively, multiple Logstash instances can be used directly to obtain the logs on multiple servers.
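The selection described in step S101 (one IP, optionally narrowed by UA, over the past week, in time order) can be sketched as follows. This is an added example, not code from the patent; the combined access-log format, the sample lines, the fixed "current time" and the function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = '''\
203.0.113.7 - - [14/Dec/2021:10:00:03 +0000] "GET /item/42/review HTTP/1.1" 200 812 "-" "python-requests/2.26"
198.51.100.9 - - [14/Dec/2021:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2021:10:00:01 +0000] "GET /login?next=/item/42 HTTP/1.1" 200 640 "-" "python-requests/2.26"
203.0.113.7 - - [14/Dec/2021:10:00:05 +0000] "POST /item/42/review HTTP/1.1" 201 96 "-" "python-requests/2.26"
203.0.113.7 - - [01/Dec/2021:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2021:11:30:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
'''

# Constructed "current time" so the one-week window is reproducible.
NOW = datetime(2021, 12, 15, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["ts"] = datetime.strptime(record["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return record


def parse_log(log_text):
    """Parse all well-formed lines, silently skipping malformed ones."""
    return [r for r in map(parse_line, log_text.splitlines()) if r]


def url_history(log_text, ip, ua=None, now=None, days=7):
    """Time-ordered URLs requested by `ip` (and `ua`, if given) in the last `days`."""
    records = parse_log(log_text)
    if not records:
        return []
    now = now or max(r["ts"] for r in records)
    start = now - timedelta(days=days)
    hits = [
        r for r in records
        if r["ip"] == ip
        and (ua is None or r["ua"] == ua)
        and start <= r["ts"] <= now
    ]
    hits.sort(key=lambda r: r["ts"])  # log lines may arrive out of order
    return [r["url"] for r in hits]


def agents_for_ip(log_text, ip):
    """Distinct UA strings seen behind one IP (e.g. several clients behind NAT)."""
    return sorted({r["ua"] for r in parse_log(log_text) if r["ip"] == ip})


if __name__ == "__main__":
    print(url_history(SAMPLE_LOG, "203.0.113.7", now=NOW))
    print(url_history(SAMPLE_LOG, "203.0.113.7", ua="python-requests/2.26", now=NOW))
    print(agents_for_ip(SAMPLE_LOG, "203.0.113.7"))
```

In the sample, selecting by IP alone mixes a browser request into the scripted sequence, while the IP and UA combination isolates the three scripted requests.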
Step S102: converting the uniform resource locator record into a uniform resource locator feature vector. Specifically, so that the URL can be better identified, the URL may be converted into the form of a feature vector, which facilitates subsequent processing. In an embodiment, the Doc2Vec algorithm may be adopted to generate the feature vector, and the conversion may also be implemented with other algorithms such as BoW or Word2Vec.
Step S103: performing time-series processing according to the uniform resource locator feature vector to obtain features with a time-series association.
In one embodiment, the URL records are arranged in time order, and there is time-series association information among the URL records, which plays an important role in identifying whether a user is a normal user. The feature vectors generated by the conversion can therefore be subjected to time-series processing so that the generated features include the time-series association.
The time-series processing can be implemented with a time-series association algorithm. For example, the encoder module of a Transformer can be used, or a Long Short-Term Memory (LSTM) artificial neural network.
Step S104: calculating according to the features with the time-series association to obtain an abnormality result for the user corresponding to the uniform resource locator record. Specifically, the features with the time-series association may be input into a pre-trained classification model for binary classification, and whether the corresponding user is an abnormal user is determined from the output. After the features with the time-series association are processed by the pre-trained classification model, a score is output, and different risk levels can be determined from the score. Once the risk levels are obtained, corresponding operations can be performed on different users according to their risk levels, such as direct interception or adding human-machine interaction operations.
In one embodiment, the pre-trained classification model may be obtained by training on features with a time-series association extracted from the URL records of normal users and abnormal users. The URL records of normal users and abnormal users can be obtained from the existing log, which includes both the URL records of normal users and the URL records of abnormal users detected by existing preset rules, such as limiting the rate at which a single IP accesses the website.
The abnormal user detection method provided by the embodiment of the invention analyzes the uniform resource locator records of the user's historical accesses, converts them into feature vectors, obtains the time-series association information among the uniform resource locator records from their time order, and finally judges the abnormal user based on the features carrying the time-series association information. The abnormal user detection method therefore detects abnormal users without specifying an application scenario, so it can be applied to different scenarios and is more adaptable.
The abnormal user detection method provided by the embodiment of the invention can be applied to website risk control management and also to user behavior analysis management; that is, it is suitable for different scenarios. Property loss to the platform can be prevented, and customized management can be applied to different users.
In one embodiment, converting the uniform resource locator record into a uniform resource locator feature vector comprises: training an unsupervised learning model with a uniform resource locator training set to obtain a vector mapping model; and inputting the uniform resource locator training set into the vector mapping model to obtain the uniform resource locator feature vector. The unsupervised learning model can be based on the Doc2Vec algorithm, or on other algorithms such as BoW or Word2Vec.
Specifically, the training process is described below taking the Doc2Vec algorithm as an example. The Doc2Vec algorithm maps text of variable length to a feature vector of fixed length. In Doc2Vec, each sentence is represented by a unique vector, such as a column of the matrix D. Each word is also represented by a unique vector, such as a column of the matrix W. During training, a fixed-length window of words is sampled from a sentence by sliding; one word is taken as the word to predict and the other words are taken as input words. The word vectors of the input words and the sentence vector (Paragraph Vector) of the sentence are the input of the input layer; the sentence vector and the word vectors sampled this time are averaged or summed to form a new vector X, and the vector X is used to predict the target word of the current window.
As shown in FIG. 3, suppose a URL training set contains N URLs, each URL is treated as a sentence, and the URLs contain M different words. Each URL vector then corresponds to a column of the matrix D, and each word vector corresponds to a column of the matrix W. Assume the training set contains the URL https://www.test.com/test; the word vector in the URL includes the https, www, test, com, and login sections. During training, a URL vector (sentence vector), i.e. a vector containing the complete information of the URL, is connected with four word vectors of three words, www, test and com, as input, and a classifier is then used to predict the next word, which completes the training of the unsupervised learning model and yields the vector mapping model of this embodiment.
When the vector mapping model is used to calculate the feature vector of a new URL, a column corresponding to the newly added URL is added to the URL vector matrix D; the matrix W and the parameters of the rest of the network are then held fixed, and gradient descent is iterated on the matrix D until a stable sentence vector is obtained. In this way, m URLs can be mapped into m n-dimensional feature vectors by Doc2Vec.
In an embodiment, as shown in FIG. 4, performing time-series processing according to the uniform resource locator feature vector to obtain features with a time-series association includes the following steps:
Step S201: position-encoding the uniform resource locator feature vector to obtain position encoding information. Because the user accesses the corresponding URLs in a certain time order, different URLs need to be position-encoded to represent the sequential position relationship between the accessed URLs. The position encoding uses trigonometric functions.
Specifically, the position encoding is expressed by the following formula:
Figure BDA0003426187320000091
where pos is the position of the uniform resource locator (pos = 0, 1, 2, …, m-1), n is the dimension of the feature vector, and i is the dimension position (i = 0, 1, 2, …, n-1).
Step S202: fusing the position encoding information with the uniform resource locator feature vector to obtain fused features. Specifically, by calculating the position encoding information of the uniform resource locator feature vectors, each URL feature vector with n feature dimensions obtains corresponding position encoding information represented by an n-dimensional vector. The two can therefore be fused to obtain a fused feature. For example, the uniform resource locator feature vector and the position encoding information represented by the n-dimensional vector are added, which fuses the position information into the corresponding feature vector.
Step S203: inputting the fused features into a pre-trained encoding model based on a multi-head attention mechanism, or into a pre-trained long short-term memory artificial neural network, to obtain the features with a time-series association. Applying the encoder of a Transformer or an LSTM to the fused features yields the time-series association information among the URLs accessed by the user.
Specifically, the time-series association processing is described below taking a pre-trained encoding model based on a multi-head attention mechanism as an example. The encoding model based on the multi-head attention mechanism can adopt the encoder structure of a Transformer. As shown in FIG. 5, after the fused features are obtained, they are input into the multi-head attention module of the structure; the output of the multi-head attention module is added to the original fused input features as a residual connection and normalized; the normalized features are then input into the feed-forward module, on which a residual operation is also performed, and the output of that module is added to the normalized output and normalized again, so that the final features with a time-series association are output.
In an embodiment, calculating according to the features with the time-series association to obtain the risk level of the user corresponding to the uniform resource locator record includes: inputting the features with the time-series association into a pre-trained classification model to obtain the risk level of the user corresponding to the uniform resource locator record. The classification model includes an average pooling layer, a fully connected layer and a classification layer; or the classification model comprises a Logistic regression model; or the classification model comprises a support vector machine model.
Specifically, when m URL records are acquired for the calculation, the features with a time-series association obtained through the time-series processing comprise m feature vectors of dimension n. Taking them as the input of the pre-trained classification model and performing binary classification yields the probability that the corresponding user is an abnormal user.
As shown in FIG. 6, when the classification model includes an average pooling layer, a fully connected layer and a classification layer, and the features with a time-series association are input into the pre-trained model, the m feature vectors are averaged by the average pooling layer, and binary classification is then performed by the fully connected layer and the classification layer (sigmoid or softmax). In addition, the pre-trained classification model may also adopt a Logistic regression algorithm or a Support Vector Machine (SVM) algorithm, which is not limited in the embodiment of the present invention.
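Steps S201 to S203 followed by average pooling can be traced end to end in plain Python. This is an added example, not code from the patent: the position formula is assumed to be the standard Transformer sinusoid (the patent's own formula survives here only as a figure reference), a bag-of-words vocabulary stands in for the trained vector mapping model, a single-head self-attention with identity projections stands in for the pre-trained encoder, and the URLs are constructed. It shows that without position encoding the pooled session feature is identical for any visiting order, and that with it the order changes the feature.

```python
import math
import re

# Constructed "training set"; the vocabulary built from it is a bag-of-words
# stand-in for the trained vector mapping model (assumption, not Doc2Vec).
TRAIN_URLS = ["/login", "/item/42", "/item/42/review", "/cart", "/checkout"]


def words(url):
    """Split a URL into its words, e.g. '/item/42' -> ['item', '42']."""
    return [w for w in re.split(r"[^A-Za-z0-9]+", url.lower()) if w]


def build_vocab(urls):
    vocab = {}
    for url in urls:
        for word in words(url):
            vocab.setdefault(word, len(vocab))
    return vocab


VOCAB = build_vocab(TRAIN_URLS)
N_DIM = len(VOCAB) + 1  # n; the last slot collects words not seen in training


def url_vector(url):
    """Map one URL to a unit-length n-dimensional feature vector."""
    vec = [0.0] * N_DIM
    for word in words(url):
        vec[VOCAB.get(word, N_DIM - 1)] += 1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def position_encoding(pos, n):
    """ASSUMED formula: sin on even dimension positions, cos on odd ones."""
    code = []
    for i in range(n):
        angle = pos / (10000 ** ((i - i % 2) / n))
        code.append(math.sin(angle) if i % 2 == 0 else math.cos(angle))
    return code


def fuse(vectors, use_position=True):
    """Step S202: add the position code of each slot to its URL vector."""
    if not use_position:
        return [list(v) for v in vectors]
    return [
        [x + p for x, p in zip(vec, position_encoding(pos, len(vec)))]
        for pos, vec in enumerate(vectors)
    ]


def self_attention(seq):
    """Scaled dot-product self-attention plus residual (untrained stand-in)."""
    n = len(seq[0])
    out = []
    for query in seq:
        scores = [sum(a * b for a, b in zip(query, key)) / math.sqrt(n) for key in seq]
        top = max(scores)
        weights = [math.exp(s - top) for s in scores]
        total = sum(weights)
        context = [
            sum(w * key[d] for w, key in zip(weights, seq)) / total
            for d in range(n)
        ]
        out.append([q + c for q, c in zip(query, context)])
    return out


def mean_pool(seq):
    """Average pooling over the m per-URL feature vectors."""
    return [sum(vec[d] for vec in seq) / len(seq) for d in range(len(seq[0]))]


def session_feature(urls, use_position=True):
    fused = fuse([url_vector(u) for u in urls], use_position)
    return mean_pool(self_attention(fused))


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


if __name__ == "__main__":
    visit = ["/login", "/item/42", "/item/42/review", "/cart"]
    swapped = [visit[1], visit[0], visit[2], visit[3]]
    print(distance(session_feature(visit, False), session_feature(swapped, False)))
    print(distance(session_feature(visit, True), session_feature(swapped, True)))
```

Adding the position code and then averaging directly would still be order-invariant, since the mean of the fused vectors does not depend on order; the order only becomes visible once the attention (or LSTM) layer mixes the fused vectors.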
The output of the pre-trained classification model is a value between 0 and 1, and the higher the output value, the more likely the user is an abnormal user. A plurality of user levels can therefore be divided according to the value, with different user levels corresponding to different operations. That is, users of different levels are handled differently when they access the website. If the value is 0, interception can be carried out directly.
In one embodiment, as shown in FIG. 7, the following process may be adopted to detect abnormal users: the uniform resource locator records of users' historical accesses are acquired from the log, and the URL records of a specified user are then obtained by specifying an IP or UA for anomaly detection. After the URL records are obtained, they are first converted into URL feature vectors by a vector mapping model such as Doc2Vec; time-series processing is then performed with the encoder of a Transformer to obtain features with a time-series association; the features are input into a classification model with a fully connected layer and a classification layer for binary classification to obtain a classification result; and the abnormal user is detected according to the classification result.
An embodiment of the present invention further provides a system for detecting an abnormal user, as shown in fig. 8, where the system includes:
a record acquisition module, configured to acquire a uniform resource locator record of historical access of a user; for details, refer to the corresponding parts of the above method embodiments, which are not repeated here.
a vector conversion module, configured to convert the uniform resource locator record into a uniform resource locator feature vector; for details, refer to the corresponding parts of the above method embodiments, which are not repeated here.
a time sequence processing module, configured to perform time sequence processing according to the uniform resource locator feature vector to obtain features with a time sequence association relationship; for details, refer to the corresponding parts of the above method embodiments, which are not repeated here.
and an abnormity judgment module, configured to calculate according to the features with the time sequence association relationship to obtain an abnormal result of the uniform resource locator record corresponding to the user. For details, refer to the corresponding parts of the above method embodiments, which are not repeated here.
The abnormal user detection system provided by the embodiment of the invention analyzes the uniform resource locator records of the user's historical access, converts them into feature vectors, obtains the time sequence association information among the records based on their time order, and finally performs risk level division based on the features carrying the time sequence association information. The system therefore detects abnormal users without requiring a specified application scenario, so it can be applied to different scenarios and has stronger adaptability.
The abnormal user detection system provided by the embodiment of the invention can be applied to a website risk control management scenario and also to user behavior analysis management, that is, it is suitable for different scenarios. It can prevent loss of platform assets while allowing customized management for different users.
For a description of the functions of the abnormal user detection system provided by the embodiment of the invention, refer to the detailed description of the abnormal user detection method in the above embodiment.
An embodiment of the present invention further provides a storage medium, as shown in fig. 9, on which a computer program 601 is stored, where the program, when executed by a processor, implements the steps of the abnormal user detection method in the foregoing embodiment. The storage medium also stores audio and video stream data, characteristic frame data, interactive request signaling, encrypted data, preset data sizes and the like. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk Drive (HDD), a Solid State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kinds described above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kind described above.
An embodiment of the present invention further provides an electronic device. As shown in fig. 10, the electronic device may include a processor 51 and a memory 52, where the processor 51 and the memory 52 may be connected by a bus or in another manner; fig. 10 takes connection by a bus as an example.
The processor 51 may be a Central Processing Unit (CPU). The processor 51 may also be another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory 52, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as the corresponding program instructions/modules in the embodiments of the present invention. The processor 51 executes various functional applications and data processing of the processor by running non-transitory software programs, instructions and modules stored in the memory 52, that is, implements the abnormal user detection method in the above method embodiment.
The memory 52 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 51, and the like. Further, the memory 52 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 52 may optionally include memory located remotely from the processor 51, and these remote memories may be connected to the processor 51 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 52 and, when executed by the processor 51, perform the abnormal user detection method of the embodiment shown in fig. 1-7.
The details of the electronic device may be understood by referring to the corresponding descriptions and effects in the embodiments shown in fig. 1 to fig. 7, which are not described herein again.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. An abnormal user detection method, comprising:
acquiring a uniform resource locator record of historical access of a user;
converting the uniform resource locator record into a uniform resource locator feature vector;
performing time sequence processing according to the uniform resource locator feature vector to obtain features with a time sequence association relationship;
and calculating according to the features with the time sequence association relationship to obtain an abnormal result of the uniform resource locator record corresponding to the user.
2. The abnormal user detection method of claim 1, wherein obtaining a uniform resource locator record of historical access by the user comprises:
and acquiring the uniform resource locator record of the historical access of the user according to the preset Internet protocol address and/or browser identification.
3. The abnormal user detection method of claim 1, wherein converting the uniform resource locator record into a uniform resource locator feature vector comprises:
training an unsupervised learning model by adopting a uniform resource locator training set to obtain a vector mapping model;
and inputting the uniform resource locator training set into the vector mapping module to obtain a uniform resource locator feature vector.
4. The method according to claim 1, wherein performing time sequence processing according to the uniform resource locator feature vector to obtain features with a time sequence association relationship comprises:
performing position coding on the uniform resource locator feature vector to obtain position coding information;
fusing the position coding information and the uniform resource locator feature vector to obtain fused features;
and inputting the fused features into a pre-trained coding model based on a multi-head attention mechanism or a pre-trained long short-term memory artificial neural network to obtain the features with the time sequence association relationship.
5. The method according to claim 1, wherein calculating according to the features with the time sequence association relationship to obtain the abnormal result of the uniform resource locator record corresponding to the user comprises:
and inputting the features with the time sequence association relationship into a pre-trained classification model to obtain the abnormal result of the uniform resource locator record corresponding to the user.
6. The abnormal user detection method according to claim 5,
the classification model includes: an average pooling layer, a fully connected layer and a classification layer; or
the classification model comprises a logistic regression model; or
the classification model comprises a support vector machine model.
7. The abnormal user detection method according to claim 4, wherein the position code is expressed by the following formula:
Figure FDA0003426187310000021
where pos is the position where the uniform resource locator is located (pos is 0, 1, 2, …, m-1), n is the dimension of the feature vector, and i is the dimension position (i is 0, 1, 2, …, n-1).
8. An abnormal user detection system, comprising:
a record acquisition module, configured to acquire a uniform resource locator record of historical access of a user;
a vector conversion module, configured to convert the uniform resource locator record into a uniform resource locator feature vector;
a time sequence processing module, configured to perform time sequence processing according to the uniform resource locator feature vector to obtain features with a time sequence association relationship;
and an abnormity judgment module, configured to calculate according to the features with the time sequence association relationship to obtain an abnormal result of the uniform resource locator record corresponding to the user.
9. A computer-readable storage medium storing computer instructions for causing a computer to perform the abnormal user detection method according to any one of claims 1 to 7.
10. An electronic device, comprising: a memory and a processor, the memory and the processor being communicatively connected to each other, the memory storing computer instructions, the processor executing the computer instructions to perform the abnormal user detection method according to any one of claims 1 to 7.
CN202111585007.0A 2021-12-22 2021-12-22 Abnormal user detection method, system, storage medium and electronic equipment Pending CN114492576A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111585007.0A CN114492576A (en) 2021-12-22 2021-12-22 Abnormal user detection method, system, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111585007.0A CN114492576A (en) 2021-12-22 2021-12-22 Abnormal user detection method, system, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN114492576A true CN114492576A (en) 2022-05-13

Family

ID=81494943

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111585007.0A Pending CN114492576A (en) 2021-12-22 2021-12-22 Abnormal user detection method, system, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN114492576A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115022153A (en) * 2022-06-07 2022-09-06 中国工商银行股份有限公司 Fault root cause analysis method, device, equipment and storage medium
CN115022153B (en) * 2022-06-07 2024-04-23 中国工商银行股份有限公司 Fault root cause analysis method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
US11683330B2 (en) Network anomaly data detection method and device as well as computer equipment and storage medium
US9053436B2 (en) Methods and system for providing simultaneous multi-task ensemble learning
CN106599160B (en) Content rule library management system and coding method thereof
CN109743311B (en) WebShell detection method, device and storage medium
CN111371806A (en) Web attack detection method and device
CN108763274B (en) Access request identification method and device, electronic equipment and storage medium
CN109905288B (en) Application service classification method and device
CN107451476A (en) Webpage back door detection method, system, equipment and storage medium based on cloud platform
US8639559B2 (en) Brand analysis using interactions with search result items
CN113141360B (en) Method and device for detecting network malicious attack
CN109558547A (en) A kind of filter method of data, device, electronic equipment and storage medium
CN110351299B (en) Network connection detection method and device
CN110825941A (en) Content management system identification method, device and storage medium
CN110602030A (en) Network intrusion blocking method, server and computer readable medium
CN112165484A (en) Network encryption traffic identification method and device based on deep learning and side channel analysis
CN110956278A (en) Method and system for retraining machine learning models
CN116015842A (en) Network attack detection method based on user access behaviors
CN114492576A (en) Abnormal user detection method, system, storage medium and electronic equipment
US20210264033A1 (en) Dynamic Threat Actionability Determination and Control System
CN116684491A (en) Dynamic caching method, device, equipment and medium based on deep learning
CN111352820A (en) Method, equipment and device for predicting and monitoring running state of high-performance application
CN116016365A (en) Webpage identification method based on data packet length information under encrypted flow
CN112231700B (en) Behavior recognition method and apparatus, storage medium, and electronic device
CN112199573B (en) Illegal transaction active detection method and system
CN110674839B (en) Abnormal user identification method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination