CN115296855B - User behavior baseline generation method and related device - Google Patents

Publication number
CN115296855B
Authority
CN
China
Prior art keywords
attribute information
target
current
weight
time interval
Legal status
Active
Application number
CN202210811244.2A
Other languages
Chinese (zh)
Other versions
CN115296855A (en)
Inventor
何立维
蔡达龙
刘国平
吕文俊
但柯锐
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202210811244.2A
Publication of CN115296855A
Application granted
Publication of CN115296855B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108: Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

The application relates to a user behavior baseline generation method and a related device, which are used to improve the accuracy of a user behavior baseline and reduce computational complexity. The method comprises: for a target attribute, after adding current attribute information to a history access record, determining the target weights corresponding to the current attribute information and to each piece of historical attribute information contained in the history access record, based on the order in which the historical attribute information and the current attribute information were added and on the addition time interval between each piece of historical attribute information and the current attribute information; accumulating the target weights corresponding to attribute information with the same content among the current attribute information and the historical attribute information; and generating a user behavior baseline based on the weight accumulated value.

Description

User behavior baseline generation method and related device
Technical Field
The application relates to the technical field of network security, in particular to a user behavior baseline generation method and a related device.
Background
With the rapid development of computer networks, identifying abnormal behaviors among massive numbers of behaviors to be identified, based on user behavior baselines, has become particularly important for ensuring network security. A user behavior baseline is the set of common attribute information corresponding to each attribute, where an attribute may be an Internet Protocol (IP) address, a physical address, a device identifier, and the like.
In the related art, the following two ways are generally adopted to generate a user behavior baseline:
First, a user behavior baseline generation method based on machine learning.
In the first approach, the machine learning algorithm may be isolation forest, K-means clustering, time series analysis, and the like. However, machine learning algorithms are complex to implement and require a large amount of sample data, so it is difficult to ensure the accuracy of abnormal behavior recognition when behavior data samples are insufficient. In addition, in practical applications, to meet real-time requirements the user behavior needs to be recalculated every time, which affects recognition performance.
Second, a user behavior baseline generation method based on statistics.
In the second approach, for a given attribute, the attribute information corresponding to the login time closest to the current time is used as the common attribute information, or the attribute information with the largest number of logins is used as the common attribute information. However, a behavior baseline with a single dimension (login time or login frequency) cannot truly reflect abnormal behaviors, so the calculated common attribute information is inconsistent with the actual situation and recognition accuracy is difficult to guarantee.
Disclosure of Invention
The application provides a user behavior baseline generation method and a related device, which are used to improve the accuracy of a user behavior baseline and reduce computational complexity.
In a first aspect, an embodiment of the present application provides a method for generating a user behavior baseline, including:
in response to a login success operation triggered by a target object for a target service, acquiring current attribute information corresponding to a target attribute in the login success operation;
adding the current attribute information to a history access record, wherein the history access record comprises: each piece of historical attribute information, corresponding to the target attribute, triggered by the target object for the target service;
determining the target weights corresponding to the current attribute information and to each piece of historical attribute information, based on the order of addition of the current attribute information and the historical attribute information and on the addition time interval between each piece of historical attribute information and the current attribute information;
accumulating the target weights corresponding to attribute information with the same content among the current attribute information and the historical attribute information, and determining at least one piece of common attribute information from the current attribute information and the historical attribute information based on the weight accumulated value;
and generating a user behavior baseline based on the target attribute and the at least one piece of common attribute information.
In a second aspect, an embodiment of the present application provides a user behavior baseline generation apparatus, including:
an acquisition unit, configured to acquire, in response to a login success operation triggered by a target object for a target service, current attribute information corresponding to a target attribute in the login success operation;
a recording unit, configured to add the current attribute information to a history access record, wherein the history access record comprises: each piece of historical attribute information, corresponding to the target attribute, triggered by the target object for the target service;
a determining unit, configured to determine the target weights corresponding to the current attribute information and to each piece of historical attribute information, based on the order of addition of the current attribute information and the historical attribute information and on the addition time interval between each piece of historical attribute information and the current attribute information;
an accumulating unit, configured to accumulate the target weights corresponding to attribute information with the same content among the current attribute information and the historical attribute information, and to determine at least one piece of common attribute information from the current attribute information and the historical attribute information based on the weight accumulated value;
a generating unit, configured to generate a user behavior baseline based on the target attribute and the at least one piece of common attribute information.
In a third aspect, an embodiment of the present application provides an electronic device, where the electronic device includes at least a processor and a memory, where the processor is configured to implement the steps of the user behavior baseline generation method described above when executing a computer program stored in the memory.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program which when executed by a processor implements the steps of a user behavior baseline generation method as described above.
In a fifth aspect, embodiments of the present application provide a computer program product comprising: computer program code which, when run on a computer, causes the computer to perform the steps of the user behavior baseline generation method as described above.
In the embodiment of the application, for a target attribute, after the current attribute information is added to the history access record, the target weights corresponding to the current attribute information and to each piece of historical attribute information contained in the history access record are determined based on the order in which the historical attribute information and the current attribute information were added and on the addition time interval between each piece of historical attribute information and the current attribute information; the target weights corresponding to attribute information with the same content among the current attribute information and the historical attribute information are accumulated; and a user behavior baseline is generated based on the weight accumulated value.
In this way, the order of addition and the corresponding time intervals of the historical attribute information and the current attribute information yield a behavior baseline in the time dimension, and accumulating the target weights corresponding to attribute information with the same content yields a behavior baseline in the usage-frequency dimension. The generated user behavior baseline is therefore sensitive to both time and usage frequency, which improves the accuracy of the user behavior baseline and, in turn, the accuracy of abnormal behavior recognition. At the same time, computational complexity is reduced and the user behavior baseline is generated more efficiently, which further improves abnormal behavior recognition performance.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for generating a user behavior baseline according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a queue according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating a method for determining a target weight according to an embodiment of the present application;
FIG. 4 is a flowchart of a method for determining a weight correction value according to an embodiment of the present application;
FIG. 5 is a mapping relationship between a target weight and an index number according to an embodiment of the present application;
FIG. 6 is a schematic diagram of logic for determining target weights according to an embodiment of the present application;
FIG. 7 is a schematic diagram of logic for determining the maximum number of common attribute information according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a null attribute mechanism provided in an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a device for generating a baseline of user behavior according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the technical solutions of the present application, but not all embodiments. All other embodiments, based on the embodiments described in the present document, which can be obtained by a person skilled in the art without any creative effort, are within the scope of protection of the technical solutions of the present application.
For easy understanding, technical terms related to the present application will be described first:
Software Defined Perimeter (SDP): a new-generation network security model based on zero trust, in which a secure and reliable virtual perimeter is constructed on the Internet for an enterprise or organization in a software-defined manner.
Zero trust: assuming that the network environment has already been compromised, reducing the uncertainty in the accuracy of the decision made for each access request in information systems and services.
User behavior baseline: a set of common attributes compiled from the various behaviors of a user during login, access and similar processes, such as a common IP set, a common login address set, a common device set and the like.
In the SDP framework, each terminal typically must be authenticated before connecting to the server, to ensure that every terminal connected to the server is allowed access. The SDP architecture hides core network assets and facilities so that they are not directly exposed to the Internet, protecting them from external security threats. Through the SDP framework, distributed denial of service (DDoS) attacks, man-in-the-middle attacks, vulnerability scanning, and advanced persistent threats (APT) are all thwarted.
However, for abnormal authentication and authorization behaviors of a user after a Transmission Control Protocol (TCP) connection (that is, the connection with the server) has been established, such as abnormal network logins and access during abnormal time periods, the zero-trust-based SDP framework has difficulty identifying and intercepting them in real time. How to improve the ability to identify such abnormal behaviors is a problem to be solved at present.
In the related art, the following two ways are generally adopted to generate a user behavior baseline:
First, a user behavior baseline generation method based on machine learning.
In the first approach, the machine learning algorithm may be isolation forest, K-means clustering, time series analysis, and the like. However, machine learning algorithms are complex to implement and require a large amount of sample data, so it is difficult to ensure the accuracy of abnormal behavior recognition when behavior data samples are insufficient. In addition, in practical applications, to meet real-time requirements the user behavior needs to be recalculated every time, which affects recognition performance.
Second, a user behavior baseline generation method based on statistics.
In the second approach, for a given attribute, the attribute information corresponding to the login time closest to the current time is used as the common attribute information, or the attribute information with the largest number of logins is used as the common attribute information. However, a behavior baseline with a single dimension (login time or login frequency) often cannot truly reflect abnormal behaviors, so the calculated common attribute information is inconsistent with the actual situation and recognition accuracy is difficult to guarantee.
In view of this, an embodiment of the present application provides a scheme for generating a user behavior baseline. The scheme includes: for a target attribute, after adding the current attribute information to the history access record, determining the target weights corresponding to the current attribute information and to each piece of historical attribute information contained in the history access record, based on the order in which the historical attribute information and the current attribute information were added and on the addition time interval between each piece of historical attribute information and the current attribute information; accumulating the target weights corresponding to attribute information with the same content among the current attribute information and the historical attribute information; and generating a user behavior baseline based on the weight accumulated value.
In this way, the order of addition and the corresponding time intervals of the historical attribute information and the current attribute information yield a behavior baseline in the time dimension, and accumulating the target weights corresponding to attribute information with the same content yields a behavior baseline in the usage-frequency dimension. The generated user behavior baseline is therefore sensitive to both time and usage frequency, which improves the accuracy of the user behavior baseline and, in turn, the accuracy of abnormal behavior recognition. At the same time, computational complexity is reduced and the user behavior baseline is generated more efficiently, which further improves abnormal behavior recognition performance.
Referring to FIG. 1, a flow chart of a method for generating a user behavior baseline according to an embodiment of the present application is shown. The method flow may be executed by a hardware facility with computing capability, such as a computer, a chip, a processor, or a server, and specifically includes:
S101, in response to a login success operation triggered by a target object for a target service, acquiring current attribute information corresponding to a target attribute in the login success operation.
In the embodiment of the application, the target object may be a user or a user group, where a user group includes one or more users. If the target object is a user, the terminal acquires the current attribute information corresponding to the target attribute in response to the login success operation triggered by that user for the target service. If the target object is a group, the terminal acquires the current attribute information corresponding to the target attribute in response to a login success operation triggered by any user in the group for the target service.
The target service includes, but is not limited to, authentication, authorization and other services performed after the terminal is connected with the server. For the target service, when the user login is successful, the terminal determines that the target object triggers a login success operation for the target service. The successful login may be that the password input by the target object or the authority of the target object passes verification, but is not limited thereto.
The target attribute may be, but is not limited to, IP, terminal identification, or MAC address. Attribute information may also be referred to as attribute values. Here, only the IP is taken as an example for the target attribute.
For example, suppose that the target object is user A, and user A uses IP 1.1.1.1 when the login succeeds. In response to the login success operation triggered by user A for the target service, the current attribute information 1.1.1.1 corresponding to the target attribute IP is acquired.
For another example, suppose that the target object is group x, user B is one user in group x, and user B uses IP 2.2.2.2 when the login succeeds. In response to the login success operation triggered by user B in group x for the target service, the current attribute information 2.2.2.2 corresponding to the target attribute IP is acquired.
S102, adding the current attribute information to a history access record, wherein the history access record comprises: each piece of historical attribute information, corresponding to the target attribute, triggered by the target object for the target service.
As a possible implementation, the target object is a user, and the history access record contains each piece of historical attribute information, corresponding to the target attribute, triggered by the user for the target service. Taking user A as an example, the history access record includes each historical IP triggered by user A for the target service, where the historical IPs include 1.1.2.1, 1.1.1.1, 1.1.6.1, and so on.
As another possible implementation, the target object is a group, and the history access record includes each piece of historical attribute information, corresponding to the target attribute, triggered by all users in the group for the target service. Taking group x as an example, it is assumed that group x includes user B and user C, and the history access record includes each historical IP triggered by user A for the target service and each historical IP triggered by user B for the target service.
In the embodiment of the application, the history access record can be implemented as a first-in, first-out (FIFO) queue or as a table, but is not limited thereto. The queue is used here as an example only.
Referring to FIG. 2, a schematic diagram of a queue provided in an embodiment of the present application is shown. The queue contains 20 pieces of IP attribute information, IP0, IP1, IP2 and so on, whose index numbers run from 0 to 19 in order. Taking only IP0, IP1 and IP2 as examples, they are 1.1.2.1, 1.1.1.1 and 1.1.2.1 respectively. When the current attribute information is added to the queue and the queue is full, the IP attribute information that has been in the queue longest is removed from the queue.
In the embodiment of the present application, the index numbers of the queue are ordered from small to large; in practical applications they may instead be ordered from large to small, which is not limited here.
S103, determining the target weights corresponding to the current attribute information and to each piece of historical attribute information, based on the order of addition of the current attribute information and the historical attribute information and on the addition time interval between each piece of historical attribute information and the current attribute information.
S104, accumulating the target weights corresponding to attribute information with the same content among the current attribute information and the historical attribute information, and determining at least one piece of common attribute information from the current attribute information and the historical attribute information based on the weight accumulated value.
S105, generating a user behavior baseline based on the target attribute and the at least one piece of common attribute information.
Specifically, when S105 is performed, the following manner may be adopted, but is not limited thereto:
for attribute information with the same content among the current attribute information and the historical attribute information, when the weight accumulated value is not smaller than a preset weight threshold, taking the attribute information with the same content as common attribute information;
and for the other attribute information among the current attribute information and the historical attribute information, apart from the attribute information with the same content, when the target weight of the other attribute information is not smaller than the preset weight threshold, taking the other attribute information as common attribute information.
Illustratively, the weight accumulation value may be calculated using the following equation (1):
$$\mathrm{sum} = \sum \mathrm{weight} \tag{1}$$
Wherein sum represents the accumulated value of the target weights corresponding to the attribute information with the same content, and weight represents the target weight of the current attribute information.
For example, assume that in the queue shown in FIG. 2, IP0 is the current attribute information and IP1 to IP19 are historical attribute information. If IP0, IP2 and IP3 are all 1.1.2.1, then for IP address 1.1.2.1 the weight accumulated value is the sum of the target weights corresponding to IP0, IP2 and IP3, and this accumulated value is compared with the preset weight threshold. If only IP1 in the queue is 1.1.1.1, the target weight of IP1 is compared directly with the preset weight threshold.
The preset weight threshold may be set to the queue length, so that a piece of attribute information may become common attribute information as soon as it enters the queue; as new attribute information is enqueued, the target weight of that attribute information may decrease, so that it may cease to be common attribute information.
In the embodiment of the application, for a target attribute, after the current attribute information is added to the history access record, the target weights corresponding to the current attribute information and to each piece of historical attribute information contained in the history access record are determined based on the order in which the historical attribute information and the current attribute information were added and on the addition time interval between each piece of historical attribute information and the current attribute information; the target weights corresponding to attribute information with the same content among the current attribute information and the historical attribute information are accumulated; and a user behavior baseline is generated based on the weight accumulated value. In this way, the order of addition and the corresponding time intervals yield a behavior baseline in the time dimension, and accumulating the target weights corresponding to attribute information with the same content yields a behavior baseline in the usage-frequency dimension. The generated user behavior baseline is therefore sensitive to both time and usage frequency, which improves the accuracy of the user behavior baseline and, in turn, the accuracy of abnormal behavior recognition. At the same time, computational complexity is reduced and the user behavior baseline is generated more efficiently, which further improves abnormal behavior recognition performance.
In some embodiments, considering that the weight of attribute information that has gone unused for longer should drop faster, a weight correction value may be introduced, by which the influence of time on the weight is dynamically adjusted. Specifically, when S103 is performed, referring to FIG. 3, the following steps are performed for the current attribute information and for each piece of historical attribute information:
S1031, taking one piece of attribute information among the current attribute information and the historical attribute information as the target attribute information, and determining the initial weight corresponding to the target attribute information based on the order of addition.
Because the attribute information in the queue is ordered by enqueue time, the order in which the current attribute information and the historical attribute information were added is their order in the queue. For example, the initial weight corresponding to the target attribute information may be the difference between the queue length and the index number.
For example, in the queue of FIG. 2, IP0 is the current attribute information and IP1 to IP19 are historical attribute information. The initial weight corresponding to IP0 is 20-0=20, the initial weight corresponding to IP1 is 20-1=19, the initial weight corresponding to IP2 is 20-2=18, and similarly the initial weights corresponding to IP3 to IP19 are 17 down to 1, respectively.
S1032, determining the weight correction value corresponding to the target attribute information based on the joining time interval between the current attribute information and the target attribute information.
In some embodiments, considering the effect of the joining time interval between the current attribute information and each of the historical attribute information on the target weight, referring to fig. 4, when S302 is performed, the following steps may be adopted:
S10321, determining a reference time interval corresponding to the target attribute information based on the joining time interval between the target attribute information and the adjacent attribute information, wherein the adjacent attribute information is the attribute information adjacent to the target attribute information according to the joining sequence.
Specifically, when S10321 is executed, there are two cases:
Case one: the target attribute information is the current attribute information or the historical attribute information that was added to the historical access record earliest, namely the target attribute information is the attribute information positioned at the head or tail of the queue. In this case, the target attribute information has one piece of adjacent attribute information, and the joining time interval between the target attribute information and the corresponding adjacent attribute information is used as the reference time interval corresponding to the target attribute information.
For example, in the queue of fig. 2, the history attribute information of the earliest joining history access record is IP19, the current attribute information is IP0, the target attribute information is IP0, the adjacent attribute information of IP0 is IP1, and the joining time interval between IP0 and IP1 is taken as the reference time interval corresponding to IP 0.
For another example, assume that the target attribute information is IP19, the adjacent attribute information of IP19 is IP18, and the addition time interval between IP19 and IP18 is defined as the reference time interval corresponding to IP 19.
Case two: the target attribute information is neither the current attribute information nor the historical attribute information that was added to the historical access record earliest, namely the target attribute information is attribute information other than the head and tail of the queue. In this case, the target attribute information has two pieces of adjacent attribute information, and the average value of the joining time interval between the two corresponding adjacent attribute information is taken as the reference time interval corresponding to the target attribute information.
By way of example, the reference time interval may be determined using the following equation (2):
wherein T(index) represents the reference time interval corresponding to the target attribute information, index is the index number of the target attribute information in the queue, and t_{index-1} and t_{index+1} respectively represent the joining times of the two pieces of adjacent attribute information. If the length of the queue is L, the range of index is [0, L-1].
For example, in the queue of fig. 2, if the target attribute information is IP1 and the adjacent attribute information of IP1 is IP0 and IP2, the average value of the addition time intervals between IP0 and IP2 is taken as the reference time interval corresponding to IP1. Assume that the joining time of IP0 is t_0 and the joining time of IP2 is t_2; the reference time interval corresponding to IP1
S10322, determining a weight correction value corresponding to the target attribute information based on the joining time interval between the current attribute information and the target attribute information and based on the reference time interval.
Specifically, when S10322 is executed, there are two cases:
Case A: if the adding time interval between the current attribute information and the target attribute information is smaller than the reference adding time length, determining the weight correction value corresponding to the target attribute information as a first set value. The first setting value may be, for example, 0.
Case B: if the adding time interval between the current attribute information and the target attribute information is not smaller than the reference adding time length, taking the minimum value of the second set value and the difference value as the weight correction value corresponding to the target attribute information, wherein the difference value is the ratio of the difference value between the corresponding adding time interval and the reference adding time length to the reference adding time length.
The reference joining duration is determined according to the reference time interval and the position of the target attribute information in the joining sequence, namely, the reference joining duration is determined according to the reference time interval and the index number of the target attribute information.
Illustratively, the weight correction value corresponding to the target attribute information may be determined using the following formula (3):
wherein c(index, t_index) represents the weight correction value corresponding to the target attribute information, index is the index number of the target attribute information in the queue, t_index represents the joining time of the target attribute information, T represents the reference time interval corresponding to the target attribute information, the subscript 0 in t_0 is the index number of the current attribute information, and min represents the minimum function.
For example, in the queue of fig. 2, it is assumed that the target attribute information is IP0 and the weight correction value corresponding to IP0 is 0.
For another example, in the queue of fig. 2, it is assumed that the target attribute information is IP3 and that |t_0 - t_3| - 3×T ≥ 2T is satisfied; the weight correction value corresponding to IP3 is 2.
For another example, in the queue of fig. 2, it is assumed that the target attribute information is IP4 and that 0 < |t_0 - t_4| - 4T ≤ T is satisfied; the weight correction value corresponding to IP4 is 1.
S1033, determining the target weight corresponding to the target attribute information based on the initial weight and the weight correction value.
As one possible implementation manner, the target weight corresponding to the target attribute information may be determined directly based on the initial weight and the weight correction value, and exemplary, the target weight corresponding to the target attribute information may be calculated using the following formula (4):
weight = f(index, t_index) = length - index - c(index, t_index)    Formula (4)
Wherein weight represents the target weight corresponding to the target attribute information, c(index, t_index) represents the weight correction value corresponding to the target attribute information, length represents the length of the queue, index represents the index number of the target attribute information, and the difference between length and index is the initial weight corresponding to the target attribute information.
For example, in the queue of fig. 2, if the target attribute information is IP0, the weight correction value corresponding to IP0 is 0, the initial weight corresponding to IP0 is 20, and the target weight corresponding to IP0 is 20-0=20.
For another example, in the queue of fig. 2, the target attribute information is IP3, the initial weight corresponding to IP3 is 17, the weight correction value corresponding to IP3 is 2, and the target weight corresponding to IP3 is 20-3-2=15.
For another example, in the queue of fig. 2, the target attribute information is IP4, the initial weight corresponding to IP4 is 16, and it is assumed that the weight correction value corresponding to IP4 is 1 and the target weight corresponding to IP4 is 20-4-1=15.
Obviously, length - index reflects the effect of the number of new IPs on the weight of the existing IPs in the queue, while c(index, t_index), by correcting the weight change, reflects the influence of the time intervals among all enqueued IPs on the weight.
It is to be understood that the current attribute information in the present application may also be referred to as new IP attribute information, and the information content of the new IP attribute information may be the same as one or more of the history attribute information, or may be different from each of the history attribute information.
Referring to fig. 5, without considering the C function, the index number is the only parameter in the calculation of the target weight, so the target weight decreases linearly. This fits the case in which the time interval Δt between entries of IP attribute information is equal: each time one piece of new IP attribute information is entered at equal intervals, the weight of every IP in the queue is reduced by 1. Because new IP attribute information can only enter the queue one piece at a time, the number of new entries increases linearly, and its influence on the target weight can be considered a constant value.
However, the decrease in the target weight is affected simultaneously by the number of pieces of new IP attribute information entered and by the variance σ² of the time interval Δt at which all the IP attribute information entered; the closer σ² is to 0, the closer the entries are considered to be to equal-interval entry. Wherein, x is a variable value, namely Δt, M is the number of variables, μ is the average value of the time intervals Δt, and the time interval Δt of one piece of IP attribute information may be the interval between the time it joined the queue and the time the previous attribute information joined the queue.
When the actual time at which one piece of IP attribute information enters the queue differs greatly from the estimated time, σ² is considered large. If σ² is large, the target weight is greatly affected by the time interval, so that when new IP attribute information is entered within a short time and the variance σ² of the time interval is very large, the target weight corresponding to the IP attribute information in the queue is unchanged. Therefore, in the case where the time interval Δt of the incoming new IP attribute information is short and the variance of the time interval of the incoming historical IP attribute information is large, even if the new IP attribute information is entered, the weight will not change for the historical IP attribute information in the queue.
Referring to fig. 6, assume that for the IP 10.10.0.1 the current index value is 3, i.e. IP3 is 10.10.0.1, and |t_0 - t_3| - 3×T ≥ 2T is satisfied; the target weight corresponding to IP3 is L-3-2. After one new piece of IP attribute information is entered, the index value of IP 10.10.0.1 is 4, i.e. IP4 is 10.10.0.1, and 0 < |t_0 - t_4| - 4T ≤ T is satisfied; the target weight corresponding to IP4 is L-4-1. After another new piece of IP attribute information is entered, the index value of IP 10.10.0.1 is 5, i.e. IP5 is 10.10.0.1, and |t_0 - t_5| ≤ 5T is satisfied; the target weight corresponding to IP5 is L-5-0. It can be seen that although 2 new pieces of IP attribute information are entered consecutively, the target weight of IP 10.10.0.1 is always L-5, and no change occurs.
This situation does not continue indefinitely. After new IP attribute information continues to be entered with a small time interval Δt, σ² will gradually decrease towards zero, approaching the case where new IP attribute information is entered at equal time intervals, and thus the target weight of IP attribute information in the queue will start to decrease linearly after a constant period of time.
In some embodiments, the difficulty of becoming a common IP may need to be adjusted as expected in actual scenarios; for example, users with a low authorization level are more numerous and pose a lower security risk, so reducing the difficulty of becoming a common IP for them improves user experience and operation and maintenance efficiency. Specifically, executing S2033 includes:
acquiring easiness preset for target attribute information;
based on the initial weight and the weight correction value, and based on the easiness, a target weight corresponding to the target attribute information is determined.
For example, the target weight corresponding to the target attribute information may be calculated using the following formula (5):
weight = f(index, t_index) + N    Formula (5)
Wherein weight represents the target weight, f(index, t_index) is calculated using formula (4), and N is an integer not less than 0. If N is a non-negative integer, N represents the difficulty level of one attribute information becoming common attribute information, and the larger the value of N, the more likely it is to become common attribute information. When the value of N is larger, the value of the target weight corresponding to each piece of IP attribute information in the queue is larger, so that the threshold value is easier to reach, the IP attribute information in the queue more easily becomes a common IP, and the maximum number of common IPs is also larger.
Referring to fig. 7, in the case where the preset weight threshold is equal to the length L of the queue, assume that, in the queue of length L, the target weight is greater than or equal to L for the attribute information whose target weights are L+N to L, N+1 pieces in total. For the remaining L-(N+1) pieces of attribute information, without considering the C function, the initial weights of the head and tail attribute information add up to (1+N) + (L-1) = L+N > L, so the remaining L-(N+1) pieces of attribute information are matched head to tail in one-to-one correspondence, up to a maximum number of pairs. Therefore, the maximum number of commonly used attribute information can be calculated by the following formula (6):
where max represents the maximum number of commonly used attribute information, and when the target attribute is IP, max may be also referred to as the maximum number of commonly used IPs, and obviously, the number of commonly used IPs is a dynamically changing section, which is [0, max ].
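The following Python sketch is an added illustration, not code from the patent: it implements S1031 to S1033, formula (4), formula (5) and the accumulation step over a constructed login queue, with the weight threshold set to the queue length L. Because formulas (2) and (3) are not reproduced on this page, the rounding-up of the ratio and the cap of 2 are assumptions inferred from the IP3/IP4/IP5 worked examples; all function names and the sample logins are hypothetical.

```python
import math
from collections import defaultdict

SECOND_SET_VALUE = 2  # assumed cap, inferred from the IP3 worked example

# Constructed sample: (join time in seconds, source IP), oldest first.
SAMPLE_LOGINS = [
    (0, "203.0.113.9"),
    (10, "203.0.113.9"),
    (8000, "10.10.0.1"),
    (8100, "10.10.0.1"),
    (8200, "192.0.2.44"),
    (8300, "10.10.0.1"),
]


def build_queue(logins, maxlen):
    """Keep the newest `maxlen` logins, newest first (index 0 = current)."""
    return list(reversed(logins[-maxlen:]))


def reference_interval(times, index):
    """Reference time interval T for the entry at `index` (S10321).

    Head and tail entries have one neighbour; inner entries use the mean of
    the two gaps to their neighbours, i.e. |t[i-1] - t[i+1]| / 2.
    """
    last = len(times) - 1
    if last == 0:
        return 0.0
    if index == 0:
        return abs(times[0] - times[1])
    if index == last:
        return abs(times[last] - times[last - 1])
    return abs(times[index - 1] - times[index + 1]) / 2


def weight_correction(times, index):
    """Weight correction c(index, t_index) (S10322).

    Zero while the entry's age does not exceed index * T; otherwise the
    overshoot in units of T, rounded up (assumption) and capped.
    """
    t_ref = reference_interval(times, index)
    overshoot = abs(times[0] - times[index]) - index * t_ref
    if overshoot <= 0:
        return 0
    if t_ref == 0:  # neighbours joined at the same instant
        return SECOND_SET_VALUE
    return min(SECOND_SET_VALUE, math.ceil(overshoot / t_ref))


def target_weights(queue, easiness=0):
    """Formula (4) plus the easiness N of formula (5), one weight per entry.

    Weights are not clamped at zero; the page does not describe clamping.
    """
    times = [t for t, _ in queue]
    length = len(queue)
    return [length - i - weight_correction(times, i) + easiness
            for i in range(length)]


def common_attributes(queue, threshold=None, easiness=0):
    """Accumulate weights per value; values at or above the threshold are common."""
    totals = defaultdict(int)
    for (_, value), weight in zip(queue, target_weights(queue, easiness)):
        totals[value] += weight
    limit = len(queue) if threshold is None else threshold
    common = {v for v, total in totals.items() if total >= limit}
    return common, dict(totals)


if __name__ == "__main__":
    q = build_queue(SAMPLE_LOGINS, maxlen=6)
    for n in (0, 1):
        baseline, totals = common_attributes(q, easiness=n)
        print(f"N={n} totals={totals} baseline={sorted(baseline)}")
```

In the constructed data the two logins from 203.0.113.9 are old, so the tail entry takes the full correction and that address stays out of the baseline, while raising N from 0 to 1 is enough to admit the single recent login from 192.0.2.44.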
In some embodiments, since the number of common IPs changes dynamically, a null attribute mechanism is proposed to solve the problem that too many common IPs would make the statistics of common IPs lose their practical meaning. Specifically, when S202 is executed, the following manner may be adopted:
determining the number of the common attribute information at the current moment based on the number of the common attribute information at the previous moment, and determining a common information number threshold based on the number of the common attribute information at the current moment, wherein the current moment is the moment of acquiring the current attribute information, and the previous moment is the latest entering moment of each historical attribute information;
If the number of the common attribute information at the current moment is larger than the common information number threshold, adding the appointed attribute information into the history access record, and then adding the current attribute information into the history access record.
Illustratively, the specified attribute information may employ null attribute information.
In the implementation of the application, a common data number threshold H is set. When count ≥ H, if new IP attribute information is about to enter the queue, one piece of IP attribute information whose value is a set value is entered first, and then the new IP attribute information is entered, so that the calculation of the target weights of all the IP attribute information in the queue is affected by one piece of designated attribute information and the weights decay faster; this controls the number of common IP attribute information and makes the determination of common IPs more accurate.
Specifically, the common data number threshold is calculated by using the following formula (7) and formula (8):
where H represents the threshold of the number of common information; the formulas also use the number average value of the common attribute information at the current moment, the maximum historical number count_max of the common attribute information, the preset parameters α and β, and count, which represents the number of the common attribute information at the current moment. Illustratively, α = 0.125 and β = 5.
As can be seen from the above equation (6), is an average value determined by the number of historical common IP attribute information, and the effect of the count recorded at the last time is greater. Assuming the value of (2) is 0, for the number average value of the common attribute information at the first moment, for the number average value of the common attribute information at the second moment, and the number of common attribute information for the first time, it is derived as follows:
Since α < 1 and (1-α) < 1, it follows that (1-α)²α < (1-α)α < α; obviously, the most recently counted data, count_3, has the largest weight of influence on the average value.
It should be noted that, in the embodiment of the present application, one weight function may be set to reduce the target weights of all the IP attribute information, but the null attribute mechanism has the following advantages with respect to setting one weight function to reduce the target weights of all the IP attribute information:
Firstly, the influence of the null attribute mechanism on the target weight is limited in time: when the number of the common IP attribute information reaches the threshold (namely H), a null IP is entered in the queue, so that the target weight of all the IP attribute information is reduced by 1 more. As new IP attribute information is entered, the empty IP moves towards the tail of the queue, its impact on the whole queue decreases as its index number increases, and it is then dequeued, automatically clearing its impact on the queue. By contrast, directly reducing the target weight of all IP attribute information requires setting an effective time for the change, which increases the design complexity of the scheme.
Second, the null attribute mechanism is dynamically adjustable, and will vary with the amount of common IP attribute information. When the number of the common IP attribute information reaches the threshold value, a null IP is entered to decrease the target weight of all the IP attribute information by 1 more, however, if the number of the common IP attribute information is not decreased at this time, then the null IP is entered to influence the target weight again.
Finally, referring to fig. 8, the impact of the null attribute mechanism on the target weights of all IP attribute information is not uniform. Since each empty IP affects only the IP attribute information that entered the queue before it, if there are multiple empty IPs in this queue, their impact on the target weight of the IP attribute information in the queue is staged, and the degree of superposition is gradually increased as the index number increases. If the method is directly segmented according to the index number, a segmentation function affecting the target weight of the IP attribute information is set, and the complexity of scheme design is increased.
In the embodiment of the application, the time complexity of the scheme is O(n) and the space complexity is O(n). A simple queue model is used, the weight calculation algorithm is not complex, and the technical scheme is therefore simpler. In addition, the counted number of common attribute information changes dynamically, which can meet the personalized requirements of users.
Furthermore, due to the limitation of the size of the queue for storing data, the number of the common attribute information is in the range of [1, L/2] according to the previous analysis, and meanwhile, due to the introduction of the null attribute mechanism, after the number of the common attribute information reaches the corresponding threshold value, the increase or even the decrease of the number of the common attribute information can be slowed down, so that the number of the common attribute information is controlled in a reasonable range, and the accuracy of the determined common attribute information is improved.
Furthermore, other attributes such as login equipment and login addresses can also be used for screening common attribute information through the user behavior baseline generation method, so that high reusability is realized, and redundant scheme design aiming at different attributes is avoided.
Based on the same inventive concept, referring to fig. 9, an embodiment of the present application provides a user behavior baseline generation device, including:
an obtaining unit 901, configured to obtain current attribute information corresponding to a target attribute in a login success operation triggered by a target object for a target service;
a recording unit 902, configured to add the current attribute information to a history access record, where the history access record includes: the target object aims at each piece of history attribute information corresponding to the target attribute triggered by the target service;
A determining unit 903, configured to determine target weights corresponding to the current attribute information and each of the historical attribute information, based on an order of addition of the current attribute information and each of the historical attribute information, and based on an addition time interval between each of the historical attribute information and the current attribute information, respectively;
an accumulating unit 904, configured to accumulate target weights corresponding to attribute information with the same content in the current attribute information and each historical attribute information, and determine at least one common attribute information from the current attribute information and each historical attribute information based on a weight accumulated value;
a generating unit 905, configured to generate a user behavior baseline based on the target attribute and the at least one common attribute information.
As a possible implementation manner, when determining the target weights corresponding to the current attribute information and the historical attribute information respectively based on the joining order of the current attribute information and the historical attribute information and based on the joining time interval between the historical attribute information and the current attribute information respectively, the determining unit 903 is specifically configured to:
For the current attribute information and each history attribute information, the following operations are respectively executed:
taking the current attribute information and one attribute information in the historical attribute information as target attribute information, and determining initial weight corresponding to the target attribute information based on the adding sequence;
determining a weight correction value corresponding to the target attribute information based on the adding time interval between the current attribute information and the target attribute information;
and determining the target weight corresponding to the target attribute information based on the initial weight and the weight correction value.
As a possible implementation manner, when determining the weight correction value corresponding to the target attribute information based on the joining time interval between the current attribute information and the target attribute information, the determining unit 903 is specifically configured to:
determining a reference time interval corresponding to the target attribute information based on the joining time interval between the target attribute information and the adjacent attribute information; the adjacent attribute information is attribute information adjacent to the target attribute information according to the addition order;
and determining a weight correction value corresponding to the target attribute information based on a joining time interval between the current attribute information and the target attribute information and the reference time interval.
As a possible implementation manner, when determining the reference time interval corresponding to the target attribute information based on the joining time interval between the target attribute information and the neighboring attribute information, the determining unit 903 is specifically configured to:
if the target attribute information is the current attribute information or the historical attribute information added to the historical access record earliest, taking the adding time interval between the target attribute information and the corresponding adjacent attribute information as the reference time interval corresponding to the target attribute information;
and if the target attribute information is not the current attribute information and the historical attribute information added into the historical access record earliest, taking the average value of the enqueue time intervals between the target attribute information and the corresponding two adjacent attribute information as the reference time interval corresponding to the target attribute information.
As a possible implementation manner, when determining the weight correction value corresponding to the target attribute information based on the joining time interval between the current attribute information and the target attribute information and based on the reference time interval, the determining unit 903 is specifically configured to:
If the adding time interval between the current attribute information and the target attribute information is smaller than or equal to the reference adding time length, determining that the weight correction value corresponding to the target attribute information is a first set value;
if the adding time interval between the current attribute information and the target attribute information is larger than or equal to the reference adding time length, taking the minimum value of a second set value and a difference value as a weight correction value corresponding to the target attribute information, wherein the difference value is the ratio of the difference value between the corresponding adding time interval and the reference adding time length to the reference adding time length;
wherein the reference joining duration is determined according to the reference time interval and the position of the target attribute information in the joining order.
As a possible implementation manner, when determining the target weight corresponding to the target attribute information based on the initial weight and the weight correction value, the determining unit 903 is specifically configured to:
acquiring easiness preset for the target attribute information;
and determining a target weight corresponding to the target attribute information based on the initial weight and the weight correction value and based on the easiness.
As a possible implementation manner, when the current attribute information is added to the history access record, the recording unit 902 is specifically configured to:
determining the number of common attribute information at the current moment based on the number of common attribute information at the previous moment, and determining a common data information number threshold based on the number of common attribute information at the current moment, wherein the current moment is the moment of acquiring the current attribute information, and the previous moment is the latest entry moment of each historical attribute information;
if the number of the common attribute information at the current moment is larger than the threshold value of the number of the common data information, adding the current attribute information into the history access record after adding the appointed attribute information into the history access record.
As a possible implementation manner, the common data number threshold value is calculated by using the following formula:
where H represents the threshold of the number of common data; the formula also uses the number average value of the common attribute information at the current moment, the maximum historical number count_max of the common attribute information, the preset parameters α and β, and count, which represents the number of the common attribute information at the current moment.
As a possible implementation manner, when determining at least one common attribute information from the current attribute information and the historical attribute information based on the weight accumulated value, the accumulating unit 904 is specifically configured to:
aiming at the attribute information with the same content in the current attribute information and each history attribute information, when the weight accumulated value is not smaller than a preset weight threshold value which is larger than a preset threshold value, the attribute information with the same content is used as common attribute information;
and aiming at other attribute information except the attribute information with the same content in the current attribute information and the historical attribute information, when the target weight of the other attribute information is not smaller than or greater than a preset weight threshold value, the other attribute information is used as common attribute information.
Based on the same inventive concept, referring to fig. 10, a schematic structural diagram of an electronic device according to an embodiment of the present application includes: the processor 101, the communication interface 102, the memory 103 and the communication bus 104, wherein the processor 101, the communication interface 102 and the memory 103 complete communication with each other through the communication bus 104;
the memory 103 has stored therein a computer program which, when executed by the processor 101, causes the processor 41 to perform the user behavior baseline generation method as in fig. 1, 3 or 4.
The communication bus mentioned above for the electronic devices may be a peripheral component interconnect standard (Peripheral Component Interconnect, PCI) bus or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, etc. The communication bus may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, the figures are shown with only one bold line, but not with only one bus or one type of bus.
The communication interface 102 is used for communication between the electronic device and other devices.
The Memory may include random access Memory (Random Access Memory, RAM) or may include Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit, a network processor (Network Processor, NP), etc.; it may also be a digital signal processor (Digital Signal Processing, DSP), an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
Based on the same inventive concept, an embodiment of the present application provides a computer readable storage medium, in which a computer program executable by a processor is stored, which when run on the processor, enables the processor to perform the above-described user behavior baseline generation method as in fig. 1, 3 or 4.
Based on the same inventive concept, embodiments of the present application provide a computer program product comprising: computer program code which, when run on a computer, causes the computer to perform the user behavior baseline generation method as described above in fig. 1, 3 or 4.
For the system/device embodiments, the description is relatively brief because they are substantially similar to the method embodiments; for relevant details, refer to the description of the method embodiments.
It should be noted that in this document relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (12)

1. A method for generating a user behavior baseline, comprising:
in response to a login success operation triggered by a target object for a target service, acquiring current attribute information corresponding to a target attribute in the login success operation;
adding the current attribute information into a history access record, wherein the history access record comprises: each piece of historical attribute information corresponding to the target attribute, triggered by the target object for the target service;
determining target weights corresponding to the current attribute information and the historical attribute information respectively based on the adding sequence of the current attribute information and the historical attribute information and the adding time interval between the historical attribute information and the current attribute information respectively;
accumulating target weights corresponding to attribute information with the same content in the current attribute information and the historical attribute information, and determining at least one common attribute information from the current attribute information and the historical attribute information based on a weight accumulated value;
and generating a user behavior baseline based on the target attribute and the at least one common attribute information.
2. The method of claim 1, wherein the determining the target weights for the current attribute information and the respective historical attribute information based on the order of addition of the current attribute information and the respective historical attribute information, and based on the time intervals of addition between the respective historical attribute information and the current attribute information, respectively, comprises:
for the current attribute information and each history attribute information, the following operations are respectively executed:
taking the current attribute information and one attribute information in the historical attribute information as target attribute information, and determining initial weight corresponding to the target attribute information based on the adding sequence;
determining a weight correction value corresponding to the target attribute information based on the adding time interval between the current attribute information and the target attribute information;
and determining the target weight corresponding to the target attribute information based on the initial weight and the weight correction value.
3. The method of claim 2, wherein the determining the weight correction value corresponding to the target attribute information based on the joining time interval between the current attribute information and the target attribute information comprises:
determining a reference time interval corresponding to the target attribute information based on the joining time interval between the target attribute information and the adjacent attribute information; the adjacent attribute information is attribute information adjacent to the target attribute information according to the addition order;
and determining a weight correction value corresponding to the target attribute information based on a joining time interval between the current attribute information and the target attribute information and the reference time interval.
4. The method of claim 3, wherein the determining the reference time interval corresponding to the target attribute information based on the joining time interval between the target attribute information and the neighboring attribute information comprises:
if the target attribute information is the current attribute information or the historical attribute information added to the historical access record earliest, taking the adding time interval between the target attribute information and the corresponding adjacent attribute information as the reference time interval corresponding to the target attribute information;
and if the target attribute information is not the current attribute information and the historical attribute information added into the historical access record earliest, taking the average value of the enqueue time intervals between the two corresponding adjacent attribute information as the reference time interval corresponding to the target attribute information.
5. The method of claim 3, wherein the determining the weight correction value corresponding to the target attribute information based on the joining time interval between the current attribute information and the target attribute information and based on the reference time interval comprises:
if the adding time interval between the current attribute information and the target attribute information is smaller than the reference adding time length, determining that the weight correction value corresponding to the target attribute information is a first set value;
if the adding time interval between the current attribute information and the target attribute information is not smaller than the reference adding time length, taking the minimum of a second set value and a difference value as the weight correction value corresponding to the target attribute information, wherein the difference value is the ratio of the difference between the corresponding adding time interval and the reference adding time length to the reference adding time length;
wherein the reference joining duration is determined according to the reference time interval and the position of the target attribute information in the joining order.
6. The method according to any one of claims 2-5, wherein the determining a target weight corresponding to the target attribute information based on the initial weight and the weight correction value includes:
acquiring an easiness preset for the target attribute information, wherein the easiness is used for representing how difficult it is for the target attribute information to become common attribute information;
and determining a target weight corresponding to the target attribute information based on the initial weight and the weight correction value and based on the easiness.
7. The method of any of claims 1-5, wherein the adding the current attribute information to a history access record comprises:
determining the number of the common attribute information at the current moment based on the number of the common attribute information at the previous moment, and determining a common information number threshold based on the number of the common attribute information at the current moment, wherein the current moment is the moment of acquiring the current attribute information, and the previous moment is the latest entering moment of each historical attribute information;
and if the number of the common attribute information at the current moment is larger than the common information number threshold, adding the current attribute information into the history access record after adding the appointed attribute information into the history access record.
8. The method of claim 7, wherein the common information number threshold is calculated using the following formula:
Where H represents the threshold value of the number of common information; the formula also uses the number average value of the common attribute information at the current moment and count_max, which represents the maximum historical number of the common attribute information; alpha and beta are preset parameters; and count represents the number of the common attribute information at the current moment.
9. The method of any of claims 1-5, wherein determining at least one common attribute information from the current attribute information and the historical attribute information based on a weight accumulation value comprises:
for attribute information with the same content among the current attribute information and each piece of historical attribute information, when the weight accumulated value is not smaller than a preset weight threshold value, taking the attribute information with the same content as common attribute information;
and for other attribute information, among the current attribute information and the historical attribute information, besides the attribute information with the same content, when the target weight of the other attribute information is not smaller than the preset weight threshold value, taking the other attribute information as common attribute information.
10. A user behavior baseline generation apparatus, the apparatus comprising:
an acquisition unit, configured to acquire, in response to a login success operation triggered by a target object for a target service, current attribute information corresponding to a target attribute in the login success operation;
a recording unit, configured to add the current attribute information into a history access record, wherein the history access record comprises: each piece of historical attribute information corresponding to the target attribute, triggered by the target object for the target service;
a determining unit, configured to determine target weights corresponding to the current attribute information and each history attribute information, based on an order of addition of the current attribute information and each history attribute information, and based on an addition time interval between each history attribute information and the current attribute information, respectively;
an accumulating unit, configured to accumulate the target weights corresponding to attribute information with the same content in the current attribute information and the historical attribute information, and determine at least one common attribute information from the current attribute information and the historical attribute information based on a weight accumulated value;
and a generating unit, configured to generate a user behavior baseline based on the target attribute and the at least one common attribute information.
11. An electronic device comprising at least a processor and a memory, the processor being adapted to implement the steps of the user behavior baseline generation method according to any one of claims 1-9 when executing a computer program stored in the memory.
12. A computer readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the user behavior baseline generation method according to any one of claims 1-9.
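An added sketch of the weighting in claims 1-5 and 9, not code from the patent. The claims name the quantities but not their values, so the linear initial weight, the set values 0 and 1, the `initial * (1 - correction)` combination, the reference joining duration taken as reference interval times the number of later entries, the threshold 0.5 and the constructed login history are all assumptions; claim 6's easiness and the record limit of claims 7-8 are left out.

```python
from collections import defaultdict
from dataclasses import dataclass

# All constants below are assumptions; the claims only name them.
FIRST_SET_VALUE = 0.0    # correction while an entry is still "on schedule"
SECOND_SET_VALUE = 1.0   # upper bound of the correction
WEIGHT_THRESHOLD = 0.5   # preset weight threshold of claim 9


@dataclass(frozen=True)
class Entry:
    joined_at: float  # time the value joined the record, in days
    value: str        # attribute content, e.g. the login city


def reference_interval(entries, pos):
    """Claim 4: gap to the single neighbour for the oldest and the current
    entry, mean of the gaps to both neighbours otherwise."""
    gaps = []
    if pos > 0:
        gaps.append(entries[pos].joined_at - entries[pos - 1].joined_at)
    if pos < len(entries) - 1:
        gaps.append(entries[pos + 1].joined_at - entries[pos].joined_at)
    return sum(gaps) / len(gaps) if gaps else 0.0


def weight_correction(entries, pos):
    """Claim 5, with the reference joining duration assumed to be
    reference interval x number of entries joined after this one."""
    steps_back = len(entries) - 1 - pos
    if steps_back == 0:              # the current entry itself
        return FIRST_SET_VALUE
    elapsed = entries[-1].joined_at - entries[pos].joined_at
    ref_duration = reference_interval(entries, pos) * steps_back
    if ref_duration <= 0:            # identical timestamps: avoid dividing by 0
        return FIRST_SET_VALUE if elapsed <= 0 else SECOND_SET_VALUE
    if elapsed < ref_duration:
        return FIRST_SET_VALUE
    return min(SECOND_SET_VALUE, (elapsed - ref_duration) / ref_duration)


def target_weights(entries):
    """Claim 2: initial weight from the joining order (assumed linear, newest
    entry = 1), reduced by the correction (assumed combination rule)."""
    n = len(entries)
    return [(pos + 1) / n * (1.0 - weight_correction(entries, pos))
            for pos in range(n)]


def generate_baseline(attribute, history, current):
    """Claims 1 and 9: append the current value, sum the weights of equal
    values, keep those whose sum reaches the threshold."""
    entries = list(history) + [current]
    totals = defaultdict(float)
    for entry, weight in zip(entries, target_weights(entries)):
        totals[entry.value] += weight
    common = sorted(v for v, w in totals.items() if w >= WEIGHT_THRESHOLD)
    return {attribute: common}


# Constructed login history for one account (days since first login).
SAMPLE_HISTORY = [Entry(0.0, "Lisbon"), Entry(0.5, "Lisbon"),
                  Entry(30.0, "Berlin"), Entry(37.0, "Berlin"),
                  Entry(44.0, "Berlin")]
SAMPLE_CURRENT = Entry(51.0, "Berlin")

if __name__ == "__main__":
    print(target_weights(SAMPLE_HISTORY + [SAMPLE_CURRENT]))
    print(generate_baseline("login_city", SAMPLE_HISTORY, SAMPLE_CURRENT))
```

Under these assumptions the two Lisbon logins, half a day apart and weeks old, accumulate only 1/3 and stay out of the baseline, while the weekly Berlin logins accumulate 3.0.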
CN202210811244.2A 2022-07-11 2022-07-11 User behavior baseline generation method and related device Active CN115296855B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210811244.2A CN115296855B (en) 2022-07-11 2022-07-11 User behavior baseline generation method and related device

Publications (2)

Publication Number Publication Date
CN115296855A CN115296855A (en) 2022-11-04
CN115296855B true CN115296855B (en) 2023-11-07

Family

ID=83822872

Country Status (1)

Country Link
CN (1) CN115296855B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant