CN117033052A - Object abnormality diagnosis method and system based on model identification - Google Patents

Object abnormality diagnosis method and system based on model identification Download PDF

Info

Publication number
CN117033052A
CN117033052A CN202311019328.3A CN202311019328A CN117033052A CN 117033052 A CN117033052 A CN 117033052A CN 202311019328 A CN202311019328 A CN 202311019328A CN 117033052 A CN117033052 A CN 117033052A
Authority
CN
China
Prior art keywords
behavior data
abnormal
object behavior
generating
online session
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311019328.3A
Other languages
Chinese (zh)
Other versions
CN117033052B (en
Inventor
曹印年
赵景辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qipocket Chongqing Digital Technology Co ltd
Original Assignee
Guizhou Huima Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guizhou Huima Technology Co ltd filed Critical Guizhou Huima Technology Co ltd
Priority to CN202311019328.3A priority Critical patent/CN117033052B/en
Priority claimed from CN202311019328.3A external-priority patent/CN117033052B/en
Publication of CN117033052A publication Critical patent/CN117033052A/en
Application granted granted Critical
Publication of CN117033052B publication Critical patent/CN117033052B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/079Root cause analysis, i.e. error or fault diagnosis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/0475Generative networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Biomedical Technology (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • General Health & Medical Sciences (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Quality & Reliability (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiment of the invention provides an object abnormality diagnosis method and system based on model identification, which are used for acquiring candidate object behavior data corresponding to a target online session user; inputting the candidate object behavior data into a preset abnormal knowledge point prediction network, and generating information for representing whether each object behavior data block comprises an abnormal behavior knowledge point; the candidate object behavior data includes a plurality of object behavior data chunks; based on the behavior knowledge points of the object behavior data blocks, generating related abnormal node information corresponding to related object behavior data block sequences; determining an abnormal mining result of the object behavior data block based on the related abnormal node information; and generating an abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, and performing abnormal interception diagnosis on the target online session user based on the abnormal positioning root cause, so that the accuracy of the subsequent abnormal interception diagnosis on the target online session user can be improved.

Description

Object abnormality diagnosis method and system based on model identification
Technical Field
The invention relates to the technical field of AI (advanced technology attachment), in particular to an object abnormality diagnosis method and system based on model identification.
Background
With the development of AI digitization, model identification is widely used, and model identification is to determine a model equivalent to a measured system from a given set of model classes based on input and output data. The model identification comprises three elements, namely data, a model and a criterion, wherein the identification is to select a model which is best fitted with the data from a group of model classes according to the criterion, when an on-line user has abnormal behaviors, the abnormal locating root cause needs to be quickly found so as to be convenient for subsequent interception diagnosis, and how to quickly find the abnormal locating root cause is a technical problem to be solved urgently in the field.
Disclosure of Invention
In view of the above, an object of the embodiments of the present invention is to provide a method and a system for diagnosing object anomalies based on model identification, which acquire candidate object behavior data corresponding to a target online session user; inputting the candidate object behavior data into a preset abnormal knowledge point prediction network, and generating information for representing whether each object behavior data block comprises an abnormal behavior knowledge point; the candidate object behavior data includes a plurality of object behavior data chunks; based on the behavior knowledge points of the object behavior data blocks, generating related abnormal node information corresponding to related object behavior data block sequences; determining an abnormal mining result of the object behavior data block based on the related abnormal node information; and generating an abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, and performing abnormal interception diagnosis on the target online session user based on the abnormal positioning root cause, so that the accuracy of the subsequent abnormal interception diagnosis on the target online session user can be improved.
According to an aspect of the embodiment of the present invention, there is provided a method and a system for diagnosing an abnormality of an object based on model identification, the method including:
acquiring candidate object behavior data corresponding to a target online session user;
inputting the candidate object behavior data into a preset abnormal knowledge point prediction network, and generating information for representing whether each object behavior data block comprises an abnormal behavior knowledge point or not; the candidate object behavior data comprises a plurality of object behavior data blocks;
based on the behavior knowledge points of the object behavior data blocks, generating related abnormal node information corresponding to related object behavior data block sequences; the related object behavior data block sequence comprises a plurality of mutually connected object behavior data blocks;
determining an abnormal mining result of the object behavior data block based on the related abnormal node information;
and generating an abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, and carrying out abnormal interception diagnosis on the target online session user based on the abnormal positioning root cause.
In an alternative embodiment, the generating, based on the behavior knowledge points of the object behavior data blocks, related abnormal node information corresponding to the related object behavior data block sequences includes;
determining a first behavior knowledge point of a target object behavior data block in all the object behavior data blocks;
determining associated object behavior data blocks which accord with behavior association conditions with the target object behavior data blocks in all the object behavior data blocks; the related object behavior data block sequence comprises:
the target object behavior data blocks and the associated object behavior data blocks;
determining second behavior knowledge points corresponding to the behavior data blocks of the associated objects;
generating associated abnormal node information corresponding to the associated object behavior data blocks based on the second behavior knowledge points;
and generating the related abnormal node information based on the first behavior knowledge point and the related abnormal node information.
In an alternative embodiment, the generating the related abnormal node information based on the first behavior knowledge point and the related abnormal node information includes:
generating overall abnormal node information corresponding to the candidate object behavior data based on the behavior knowledge points of each object behavior data block;
calculating the first behavior knowledge points, the associated abnormal node information and the overall abnormal node information based on a set fusion model to generate fusion characteristic information;
and generating the related abnormal node information based on the fusion characteristic information.
In an alternative embodiment, the method further comprises:
acquiring template object behavior data for updating network weight parameters of an initialized neural network;
determining a dismantling rule for dismantling the template object behavior data;
based on the dismantling rule, dismantling the template object behavior data to generate a plurality of dismantling member object behavior data;
generating an abnormal mining array corresponding to the template object behavior data based on the first behavior trigger information and the abnormal training content of each disassembled member object behavior data;
the first behavior trigger information and the second behavior trigger information corresponding to the same behavior data of the disassembled member object are correspondingly associated and configured;
the first behavior trigger information is used for representing the position of the disassembled member object behavior data in the candidate object behavior data; the second behavior trigger information is used for representing the position of a preset behavior knowledge point generated based on abnormal training content corresponding to the behavior data of the disassembled member object in the abnormal mining array;
generating sample learning data and sample test data based on the template object behavior data and an anomaly mining array corresponding to each of the template object behavior data;
updating the network weight parameters of the initialized neural network through the sample learning data to generate an updated neural network;
and after the updated neural network is tested through the sample test data and meets the set test validity conditions, the updated neural network is used as the abnormal knowledge point prediction network.
In an alternative embodiment, the generating the anomaly mining array corresponding to the template object behavior data based on the first behavior trigger information of the respective disassembled member object behavior data and the anomaly training content includes:
acquiring abnormal prior label configuration information generated by carrying out abnormal prior label configuration on the template object behavior data;
generating the abnormal training content corresponding to each disassembled member object behavior data based on the abnormal coding mapping information of the abnormal priori label configuration information included in each disassembled member object behavior data;
determining whether abnormal coding mapping information of the abnormal priori label configuration information included in the behavior data of each disassembled member object is in a preset mapping interval or not based on the abnormal training content, and generating preset behavior knowledge points corresponding to the behavior data of each disassembled member object;
generating the first behavior trigger information corresponding to each piece of disassembled member object behavior data based on the position of each piece of disassembled member object behavior data in the template object behavior data;
and generating an abnormal mining array corresponding to the template object behavior data based on the first behavior trigger information and the preset behavior knowledge points corresponding to the disassembled member object behavior data.
In an alternative embodiment, when the attribute type of the target online session user is a first preset attribute type; after the generating of the abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, the method further comprises:
determining abnormal thermodynamic diagram information of the target online session user based on the abnormal positioning root cause;
when the abnormal thermodynamic diagram information has an abnormal session link larger than a set thermodynamic value, judging that the target online session user is an abnormal online session user;
acquiring target online session user behavior trigger information of the target online session user;
and generating interception configuration information corresponding to the target online session user based on the target online session user behavior trigger information.
In an alternative embodiment, when the attribute type of the target online session user is a second preset attribute type; after the generating of the abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, the method further comprises:
determining abnormal thermodynamic diagram information of the target online session user based on the abnormal positioning root cause;
when the abnormal thermodynamic diagram information has an abnormal session link larger than a set thermodynamic value, acquiring cooperative node information of the target online session user;
and generating interception configuration information corresponding to the target online session user based on the cooperative node information.
According to another aspect of the embodiment of the present invention, there is provided a method and a system for diagnosing an abnormality of an object based on model identification, the system including:
the acquisition unit is used for acquiring candidate object behavior data corresponding to the target online session user;
the first generation unit is used for inputting the candidate object behavior data into a preset abnormal knowledge point prediction network and generating information for representing whether each object behavior data block comprises an abnormal behavior knowledge point or not; the candidate object behavior data comprises a plurality of object behavior data blocks;
the second generation unit is used for generating related abnormal node information corresponding to the related object behavior data block sequence based on the behavior knowledge points of the object behavior data blocks; the related object behavior data block sequence comprises a plurality of mutually connected object behavior data blocks;
the determining unit is used for determining an abnormal mining result of the object behavior data block based on the related abnormal node information;
and the diagnosis unit is used for generating an abnormality locating root cause corresponding to the target online session user based on the abnormality mining result and carrying out abnormality interception diagnosis on the target online session user based on the abnormality locating root cause.
According to another aspect of an embodiment of the present invention, there is provided an electronic apparatus including: the device comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus; the memory is used for storing a computer program; the processor is configured to implement the object abnormality diagnosis method step based on model identification described in any one of the above when executing the computer program.
According to another aspect of the embodiments of the present invention, there is provided a readable storage medium having stored thereon a computer program which, when executed by a processor, can perform the steps of the above-described object abnormality diagnosis method based on model identification.
The foregoing objects, features and advantages of embodiments of the invention will be more readily apparent from the following detailed description of the embodiments taken in conjunction with the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 shows a schematic diagram of components of a server provided by an embodiment of the present invention;
FIG. 2 is a schematic flow chart of an object anomaly diagnosis method and system based on model identification according to an embodiment of the present invention;
FIG. 3 illustrates a functional block diagram of an object anomaly diagnostic system in accordance with model-based recognition, provided by an embodiment of the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the present invention, a technical solution of the present embodiment of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiment of the present invention, and it is apparent that the described embodiment is only a part of the embodiment of the present invention, not all the embodiments. All other embodiments, which can be made by those skilled in the art without the benefit of the teachings of this invention, are intended to fall within the scope of the invention.
The terms first, second, third and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented, for example, in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 shows an exemplary component diagram of a server 100. The server 100 may include one or more processors 104, such as one or more Central Processing Units (CPUs), each of which may implement one or more hardware threads. The server 100 may also include any storage medium 106 for storing any kind of information such as code, settings, data, etc. For example, and without limitation, storage medium 106 may include any one or more of the following combinations: any type of RAM, any type of ROM, flash memory devices, hard disks, optical disks, etc. More generally, any storage medium may store information using any technique. Further, any storage medium may provide volatile or non-volatile retention of information. Further, any storage medium may represent fixed or removable components of server 100. In one case, the server 100 may perform any of the operations of the associated instructions when the processor 104 executes the associated instructions stored in any storage medium or combination of storage media. The server 100 also includes one or more drive units 108, such as a hard disk drive unit, an optical disk drive unit, etc., for interacting with any storage media.
The server 100 also includes input/output 110 (I/O) for receiving various inputs (via input unit 112) and for providing various outputs (via output unit 114). One particular output mechanism may include a presentation device 116 and an associated Graphical User Interface (GUI) 118. The server 100 may also include one or more network interfaces 120 for exchanging data with other devices via one or more communication units 122. One or more communication buses 124 couple the components described above together.
The communication unit 122 may be implemented in any manner, for example, via a local area network, a wide area network (e.g., the internet), a point-to-point connection, etc., or any combination thereof. The communication unit 122 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers 100, etc., governed by any protocol or combination of protocols.
Fig. 2 is a schematic flow chart of a method and a system for diagnosing object abnormality based on model recognition according to an embodiment of the present invention, which may be executed by the server 100 shown in fig. 1, and detailed steps of the method and the system for diagnosing object abnormality based on model recognition are described below.
Step S110, candidate object behavior data corresponding to a target online session user is obtained;
step S120, inputting the candidate object behavior data into a preset abnormal knowledge point prediction network, and generating information for representing whether each object behavior data block comprises abnormal behavior knowledge points or not; the candidate object behavior data comprises a plurality of object behavior data blocks;
step S130, based on the behavior knowledge points of the object behavior data blocks, generating related abnormal node information corresponding to related object behavior data block sequences; the related object behavior data block sequence comprises a plurality of mutually connected object behavior data blocks;
step S140, determining an abnormal mining result of the object behavior data block based on the related abnormal node information;
and step S150, generating an abnormality locating root cause corresponding to the target online session user based on the abnormality mining result, and carrying out abnormality interception diagnosis on the target online session user based on the abnormality locating root cause.
Based on the above steps, the embodiment obtains candidate object behavior data corresponding to the target online session user; inputting the candidate object behavior data into a preset abnormal knowledge point prediction network, and generating information for representing whether each object behavior data block comprises an abnormal behavior knowledge point; the candidate object behavior data includes a plurality of object behavior data chunks; based on the behavior knowledge points of the object behavior data blocks, generating related abnormal node information corresponding to related object behavior data block sequences; determining an abnormal mining result of the object behavior data block based on the related abnormal node information; and generating an abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, and performing abnormal interception diagnosis on the target online session user based on the abnormal positioning root cause, so that the accuracy of the subsequent abnormal interception diagnosis on the target online session user can be improved.
In an alternative embodiment, the generating, based on the behavior knowledge points of the object behavior data blocks, related abnormal node information corresponding to the related object behavior data block sequences includes;
determining a first behavior knowledge point of a target object behavior data block in all the object behavior data blocks;
determining associated object behavior data blocks which accord with behavior association conditions with the target object behavior data blocks in all the object behavior data blocks; the related object behavior data block sequence comprises:
the target object behavior data blocks and the associated object behavior data blocks;
determining second behavior knowledge points corresponding to the behavior data blocks of the associated objects;
generating associated abnormal node information corresponding to the associated object behavior data blocks based on the second behavior knowledge points;
and generating the related abnormal node information based on the first behavior knowledge point and the related abnormal node information.
In an alternative embodiment, the generating the related abnormal node information based on the first behavior knowledge point and the related abnormal node information includes:
generating overall abnormal node information corresponding to the candidate object behavior data based on the behavior knowledge points of each object behavior data block;
calculating the first behavior knowledge points, the associated abnormal node information and the overall abnormal node information based on a set fusion model to generate fusion characteristic information;
and generating the related abnormal node information based on the fusion characteristic information.
In an alternative embodiment, the method further comprises:
acquiring template object behavior data for updating network weight parameters of an initialized neural network;
determining a dismantling rule for dismantling the template object behavior data;
based on the dismantling rule, dismantling the template object behavior data to generate a plurality of dismantling member object behavior data;
generating an abnormal mining array corresponding to the template object behavior data based on the first behavior trigger information and the abnormal training content of each disassembled member object behavior data;
the first behavior trigger information and the second behavior trigger information corresponding to the same behavior data of the disassembled member object are correspondingly associated and configured;
the first behavior trigger information is used for representing the position of the disassembled member object behavior data in the candidate object behavior data; the second behavior trigger information is used for representing the position of a preset behavior knowledge point generated based on abnormal training content corresponding to the behavior data of the disassembled member object in the abnormal mining array;
generating sample learning data and sample test data based on the template object behavior data and an anomaly mining array corresponding to each of the template object behavior data;
updating the network weight parameters of the initialized neural network through the sample learning data to generate an updated neural network;
and after the updated neural network is tested through the sample test data and meets the set test validity conditions, the updated neural network is used as the abnormal knowledge point prediction network.
In an alternative embodiment, the generating the anomaly mining array corresponding to the template object behavior data based on the first behavior trigger information of the respective disassembled member object behavior data and the anomaly training content includes:
acquiring abnormal prior label configuration information generated by carrying out abnormal prior label configuration on the template object behavior data;
generating the abnormal training content corresponding to each disassembled member object behavior data based on the abnormal coding mapping information of the abnormal priori label configuration information included in each disassembled member object behavior data;
determining whether abnormal coding mapping information of the abnormal priori label configuration information included in the behavior data of each disassembled member object is in a preset mapping interval or not based on the abnormal training content, and generating preset behavior knowledge points corresponding to the behavior data of each disassembled member object;
generating the first behavior trigger information corresponding to each piece of disassembled member object behavior data based on the position of each piece of disassembled member object behavior data in the template object behavior data;
and generating an abnormal mining array corresponding to the template object behavior data based on the first behavior trigger information and the preset behavior knowledge points corresponding to the disassembled member object behavior data.
In an alternative embodiment, when the attribute type of the target online session user is a first preset attribute type; after the generating of the abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, the method further comprises:
determining abnormal thermodynamic diagram information of the target online session user based on the abnormal positioning root cause;
when the abnormal thermodynamic diagram information has an abnormal session link larger than a set thermodynamic value, judging that the target online session user is an abnormal online session user;
acquiring target online session user behavior trigger information of the target online session user;
and generating interception configuration information corresponding to the target online session user based on the target online session user behavior trigger information.
In an alternative embodiment, when the attribute type of the target online session user is a second preset attribute type; after the generating of the abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, the method further comprises:
determining abnormal thermodynamic diagram information of the target online session user based on the abnormal positioning root cause;
when the abnormal thermodynamic diagram information has an abnormal session link larger than a set thermodynamic value, acquiring cooperative node information of the target online session user;
and generating interception configuration information corresponding to the target online session user based on the cooperative node information.
Fig. 3 shows a functional block diagram of an object abnormality diagnosis system 200 according to model-based recognition, which may correspond to the steps performed by the above-described method according to the function implemented by the object abnormality diagnosis system 200 according to model-based recognition, according to an embodiment of the present invention. The object abnormality diagnosis system 200 according to model recognition may be understood as the above-mentioned server 100 or a processor of the server 100, or may be understood as a component which is independent of the above-mentioned server 100 or processor and implements the functions of the present invention under the control of the server 100, as shown in fig. 3, and the functions of the respective functional modules of the object abnormality diagnosis system 200 according to model recognition will be described in detail below.
An obtaining unit 210, configured to obtain candidate object behavior data corresponding to a target online session user;
a first generating unit 220, configured to input the candidate object behavior data into a preset abnormal knowledge point prediction network, and generate a rule for characterizing whether each object behavior data block includes an abnormal behavior knowledge point; the candidate object behavior data comprises a plurality of object behavior data blocks;
a second generating unit 230, configured to generate relevant abnormal node information corresponding to the relevant object behavior data block sequence based on the behavior knowledge points of the object behavior data blocks; the related object behavior data block sequence comprises a plurality of mutually connected object behavior data blocks;
a determining unit 240, configured to determine an abnormal mining result of the object behavior data block based on the related abnormal node information;
and the diagnosis unit 250 is used for generating an abnormality locating root cause corresponding to the target online session user based on the abnormality mining result and carrying out abnormality interception diagnosis on the target online session user based on the abnormality locating root cause.
In an alternative embodiment, the second generating unit 230 is specifically further configured to;
determining a first behavior knowledge point of a target object behavior data block in all the object behavior data blocks;
determining associated object behavior data blocks which accord with behavior association conditions with the target object behavior data blocks in all the object behavior data blocks; the related object behavior data block sequence comprises:
the target object behavior data blocks and the associated object behavior data blocks;
determining second behavior knowledge points corresponding to the behavior data blocks of the associated objects;
generating associated abnormal node information corresponding to the associated object behavior data blocks based on the second behavior knowledge points;
and generating the related abnormal node information based on the first behavior knowledge point and the related abnormal node information.
In an alternative embodiment, the second generating unit 230 is specifically further configured to;
generating overall abnormal node information corresponding to the candidate object behavior data based on the behavior knowledge points of each object behavior data block;
calculating the first behavior knowledge points, the associated abnormal node information and the overall abnormal node information based on a set fusion model to generate fusion characteristic information;
and generating the related abnormal node information based on the fusion characteristic information.
In an alternative embodiment, the first generating unit 220 is specifically further configured to;
acquiring template object behavior data for updating network weight parameters of an initialized neural network;
determining a dismantling rule for dismantling the template object behavior data;
based on the dismantling rule, dismantling the template object behavior data to generate a plurality of dismantling member object behavior data;
generating an abnormal mining array corresponding to the template object behavior data based on the first behavior trigger information and the abnormal training content of each disassembled member object behavior data;
the first behavior trigger information and the second behavior trigger information corresponding to the same behavior data of the disassembled member object are correspondingly associated and configured;
the first behavior trigger information is used for representing the position of the disassembled member object behavior data in the candidate object behavior data; the second behavior trigger information is used for representing the position of a preset behavior knowledge point generated based on abnormal training content corresponding to the behavior data of the disassembled member object in the abnormal mining array;
generating sample learning data and sample test data based on the template object behavior data and an anomaly mining array corresponding to each of the template object behavior data;
updating the network weight parameters of the initialized neural network through the sample learning data to generate an updated neural network;
and after the updated neural network is tested through the sample test data and meets the set test validity conditions, the updated neural network is used as the abnormal knowledge point prediction network.
In an alternative embodiment, the determining unit 240 is specifically further configured to;
acquiring abnormal prior label configuration information generated by carrying out abnormal prior label configuration on the template object behavior data;
generating the abnormal training content corresponding to each disassembled member object behavior data based on the abnormal coding mapping information of the abnormal priori label configuration information included in each disassembled member object behavior data;
determining whether abnormal coding mapping information of the abnormal priori label configuration information included in the behavior data of each disassembled member object is in a preset mapping interval or not based on the abnormal training content, and generating preset behavior knowledge points corresponding to the behavior data of each disassembled member object;
generating the first behavior trigger information corresponding to each piece of disassembled member object behavior data based on the position of each piece of disassembled member object behavior data in the template object behavior data;
and generating an abnormal mining array corresponding to the template object behavior data based on the first behavior trigger information and the preset behavior knowledge points corresponding to the disassembled member object behavior data.
In an alternative embodiment, the diagnostic unit 250 is specifically further configured to;
determining abnormal thermodynamic diagram information of the target online session user based on the abnormal positioning root cause;
when the abnormal thermodynamic diagram information has an abnormal session link larger than a set thermodynamic value, judging that the target online session user is an abnormal online session user;
acquiring target online session user behavior trigger information of the target online session user;
and generating interception configuration information corresponding to the target online session user based on the target online session user behavior trigger information.
In an alternative embodiment, the diagnostic unit 250 is specifically further configured to;
determining abnormal thermodynamic diagram information of the target online session user based on the abnormal positioning root cause;
when the abnormal thermodynamic diagram information has an abnormal session link larger than a set thermodynamic value, acquiring cooperative node information of the target online session user;
and generating interception configuration information corresponding to the target online session user based on the cooperative node information.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.

Claims (10)

1. A method for diagnosing an abnormality in an object based on model identification, the method comprising:
acquiring candidate object behavior data corresponding to a target online session user;
inputting the candidate object behavior data into a preset abnormal knowledge point prediction network, and generating information for representing whether each object behavior data block comprises an abnormal behavior knowledge point or not; the candidate object behavior data comprises a plurality of object behavior data blocks;
based on the behavior knowledge points of the object behavior data blocks, generating related abnormal node information corresponding to related object behavior data block sequences; the related object behavior data block sequence comprises a plurality of mutually connected object behavior data blocks;
determining an abnormal mining result of the object behavior data block based on the related abnormal node information;
and generating an abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, and carrying out abnormal interception diagnosis on the target online session user based on the abnormal positioning root cause.
2. The object anomaly diagnosis method based on model recognition according to claim 1, wherein the generating related anomaly node information corresponding to a related object behavior data block sequence based on behavior knowledge points of the object behavior data block comprises;
determining a first behavior knowledge point of a target object behavior data block in all the object behavior data blocks;
determining associated object behavior data blocks which accord with behavior association conditions with the target object behavior data blocks in all the object behavior data blocks; the related object behavior data block sequence comprises:
the target object behavior data blocks and the associated object behavior data blocks;
determining second behavior knowledge points corresponding to the behavior data blocks of the associated objects;
generating associated abnormal node information corresponding to the associated object behavior data blocks based on the second behavior knowledge points;
and generating the related abnormal node information based on the first behavior knowledge point and the related abnormal node information.
3. The object anomaly diagnosis method based on model identification according to claim 2, wherein the generating the relevant anomaly node information based on the first behavior knowledge points and the relevant anomaly node information comprises:
generating overall abnormal node information corresponding to the candidate object behavior data based on the behavior knowledge points of each object behavior data block;
calculating the first behavior knowledge points, the associated abnormal node information and the overall abnormal node information based on a set fusion model to generate fusion characteristic information;
and generating the related abnormal node information based on the fusion characteristic information.
4. The model identification-based object abnormality diagnosis method according to claim 1, further comprising:
acquiring template object behavior data for updating network weight parameters of an initialized neural network;
determining a dismantling rule for dismantling the template object behavior data;
based on the dismantling rule, dismantling the template object behavior data to generate a plurality of dismantling member object behavior data;
generating an abnormal mining array corresponding to the template object behavior data based on the first behavior trigger information and the abnormal training content of each disassembled member object behavior data;
the first behavior trigger information and the second behavior trigger information corresponding to the same behavior data of the disassembled member object are correspondingly associated and configured;
the first behavior trigger information is used for representing the position of the disassembled member object behavior data in the candidate object behavior data; the second behavior trigger information is used for representing the position of a preset behavior knowledge point generated based on abnormal training content corresponding to the behavior data of the disassembled member object in the abnormal mining array;
generating sample learning data and sample test data based on the template object behavior data and an anomaly mining array corresponding to each of the template object behavior data;
updating the network weight parameters of the initialized neural network through the sample learning data to generate an updated neural network;
and after the updated neural network is tested through the sample test data and meets the set test validity conditions, the updated neural network is used as the abnormal knowledge point prediction network.
5. The object anomaly diagnosis method based on model recognition according to claim 4, wherein the generating an anomaly mining array corresponding to the template object behavior data based on the first behavior trigger information and anomaly training content of each of the disassembled member object behavior data comprises:
acquiring abnormal prior label configuration information generated by carrying out abnormal prior label configuration on the template object behavior data;
generating the abnormal training content corresponding to each disassembled member object behavior data based on the abnormal coding mapping information of the abnormal priori label configuration information included in each disassembled member object behavior data;
determining whether abnormal coding mapping information of the abnormal priori label configuration information included in the behavior data of each disassembled member object is in a preset mapping interval or not based on the abnormal training content, and generating preset behavior knowledge points corresponding to the behavior data of each disassembled member object;
generating the first behavior trigger information corresponding to each piece of disassembled member object behavior data based on the position of each piece of disassembled member object behavior data in the template object behavior data;
and generating an abnormal mining array corresponding to the template object behavior data based on the first behavior trigger information and the preset behavior knowledge points corresponding to the disassembled member object behavior data.
6. The model identification-based object anomaly diagnosis method according to claim 1, wherein when the attribute category of the target online session user is a first preset attribute category; after the generating of the abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, the method further comprises:
determining abnormal thermodynamic diagram information of the target online session user based on the abnormal positioning root cause;
when the abnormal thermodynamic diagram information has an abnormal session link larger than a set thermodynamic value, judging that the target online session user is an abnormal online session user;
acquiring target online session user behavior trigger information of the target online session user;
and generating interception configuration information corresponding to the target online session user based on the target online session user behavior trigger information.
7. The model identification-based object anomaly diagnosis method according to claim 1, wherein when the attribute category of the target online session user is a second preset attribute category; after the generating of the abnormal positioning root cause corresponding to the target online session user based on the abnormal mining result, the method further comprises:
determining abnormal thermodynamic diagram information of the target online session user based on the abnormal positioning root cause;
when the abnormal thermodynamic diagram information has an abnormal session link larger than a set thermodynamic value, acquiring cooperative node information of the target online session user;
and generating interception configuration information corresponding to the target online session user based on the cooperative node information.
8. An object anomaly diagnostic system based on model identification, comprising:
the acquisition unit is used for acquiring candidate object behavior data corresponding to the target online session user;
the first generation unit is used for inputting the candidate object behavior data into a preset abnormal knowledge point prediction network and generating information for representing whether each object behavior data block comprises an abnormal behavior knowledge point or not; the candidate object behavior data comprises a plurality of object behavior data blocks;
the second generation unit is used for generating related abnormal node information corresponding to the related object behavior data block sequence based on the behavior knowledge points of the object behavior data blocks; the related object behavior data block sequence comprises a plurality of mutually connected object behavior data blocks;
the determining unit is used for determining an abnormal mining result of the object behavior data block based on the related abnormal node information;
and the diagnosis unit is used for generating an abnormality locating root cause corresponding to the target online session user based on the abnormality mining result and carrying out abnormality interception diagnosis on the target online session user based on the abnormality locating root cause.
9. An electronic device, comprising: the device comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus; the memory is used for storing a computer program; the processor being adapted to carry out the method steps of any one of claims 1-7 when the computer program is executed.
10. A readable storage medium, characterized in that it has stored thereon a computer program which, when being executed by a processor, is adapted to carry out the method steps of any of claims 1-7.
CN202311019328.3A 2023-08-14 Object abnormality diagnosis method and system based on model identification Active CN117033052B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311019328.3A CN117033052B (en) 2023-08-14 Object abnormality diagnosis method and system based on model identification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311019328.3A CN117033052B (en) 2023-08-14 Object abnormality diagnosis method and system based on model identification

Publications (2)

Publication Number Publication Date
CN117033052A true CN117033052A (en) 2023-11-10
CN117033052B CN117033052B (en) 2024-05-24

Family

ID=

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111666502A (en) * 2020-07-08 2020-09-15 腾讯科技(深圳)有限公司 Abnormal user identification method and device based on deep learning and storage medium
CN111898758A (en) * 2020-09-29 2020-11-06 苏宁金融科技(南京)有限公司 User abnormal behavior identification method and device and computer readable storage medium
US20210185066A1 (en) * 2017-09-15 2021-06-17 Spherical Defence Labs Limited Detecting anomalous application messages in telecommunication networks
FR3105489A3 (en) * 2019-12-20 2021-06-25 Amadeus Sas FRAUD DETECTION DEVICE AND METHOD
CN115795454A (en) * 2022-12-23 2023-03-14 刘勇 Service optimization method and artificial intelligence optimization system based on online operation big data
CN116016468A (en) * 2022-12-29 2023-04-25 杭州网易智企科技有限公司 Session problem diagnosis method, device, medium and electronic equipment
WO2023093100A1 (en) * 2021-11-26 2023-06-01 浪潮通信信息系统有限公司 Method and apparatus for identifying abnormal calling of api gateway, device, and product
CN116383503A (en) * 2023-04-07 2023-07-04 西南大学 Knowledge tracking method and system based on countermeasure learning and sequence recommendation
CN116415957A (en) * 2023-03-28 2023-07-11 中国工商银行股份有限公司 Abnormal transaction object identification method, device, computer equipment and storage medium
CN116451050A (en) * 2022-01-07 2023-07-18 腾讯科技(深圳)有限公司 Abnormal behavior recognition model training and abnormal behavior recognition method and device

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210185066A1 (en) * 2017-09-15 2021-06-17 Spherical Defence Labs Limited Detecting anomalous application messages in telecommunication networks
FR3105489A3 (en) * 2019-12-20 2021-06-25 Amadeus Sas FRAUD DETECTION DEVICE AND METHOD
CN111666502A (en) * 2020-07-08 2020-09-15 腾讯科技(深圳)有限公司 Abnormal user identification method and device based on deep learning and storage medium
CN111898758A (en) * 2020-09-29 2020-11-06 苏宁金融科技(南京)有限公司 User abnormal behavior identification method and device and computer readable storage medium
WO2023093100A1 (en) * 2021-11-26 2023-06-01 浪潮通信信息系统有限公司 Method and apparatus for identifying abnormal calling of api gateway, device, and product
CN116451050A (en) * 2022-01-07 2023-07-18 腾讯科技(深圳)有限公司 Abnormal behavior recognition model training and abnormal behavior recognition method and device
CN115795454A (en) * 2022-12-23 2023-03-14 刘勇 Service optimization method and artificial intelligence optimization system based on online operation big data
CN116016468A (en) * 2022-12-29 2023-04-25 杭州网易智企科技有限公司 Session problem diagnosis method, device, medium and electronic equipment
CN116415957A (en) * 2023-03-28 2023-07-11 中国工商银行股份有限公司 Abnormal transaction object identification method, device, computer equipment and storage medium
CN116383503A (en) * 2023-04-07 2023-07-04 西南大学 Knowledge tracking method and system based on countermeasure learning and sequence recommendation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王佳楠等: "基于语义向量与OCSVM的工控网络异常行为识别", 《计算机系统应用》, no. 07, 15 July 2018 (2018-07-15), pages 236 *

Similar Documents

Publication Publication Date Title
EP2478423A1 (en) Supervised fault learning using rule-generated samples for machine condition monitoring
CN109143094B (en) Abnormal data detection method and device for power battery
CN112183555B (en) Method and system for detecting welding quality, electronic device and storage medium
CN117033052B (en) Object abnormality diagnosis method and system based on model identification
CN117033052A (en) Object abnormality diagnosis method and system based on model identification
CN111737143B (en) Method and system for troubleshooting AB test of webpage
CN113282482A (en) Compatibility test method and system for software package
CN117729119A (en) Equipment operation data processing method and system for edge computing gateway
CN117401179A (en) Unmanned aerial vehicle-based flight performance testing method and system
CN113905407B (en) Terminal equipment monitoring information acquisition method and system in distributed wireless networking
CN117216701B (en) Intelligent bridge monitoring and early warning method and system
CN117272207A (en) Data center anomaly analysis method and system
CN117031421A (en) Anomaly analysis method and system of radar signal simulation system
CN117910541A (en) Production operation abnormity positioning method and system based on edge computing gateway
CN113570333B (en) Process design method suitable for integration
CN117540253A (en) Data analysis method and system of square box quality detection system
CN117519034A (en) Abnormality monitoring method and system applied to corrugated board production control system
CN116890342A (en) Chemical pipe gallery inspection robot control method and system
CN117077809A (en) Abnormal data analysis method and system based on wind control decision and visualization
CN117952252A (en) Intelligent scheduling early warning method and system for hardware processing
CN117914734A (en) Gateway equipment switching method and system based on data analysis
CN117110782A (en) Method and system for testing network-related performance of energy storage power station
CN114398818B (en) Textile jacquard detection method and system based on deep learning
Pushak et al. Empirical scaling analyzer: An automated system for empirical analysis of performance scaling
CN116926241A (en) Immune cell culture control method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240428

Address after: 400000 RMB, 2nd Floor, Building K, Industrial Park, Guiyang Street, Dianjiang County, Chongqing (self committed)

Applicant after: QiPocket (Chongqing) Digital Technology Co.,Ltd.

Country or region after: China

Address before: Floor 24, Unit 1, Building 2, Zone F, Huaguoyuan Project, Nanming District, Guiyang City, Guizhou Province, 550000

Applicant before: Guizhou Huima Technology Co.,Ltd.

Country or region before: China

GR01 Patent grant