TWI734038B - Method and device for identifying abnormal data access - Google Patents

Method and device for identifying abnormal data access

Publication number: TWI734038B
Authority: TW (Taiwan)
Prior art keywords: access, data, behavior, model, information
Application number: TW107134751A
Other languages: Chinese (zh)
Other versions: TW201926105A (en)
Inventor: 郭龍
Original Assignee: 開曼群島商創新先進技術有限公司
Application filed by: 開曼群島商創新先進技術有限公司
Publication of TW201926105A
Application granted
Publication of TWI734038B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Testing And Monitoring For Control Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

This specification discloses a method and device for identifying abnormal data access. The method includes: obtaining original access information of a target data access behavior; quantifying the original access information into target access feature parameters of multiple dimensions; inputting the target access feature parameters of the multiple dimensions into a trained access model as input parameters; and determining, according to the output result of the access model, whether the target data access behavior is abnormal.

Description

Method and device for identifying abnormal data access

This specification relates to the field of Internet technology, and in particular to a method and device for identifying abnormal data access.

With the rapid development of Internet technology, open platforms have become a strategic direction for many companies. An open platform can open data interfaces to enterprises, government bodies and other institutions so that those institutions can call its data. However, many bad actors currently misappropriate these data interfaces and illegally steal data from open platforms, resulting in data leaks.

In view of this, this specification provides a method and device for identifying abnormal data access.

Specifically, this specification is implemented through the following technical solutions:

A method for identifying abnormal data access, including:
  • obtaining original access information of a target data access behavior;
  • quantifying the original access information into target access feature parameters of multiple dimensions;
  • inputting the target access feature parameters of the multiple dimensions into a trained access model as input parameters;
  • determining, according to the output result of the access model, whether the target data access behavior is abnormal.

A device for identifying abnormal data access, including:
  • an information acquisition unit, which obtains original access information of a target data access behavior;
  • an information quantization unit, which quantifies the original access information into target access feature parameters of multiple dimensions;
  • a model using unit, which inputs the target access feature parameters of the multiple dimensions into a trained access model as input parameters;
  • an abnormality determination unit, which determines, according to the output result of the access model, whether the target data access behavior is abnormal.

A device for identifying abnormal data access, including:
  • a processor;
  • a memory for storing machine-executable instructions;
wherein, by reading and executing the machine-executable instructions stored in the memory that correspond to the identification logic for abnormal data access, the processor is caused to:
  • obtain original access information of a target data access behavior;
  • quantify the original access information into target access feature parameters of multiple dimensions;
  • input the target access feature parameters of the multiple dimensions into a trained access model as input parameters;
  • determine, according to the output result of the access model, whether the target data access behavior is abnormal.

As can be seen from the above description, this specification can quantify the original access information of a target data access behavior into target access feature parameters of multiple dimensions and, based on a trained access model, identify whether the target data access behavior is abnormal, thereby achieving effective identification and supervision of data access behavior.

The exemplary embodiments are described in detail here, and examples of them are shown in the drawings. When the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this specification. Rather, they are merely examples of devices and methods consistent with some aspects of this specification, as detailed in the appended claims.

The terms used in this specification are for the purpose of describing particular embodiments only and are not intended to limit this specification. The singular forms "a", "said" and "the" used in this specification and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.

It should be understood that although the terms first, second, third, etc. may be used in this specification to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of this specification, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when" or "in response to determining".

Fig. 1 is a schematic flowchart of a method for identifying abnormal data access according to an exemplary embodiment of this specification.

The method can be applied on an open platform that exposes a data calling interface to external parties. The physical carrier of the open platform is usually a server or a server cluster.

Referring to Fig. 1, the method for identifying abnormal data access may include the following steps:

Step 102: Obtain original access information of the target data access behavior.

In this embodiment, when determining whether the target data access behavior is an abnormal data access behavior, the original access information of the target data access behavior can be obtained.

The timing for judging whether the target data access behavior is abnormal may be preset. For example, the judgment may be made on a judgment cycle of 24 hours, 48 hours, etc., or when a judgment instruction issued by an administrator is received. This specification places no special limitation on this.

The original access information may include: access initiator information, access time points, amount of data accessed, etc.

Step 104: Quantify the original access information into target access feature parameters of multiple dimensions.
Following step 102, after the original access information is obtained, it can be quantified into access feature parameters of each dimension based on preset dimensions. For ease of distinction, these access feature parameters are referred to in this specification as target access feature parameters.

The preset dimensions may be set in advance by developers. For example, they may include a quantity dimension, a time dimension, a location dimension, etc.

Step 106: Input the target access feature parameters of the multiple dimensions into the trained access model as input parameters.

Step 108: Determine, according to the output result of the access model, whether the target data access behavior is abnormal.

In this embodiment, the access model may be a supervised model, for example a neural network model. The access model may also be an unsupervised model, for example an Isolation Forest (outlier detection algorithm) model, a clustering model, etc.

In this embodiment, the way the output result is judged differs with the access model. For example, if an Isolation Forest model is used and the output result is an isolated point, the target data access behavior can be determined to be abnormal. Those skilled in the art can make the judgment according to the characteristics of the access model, and the details are not repeated here.

As can be seen from the above description, this specification can quantify the original access information of a target data access behavior into target access feature parameters of multiple dimensions and, based on a trained access model, identify whether the target data access behavior is abnormal, thereby achieving effective identification and supervision of data access behavior.
The following describes the specific implementation of this specification from two aspects: the training of the access model and the application of the trained access model.

1. Training of the access model

In this embodiment, when training the access model, an original access model can be selected first. The original access model may be a supervised model or an unsupervised model. The following description takes an unsupervised model as an example.

In this embodiment, the historical access information of different access initiators over a period of time can be obtained first. The historical access information is the access information from each access initiator's past calls to the data interface for data access, and may include: access time points, amount of data accessed, the location to which the accessed data belongs, etc.

After the historical access information is obtained, it can be quantified into historical access feature parameters of multiple dimensions.

The dimensions of the historical access feature parameters can be set in advance by developers according to business characteristics. For example, the target access feature parameters of the multiple dimensions include one or more of the following:

(1) Access quantity parameter. The access quantity parameter may include: the total amount of data accessed, the amount of data accessed per unit time, etc.

The total amount of data accessed may be the number of records accessed. For example, if 50,000 records are accessed, the total amount of data accessed is 50,000.

The unit time may be 24 hours, 7 days, etc. This specification places no special limitation on this.

(2) Comparison result parameter between the access quantity parameter and the mean access quantity parameter of the category to which the access initiator belongs.

In this embodiment, access initiators may include hospitals, public institutions, merchants and other enterprises, institutions or government bodies. Different categories of access initiator usually call data for different purposes and with different characteristics. This embodiment therefore compares the access quantity parameter with the mean of the access quantity parameter of the category to which the access initiator belongs, and uses the comparison result parameter as one dimension of the access feature parameters.

The comparison result parameter may be the ratio of the access quantity to the mean access quantity parameter of the category to which the access initiator belongs. For example, suppose the access quantity is a total of 50,000 records accessed, the access initiator is a hospital, and the mean total amount of data accessed in the hospital industry is 60,000. The comparison result parameter is then 5/6.

The comparison result parameter may also be the access quantity expressed as a percentage of the mean access quantity parameter of the category to which the access initiator belongs, etc. This specification places no special limitation on this.

(3) Comparison result parameter between the access time parameter and the mean access time parameter of the category to which the access initiator belongs.

In this embodiment, the access time parameter may include: the average time interval between data accesses within the data access behavior, etc. For example, still taking a hospital, suppose the average time interval between data accesses in the historical access information is 5 minutes, while the average access time interval in the hospital industry is 60 minutes. The comparison result parameter can then be 5/60.

As with the access quantity above, this comparison result parameter may also be a percentage, etc. This specification places no special limitation on this.

(4) Proportion of the accessed data whose location differs from the location of the access initiator.

Still taking a hospital as an example, most patients who visit a hospital are local, so when the hospital accesses patient information, the locations of the patients accessed should mostly be the same as the hospital's location. If a hospital accesses information on a large number of non-local users, the probability that the access interface has been misappropriated by bad actors is relatively high.

Given this characteristic, the location of the access initiator can be determined first, for example Hangzhou. Then the number of records accessed by the initiator whose location is not Hangzhou, or not Zhejiang Province, is counted, and that count is divided by the total amount of data accessed. The result is the proportion of the accessed data whose location differs from the location of the access initiator.

In practice, the proportion of the accessed data whose location is the same as the access initiator's location can also be used as the access feature parameter. This specification places no special limitation on this.

In this embodiment, after the historical access information is quantified into historical access feature parameters of multiple dimensions, those parameters can be used to train the original access model to obtain the trained access model.

In this embodiment, using an unsupervised model as the original access model means the historical access information does not need to be marked with access labels, which saves a large amount of processing resources. The access labels are used to mark normal data access behavior and abnormal data access behavior.

In this embodiment, to ensure the accuracy of the access model, the trained access model can be checked manually after training.

If it passes the check, the access model can be put online to identify abnormal data access behavior.

If it fails the check, the multi-dimensional access feature parameters can be adjusted, for example by adding or removing access feature parameters, to optimize the model.

2. Application of the trained access model

In this embodiment, once the access model has been trained, it can be put online to identify actual data access behavior.

In one example, the access information of each access initiator's data access behavior can be obtained on a 24-hour cycle. For ease of description, this access information is referred to as the original access information.

The original access information may include: access initiator information, access time points, amount of data accessed, location of the accessed data, etc.

The cycle may also be 48 hours, 36 hours, etc. This specification places no special limitation on this.

In this embodiment, after the original access information is obtained, it can be quantified into target access feature parameters of multiple dimensions. For the dimensions of the target access feature parameters and the quantization rules, refer to the training process of the access model described above. They are not repeated here.

In this embodiment, the quantized target access feature parameters of the multiple dimensions can be input into the trained access model as input parameters, and whether the target data access behavior is abnormal is determined according to the output result of the access model.
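The training and application steps described above (quantify a window of raw access information into the four feature dimensions, train an unsupervised model on unlabelled history, score a new window), as an added example that is not part of the patent. The Isolation Forest here is a compact pure-Python version; the per-call record layout, the 90th-percentile decision rule and all sample data are assumptions constructed for illustration.

```python
import math
import random
from statistics import mean

WINDOW_MIN = 24 * 60  # one 24-hour judgment cycle, as in the description

def raw_params(calls):
    """calls: hypothetical layout (minute, records_returned, records_outside_initiator_region)."""
    total = sum(n for _, n, _ in calls)
    times = sorted(t for t, _, _ in calls)
    gaps = [b - a for a, b in zip(times, times[1:])]
    # A window with 0 or 1 call has no interval; treat it as one call per window.
    avg_gap = mean(gaps) if gaps else float(WINDOW_MIN)
    return total, avg_gap, sum(k for _, _, k in calls)

def quantify(calls, cat_mean_total, cat_mean_gap):
    """Step 104: the four feature dimensions listed in the description."""
    total, avg_gap, nonlocal_count = raw_params(calls)
    return [
        float(total),                               # (1) access quantity
        total / cat_mean_total,                     # (2) quantity vs. category mean
        avg_gap / cat_mean_gap,                     # (3) mean interval vs. category mean
        nonlocal_count / total if total else 0.0,   # (4) share of non-local records
    ]

def c(n):
    """Expected path length of an unsuccessful binary-search-tree lookup over n points."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(rows, depth, limit, rng):
    if depth >= limit or len(rows) <= 1:
        return ("leaf", len(rows))
    q = rng.randrange(len(rows[0]))                 # random feature
    lo, hi = min(r[q] for r in rows), max(r[q] for r in rows)
    if lo == hi:  # simplification: stop instead of retrying another feature
        return ("leaf", len(rows))
    p = rng.uniform(lo, hi)                         # random split value
    left = [r for r in rows if r[q] < p]
    right = [r for r in rows if r[q] >= p]
    return ("node", q, p, build_tree(left, depth + 1, limit, rng),
            build_tree(right, depth + 1, limit, rng))

def path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + c(tree[1])
    _, q, p, left, right = tree
    return path_length(left if x[q] < p else right, x, depth + 1)

def fit(rows, n_trees=200, seed=7):
    """Train on unlabelled history; every tree sees all rows (the set is small)."""
    rng = random.Random(seed)
    limit = math.ceil(math.log2(len(rows)))
    return [build_tree(rows, 0, limit, rng) for _ in range(n_trees)], len(rows)

def score(model, x):
    """Isolation Forest anomaly score in (0, 1]; higher means easier to isolate."""
    trees, n = model
    return 2.0 ** (-mean(path_length(t, x) for t in trees) / c(n))

def make_window(rng, n_calls, gap_min, per_call, nonlocal_rate):
    """Constructed sample data: one initiator's API calls over one window."""
    t, calls = 0.0, []
    for _ in range(n_calls):
        t += rng.uniform(0.5, 1.5) * gap_min
        n = max(1, int(rng.gauss(per_call, per_call * 0.1)))
        calls.append((t, n, int(n * nonlocal_rate * rng.uniform(0.5, 1.5))))
    return calls

def demo():
    rng = random.Random(1)
    history = [make_window(rng, 24, 60, 2500, 0.05) for _ in range(60)]
    params = [raw_params(w) for w in history]
    cat_total = mean(p[0] for p in params)          # category mean of total records
    cat_gap = mean(p[1] for p in params)            # category mean of access interval
    X = [quantify(w, cat_total, cat_gap) for w in history]
    model = fit(X)
    # Assumed decision rule: flag scores above the 90th percentile of history.
    threshold = sorted(score(model, x) for x in X)[int(0.9 * len(X))]
    # Constructed suspect window: calls every ~5 min, ~60% non-local records.
    suspect = quantify(make_window(rng, 280, 5, 2500, 0.60), cat_total, cat_gap)
    s = score(model, suspect)
    return {"model": model, "cat_total": cat_total, "cat_gap": cat_gap,
            "threshold": threshold, "suspect_score": s, "suspect_flagged": s > threshold}

if __name__ == "__main__":
    r = demo()
    print(f"threshold={r['threshold']:.3f} suspect={r['suspect_score']:.3f} "
          f"flagged={r['suspect_flagged']}")
```

Because each split is drawn between a feature's minimum and maximum, the forest is insensitive to feature scale, so the raw record count and the ratio features can be mixed without normalization.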
For example, at midnight each day the original access information of each hospital for the previous day (24 hours) can be obtained. Each hospital's original access information can be quantified into target access feature parameters of multiple dimensions, which are then input into the trained access model as input parameters, so that whether the hospital's data access behavior on the previous day was abnormal can be determined from the output result of the access model. If it is abnormal, an administrator can be prompted to investigate and determine whether someone has illegally called the data interface to steal data.

Corresponding to the foregoing embodiments of the method for identifying abnormal data access, this specification also provides embodiments of a device for identifying abnormal data access.

The embodiments of the device for identifying abnormal data access can be applied on a server. The device embodiments can be implemented in software, in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the device in the logical sense is formed by the processor of the server on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 2 shows a hardware structure diagram of the server on which the device for identifying abnormal data access resides. In addition to the processor, memory, network interface and non-volatile memory shown in Fig. 2, the server on which the device resides may also include other hardware according to the actual function of the server, which is not described further here.

Fig. 3 is a block diagram of a device for identifying abnormal data access according to an exemplary embodiment of this specification.

Referring to Fig. 3, the device 200 for identifying abnormal data access can be applied in the server shown in Fig. 2 and includes: an information acquisition unit 201, an information quantization unit 202, a model using unit 203, an abnormality determination unit 204 and a model training unit 205.

  • The information acquisition unit 201 obtains original access information of the target data access behavior.
  • The information quantization unit 202 quantifies the original access information into target access feature parameters of multiple dimensions.
  • The model using unit 203 inputs the target access feature parameters of the multiple dimensions into the trained access model as input parameters.
  • The abnormality determination unit 204 determines, according to the output result of the access model, whether the target data access behavior is abnormal.
  • The model training unit 205 obtains historical access information; quantifies the historical access information into historical access feature parameters of multiple dimensions; and trains the original access model according to the historical access feature parameters to obtain the trained access model.

Optionally, when the original access model is an unsupervised model, the historical access information does not include access labels. The access labels are used to mark normal data access behavior and abnormal data access behavior.

Optionally, the target access feature parameters of the multiple dimensions include one or more of the following:
  • the access quantity parameter of the target data access behavior;
  • the comparison result parameter between the access quantity parameter of the target data access behavior and the mean access quantity parameter of the category to which the initiator of the target data access behavior belongs;
  • the comparison result parameter between the access time parameter of the target data access behavior and the mean access time parameter of the category to which the initiator of the target data access behavior belongs;
  • the proportion of the data accessed by the target data access behavior whose location differs from the location of the initiator of the target data access behavior.

Optionally, the access quantity parameter includes: the total amount of data accessed and the amount of data accessed per unit time. The access time parameter includes: the average time interval between data accesses in the target data access behavior.

For the implementation of the functions and roles of each unit in the above device, refer to the implementation of the corresponding steps in the above method. The details are not repeated here.

Since the device embodiments basically correspond to the method embodiments, refer to the description of the method embodiments for the relevant parts. The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in this specification. Those of ordinary skill in the art can understand and implement it without creative effort.
The systems, devices, modules, or units explained in the above embodiments may be implemented by computer chips or entities, or implemented by products with certain functions. A typical implementation device is a computer. The specific form of the computer can be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email receiving and sending device, and a game control A desktop, a tablet, a wearable device, or a combination of any of these devices. Corresponding to the aforementioned embodiment of the method for identifying abnormal data access, this specification also provides a device for identifying abnormal data access. The device for identifying abnormal data access includes a processor and a memory for storing machine executable instructions. body. Among them, the processor and the memory are usually connected to each other through an internal bus. In other possible implementation manners, the device may also include an external interface to be able to communicate with other devices or components. In this embodiment, by reading and executing the machine executable instructions corresponding to the identification logic of abnormal data access stored in the memory, the processor is prompted to: obtain the original access of the target data access behavior Information; quantifying the original access information into target access feature parameters of multiple dimensions; inputting the target access feature parameters of the multiple dimensions as input parameters into the trained access model; according to the access model The output result of determines whether the target data access behavior is abnormal. 
Optionally, during the training of the access model, by reading and executing the machine-executable instructions stored in the memory that correspond to the identification logic for abnormal data access, the processor is also caused to: obtain historical access information; quantify the historical access information into historical access feature parameters of multiple dimensions; and train the original access model according to the historical access feature parameters to obtain the trained access model.

Optionally, when the original access model is an unsupervised model, the historical access information does not include an access tag; the access tag is used to mark normal data access behaviors and abnormal data access behaviors.

Optionally, the target access feature parameters of the multiple dimensions include one or more of the following: an access quantity parameter of the target data access behavior; a comparison result parameter between the access quantity parameter of the target data access behavior and the mean access quantity parameter of the category to which the initiator of the target data access behavior belongs; a comparison result parameter between the access time parameter of the target data access behavior and the mean access time parameter of the category to which the initiator of the target data access behavior belongs; and the proportion, by data volume, of the data accessed by the target data access behavior whose location differs from the location of the initiator of the target data access behavior.

Optionally, the access quantity parameter includes: the total amount of data accessed and the amount of data accessed per unit time; the access time parameter includes: the average access time interval between data accesses in the target data access behavior.
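The quantification and label-free training steps described above can be sketched as follows. This is an added example, not code from the patent: the passage does not name a specific model, so the per-dimension median/MAD baseline, the 3.5 threshold, the record layout and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, median

@dataclass
class Access:                      # one call to the data interface
    ts: float                      # access time point, seconds
    volume: int                    # amount of data accessed
    data_loc: str                  # location the accessed data belongs to

@dataclass
class Behavior:                    # one initiator's accesses in the window (>= 1)
    category: str                  # category the initiator belongs to
    home_loc: str                  # location of the initiator
    accesses: list

def raw_stats(b):
    """Total volume, volume per hour, mean access interval, foreign-data share."""
    ts = sorted(a.ts for a in b.accesses)
    total = sum(a.volume for a in b.accesses)
    hours = max(ts[-1] - ts[0], 1.0) / 3600.0          # floor at 1 s: no divide-by-zero
    gaps = [y - x for x, y in zip(ts, ts[1:])] or [0.0]
    foreign = sum(a.volume for a in b.accesses if a.data_loc != b.home_loc)
    return total, total / hours, mean(gaps), (foreign / total if total else 0.0)

def category_means(history):
    """Mean total volume and mean access interval for each initiator category."""
    groups = defaultdict(list)
    for b in history:
        groups[b.category].append(raw_stats(b))
    return {c: (mean(s[0] for s in v), mean(s[2] for s in v)) for c, v in groups.items()}

def quantify(b, cat_means):
    """Quantify raw access information into the five feature dimensions."""
    total, per_hour, gap, foreign_share = raw_stats(b)
    cat_total, cat_gap = cat_means[b.category]
    return [total, per_hour,
            total / cat_total if cat_total else 1.0,   # volume vs. category mean
            gap / cat_gap if cat_gap else 1.0,         # interval vs. category mean
            foreign_share]

class RobustBaseline:
    """Assumed unsupervised model: per-dimension median and MAD, no labels."""
    def fit(self, rows):
        cols = list(zip(*rows))
        self.med = [median(c) for c in cols]
        self.mad = [median(abs(x - m) for x in c) or 1e-9 for c, m in zip(cols, self.med)]
        return self

    def score(self, row):
        """Largest robust z-score across the feature dimensions."""
        return max(abs(x - m) / (1.4826 * d) for x, m, d in zip(row, self.med, self.mad))

def is_abnormal(b, cat_means, model, threshold=3.5):
    return model.score(quantify(b, cat_means)) > threshold

def make_behavior(n, gap_s, volume, foreign_every, category="merchant", home="TW"):
    """Constructed sample: n calls, gap_s apart; every k-th call reads 'JP' data."""
    return Behavior(category, home, [
        Access(i * gap_s, volume, "JP" if i % foreign_every == 0 else home)
        for i in range(n)])

# Constructed, unlabeled history: (calls, gap seconds, volume per call, k)
HISTORY = [make_behavior(*p) for p in [
    (20, 300, 10, 10), (22, 280, 12, 11), (18, 320, 9, 9), (25, 260, 11, 12),
    (21, 310, 10, 7), (19, 290, 13, 19), (24, 270, 8, 8), (20, 300, 11, 10)]]
CAT_MEANS = category_means(HISTORY)
MODEL = RobustBaseline().fit([quantify(b, CAT_MEANS) for b in HISTORY])

ROUTINE = make_behavior(21, 295, 10, 10)   # looks like the history
BULK = make_behavior(400, 2, 50, 1)        # fast, large, all non-local data

if __name__ == "__main__":
    for name, b in (("routine", ROUTINE), ("bulk", BULK)):
        print(name, round(MODEL.score(quantify(b, CAT_MEANS)), 2), is_abnormal(b, CAT_MEANS, MODEL))
```

Because the baseline is fitted without access tags, any abnormal behavior already present in the history shifts the medians only slightly, which is why median and MAD are used here instead of mean and standard deviation.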
Corresponding to the aforementioned embodiment of the method for identifying abnormal data access, this specification also provides a computer-readable storage medium on which a computer program is stored. When the program is executed by a processor, the following steps are implemented: obtaining the original access information of the target data access behavior; quantifying the original access information into target access feature parameters of multiple dimensions; inputting the target access feature parameters of the multiple dimensions as input parameters into the trained access model; and determining, according to the output result of the access model, whether the target data access behavior is abnormal.

Optionally, the training process of the access model includes: obtaining historical access information; quantifying the historical access information into historical access feature parameters of multiple dimensions; and training the original access model according to the historical access feature parameters to obtain the trained access model.

Optionally, when the original access model is an unsupervised model, the historical access information does not include an access tag; the access tag is used to mark normal data access behaviors and abnormal data access behaviors.

Optionally, the target access feature parameters of the multiple dimensions include one or more of the following: an access quantity parameter of the target data access behavior; a comparison result parameter between the access quantity parameter of the target data access behavior and the mean access quantity parameter of the category to which the initiator of the target data access behavior belongs; a comparison result parameter between the access time parameter of the target data access behavior and the mean access time parameter of the category to which the initiator of the target data access behavior belongs; and the proportion, by data volume, of the data accessed by the target data access behavior whose location differs from the location of the initiator of the target data access behavior.
Optionally, the access quantity parameter includes: the total amount of data accessed and the amount of data accessed per unit time; the access time parameter includes: the average access time interval between data accesses in the target data access behavior.

The foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve the desired results. In addition, the processes depicted in the drawings do not necessarily require the specific order or sequential order shown in order to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

The above descriptions are only the preferred embodiments of this specification and are not intended to limit this specification. Any modification, equivalent replacement, or improvement made within the spirit and principles of this specification shall fall within the scope of protection of this specification.

S102~S108‧‧‧Steps
200‧‧‧Device for identifying abnormal data access
201‧‧‧Information acquisition unit
202‧‧‧Information quantification unit
203‧‧‧Model use unit
204‧‧‧Abnormality judgment unit
205‧‧‧Model training unit

Fig. 1 is a schematic flowchart of a method for identifying abnormal data access according to an exemplary embodiment of this specification.
Fig. 2 is a schematic structural diagram of a device for identifying abnormal data access according to an exemplary embodiment of this specification.
Fig. 3 is a block diagram of a device for identifying abnormal data access according to an exemplary embodiment of this specification.

Claims (7)

1. A method for identifying abnormal data access, comprising: obtaining original access information of a target data access behavior; quantifying the original access information into target access feature parameters of multiple dimensions; inputting the target access feature parameters of the multiple dimensions as input parameters into a trained access model; and determining, according to the output result of the access model, whether the target data access behavior is abnormal; wherein the training process of the access model comprises: obtaining historical access information; quantifying the historical access information into historical access feature parameters of multiple dimensions; and training an original access model according to the historical access feature parameters to obtain the trained access model; wherein, when the original access model is an unsupervised model, the historical access information does not include an access tag, the access tag being used to mark normal data access behaviors and abnormal data access behaviors; and wherein the historical access information is historical access information of data accesses made by different access initiators calling a data interface within a predetermined time, and includes: the access time point, the amount of data accessed, and the location to which the accessed data belongs.

2. The method according to claim 1, wherein the target access feature parameters of the multiple dimensions include one or more of the following: an access quantity parameter of the target data access behavior; a comparison result parameter between the access quantity parameter of the target data access behavior and the mean access quantity parameter of the category to which the initiator of the target data access behavior belongs; a comparison result parameter between the access time parameter of the target data access behavior and the mean access time parameter of the category to which the initiator of the target data access behavior belongs; and the proportion, by data volume, of the data accessed by the target data access behavior whose location differs from the location of the initiator of the target data access behavior.

3. The method according to claim 2, wherein the access quantity parameter includes: the total amount of data accessed and the amount of data accessed per unit time; and the access time parameter includes: the average access time interval between data accesses in the target data access behavior.

4. A device for identifying abnormal data access, comprising: an information acquisition unit that obtains original access information of a target data access behavior; an information quantification unit that quantifies the original access information into target access feature parameters of multiple dimensions; a model use unit that inputs the target access feature parameters of the multiple dimensions as input parameters into a trained access model; an abnormality judgment unit that determines, according to the output result of the access model, whether the target data access behavior is abnormal; and a model training unit that obtains historical access information, quantifies the historical access information into historical access feature parameters of multiple dimensions, and trains an original access model according to the historical access feature parameters to obtain the trained access model; wherein, when the original access model is an unsupervised model, the historical access information does not include an access tag, the access tag being used to mark normal data access behaviors and abnormal data access behaviors; and wherein the historical access information is historical access information of data accesses made by different access initiators calling a data interface within a predetermined time, and includes: the access time point, the amount of data accessed, and the location to which the accessed data belongs.

5. The device according to claim 4, wherein the target access feature parameters of the multiple dimensions include one or more of the following: an access quantity parameter of the target data access behavior; a comparison result parameter between the access quantity parameter of the target data access behavior and the mean access quantity parameter of the category to which the initiator of the target data access behavior belongs; a comparison result parameter between the access time parameter of the target data access behavior and the mean access time parameter of the category to which the initiator of the target data access behavior belongs; and the proportion, by data volume, of the data accessed by the target data access behavior whose location differs from the location of the initiator of the target data access behavior.

6. The device according to claim 5, wherein the access quantity parameter includes: the total amount of data accessed and the amount of data accessed per unit time; and the access time parameter includes: the average access time interval between data accesses in the target data access behavior.

7. A device for identifying abnormal data access, comprising: a processor; and a memory for storing machine-executable instructions; wherein, by reading and executing the machine-executable instructions stored in the memory that correspond to the identification logic for abnormal data access, the processor is caused to: obtain original access information of a target data access behavior; quantify the original access information into target access feature parameters of multiple dimensions; input the target access feature parameters of the multiple dimensions as input parameters into a trained access model; and determine, according to the output result of the access model, whether the target data access behavior is abnormal; wherein the training process of the access model comprises: obtaining historical access information; quantifying the historical access information into historical access feature parameters of multiple dimensions; and training an original access model according to the historical access feature parameters to obtain the trained access model; wherein, when the original access model is an unsupervised model, the historical access information does not include an access tag, the access tag being used to mark normal data access behaviors and abnormal data access behaviors; and wherein the historical access information is historical access information of data accesses made by different access initiators calling a data interface within a predetermined time, and includes: the access time point, the amount of data accessed, and the location to which the accessed data belongs.

TW107134751A 2017-12-05 2018-10-02 Method and device for identifying abnormal data access TWI734038B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201711265695.6 2017-12-05
??201711265695.6 2017-12-05
CN201711265695.6A CN108200008A (en) 2017-12-05 2017-12-05 The recognition methods and device that abnormal data accesses

Publications (2)

Publication Number Publication Date
TW201926105A TW201926105A (en) 2019-07-01
TWI734038B TWI734038B (en) 2021-07-21

Family

ID=62573649

Family Applications (1)

Application Number Title Priority Date Filing Date
TW107134751A TWI734038B (en) 2017-12-05 2018-10-02 Method and device for identifying abnormal data access

Country Status (3)

Country Link
CN (1) CN108200008A (en)
TW (1) TWI734038B (en)
WO (1) WO2019109741A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109274639A (en) * 2018-07-03 2019-01-25 阿里巴巴集团控股有限公司 The recognition methods of open platform abnormal data access and device
CN109460784A (en) * 2018-10-22 2019-03-12 武汉极意网络科技有限公司 Access behavioural characteristic method for establishing model, equipment, storage medium and device
CN109818974A (en) * 2019-03-14 2019-05-28 北京百度网讯科技有限公司 Method and apparatus for sending information
CN112306722A (en) * 2019-07-26 2021-02-02 北京京东乾石科技有限公司 Method, device, equipment and computer readable medium for identifying fault
US10826927B1 (en) 2020-03-05 2020-11-03 Fmr Llc Systems and methods for data exfiltration detection
TWI757915B (en) * 2020-10-14 2022-03-11 國立中央大學 High Efficiency Discrimination System for Heterogeneous Time Series Data Representation
CN112328934A (en) * 2020-10-16 2021-02-05 上海涛飞网络科技有限公司 Access behavior path analysis method, device, equipment and storage medium
CN115134102A (en) * 2021-03-24 2022-09-30 北京字节跳动网络技术有限公司 Abnormal access detection method and device, storage medium and electronic equipment
CN113381977B (en) * 2021-05-07 2022-11-22 北京锐服信科技有限公司 Application layer compression method and system for data packet
CN113746899B (en) * 2021-07-29 2023-04-07 济南浪潮数据技术有限公司 Cloud platform access method and device
CN115296855B (en) * 2022-07-11 2023-11-07 绿盟科技集团股份有限公司 User behavior baseline generation method and related device
CN116684202B (en) * 2023-08-01 2023-10-24 光谷技术有限公司 Internet of things information security transmission method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI331868B (en) * 2007-06-11 2010-10-11 Univ Nat Pingtung Sci & Tech Detecting method of network invasion
CN104935600A (en) * 2015-06-19 2015-09-23 中国电子科技集团公司第五十四研究所 Mobile ad hoc network intrusion detection method and device based on deep learning
US20170132068A1 (en) * 2015-11-06 2017-05-11 Homeaway, Inc. Data stream processor and method to counteract anomalies in data streams transiting a distributed computing system
CN106982196A (en) * 2016-01-19 2017-07-25 阿里巴巴集团控股有限公司 A kind of abnormal access detection method and equipment
TWI607338B (en) * 2016-07-19 2017-12-01 資富電子股份有限公司 Storage device, data protection method therefor, and data protection system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106341407A (en) * 2016-09-19 2017-01-18 成都知道创宇信息技术有限公司 Abnormal access log mining method based on website picture and apparatus thereof
CN107330731B (en) * 2017-06-30 2021-01-26 北京京东尚科信息技术有限公司 Method and device for identifying click abnormity of advertisement space

Also Published As

Publication number Publication date
TW201926105A (en) 2019-07-01
WO2019109741A1 (en) 2019-06-13
CN108200008A (en) 2018-06-22

Similar Documents

Publication Publication Date Title
TWI734038B (en) Method and device for identifying abnormal data access
TWI788529B (en) Credit risk prediction method and device based on LSTM model
TWI673625B (en) Uniform resource locator (URL) attack detection method, device and electronic device
CN104115117B (en) Method, system and the storage medium of safety analysis are implemented to computer program
CN110462606A (en) Intelligent and safe management
CN109274639A (en) The recognition methods of open platform abnormal data access and device
CN106104555A (en) For protecting the behavior analysis of ancillary equipment
WO2020238229A1 (en) Transaction feature generation model training method and devices, and transaction feature generation method and devices
US11276495B2 (en) Systems and methods for predicting multiple health care outcomes
US10431337B2 (en) System and method for weighting manageable patient attributes during criteria evaluations for treatment
CN111242793B (en) Medical insurance data abnormality detection method and device
WO2016145993A1 (en) Method and system for user device identification
US20230019494A1 (en) Data verification method and apparatus, computer device, and computer readable storage medium
CN115146068B (en) Method, device, equipment and storage medium for extracting relation triples
US20210150358A1 (en) System and method for controlling confidential information
CN110288488A (en) Medical insurance Fraud Prediction method, apparatus, equipment and readable storage medium storing program for executing
CN108985755B (en) Account state identification method and device and server
CN117035980A (en) Resource borrowing evaluation method, device, computer equipment and storage medium
CN110008972A (en) Method and apparatus for data enhancing
CN115879947A (en) Management method and system based on electronic transaction
US20220027514A1 (en) Data identification method, apparatus, device, and readable medium
Li et al. Discriminant diffusion maps based k‐nearest‐neighbour for batch process fault detection
CN113688784B (en) Face recognition-based medical insurance card embezzlement risk recognition method and related equipment thereof
Nolasco-Jáuregui et al. Application of Random Matrix Theory With Maximum Local Overlapping Semicircles for Comorbidity Analysis
CN115034918B (en) Ganged case identification method, ganged case identification device, ganged case identification computer equipment, storage medium and product