CN101615186B - BBS user abnormal behavior auditing method based on Hidden Markov theory - Google Patents

Publication number
CN101615186B
CN101615186B CN2009100127726A CN200910012772A CN101615186B CN 101615186 B CN101615186 B CN 101615186B CN 2009100127726 A CN2009100127726 A CN 2009100127726A CN 200910012772 A CN200910012772 A CN 200910012772A CN 101615186 B CN101615186 B CN 101615186B
Authority
CN
China
Prior art keywords
parameter
observed value
value sequence
user
audit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2009100127726A
Other languages
Chinese (zh)
Other versions
CN101615186A (en)
Inventor
王兴伟
张登科
姜英
陈静
董明
李福亮
李刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northeastern University China
Original Assignee
Northeastern University China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Northeastern University China filed Critical Northeastern University China
Priority to CN2009100127726A priority Critical patent/CN101615186B/en
Publication of CN101615186A publication Critical patent/CN101615186A/en
Application granted granted Critical
Publication of CN101615186B publication Critical patent/CN101615186B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to a BBS user abnormal behavior auditing method based on hidden Markov theory, belonging to the technical field of computer and information security. The method comprises the following steps: reading audit data from a database to obtain the observed value sequence of the behavior to be detected; reading trained model parameters from a hidden Markov model database; calculating a state value sequence using the Viterbi algorithm; calculating the probability of the observed value sequence with the forward and backward algorithms and comparing it with a preset threshold; raising an alarm if the probability is lower than the threshold; otherwise treating the behavior as normal, revising the hidden Markov model parameters and storing them in the parameter file of the hidden Markov model. A BBS with audit trail added helps system administrators protect systems and resources from damage by illegally authorized users and provides help when data is recovered. The audit trail can achieve security-related objectives including individual accountability, event reconstruction, intrusion detection and fault analysis, and greatly improves the security of the system.

Description

A BBS user abnormal behavior auditing method based on hidden Markov theory
Technical field
The invention belongs to the field of computer and information security technology, and in particular relates to a BBS user abnormal behavior auditing method based on hidden Markov theory.
Background art
BBS is the abbreviation of the English term Bulletin Board System.
At present, BBS systems offer users a variety of shared resources: after registering an account, anyone can browse the articles in the system and share its files. Besides public BBS sites, service stations in China also provide BBS sites for various commercial purposes. A BBS provides multiple sections such as discussion areas, a mail area, free talk and a file-sharing area, and new BBS sections can also be hosted and opened according to the needs of the station's webmaster or of the users themselves.
However, current BBS systems are usually concerned only with the security of data transmitted over the network and with identity security during access. They do not provide written evidence of which information and resources a user used, when they were used and how (which operations were carried out), so that after an incident the administrator cannot investigate and analyze its cause or determine responsibility.
Summary of the invention
To overcome the shortcomings of the prior art, the object of the invention is to propose a BBS user abnormal behavior auditing method based on hidden Markov theory.
The audit trail processing based on the hidden Markov model (HMM) is carried out in the following steps, as shown in Fig. 1:
Step 1: Read audit data from the database to obtain the observed value sequence of the behavior to be detected;
Step 2: Read the trained model parameters from the HMM database;
Step 3: Use the Viterbi algorithm to compute the state value sequence from the observed value sequence, and save it to the database;
Step 4: Call the forward and backward algorithms to calculate the probability that the observed value sequence occurs, and compare it with the preset threshold; if it is below the threshold, go to step 5, otherwise go to step 6;
Step 5: A probability below the threshold is treated as abnormal behavior, and an alarm is raised;
Step 6: For normal behavior, revise the HMM parameters and store them in the HMM parameter file.
The observed value sequence in step 1 refers to the behavior of BBS users. The main user behaviors in a BBS are: reading articles, posting articles, modifying articles, deleting articles, entertainment, sending and receiving mail, deleting users, banning users from posting, arbitration, auditing and stealth. Because deleting users, banning users from posting, arbitration, auditing and stealth can only be carried out by users with certain privileges, they are special behaviors and are grouped together as "other". The observed value sequence is therefore determined as {read article, post article, modify article, delete article, entertainment, send and receive mail, other}.
Once determined, the observed value sequence must be expressed as quantified information. In this method the quantified information of the observed value sequence is defined as the number of times each kind of user operation is carried out in a given period. That is, the observed value sequence is $O(i,t) \in \{O_{1,t}, \ldots, O_{7,t}\}$, where t denotes a period of time, which can be taken as one week, and i denotes the different operations, with $1 \le i \le 7$.
The initial parameters of the HMM in step 2 are set as follows:
A) Observed value sequence: {read article, post article, modify article, delete article, chat, send and receive mail, other};
B) State set: {often, sometimes, seldom, never};
C) Determination of the initial state probability vector (π). Because these parameters are being determined for the first time and the amount of data is not yet large, the states can be assumed to transfer with equal probability. $\pi = (\pi_1, \pi_2, \ldots, \pi_N)$, where $\pi_i = p(q_1 = S_i)$. Because the state $S_i$ takes only the four values {often, sometimes, seldom, never}, i.e. N = 4, we have
$\pi_1 = \pi_2 = \pi_3 = \pi_4 = 1/4$.
D) Determination of the state transition probabilities (A): equal-probability transfer is used for the initial setting, i.e. every value in the state transition probability matrix is 1/4.
E) Determination of the observed value probabilities (B), in the following steps:
A. Randomly initialize the observed value probability matrix B; together with the initial state probability vector π and the state transition probability matrix A set above, it forms the initial model parameter λ;
B. Call the Baum-Welch algorithm to perform maximum likelihood estimation on the initial parameters and obtain the new model parameter
Figure G2009100127726D00021
where Baum-Welch is a known algorithm;
C. Take the obtained
Figure G2009100127726D00022
as the initial parameter again; it serves as the parameter for abnormal behavior detection;
D. When training the model parameters on normal behavior, also take
Figure G2009100127726D00023
as the initial parameter, and progressively revise it to λ;
The state value sequence in step 3 refers to the frequency with which the user performs each kind of observed operation. According to how frequently the user performs a given operation, it is divided into the four states {often, sometimes, seldom, never}, i.e. the state value sequence is $q(m) = S_1 S_2 S_3 S_4 S_5 S_6 S_7$, where $S_i \in$ {often, sometimes, seldom, never}. The Viterbi algorithm in step 3 is a known algorithm; on the basis of the original Viterbi algorithm, the method takes logarithms to amplify the values of the probability matrix;
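An added example (not part of the patent text) of the log-domain Viterbi decoding described above, next to the raw-product form it replaces. The model values, the sample sessions and the function name `viterbi` are constructed for illustration; states 0-3 stand for often, sometimes, seldom, never and the seven operation types are numbered from 0.

```python
import math

N = 4  # states 0-3: often, sometimes, seldom, never
# Constructed model (not the patent's trained parameters). Symbols, 0-based:
# 0 read, 1 publish, 2 modify, 3 delete, 4 chat, 5 email, 6 other.
PI = [0.25] * N
A = [[0.7 if i == j else 0.1 for j in range(N)] for i in range(N)]
B = [
    [0.70, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05],   # favours read
    [0.06, 0.35, 0.06, 0.06, 0.35, 0.06, 0.06],   # favours publish, chat
    [0.06, 0.06, 0.35, 0.06, 0.06, 0.35, 0.06],   # favours modify, email
    [0.06, 0.06, 0.06, 0.35, 0.06, 0.06, 0.35],   # favours delete, other
]


def viterbi(obs, use_log=True):
    """Most likely state path and its score.

    use_log=True adds log-probabilities; use_log=False multiplies raw
    probabilities, which underflows to 0.0 on long sequences.
    All model entries must be > 0 so that math.log is defined.
    """
    f = math.log if use_log else (lambda p: p)
    join = (lambda a, b: a + b) if use_log else (lambda a, b: a * b)
    delta = [join(f(PI[i]), f(B[i][obs[0]])) for i in range(N)]
    back = []
    for o in obs[1:]:
        # best predecessor of each state j, then the new score of j
        ptr = [max(range(N), key=lambda i: join(delta[i], f(A[i][j])))
               for j in range(N)]
        delta = [join(join(delta[ptr[j]], f(A[ptr[j]][j])), f(B[j][o]))
                 for j in range(N)]
        back.append(ptr)
    state = max(range(N), key=lambda i: delta[i])
    score, path = delta[state], [state]
    for ptr in reversed(back):       # follow the back-pointers to t = 0
        state = ptr[state]
        path.append(state)
    return path[::-1], score


# Constructed sessions: five reads followed by five deletes, and the same
# pattern repeated 100 times (1000 observations).
SESSION = [0] * 5 + [3] * 5
LONG = SESSION * 100

if __name__ == "__main__":
    print(viterbi(SESSION))
    print("log score :", viterbi(LONG)[1])
    print("raw score :", viterbi(LONG, use_log=False)[1])
```

On the 1000-observation sequence the raw product reaches 0.0 for every state, so the decoded path degenerates, while the log-domain scores stay finite and the path still follows the read/delete pattern.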
The threshold in step 4 is obtained by the mean method, i.e. as the mean of the probabilities with which this observed value has occurred over repeated occurrences. For the detected observed value sequence $O = \{O_1, O_2, \ldots, O_T\}$ with occurrence probability $p(O \mid \lambda)$, the state is considered abnormal when the probability is below the set threshold. The forward and backward algorithms in step 4 are also known algorithms; the invention applies the scale factor method when computing the alpha and beta matrices. Because the intermediate alpha and beta matrices are needed as parameters by the Baum-Welch algorithm, their values cannot simply be amplified but must also be restored, i.e. amplified first and restored afterwards. The scale factor method does this: the values are first amplified by a certain scale factor and finally restored to their original values.
The revision of the HMM parameters in step 6 means that, because prior knowledge of the user model is insufficient in the initial stage, the initial setting of the HMM is not fixed and needs to be revised gradually. The current HMM parameters are saved in a file. The model parameters include:
1) π: the initial state probability vector $\pi = (\pi_1, \pi_2, \ldots, \pi_N)$, where $\pi_i = p(q_1 = S_i)$ and $q_1$ is a state value. Because the state $S_i$ takes only the four values {often, sometimes, seldom, never}, i.e. N = 4, the variables to be recorded here are the subscript of each $\pi_i$ and its value.
2) The state transition probability matrix A,
where $a_{ij} = p[q_{t+1} = S_j \mid q_t = S_i]$, $1 \le i, j \le N$. The variables to be saved are the starting point i of the state, the terminal point j of the state and the value of $a_{ij}$.
3) The observed value probability matrix B,
where $b_j(k) = p[O_k \mid q_t = S_j]$, $1 \le j \le N$, $1 \le k \le T$. The variables to be saved are the starting point j of the state, the terminal point k and the value of $b_j(k)$.
According to the Baum-Welch algorithm, from the observed value sequence O and the chosen initial model $\lambda = (A, B, \pi)$, the re-estimation formulas yield a new set of parameters $\bar{\pi}_i$, $\bar{a}_{ij}$, $\bar{b}_{jk}$, from which a new model $\bar{\lambda} = (\bar{A}, \bar{B}, \bar{\pi})$ is obtained. It can be proved that $p(O \mid \bar{\lambda}) > p(O \mid \lambda)$, i.e. the $\bar{\lambda}$ obtained from the re-estimation formulas represents the observed value sequence O better than λ. This process is then repeated, progressively improving the model parameters, until $p(O \mid \bar{\lambda})$ converges, i.e. no longer increases noticeably; the $\bar{\lambda}$ at that point is the model sought.
Beneficial effects: a BBS with audit trail added not only helps the system administrator ensure that the system and its resources are protected from damage by illegally authorized users, but can also help when data is recovered. The audit trail can achieve several security-related objectives, including individual accountability, event reconstruction, intrusion detection and fault analysis, and greatly improves the security of the system.
Description of drawings
Fig. 1 is the flow chart of the HMM-based audit trail.
Fig. 2 is the overall block diagram of the BBS audit module.
Fig. 3 is the data flow diagram of the article-posting audit data acquisition module of Fig. 2.
Fig. 4 is the data flow diagram of the article-modification audit data acquisition module.
Fig. 5 is the data flow diagram of the article-deletion audit data acquisition module.
Fig. 6 is the data flow diagram of the user information audit data acquisition module.
Fig. 7 is the data flow diagram of the board information audit data.
Fig. 8 is the data flow diagram of auditor login information audit data collection.
Fig. 9 is the data flow diagram of auditor operation information audit data collection.
Fig. 10 is the function call flow chart of the anomaly detection part.
Fig. 11 is a schematic diagram of how the foreground BBS is combined with the background HMM.
Embodiment
The overall block diagram of the BBS audit module is shown in Fig. 2.
The audit data collected comprise article-posting audit data, article-modification audit data, article-deletion audit data, user information audit data, board information audit data and the audit module's own audit data. The audit module's own data consist of auditor login information audit data and auditor operation information audit data.
The collection flow for article-posting audit data is shown in Fig. 3. The audit data come from the board article index file and the article files of the BBS. The board index file contains multiple fileheader structures, each corresponding to one article. The corresponding data are extracted from the index file and the article text from the text file; after processing, all data are saved in the Publish_p table of the database and in the audit file Publish.txt.
The collection flow for article-modification audit data is shown in Fig. 4. The audit data come from the board article index file and the article files of the BBS. The board index file and the article file are located using the parameters supplied by the function that calls this module. A modification changes the content of both files, so the modified data must be extracted; after processing, the extracted data are saved in the Modify_p table of the database and in the audit file Modify.txt. In addition, the modification flag of the corresponding tuple in the article-posting table Publish_p and in the audit file Publish.txt is updated by adding 1 to its previous value.
The collection flow for article-deletion audit data is shown in Fig. 5. The audit data come from the function that calls this module and from the user information audit table User; after processing, the extracted data are saved in the Delete_p table of the database and in the audit file Delete.txt. In addition, the deletion flag of the corresponding tuple in the article-posting table Publish_p and in the audit file Publish.txt is updated by setting its previous value to 1.
The collection flow for user information audit data is shown in Fig. 6. The audit data come from the user account basic information file PASSWDS and from the account supplementary information file userdata under each user's own path. The PASSWDS file contains multiple userec structures; each user has his or her own userec structure, which records the user's main account information. The relevant data are extracted according to the audit data requirements and saved in the database table User and the audit file User.txt.
The collection flow for board information audit data is shown in Fig. 7. The audit data come from the boardheader structures in the board information file BOARDS. Each boardheader structure corresponds to one board of the BBS and records information about that board. The boardheader structure is located by the board name supplied as a parameter, and the board's information is obtained from it; the board's total article count is obtained from the shared memory structure, and the increment is calculated. The audit information is saved in the database table Board and the audit file Board.txt.
The audit module's own audit data comprise auditor login information audit data and auditor operation information audit data.
The collection flow for auditor login information audit data is shown in Fig. 8. The audit data comprise the auditor's user name and login time, and are stored in the database table Audit_1 and the audit file audit_log.txt.
The collection flow for auditor operation information audit data is shown in Fig. 9. While an auditor performs an operation, the system records the auditor's ID and the operation category. For queries on article status and user behavior it also records the query items used, and for queries on user behavior it also records the statistical items used. Once obtained, this information is saved in the database and also stored in the audit file.
In this embodiment the three behaviors of posting, modifying and deleting articles are the audit targets. Under the audit strategy adopted, the audit module itself extracts audit data from the information relating to these three behaviors and stores it; the stored audit data are placed in the audit database, where the audit targets are stored as tables. The tables are as follows:
Table 1 Audit data: article-posting table
Table 2 Audit data: article-modification table
Figure G2009100127726D00052
Table 3 Audit data: article-deletion table
Figure G2009100127726D00053
Table 4 Audit data: board information table
Figure G2009100127726D00054
Table 5 Audit data: auditor login table
Table 6 Audit data: auditor query operation table
Figure G2009100127726D00056
The audit strategy is (U, M, A, O, APB, C), where U = {u1, u2, u3, ..., un} is the set of users, M is the set of users who hold audit rights, A = {a1, a2, a3, ..., an} is the set of operations, and O = {o1, o2, o3, ..., on} is the set of objects. APB is the audit strategy base and C denotes the constraints. The following relations are defined:
U belongs to O: a user is also an object.
M belongs to O: an auditor is also an object.
A → O: each operation corresponds to an object.
The audit strategy rule base consists of multiple audit strategy items, and it decides whether an event is audited.
Audit strategy item:
<a, o, u, t, r, m>
a denotes the operation to be audited, o the object operated on, u the user performing the operation, t the time range of the audit, r the result of the operation, and m the auditor who formulated the audit strategy.
This embodiment defines the user behavior model as <B, A, T, IP>.
The user's board-browsing habits: B = <b1, b2, b3, ..., bn>.
bi denotes a board of the BBS system, ordered by how much attention the user pays to each board. For example, if the board a user visits and follows most is the select edition, followed by the discussion edition, and the other boards have not been browsed, the user's board-browsing attribute can be expressed as B = <select edition, discussion edition>.
The user's operating habits: A = <a1, a2, a3, ..., an>.
ai denotes an operation that the user may carry out as determined by the privileges of the user's role; the operations are sorted in descending order of proportion. For example, the behaviors of an ordinary user include read, publish (post), modify, delete, chat and mail. One user's operating habits might be A = <read, publish, chat>.
The user's login time habits: T = <t1, t2, t3, ..., tn>.
Login times are generalized into four periods: morning [06:00, 12:00], afternoon [12:00, 18:00], evening [18:00, 24:00] and night [00:00, 06:00]. For example, if a user logs in mostly in the evening and occasionally in the afternoon, the user's login time attribute can be expressed as T = <evening, afternoon>.
The user's habitual login IP addresses: IP = <ip1, ip2, ip3, ..., ipn>.
They are sorted in descending order of how often the user uses each IP address. For example, if a user regularly goes online from the IP address 192.168.2.110 and has occasionally used 202.110.12.25, this habit can be expressed as IP = <192.168.2.110, 202.110.12.25>.
The audit data are processed in the HMM audit trail. Because the values of the sequences read by the HMM are integers, the operations read, publish, modify, delete, chat, email and other are represented by the digits 1-7 respectively. The user's behavior is thus mapped to the observed value sequence that is input to the HMM, which combines the HMM with the BBS.
Next, the observed value sequence file ObserveSequence.txt and the to-be-detected observed value sequence file NewObserveSequence.txt are generated. The start and end times of each user operation are read from the database and the duration of the operation is calculated; with one user operation recorded every 30 s, the user's historical information ObserveSequence.txt and the to-be-detected user information NewObserveSequence.txt are generated automatically for the time period the auditor wishes to examine. The user abnormal behavior information finally computed by the model algorithm is stored in the alertinfo table, for use when the foreground retrieves the returned results. The background database of the anomaly detection module holds the user historical operation information table traininfo and the detection result table alertinfo returned after anomaly detection, as follows:
Table 7 traininfo table
Field name   Primary key   Type          Description
userid       Yes           varchar(20)   User name
op           No            varchar(20)   User operation
opdate       No            date          Date of operation
starttime    No            datetime      Operation start time
endtime      No            datetime      Operation end time
Table 8 alertinfo table
Field name   Primary key   Type          Description
auserid      Yes           varchar(20)   User name to be detected
aresult      No            varchar(10)   Detection result for this user
atime        No            datetime      Detection time
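One way to build the observed value sequence from traininfo rows, as an added example rather than the patent's own code. Assumed here: the timestamp format, at least one sample for operations shorter than 30 s, unknown operation names mapped to "other", and the constructed sample rows.

```python
from datetime import datetime

# Codes 1-7 as in the text: read, publish, modify, delete, chat, email, other.
OP_CODES = {"read": 1, "publish": 2, "modify": 3, "delete": 4,
            "chat": 5, "email": 6, "mail": 6}
OTHER = 7
SAMPLE_SECONDS = 30                 # one recorded operation every 30 s
FMT = "%Y-%m-%d %H:%M:%S"           # assumed datetime format


def observation_sequence(rows, userid, since, until):
    """Expand one user's traininfo rows into one op code per 30 s of activity.

    rows: iterable of (userid, op, starttime, endtime) strings.
    Only operations starting inside [since, until) are used. Rows whose
    times cannot be parsed or whose end precedes the start are returned
    separately instead of silently distorting the sequence.
    """
    lo, hi = datetime.strptime(since, FMT), datetime.strptime(until, FMT)
    selected, skipped = [], []
    for row in rows:
        uid, op, start, end = row
        if uid != userid:
            continue
        try:
            t0 = datetime.strptime(start, FMT)
            t1 = datetime.strptime(end, FMT)
        except (TypeError, ValueError):
            skipped.append(row)
            continue
        if t1 < t0:
            skipped.append(row)
        elif lo <= t0 < hi:
            selected.append((t0, t1, OP_CODES.get(op.lower(), OTHER)))
    seq = []
    for t0, t1, code in sorted(selected):      # chronological order
        samples = max(1, int((t1 - t0).total_seconds() // SAMPLE_SECONDS))
        seq.extend([code] * samples)
    return seq, skipped


# Constructed sample rows (userid, op, starttime, endtime).
ROWS = [
    ("alice", "read",      "2009-07-01 09:00:00", "2009-07-01 09:02:00"),
    ("alice", "publish",   "2009-07-01 09:02:00", "2009-07-01 09:02:45"),
    ("alice", "arbitrate", "2009-07-01 09:03:00", "2009-07-01 09:03:10"),
    ("bob",   "delete",    "2009-07-01 09:00:00", "2009-07-01 09:05:00"),
    ("alice", "chat",      "2009-07-01 09:10:00", "2009-07-01 09:09:00"),
    ("alice", "read",      "2009-07-02 09:00:00", "2009-07-02 09:01:00"),
]

if __name__ == "__main__":
    day = ("2009-07-01 00:00:00", "2009-07-02 00:00:00")
    print(observation_sequence(ROWS, "alice", *day))
    print(observation_sequence(ROWS, "bob", *day))
```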
The specific flow is shown in Fig. 10, with the following steps:
Step 1: Call the hidden Markov initial model (InitHMM);
Step 2: Open the observed value sequence file ObserveSequence.txt;
Step 3: Set the window size to 25 and the step to 1;
Step 4: Check whether all data have been read; if so, go to step 8, otherwise go to step 5;
Step 5: Read the observed value sequence from the file ObserveSequence.txt one window at a time;
Step 6: Revise the hidden Markov training model (ModifyHMM);
Step 7: Write the revised model parameters to the file Hmm.txt;
Step 8: Open the to-be-detected observed value sequence file NewObserveSequence.txt;
Step 9: Call the anomaly detection function (Abnormal Detect) with the trained HMM;
Step 10: Determine whether the behavior is abnormal; if so, go to step 11, otherwise go to step 12;
Step 11: Stop the user's abnormal behavior;
Step 12: Write the anomaly detection result to Alert.txt.
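The training and detection flow above, together with the scaled forward and backward passes and the Baum-Welch revision from the summary, as an added Python example; it is not the patent's own code. It assumes 0-based operation codes, a smoothing constant EPS, log-probabilities in place of raw probabilities, and a threshold lowered from the mean by `margin` standard deviations (margin = 0 is the plain mean of the text); the history and test windows are constructed.

```python
import math
import random

OPS = ["read", "publish", "modify", "delete", "chat", "email", "other"]
N, M = 4, len(OPS)       # 4 states (often, sometimes, seldom, never), 7 symbols
WINDOW, STEP = 25, 1     # window size and step from the flow above
EPS = 1e-3               # assumed smoothing: keeps every probability above 0

def normalise(xs):
    total = sum(xs)
    return [x / total for x in xs]

def init_hmm(seed=1):
    """InitHMM: uniform pi and A (all 1/4), random row-stochastic B."""
    rng = random.Random(seed)
    B = [normalise([rng.random() + 0.1 for _ in range(M)]) for _ in range(N)]
    return [1.0 / N] * N, [[1.0 / N] * N for _ in range(N)], B

def forward(model, obs):
    """Scaled forward pass: alpha-hat, scale factors c_t, log p(O|lambda)."""
    pi, A, B = model
    alpha, scale = [], []
    for t, o in enumerate(obs):
        if t == 0:
            row = [pi[i] * B[i][o] for i in range(N)]
        else:
            row = [sum(alpha[-1][i] * A[i][j] for i in range(N)) * B[j][o]
                   for j in range(N)]
        scale.append(sum(row))           # c_t: the factor divided out at step t
        alpha.append(normalise(row))     # "amplify": each alpha-hat row sums to 1
    # "restore": p(O|lambda) is the product of the c_t, kept here as a log sum
    return alpha, scale, sum(math.log(c) for c in scale)

def backward(model, obs, scale):
    """Backward pass scaled by the same factors as the forward pass."""
    _, A, B = model
    beta = [[1.0] * N for _ in obs]
    for t in range(len(obs) - 2, -1, -1):
        for i in range(N):
            beta[t][i] = sum(A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j]
                             for j in range(N)) / scale[t + 1]
    return beta

def modify_hmm(model, obs):
    """ModifyHMM: one Baum-Welch re-estimation step on one window."""
    _, A, B = model
    alpha, scale, _ = forward(model, obs)
    beta = backward(model, obs, scale)
    T = len(obs)
    gamma = [[alpha[t][i] * beta[t][i] for i in range(N)] for t in range(T)]
    new_A, new_B = [], []
    for i in range(N):
        xi = [EPS + sum(alpha[t][i] * A[i][j] * B[j][obs[t + 1]]
                        * beta[t + 1][j] / scale[t + 1] for t in range(T - 1))
              for j in range(N)]         # expected i -> j transitions
        emit = [EPS] * M                 # expected emissions of each symbol
        for t in range(T):
            emit[obs[t]] += gamma[t][i]
        new_A.append(normalise(xi))
        new_B.append(normalise(emit))
    return normalise([g + EPS for g in gamma[0]]), new_A, new_B

def windows(seq):
    return [seq[s:s + WINDOW] for s in range(0, len(seq) - WINDOW + 1, STEP)]

def train(history, margin=4.0):
    """Training loop of the flow above, then the threshold (log domain)."""
    model = init_hmm()
    for w in windows(history):
        model = modify_hmm(model, w)
    scores = [forward(model, w)[2] for w in windows(history)]
    mean = sum(scores) / len(scores)
    std = math.sqrt(sum((s - mean) ** 2 for s in scores) / len(scores))
    return model, mean - margin * std    # margin = 0 gives the plain mean

def audit(model, threshold, window):
    """Alert below the threshold; otherwise revise the model with the window."""
    score = forward(model, window)[2]
    if score < threshold:
        return "alert", score, model
    return "normal", score, modify_hmm(model, window)

# Constructed sample data, 0-based codes (code in the text minus 1).
HABIT = [0, 0, 1, 0, 4, 0, 0, 5, 0, 0, 1, 0]   # mostly read, some publish/chat/email
HISTORY = HABIT * 10                           # stand-in for ObserveSequence.txt
NORMAL = (HABIT * 3)[:WINDOW]                  # the same habit continuing
ABNORMAL = [3, 3, 6, 3, 2] * 5                 # burst of delete / other / modify

if __name__ == "__main__":
    hmm, limit = train(HISTORY)
    for name, win in (("normal", NORMAL), ("abnormal", ABNORMAL)):
        verdict, score, _ = audit(hmm, limit, win)
        print(f"{name}: log p = {score:.1f}, threshold = {limit:.1f} -> {verdict}")
```

With the threshold at the plain mean, roughly half of the normal windows would score below it, which is why the example subtracts a margin.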
The combination of the foreground and background interfaces is shown in Fig. 11.

Claims (1)

1. A BBS user abnormal behavior auditing method based on hidden Markov theory, characterized in that it comprises the following steps:
Step 1: Read audit data from the database to obtain the observed value sequence of the behavior to be detected;
Step 2: Read the trained model parameters from the HMM database;
Step 3: Use the Viterbi algorithm to compute the state value sequence from the observed value sequence, and save it to the database;
Step 4: Call the forward and backward algorithms to calculate the probability that the observed value sequence occurs, and compare it with the preset threshold; if it is below the threshold, go to step 5, otherwise go to step 6;
Step 5: A probability below the threshold is treated as abnormal behavior, and an alarm is raised;
Step 6: For normal behavior, revise the HMM parameters and store them in the HMM parameter file;
The observed value sequence in step 1 is defined as the number of times each kind of user operation is carried out in a given period;
The Viterbi algorithm in step 3 takes logarithms to amplify the values of the probability matrix;
The state value sequence in step 3 refers to the frequency of the user's behavior;
The results produced by the forward and backward algorithms in step 4 serve as call parameters of the Baum-Welch algorithm, and these parameters are amplified and restored by the scale factor method;
The threshold in step 4 is obtained by the mean method, i.e. as the mean of the probabilities with which this observed value has occurred over repeated occurrences, and the observed value probabilities are determined as follows:
A. Randomly initialize the observed value probability matrix B; together with the initial state probability vector π and the state transition probability matrix A set above, it forms the initial model parameter λ;
B. Call the Baum-Welch algorithm to perform maximum likelihood estimation on the initial parameters and obtain the new model parameter
Figure FSB00000304333100011
C. Take the obtained
Figure FSB00000304333100012
as the initial parameter again; it serves as the parameter for abnormal behavior detection;
D. When training the model parameters on normal behavior, also take
Figure FSB00000304333100013
as the initial parameter, and progressively revise it to
Figure FSB00000304333100014
The HMM parameters in step 6 are revised as follows:
1) π: the initial state probability vector $\pi = (\pi_1, \pi_2, \ldots, \pi_N)$, where $\pi_i = p(q_1 = S_i)$, N = 4;
2) The state transition probability matrix A,
where $a_{ij} = p[q_{t+1} = S_j \mid q_t = S_i]$, $1 \le i, j \le N$; the variables to be saved are the starting point i of the state, the terminal point j of the state and the value of $a_{ij}$;
3) The observed value probability matrix B,
where $b_j(k) = p[O_k \mid q_t = S_j]$, $1 \le j \le N$, $1 \le k \le T$; the variables to be saved are the starting point j of the state, the terminal point k and the value of $b_j(k)$;
According to the Baum-Welch algorithm, from the observed value sequence O and the chosen initial model λ = (A, B, π), the re-estimation formulas yield a new set of parameters
Figure FSB00000304333100015
from which a new model is obtained; it can be proved that
Figure FSB00000304333100021
i.e. the
Figure FSB00000304333100022
obtained from the re-estimation formulas represents the observed value sequence O better than λ; this process is then repeated, progressively improving the model parameters, until
Figure FSB00000304333100023
converges, i.e. no longer increases noticeably; the
Figure FSB00000304333100024
at that point is the model sought.
CN2009100127726A 2009-07-28 2009-07-28 BBS user abnormal behavior auditing method based on Hidden Markov theory Expired - Fee Related CN101615186B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100127726A CN101615186B (en) 2009-07-28 2009-07-28 BBS user abnormal behavior auditing method based on Hidden Markov theory

Publications (2)

Publication Number Publication Date
CN101615186A CN101615186A (en) 2009-12-30
CN101615186B true CN101615186B (en) 2012-07-04

Family

ID=41494828

Country Status (1)

Country Link
CN (1) CN101615186B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120704

Termination date: 20140728

EXPY Termination of patent right or utility model