CN105117477B - Adaptive self-feedback virtual asset anomaly discovery system and implementation method
- Publication number
- CN105117477B (CN201510570032.XA)
- Authority
- CN
- China
- Prior art keywords
- anomaly
- fictitious assets
- data
- module
- abnormal
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/18—File system types
- G06F16/1805—Append-only file systems, e.g. using logs or journals to store data
- G06F16/1815—Journaling file systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/80—Information retrieval; Database structures therefor; File system structures therefor of semi-structured data, e.g. markup language structured data such as SGML, XML or HTML
- G06F16/83—Querying
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention belongs to the field of network and information security and discloses an adaptive self-feedback virtual asset anomaly discovery system and implementation method. The system comprises a data acquisition module, an anomaly discovery module, an adaptive learning module and a self-feedback adjustment module. The data acquisition module is connected to the anomaly discovery module; the anomaly discovery module is connected to both the adaptive learning module and the self-feedback adjustment module; and the self-feedback adjustment module is connected to the adaptive learning module. The method mainly comprises the steps of data acquisition, anomaly discovery, adaptive learning and self-feedback adjustment. The invention takes full account of the facts that virtual asset data is massive and structurally complex, that a network user's virtual identity is not unique, and that a single anomaly discovery method is inefficient. Its data anomaly adjudication mechanism, based on a weighted sum, effectively curbs the detection error introduced by a single anomaly discovery method and improves anomaly discovery precision.
Description
Technical field
The invention belongs to the field of network and information security, and in particular relates to an adaptive self-feedback virtual asset anomaly discovery system and implementation method.
Background art
Virtual assets are items that exist in cyberspace, are competitive and persistent, and can be exchanged or traded, including online banking, network accounts, online-game equipment and weapons, virtual currency and so on. With the rapid development of Internet applications such as social networks, e-commerce and online games, the daily work, life and study of netizens have extended from traditional physical space into cyberspace. By December 2014, the number of netizens in China had reached 649 million, and the usage rates of applications such as online games, online shopping and online payment among netizens had reached 56.4%, 55.7% and 46.9% respectively (see reference [1]). The use of virtual assets has thus penetrated every aspect of cyberspace and has become an important market behavior and way of life. Driven by the mobile Internet, the number of netizens in China and the usage rate of Internet applications will continue to grow, and the important position of virtual assets in cyberspace will become still more prominent.
Anomaly discovery is now widely applied, including in fraud detection, medical care, public safety and intrusion detection. Anomaly discovery is the process of finding objects whose behavior differs greatly from what is expected; such objects are called anomalies, and they are distinct from noise data. Noise is random error or variance in an observed variable, whereas an anomaly is produced by a mechanism different from the one that produces the other data. In general, anomalies fall into three classes: global anomalies, contextual (or conditional) anomalies and collective anomalies (see reference [2]). A global anomaly is a data object that deviates significantly from the remaining objects in a given data set. A contextual anomaly is a data object that, under a particular context, deviates significantly from the remaining objects in a given data set. A collective anomaly is a subset of data objects that, as a whole, deviates significantly from the entire data set. In short, a data set may contain several types of anomaly, and one object may belong to more than one type. Global anomalies are the simplest to discover; contextual anomaly discovery needs background knowledge to determine the contextual attributes and the context; collective anomaly discovery needs background information to model the relationships between objects in order to find anomalous groups.
Although the use of virtual assets gives people powerful Internet service functions and convenience, the associated network security problems have also caused people heavy property losses, deepened their distrust of the online world and dealt a serious blow to the Internet economy. In 2014, 46.3% of all netizens encountered network security problems, and the security situation of personal Internet use in China allows no optimism; the exposure of virtual-asset-related security incidents such as stolen accounts or passwords, consumer fraud and information leakage seriously affects netizens' perception of network security. For example, when such a security incident occurs during online shopping, it harms the shopper, disrupts the order of online shopping and affects the healthy development of the online shopping industry. When a netizen's virtual assets become abnormal, the netizen generally files a complaint by logging in to the customer service center of the corresponding platform; the inefficiency of manual handling and the limitation to a single platform make it hard to discover the anomaly and take effective measures in time. To build a good environment for using virtual assets, the relevant departments have issued a series of policies, regulations and standards on topics such as digital certificates and online shopping, but in the face of complex and massive virtual asset data, automated anomaly discovery methods are needed to protect and manage virtual assets.
However, in virtualized cyberspace the same user can hold several different virtual identities, that is, network accounts. A user can use the respective virtual identity on each application platform to carry out cross-platform operations such as acquiring, transferring and trading virtual assets, which makes virtual asset anomaly discovery harder. An eID is a network identity that is based on cryptographic technology, carried on a smart chip and issued to citizens by the "Ministry of Public Security citizen network identity identification system"; it allows identity to be recognized remotely online without revealing identity information, and virtual identity association technology can effectively solve the above problem (see reference [3]). A user binds their multiple virtual identities in cyberspace to the eID; because the eID is unique, the user's true identity under different application platforms can be located quickly, which provides technical support for cross-platform virtual asset anomaly discovery methods.
There is a large body of research on anomaly discovery at home and abroad. According to whether the data samples used for analysis carry labels, provided by domain experts, that can be used to build the anomaly model, anomaly discovery methods are divided into supervised, semi-supervised and unsupervised methods; according to their assumptions about normal and anomalous objects, they can also be divided into statistical methods, proximity-based methods and clustering-based methods (see references [4] and [5]). However, existing methods each target a specific field or a specific type of anomaly, and to guarantee algorithm accuracy and running efficiency a practical application must satisfy certain conditions. For example, supervised methods need a sample set provided by domain experts in order to learn a classifier that can recognize anomalies; unsupervised methods require a clear boundary between normal data and anomalous data; statistical methods assume that the normal objects in the data set are generated by a random process; clustering-based methods assume that normal data instances belong to a cluster and that anomalous data belongs to no cluster. References [4] and [5] analyze the advantages of these anomaly discovery methods in detail: some focus on improving running time, some on improving accuracy, and others on refining the granularity of anomaly discovery.
Virtual asset data comes in varied structures: there is structured virtual asset description data as well as semi-structured log data and unstructured operation data. The environment in which virtual assets are used is complex and changeable: users' operations on virtual assets are uncertain, and virtual asset application platforms differ in structure. It is therefore hard to discover different types of virtual-asset-related anomalies promptly and accurately with one uniform method. In addition, the ways users interact in cyberspace keep changing, which also drives the evolution of virtual asset data and its attributes. The virtual asset anomaly pattern library therefore needs to be updated and improved in real time. The present invention takes full account of the above factors.
References:
[1] China Internet Network Information Center (CNNIC). The 35th Statistical Report on Internet Development in China [EB/OL]. http://www.cnnic.cn/hlwfzyj/hlwxzbg/201502/P020150203551802054676.pdf
[2] Han J, Kamber M, Pei J. Data mining: concepts and techniques [M]. Elsevier, 2011.
[3] http://eid.cn/.
[4] Chandola V, Banerjee A, Kumar V. Anomaly detection: A survey [J]. ACM Computing Surveys (CSUR), 2009, 41(3): 15.
[5] Chandola V, Banerjee A, Kumar V. Anomaly detection for discrete sequences: A survey [J]. IEEE Transactions on Knowledge and Data Engineering, 2012, 24(5): 823-839.
Summary of the invention
To solve the above technical problems, the present invention takes full account of the facts that virtual asset data is massive and structurally complex, that a network user's virtual identity is not unique, and that a single anomaly discovery method is inefficient, and proposes an adaptive self-feedback virtual asset anomaly discovery system and implementation method. The specific technical solution is as follows:
An adaptive self-feedback virtual asset anomaly discovery system comprises a data acquisition module, an anomaly discovery module, an adaptive learning module and a self-feedback adjustment module. The data acquisition module is connected to the anomaly discovery module; the anomaly discovery module is connected to the adaptive learning module and to the self-feedback adjustment module; the self-feedback adjustment module is connected to the adaptive learning module. The data acquisition module collects and stores the virtual asset data generated by application platforms in cyberspace and passes it to the anomaly discovery module. The anomaly discovery module builds the anomaly pattern library, performs anomaly detection on the virtual asset data and passes the detection results to the adaptive learning module. The adaptive learning module dynamically adjusts the weight coefficients of the anomaly discovery methods according to the detection results. The self-feedback adjustment module corrects the anomaly pattern library through feedback and configures the relevant parameters of the anomaly discovery module and the adaptive learning module.
The virtual asset data includes data operation logs, user operation logs and system activity and runtime logs. A virtual asset application platform provides two data interfaces: a data conversion interface, which converts the data generated by the application platform into virtual asset data in a uniform format; and a data transmission interface, which transmits the uniform-format virtual asset data generated by the application platform to the virtual asset database.
The present invention also provides an implementation method for adaptive self-feedback virtual asset anomaly discovery, which uses the adaptive self-feedback virtual asset anomaly discovery system described above and includes the following steps:
(S1) Data acquisition: the data acquisition module collects and stores the virtual asset data generated by the virtual asset application platforms, and builds the virtual asset database and the network users' virtual identity database;
(S2) Anomaly discovery: the anomaly discovery module performs anomaly detection on the uniform-format virtual asset data in the virtual asset database, computes its anomaly scores with N anomaly discovery methods, and adjudicates whether the data is anomalous;
(S3) Adaptive learning: according to whether the actual situation of the virtual asset data agrees with the adjudication result of step (S2), the adaptive learning module dynamically adjusts the weight coefficients wi corresponding to the N anomaly discovery methods, where N is an integer and i ranges over 1 ≤ i ≤ N;
(S4) Self-feedback adjustment: the self-feedback adjustment module uses a semi-supervised mode to apply feedback adjustment to the anomaly discovery module and the adaptive learning module.
Further, the data acquisition of step (S1) proceeds as follows:
(S11) the virtual asset application platform stores the virtual asset data it generates in a local database;
(S12) the virtual asset database requests the virtual asset application platform to send the virtual asset data in the local database;
(S13) the virtual asset application platform converts the format of the virtual asset data to be sent;
(S14) the virtual asset application platform sends the uniform-format virtual asset data;
(S15) the virtual asset database stores the virtual asset data and is optimized; in general, the optimization method of building an index can be used;
(S16) using eID-based virtual identity association technology together with the virtual asset database, the network users' virtual identity database is built.
Further, the anomaly discovery of step (S2) proceeds as follows:
Assuming that sharing N kind anomaly methods in anomaly moduleIts corresponding weight coefficient is respectivelyAnd meet conditionN is natural number, is followed the steps below,
(S21) for the virtual asset data to be detected, find the virtual identities it contains;
(S22) search the network user virtual identity database and associate all of the user's virtual identities through the eID;
(S23) search the virtual asset database and locate all virtual asset data related to the virtual identities of step (S22);
(S24) pass through anomaly methodCalculate the abnormal score of fictitious assets data in step (S23)
(S25) the synthesis abnormal index score P of fictitious assets data is calculated by formula (1):
(S26) if P is greater than the predefined anomaly threshold δ, the data is adjudicated anomalous; otherwise it is adjudicated normal.
Further, the adaptive learning of step (S3) is specifically:
Assume that within time Δt the anomaly discovery module has made M anomaly adjudications in total, that the i-th anomaly discovery method Xi is associated with a counting variable ci, that pi denotes the anomaly score, that P denotes the composite anomaly index score of the virtual asset data, that δ denotes the predefined anomaly threshold, and that M is a natural number. Proceed as follows:
(S31) initialize the counting variables ci = 0, 1 ≤ i ≤ N;
(S32) examine the anomaly adjudication result for the virtual asset data, which falls into one of the following four cases:
i. if the actual result is normal and the adjudication is anomalous, go to step (S33);
ii. if the actual result is normal and the adjudication is normal, go to step (S34);
iii. if the actual result is anomalous and the adjudication is anomalous, go to step (S35);
iv. if the actual result is anomalous and the adjudication is normal, go to step (S36);
(S34) if pi< P, then ci=ci+ 1, if P≤pi< δ, thenOtherwise ci=ci+0;
It goes to step (S37);
(S35) if pi>=P, then ci=ci+ 1, if δ≤pi< P, thenOtherwise ci=ci+0;
It goes to step (S37);
(S36) if pi>=δ, then ci=ci+ 1,1≤i≤N, otherwise ci=ci+0;It goes to step (S37);
(S37) weight coefficient of N kind anomaly methods is updated by formula (2)
(S38) pass through formula (3) standardization weight coefficientIt is set to meet condition
Further, the self-feedback adjustment of step (S4) is:
For the parameters involved in steps (S2) and (S3), including the weight coefficients wi, the anomaly threshold δ and so on, an interface is provided so that experts can initialize them; for the virtual asset data anomaly adjudication results of step (S2), an interface is provided so that experts can verify them in real time; for new virtual asset data anomaly patterns in cyberspace, an interface is provided so that experts can make feedback corrections.
The beneficial effects of the present invention are as follows. The invention takes full account of the facts that virtual asset data is massive and structurally complex, that a network user's virtual identity is not unique, and that a single anomaly discovery method is inefficient, and proposes an adaptive self-feedback virtual asset anomaly discovery system and implementation method, thereby providing a complete solution for anomaly early warning on virtual assets in cyberspace. The data anomaly adjudication mechanism based on a weighted sum effectively curbs the detection error introduced by a single anomaly discovery method and improves anomaly discovery precision. Adaptive learning and weight adjustment continually optimize the anomaly adjudication mechanism; passively obtaining the latest virtual asset data anomaly patterns and correcting the anomaly pattern library through semi-supervised feedback continually improve the anomaly discovery system.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network structure of the invention;
Fig. 2 is a flow diagram of the method of the invention.
Detailed description of the embodiments
The technical solution of the present invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 shows the network structure of the invention: an adaptive self-feedback virtual asset anomaly discovery system comprising a data acquisition module, an anomaly discovery module, an adaptive learning module and a self-feedback adjustment module. The data acquisition module is connected to the anomaly discovery module; the anomaly discovery module is connected to the adaptive learning module and to the self-feedback adjustment module; the self-feedback adjustment module is connected to the adaptive learning module. The data acquisition module collects and stores the virtual asset data generated by application platforms in cyberspace and passes it to the anomaly discovery module. The anomaly discovery module builds the anomaly pattern library, performs anomaly detection on the virtual asset data and passes the detection results to the adaptive learning module. The adaptive learning module dynamically adjusts the weight coefficients of the anomaly discovery methods according to the detection results. The self-feedback adjustment module corrects the anomaly pattern library through feedback and configures the relevant parameters of the anomaly discovery module and the adaptive learning module.
Fig. 2 is a flow diagram of the method of the invention, which comprises the following steps. Data acquisition step: the data generated by the virtual asset application platforms is converted into uniform-format virtual asset data and transmitted to the virtual asset database, and the network user virtual identity database is built. Anomaly discovery step: the anomaly scores of the virtual asset data are computed with several anomaly discovery methods, and the data is adjudicated on the basis of the weighted-sum mechanism. Adaptive learning step: the virtual asset data anomaly adjudication results are counted and verified, and the corresponding weight coefficients are updated in real time. Self-feedback adjustment step: the anomaly pattern library is corrected and the relevant parameters are adjusted in a semi-supervised manner.
To show the technical features of the invention fully, the anomaly discovery system needs to perform anomaly detection on data generated by at least two virtual asset application platforms. Assume that cyberspace contains two heterogeneous virtual asset application platforms, A and B. Because the invention builds on the remote identity recognition function of eID, A and B should both support eID authentication. An eID is unique: each real user has one and only one eID. When using virtual assets, a user must bind the virtual accounts held on the different application platforms to their eID, so one eID can be associated with several virtual identities, while one virtual identity can be associated with only one eID. Virtual asset application platforms generate data all the time. User-related virtual asset data must pass eID authentication, and only successfully authenticated data is saved; other virtual asset data is recorded automatically in the system's log files.
The method is illustrated below with a specific embodiment.
(S1) Data acquisition is carried out by the data acquisition module of the system.
Different application platforms use virtual assets differently, and users operate on virtual assets differently, so the virtual asset data formats that A and B record in their local log files also differ. To ease data transmission and storage, this embodiment uses an XML-based data conversion mechanism to convert virtual asset data in different formats into a uniform format, as shown in Table 1.
Table 1. Example of virtual asset data in XML format
Uniform-format virtual asset data can be transmitted to the virtual asset database in two ways: real-time transmission and batch transmission. Real-time data can be sent with POST encoding over the secure protocol HTTPS, and batch data can be sent as files over the File Transfer Protocol. Because virtual asset data involves users' sensitive information, the security of the data must be guaranteed whichever transfer mode is used; plain FTP encrypts neither credentials nor file contents, so batch transfers need a protected channel such as FTPS or SFTP to meet this requirement.
The detailed process is as follows:
(S11) The data generated by A and B is stored by category in their local databases. According to the characteristics of the application platform, the virtual asset data is divided into data operation logs, user operation logs, system activity and runtime logs and so on. The storage system for the local database can be chosen according to the scale of data generated, for example a centralized storage system or a distributed storage system. The local database and the virtual asset database store the same data; a local database corresponds to one application platform and stores that platform's data, whereas the virtual asset database is created by the system, stores the data generated by multiple application platforms for anomaly detection, and draws on multiple local databases.
(S12) The virtual asset application platforms generate new data all the time, and A and B only need to transmit the most recently updated data to the virtual asset database, so a checkpoint can be set in the local database to mark the position up to which data has been updated.
(S13) A and B convert the virtual asset data to be sent from their local databases into the uniform XML format.
(S14) The data transfer mode is chosen according to the configuration requirements of the anomaly discovery system: real-time transmission if anomaly detection is performed on online data, batch transmission if it is performed on offline data.
(S15) The virtual asset database Γ must store massive data, so a distributed database that supports incremental writes and scales well, such as Cassandra, is used. Γ can also be optimized first, for example by building an index mechanism, to improve the performance with which the anomaly discovery methods query and read data.
(S16) Using eID-based virtual identity association technology, the network user virtual identity database Λ is built from Γ. Because Λ is used mainly for querying users' virtual identities, the relational database MySQL can be used, as shown in Table 2. Λ contains at least the account, the application platform and the eID number, and the account together with the application platform forms the primary key. An account is unique within one virtual asset application platform, and the same eID user can hold several accounts; for example, user1, user2 and user3 are associated with eid_1. In use, the eID number is first located from the account and application platform, and the user's different accounts on different application platforms are then found from the eID number.
Table 2. Example of the network user virtual identity database
A and B keep generating new virtual asset data, and the data in databases Γ and Λ is updated continuously as well.
(S2) Anomaly discovery; this step is carried out mainly by the anomaly discovery module.
By the technical principle they use, anomaly discovery methods can be divided into classification-based methods, nearest-neighbor-based methods, clustering-based methods, statistical methods, information-theoretic methods and spectral methods; typical algorithms include the SVMs algorithm, the Bayesian network algorithm, the k-th nearest neighbor algorithm, the FindCBLOF algorithm, Kernels, the LSA algorithm, the PCA algorithm and so on. These anomaly discovery methods each have their own characteristics; in practice, algorithms with complementary strengths and weaknesses are selected for the specific application field. Assume that the invention has selected 5 anomaly discovery methods of superior performance, i.e. N = 5. As for the multiple anomaly discovery methods, existing anomaly discovery methods can be divided into three classes: supervised methods, semi-supervised methods and unsupervised methods. A supervised method can take the virtual asset data labeled by an unsupervised method as training samples, and from the sample data learn model parameters or build the anomaly pattern library of the anomaly discovery method.
The output of an anomaly discovery method is generally one of two kinds: an anomaly label or an anomaly score. Let p be the anomaly score of the virtual asset data under detection. For an anomaly label, p = 1 if the data is labeled anomalous and p = 0 if it is labeled normal. An anomaly score is normalized. The output of the anomaly discovery methods used in the invention is specified to be an anomaly score in the range [0,1], and the higher the score, the more likely the virtual asset data is anomalous.
For ease of calculation, it is assumed that anomaly method XiWeight coefficient
(S21) Assume the virtual asset data contains the virtual identities user1 and user3 on platform A.
(S22) Search Λ: through eid_1, the eID associated with (A, user1), find the virtual identities (A, user2) and (B, user1); through eid_2, the eID associated with (A, user3), find the virtual identity (B, user4); see Table 2.
(S23) Search the virtual asset database Γ and locate all virtual asset data related to the virtual identities of step (S22). The network user virtual identity database makes it possible to locate the virtual asset data associated with a user efficiently and accurately.
(S24) Compute the anomaly scores of the virtual asset data of step (S23) with the anomaly discovery methods, as shown in Table 3.
Table 3. Example anomaly scores for virtual asset data
Each row holds the anomaly scores that the 5 anomaly discovery methods give one item of virtual asset data; for data 1 the anomaly scores are p1 = 0.7, p2 = 0.9, p3 = 0.78, p4 = 0.8, p5 = 0.75.
(S25) Compute the composite anomaly index score P of the virtual asset data by formula (1); it can be shown that P lies in the range [0,1].
For example, the abnormal index score of data 1
Table 4. Anomaly adjudication results for virtual asset data
(S26) Assume the anomaly threshold δ = 0.75; if P ≥ δ the data is adjudicated anomalous, otherwise normal. For data 1, for example, the anomaly index score P = 0.786 > δ = 0.75, so data 1 is adjudicated anomalous. Table 4 shows the anomaly adjudication results for the other data.
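The lookup and adjudication of steps (S21) to (S26), as an added example that is not part of the patent text. It assumes that formula (1), which this page does not reproduce, is the weighted sum of the per-method scores with weights summing to 1, and uses equal weights of 0.2, which reproduces P = 0.786 for data 1; the identity rows follow the step (S22) walk-through, SQLite stands in for the MySQL store, and all table, function and variable names are hypothetical.

```python
import sqlite3

# Constructed rows for the virtual identity database (Λ), following the
# step (S22) walk-through: (account, platform) is the primary key.
IDENTITY_ROWS = [
    ("user1", "A", "eid_1"),
    ("user2", "A", "eid_1"),
    ("user1", "B", "eid_1"),
    ("user3", "A", "eid_2"),
    ("user4", "B", "eid_2"),
]

# Scores of the 5 methods for "data 1" (from the text) and a constructed
# record on which a single method fires on its own.
DATA1_SCORES = [0.7, 0.9, 0.78, 0.8, 0.75]
LONE_ALARM_SCORES = [0.95, 0.2, 0.3, 0.25, 0.3]
EQUAL_WEIGHTS = [0.2] * 5  # assumption: the page does not give the weights
DELTA = 0.75               # anomaly threshold from step (S26)


def build_identity_db(rows=IDENTITY_ROWS):
    """Create an in-memory stand-in for Λ (SQLite instead of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE identity ("
        " account TEXT NOT NULL, platform TEXT NOT NULL, eid TEXT NOT NULL,"
        " PRIMARY KEY (account, platform))"
    )
    # Index the eID column: every lookup fans out from one eID to its accounts.
    db.execute("CREATE INDEX idx_identity_eid ON identity (eid)")
    db.executemany("INSERT INTO identity VALUES (?, ?, ?)", rows)
    return db


def associated_identities(db, platform, account):
    """Steps (S21)-(S22): resolve (platform, account) to its eID, then return
    every (platform, account) bound to that eID. Unknown identities give []."""
    return db.execute(
        "SELECT b.platform, b.account FROM identity AS a"
        " JOIN identity AS b ON b.eid = a.eid"
        " WHERE a.platform = ? AND a.account = ?"
        " ORDER BY b.platform, b.account",
        (platform, account),
    ).fetchall()


def label_to_score(is_abnormal):
    """Map an anomaly label onto the score scale: abnormal -> 1, normal -> 0."""
    return 1.0 if is_abnormal else 0.0


def composite_score(scores, weights):
    """Assumed form of formula (1): P = sum(w_i * p_i), with sum(w_i) = 1."""
    if len(scores) != len(weights):
        raise ValueError("one weight per anomaly discovery method is required")
    if any(not 0.0 <= p <= 1.0 for p in scores):
        raise ValueError("scores must be normalized to [0, 1]")
    if any(w < 0 for w in weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must be non-negative and sum to 1")
    return sum(w * p for w, p in zip(weights, scores))


def adjudicate(scores, weights=EQUAL_WEIGHTS, delta=DELTA):
    """Step (S26): anomalous when P >= delta. Returns (P, is_anomalous)."""
    p_total = composite_score(scores, weights)
    return p_total, p_total >= delta


if __name__ == "__main__":
    db = build_identity_db()
    for identity in [("A", "user1"), ("A", "user3")]:
        print(identity, "->", associated_identities(db, *identity))
    for name, scores in [("data 1", DATA1_SCORES), ("lone alarm", LONE_ALARM_SCORES)]:
        print(name, adjudicate(scores))
```

With equal weights, the constructed record on which one method scores 0.95 and the rest stay low ends at P = 0.4 and is adjudicated normal, which is the damping of single-method error that the weighted sum is meant to provide.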
(S3) Adaptive learning; this step is carried out mainly by the adaptive learning module.
The anomaly adjudication results of step (S2) are counted and compared with the actual anomaly status of the data, and the weight coefficients wi, 1 ≤ i ≤ 5, are adjusted dynamically. The time interval Δt at which the weight coefficients are adjusted is chosen according to the actual situation; it can be a physical time, Δt = 24h, or a number of data anomaly adjudications accumulated in the anomaly discovery stage, Δt = 100 times.
Assume here that the time interval is Δt = 100 times, i.e. M = 100 anomaly adjudication results are counted, and that the first 4 anomaly adjudication results are those of Table 4.
1) Initialize the counting variables ci = 0, 1 ≤ i ≤ 5.
2) Examine the anomaly adjudication results for the virtual asset data, as shown in Table 5.
Table 5. Adjudicated and actual results for virtual asset data
For data 1, the actual result is anomalous and the adjudicated result is anomalous; the counting variable updates are shown in Table 6.
Table 6. Counting variable updates for data 1
For data 2, the actual result is normal and the adjudicated result is anomalous; the counting variable updates are shown in Table 7.
Table 7. Counting variable updates for data 2
For data 3, the actual result is normal and the adjudicated result is normal; the counting variable updates are shown in Table 8.
Table 8. Counting variable updates for data 3
For data 4, the actual result is anomalous and the adjudicated result is normal; the counting variable updates are shown in Table 9.
Table 9. Counting variable updates for data 4
3) After the 100 anomaly adjudication results have been counted, the updated values of the counting variables ci are shown in Table 10.
Table 10. Updated values of the counting variables
4) weight coefficient of 5 kinds of anomaly methods is updated by formula (2)
It is as shown in table 11 by formula (2) newer weight coefficient.
11 weight coefficient update status of table
5) pass through formula (3) standardization weight coefficientIt is set to meet condition
Specific result of calculation is shown in Table 11.
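The scoring and ruling of steps (S25) and (S26) and the case split of step 2), as an added example that is not part of the patent text. It assumes formula (1) is the weighted sum P = Σ wi·pi with equal initial weights of 0.2, which reproduces the P=0.786 stated for data 1; the function names are hypothetical, the scores for data 2 to 4 are constructed, and the counting rules and formulas (2) and (3) are left out because their terms do not appear on this page.

```python
import math
from collections import Counter

WEIGHTS = [0.2] * 5   # assumption: equal initial weights for the 5 methods
DELTA = 0.75          # anomaly threshold from step (S26)

# (name, scores p1..p5, actual result is abnormal?)
# data 1 scores come from the text; data 2-4 scores are constructed so that
# the rulings match the walkthrough (abnormal, normal, normal).
SAMPLE = [
    ("data 1", [0.70, 0.90, 0.78, 0.80, 0.75], True),
    ("data 2", [0.80, 0.70, 0.90, 0.75, 0.80], False),
    ("data 3", [0.20, 0.30, 0.10, 0.40, 0.25], False),
    ("data 4", [0.60, 0.80, 0.50, 0.70, 0.65], True),
]

def composite_score(scores, weights):
    """Formula (1), taken here as P = sum(w_i * p_i) (assumption)."""
    if len(scores) != len(weights):
        raise ValueError("one weight per anomaly method is required")
    if not all(0.0 <= p <= 1.0 for p in scores):
        raise ValueError("anomaly scores must lie in [0, 1]")
    if any(w < 0 for w in weights) or not math.isclose(sum(weights), 1.0):
        raise ValueError("weights must be non-negative and sum to 1")
    # Non-negative weights that sum to 1 make P a convex combination of the
    # scores, which is why P cannot leave [0, 1].
    return sum(w * p for w, p in zip(weights, scores))

def learning_case(actual_abnormal, ruled_abnormal):
    """Step (S32): choose the counting step from actual result and ruling."""
    return {
        (False, True): "S33",   # actual normal, ruled abnormal (false alarm)
        (False, False): "S34",  # actual normal, ruled normal
        (True, True): "S35",    # actual abnormal, ruled abnormal
        (True, False): "S36",   # actual abnormal, ruled normal (missed anomaly)
    }[(actual_abnormal, ruled_abnormal)]

def evaluate(records, weights, delta):
    """Score each record, rule on it, and route it to its counting step."""
    results = []
    for name, scores, actual in records:
        P = composite_score(scores, weights)
        ruled = P >= delta  # (S26): abnormal when P >= delta
        results.append((name, round(P, 3), ruled, learning_case(actual, ruled)))
    return results

def case_counts(results):
    """Number of rulings per case; S33 and S36 are the two error cases."""
    return Counter(case for *_, case in results)

if __name__ == "__main__":
    for row in evaluate(SAMPLE, WEIGHTS, DELTA):
        print(row)
```
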
(S4) Self-feedback adjustment process. This process is mainly carried out by the self-feedback adjustment module.
In general, an interactive interface can be used to let an expert apply semi-supervised feedback adjustment to the anomaly system. Anomaly methods are replaced with better-performing ones according to the characteristics of the fictitious assets data; the weight coefficients are initialized according to the relative merits of the anomaly methods; the time interval for updating the weight coefficients is adjusted in real time according to the actual needs of the anomaly system; and for new user behaviour anomaly patterns or data attribute anomaly patterns that appear in cyberspace, the abnormal patterns library of the anomaly methods is continually corrected and improved by manual means (in actual use, this only requires programming one interface into the system).
In conclusion the present invention has fully considered fictitious assets data magnanimity and complicated, network user's virtual identity
A kind of the features such as not unique and single anomaly method is inefficient, it is proposed that fictitious assets anomaly system of adaptive self feed back
System and implementation method.By build network user's virtual identity database, based on eID correlation technologies realize to fictitious assets across
Platform anomaly.It, can be under online or offline environment to virtually providing by real-time or batch mode data transmission mechanism
It produces data and carries out anomaly.The adaptive learning Regulation mechanism of weight coefficient, it is possible to prevente effectively from single anomaly method
Limitation, improve anomaly precision.The self feed back regulation mechanism of semi-supervised pattern can configure in real time according to actual needs
Parameter improves abnormal patterns library, enhances the applicability of the present invention.The present invention is not only simply easily achieved but also can obtain higher
Precision, Social benefit and economic benefit is notable.
It is that illustrative description has been carried out to the present invention above, it is clear that realization of the invention is not limited by aforesaid way
System, if the various improvement of technical solution of the present invention progress are used, or it is not improved by the design of the present invention and technical solution
Other occasions are directly applied to, are within the scope of the invention.
Claims (4)
1. An adaptive self-feedback fictitious assets anomaly system, characterized in that: it comprises a data acquisition module, an anomaly module, an adaptive learning module and a self-feedback adjustment module; the data acquisition module is connected to the anomaly module, the anomaly module is connected to the adaptive learning module and to the self-feedback adjustment module respectively, and the self-feedback adjustment module is connected to the adaptive learning module; wherein the data acquisition module is responsible for collecting and storing the fictitious assets data generated by application platforms in cyberspace; the data acquisition module transfers the fictitious assets data to the anomaly module; the anomaly module is responsible for building the abnormal patterns library and performing abnormality detection on the fictitious assets data, and transfers the abnormality detection results to the adaptive learning module; the adaptive learning module dynamically adjusts the weight coefficients of the anomaly methods according to the abnormality detection results, specifically: assume that the anomaly module has made M anomaly rulings in total within time Δt, that the i-th anomaly method Xi is associated with a counting variable ci, that pi denotes the anomaly score, P denotes the comprehensive anomaly index score of the fictitious assets data, and δ denotes the predefined anomaly threshold, 1≤i≤N; proceed according to the following steps,
(S31) initialize the counting variables ci=0, 1≤i≤N;
(S32) examine the anomaly ruling for the fictitious assets data, which falls into one of the following four cases:
i. if the actual result is normal and the ruling is abnormal, go to step (S33);
ii. if the actual result is normal and the ruling is normal, go to step (S34);
iii. if the actual result is abnormal and the ruling is abnormal, go to step (S35);
iv. if the actual result is abnormal and the ruling is normal, go to step (S36);
(S33) ifThen ci=ci+1, ifThen1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S34) if pi<P, then ci=ci+1, if P≤pi<δ, then1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S35) if pi≥P, then ci=ci+1, if δ≤pi<P, then1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S36) if pi≥δ, then ci=ci+1, 1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S37) update the weight coefficients of the N anomaly methods by formula (2)
(S38) normalize the weight coefficients by formula (3) so that they satisfy the condition
The self-feedback adjustment module is responsible for correcting the abnormal patterns library through feedback and for configuring the relevant parameters of the anomaly module and the adaptive learning module, specifically:
For the parameters involved in the processing of the anomaly module and the adaptive learning module, an interface is provided to support initialization by an expert, the parameters including the weight coefficients and the anomaly threshold δ; for the anomaly rulings on fictitious assets data during anomaly discovery, an interface is provided to support real-time verification by an expert; for new fictitious assets data anomaly patterns in cyberspace, an interface is provided to support feedback correction by an expert.
2. An implementation method for an adaptive self-feedback fictitious assets anomaly system, using the adaptive self-feedback fictitious assets anomaly system as described in claim 1, characterized in that it comprises the following steps:
(S1) data acquisition: the data acquisition module collects and stores the fictitious assets data generated by fictitious assets application platforms, and builds the fictitious assets database and the virtual identity database of network users;
(S2) anomaly discovery: the anomaly module performs abnormality detection on the uniformly formatted fictitious assets data in the fictitious assets database, calculates their anomaly scores with a plurality of anomaly methods, and rules on whether the data are abnormal;
(S3) adaptive learning process: according to whether the actual status of the fictitious assets data agrees with the ruling in step (S2), the adaptive learning module dynamically adjusts the weight coefficients corresponding to the N anomaly methods; the detailed process is: assume that the anomaly module has made M anomaly rulings in total within time Δt, that the i-th anomaly method Xi is associated with a counting variable ci, that pi denotes the anomaly score, P denotes the comprehensive anomaly index score of the fictitious assets data, and δ denotes the predefined anomaly threshold, 1≤i≤N; proceed according to the following steps,
(S31) initialize the counting variables ci=0, 1≤i≤N;
(S32) examine the anomaly ruling for the fictitious assets data, which falls into one of the following four cases:
i. if the actual result is normal and the ruling is abnormal, go to step (S33);
ii. if the actual result is normal and the ruling is normal, go to step (S34);
iii. if the actual result is abnormal and the ruling is abnormal, go to step (S35);
iv. if the actual result is abnormal and the ruling is normal, go to step (S36);
(S33) ifThen ci=ci+1, ifThen1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S34) if pi<P, then ci=ci+1, if P≤pi<δ, then1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S35) if pi≥P, then ci=ci+1, if δ≤pi<P, then1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S36) if pi≥δ, then ci=ci+1, 1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S37) update the weight coefficients of the N anomaly methods by formula (2)
(S38) normalize the weight coefficients by formula (3) so that they satisfy the condition
(S4) self-feedback adjustment process: the self-feedback adjustment module applies feedback adjustment to the anomaly module and the adaptive learning module in semi-supervised mode; the detailed process is:
For the parameters involved in step (S2) and step (S3), an interface is provided to support initialization by an expert, the parameters including the weight coefficients and the anomaly threshold δ; for the anomaly rulings on fictitious assets data in step (S2), an interface is provided to support real-time verification by an expert; for new fictitious assets data anomaly patterns in cyberspace, an interface is provided to support feedback correction by an expert.
3. The implementation method for an adaptive self-feedback fictitious assets anomaly system as claimed in claim 2, characterized in that the detailed process of step (S1) is:
(S11) the fictitious assets application platform stores the fictitious assets data it generates in a local database;
(S12) the fictitious assets database requests the fictitious assets application platform to send fictitious assets data;
(S13) the fictitious assets application platform converts the format of the fictitious assets data to be sent;
(S14) the fictitious assets application platform sends the uniformly formatted fictitious assets data;
(S15) the fictitious assets database stores the fictitious assets data and optimizes them;
(S16) based on eID virtual identity association technology, and in combination with the fictitious assets database, the virtual identity database of network users is built.
4. The implementation method for an adaptive self-feedback fictitious assets anomaly system as claimed in claim 2, characterized in that the detailed process of step (S2) is:
Assume that the anomaly module has N anomaly methods in total, whose corresponding weight coefficients are respectively
and satisfy the condition; proceed according to the following steps,
(S21) for the fictitious assets data to be detected, find the virtual identity they contain;
(S22) search the network user virtual identity database and associate all of the user's virtual identities through eID;
(S23) search the fictitious assets database and locate all fictitious assets data related to the virtual identities from step (S22);
(S24) calculate the anomaly scores of the fictitious assets data from step (S23) with the anomaly methods
(S25) calculate the comprehensive anomaly index score P of the fictitious assets data by formula (1):
(S26) if P is greater than the predefined anomaly threshold δ, the data is ruled abnormal; otherwise it is ruled normal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510570032.XA CN105117477B (en) | 2015-09-09 | 2015-09-09 | A kind of the fictitious assets anomaly system and implementation method of adaptive self feed back |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105117477A CN105117477A (en) | 2015-12-02 |
CN105117477B true CN105117477B (en) | 2018-07-31 |
Family
ID=54665466
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105117477B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |