CN105117477B - Adaptive self-feedback virtual asset anomaly discovery system and implementation method - Google Patents


Publication number
CN105117477B
Authority
CN
China
Prior art keywords
anomaly
virtual assets
data
module
abnormal
Legal status
Active
Application number
CN201510570032.XA
Other languages
Chinese (zh)
Other versions
CN105117477A (en)
Inventor
全拥
贾焰
韩伟红
周斌
杨树强
李爱平
黄九鸣
李树栋
刘斐
李虎
邓璐
傅翔
朱伟辉
Current Assignee
National University of Defense Technology
Original Assignee
National University of Defense Technology
Application filed by National University of Defense Technology
Priority to CN201510570032.XA
Publication of CN105117477A
Application granted
Publication of CN105117477B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/80 Information retrieval; Database structures therefor; File system structures therefor of semi-structured data, e.g. markup language structured data such as SGML, XML or HTML
    • G06F16/83 Querying

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the field of network and information security and discloses an adaptive self-feedback virtual asset anomaly discovery system and implementation method. The system comprises a data acquisition module, an anomaly discovery module, an adaptive learning module and a self-feedback adjustment module. The data acquisition module is connected to the anomaly discovery module; the anomaly discovery module is connected to the adaptive learning module and to the self-feedback adjustment module; and the self-feedback adjustment module is connected to the adaptive learning module. The method mainly comprises data acquisition, anomaly discovery, adaptive learning and self-feedback adjustment steps. The invention takes into account that virtual asset data is massive and complex, that a network user's virtual identity is not unique, and that a single anomaly discovery method is inefficient. Its anomaly ruling mechanism, based on weighted summation, effectively contains the detection error introduced by a single anomaly discovery method and improves anomaly discovery precision.

Description

Adaptive self-feedback virtual asset anomaly discovery system and implementation method
Technical field
The invention belongs to the field of network and information security, and in particular relates to an adaptive self-feedback virtual asset anomaly discovery system and implementation method.
Background
Virtual assets are items that exist in cyberspace, are competitive and persistent, and can be exchanged or traded, including online banking, network accounts, online game equipment and weapons, virtual currency and so on. With the rapid development of Internet applications such as social networks, e-commerce and online games, the daily work, life and study of netizens have extended from the traditional physical space into cyberspace. By December 2014, the number of netizens in China had reached 649 million, and the usage rates of applications such as online games, online shopping and online payment had reached 56.4%, 55.7% and 46.9% respectively (see reference [1]). The use of virtual assets has thus penetrated every aspect of cyberspace and has become an important market behavior and way of life. Driven by the mobile Internet, the number of netizens in China and the usage rate of Internet applications will continue to grow, and the importance of virtual assets in cyberspace will become even more prominent.
At present, anomaly discovery is widely used, including in fraud detection, medical care, public safety and intrusion detection. Anomaly discovery is the process of finding objects whose behavior differs greatly from what is expected; such objects are called anomalies, and they are distinct from noise data. Noise is the random error or variance of an observed variable, whereas an anomaly is produced by a mechanism different from the one that produces the other data. In general, anomalies fall into three classes: global anomalies, contextual (or conditional) anomalies and collective anomalies (see reference [2]). A global anomaly is a data object that deviates significantly from the rest of the objects in a given data set; a contextual anomaly is a data object that deviates significantly from the rest of the objects in a given data set under a particular context; a collective anomaly is a subset of data objects that, as a whole, deviates significantly from the entire data set. In short, a data set may contain several types of anomaly, and one object may belong to more than one type. Global anomalies are the simplest to discover; contextual anomaly discovery needs background knowledge to determine the contextual attributes and the context; collective anomaly discovery needs background information to model the relationships between objects in order to find anomalous groups.
Although virtual assets give people powerful Internet services and convenience, the associated network security problems have also caused huge property losses, deepened people's distrust of the online world and dealt a serious blow to the Internet economy. In 2014, 46.3% of all netizens encountered network security problems, and the security of personal Internet use in China gives no cause for optimism. Among these problems, the exposure of virtual-asset-related security incidents such as stolen accounts or passwords, consumer fraud and information leakage seriously affects netizens' perception of network security. For example, when such incidents occur during online shopping, they cause losses to the shopper and also disrupt the order of online shopping, affecting the healthy development of the online shopping industry. When a netizen's virtual assets become abnormal, the netizen generally files a complaint to defend their rights by logging in to the customer service center of the corresponding platform; the inefficiency of manual handling and the limitations of a single platform make it difficult to discover anomalies and take effective measures in time. To build a good environment for the use of virtual assets, the relevant departments have issued a series of policies, regulations and standards on topics such as digital certificates and online shopping, but in the face of complex and massive virtual asset data, automated anomaly discovery methods are needed to protect and manage virtual assets.
However, in virtualized cyberspace the same user can own several different virtual identities, that is, network accounts. A user can use these virtual identities on different application platforms to perform cross-platform operations such as acquiring, transferring and trading virtual assets, which increases the difficulty of virtual asset anomaly discovery. The eID is a network identity based on cryptographic technology and carried on a smart chip, issued to citizens by the "Ministry of Public Security citizen network identity identification system"; it allows identity to be recognized remotely online without revealing identity information, and eID-based virtual identity association technology can effectively solve the above problem (see reference [3]). A user binds their multiple virtual identities in cyberspace to the eID; because the eID is unique, the user's real identity can be located quickly across different application platforms, which provides technical support for cross-platform virtual asset anomaly discovery methods.
There is a large body of research on anomaly discovery at home and abroad. Depending on whether the data samples used for analysis carry labels, provided by domain experts, that can be used to build the anomaly discovery model, methods are divided into supervised, semi-supervised and unsupervised methods. Depending on the assumptions made about normal and anomalous objects, they can also be divided into statistical methods, proximity-based methods and clustering-based methods (see references [4] and [5]). However, existing methods each target a specific field or a specific type of anomaly, and practical applications must meet certain conditions to guarantee accuracy and running efficiency. For example, supervised methods need a sample set provided by domain experts in order to learn a classifier that can identify anomalies; unsupervised methods require a clear boundary between normal and anomalous data; statistical methods assume that the normal objects in the data set are generated by a random process; clustering-based methods assume that normal data instances belong to a cluster and that anomalous data do not belong to any cluster. References [4] and [5] analyze the advantages of these anomaly discovery methods in detail: some focus on improving running time, some on improving precision, and others on refining the granularity of anomaly discovery.
Virtual asset data has varied structure: there is structured virtual asset description data as well as semi-structured log data and unstructured operation data. The environment in which virtual assets are used is complex and changeable: user operations on virtual assets are uncertain, and virtual asset application platforms differ in structure. It is therefore difficult to discover the different types of virtual-asset-related anomalies promptly and accurately with a single method. In addition, the way users interact in cyberspace keeps changing, which also drives the evolution of virtual asset data and its attributes. The virtual asset abnormal pattern library therefore needs to be updated and improved in real time. The present invention takes all of the above factors into account.
References:
[1] China Internet Network Information Center (CNNIC). The 35th Statistical Report on Internet Development in China [EB/OL]. http://www.cnnic.cn/hlwfzyj/hlwxzbg/201502/P020150203551802054676.pdf
[2] Han J, Kamber M, Pei J. Data mining: concepts and techniques [M]. Elsevier, 2011.
[3] http://eid.cn/.
[4] Chandola V, Banerjee A, Kumar V. Anomaly detection: A survey [J]. ACM Computing Surveys (CSUR), 2009, 41(3): 15.
[5] Chandola V, Banerjee A, Kumar V. Anomaly detection for discrete sequences: A survey [J]. IEEE Transactions on Knowledge and Data Engineering, 2012, 24(5): 823-839.
Summary of the invention
To solve the above technical problems, the present invention takes into account that virtual asset data is massive and complex, that a network user's virtual identity is not unique and that a single anomaly discovery method is inefficient, and proposes an adaptive self-feedback virtual asset anomaly discovery system and implementation method. The specific technical solution is as follows:
An adaptive self-feedback virtual asset anomaly discovery system comprises a data acquisition module, an anomaly discovery module, an adaptive learning module and a self-feedback adjustment module. The data acquisition module is connected to the anomaly discovery module; the anomaly discovery module is connected to the adaptive learning module and to the self-feedback adjustment module; and the self-feedback adjustment module is connected to the adaptive learning module. The data acquisition module collects and stores the virtual asset data generated by application platforms in cyberspace and passes it to the anomaly discovery module. The anomaly discovery module builds the abnormal pattern library, performs anomaly detection on the virtual asset data and passes the anomaly detection results to the adaptive learning module. The adaptive learning module dynamically adjusts the weight coefficients of the anomaly discovery methods according to the anomaly detection results. The self-feedback adjustment module corrects the abnormal pattern library through feedback and configures the relevant parameters of the anomaly discovery module and the adaptive learning module.
The virtual asset data includes data operation logs, user operation logs and system activity logs. The virtual asset application platform provides two data interfaces: a data conversion interface, which converts the data generated by the application platform into virtual asset data of a uniform format, and a data transmission interface, which transmits the uniformly formatted virtual asset data generated by the application platform to the virtual asset database.
The present invention also provides an implementation method for adaptive self-feedback virtual asset anomaly discovery, which uses the adaptive self-feedback virtual asset anomaly discovery system described above and includes the following steps:
(S1) Data acquisition: the data acquisition module collects and stores the virtual asset data generated by the virtual asset application platforms, and builds the virtual asset database and the network user virtual identity database;
(S2) Anomaly discovery: the anomaly discovery module performs anomaly detection on the uniformly formatted virtual asset data in the virtual asset database, calculates its anomaly scores with N anomaly discovery methods, and rules whether the data is abnormal;
(S3) Adaptive learning: the adaptive learning module dynamically adjusts the weight coefficients w_i of the N anomaly discovery methods according to whether the actual condition of the virtual asset data agrees with the ruling result from step (S2), where N is an integer and i ranges over 1 ≤ i ≤ N;
(S4) Self-feedback adjustment: the self-feedback adjustment module applies feedback adjustment to the anomaly discovery module and the adaptive learning module in a semi-supervised mode.
Further, the detailed process of the data acquisition in step (S1) is:
(S11) The virtual asset application platform stores the virtual asset data it generates in a local database;
(S12) The virtual asset database requests that the virtual asset application platform send the virtual asset data held in the local database;
(S13) The virtual asset application platform converts the format of the virtual asset data to be sent;
(S14) The virtual asset application platform sends the virtual asset data in the uniform format;
(S15) The virtual asset database stores the virtual asset data and is optimized; in general, an optimization method such as building an index can be used;
(S16) Using the eID-based virtual identity association technology together with the virtual asset database, build the network user virtual identity database.
Further, the detailed process of the anomaly discovery in step (S2) is:
Assume the anomaly discovery module has N anomaly discovery methods X_i in total, whose corresponding weight coefficients are respectively w_i and satisfy the condition , where N is a natural number. The following steps are carried out:
(S21) For the virtual asset data to be detected, find the virtual identities it contains;
(S22) Search the network user virtual identity database and associate all of the user's virtual identities through the eID;
(S23) Search the virtual asset database and locate all virtual asset data related to the virtual identities from step (S22);
(S24) Use anomaly discovery method X_i to calculate the anomaly score p_i of the virtual asset data from step (S23);
(S25) Calculate the composite anomaly index score P of the virtual asset data by formula (1):
(S26) If P is greater than the predefined anomaly threshold δ, the data is ruled abnormal; otherwise it is ruled normal.
Further, the adaptive learning process in step (S3) is specifically:
Assume that within time Δt the anomaly discovery module has made M anomaly rulings in total. The i-th anomaly discovery method X_i is associated with a counting variable c_i; p_i denotes its anomaly score, P denotes the composite anomaly index score of the virtual asset data, δ denotes the predefined anomaly threshold, and M is a natural number. Proceed as follows:
(S31) Initialize the counting variables c_i = 0, 1 ≤ i ≤ N;
(S32) Examine the anomaly ruling result for the virtual asset data, which falls into one of the following four cases:
i. If the actual result is normal and the ruling is abnormal, go to step (S33);
ii. If the actual result is normal and the ruling is normal, go to step (S34);
iii. If the actual result is abnormal and the ruling is abnormal, go to step (S35);
iv. If the actual result is abnormal and the ruling is normal, go to step (S36);
(S34) If p_i < P, then c_i = c_i + 1; if P ≤ p_i < δ, then ; otherwise c_i = c_i + 0. Go to step (S37);
(S35) If p_i ≥ P, then c_i = c_i + 1; if δ ≤ p_i < P, then ; otherwise c_i = c_i + 0. Go to step (S37);
(S36) If p_i ≥ δ, then c_i = c_i + 1, 1 ≤ i ≤ N; otherwise c_i = c_i + 0. Go to step (S37);
(S37) Update the weight coefficients of the N anomaly discovery methods by formula (2)
(S38) Normalize the weight coefficients by formula (3) so that they satisfy the condition
Further, the self-feedback adjustment process in step (S4) is:
For the parameters involved in steps (S2) and (S3), an interface is provided so that experts can initialize them, including the weight coefficients w_i, the anomaly threshold δ and so on. For the virtual asset data anomaly ruling results from step (S2), an interface is provided so that experts can verify them in real time. For new virtual asset data abnormal patterns appearing in cyberspace, an interface is provided so that experts can apply feedback corrections.
Beneficial effects of the invention: the invention takes into account that virtual asset data is massive and complex, that a network user's virtual identity is not unique and that a single anomaly discovery method is inefficient, and proposes an adaptive self-feedback virtual asset anomaly discovery system and implementation method, providing a complete solution for early warning of virtual asset anomalies in cyberspace. The anomaly ruling mechanism based on weighted summation effectively contains the detection error introduced by a single anomaly discovery method and improves anomaly discovery precision. Adaptive learning and weight adjustment continuously optimize the anomaly ruling mechanism. By passively obtaining the newest virtual asset data abnormal patterns and correcting the abnormal pattern library through semi-supervised feedback, the anomaly discovery system is continuously improved.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network structure of the invention;
Fig. 2 is a flow diagram of the method of the invention.
Detailed description
The technical solution of the invention is further explained below with reference to the drawings and a specific embodiment.
Fig. 1 shows the network structure of the invention. An adaptive self-feedback virtual asset anomaly discovery system comprises a data acquisition module, an anomaly discovery module, an adaptive learning module and a self-feedback adjustment module. The data acquisition module is connected to the anomaly discovery module; the anomaly discovery module is connected to the adaptive learning module and to the self-feedback adjustment module; and the self-feedback adjustment module is connected to the adaptive learning module. The data acquisition module collects and stores the virtual asset data generated by application platforms in cyberspace and passes it to the anomaly discovery module. The anomaly discovery module builds the abnormal pattern library, performs anomaly detection on the virtual asset data and passes the anomaly detection results to the adaptive learning module. The adaptive learning module dynamically adjusts the weight coefficients of the anomaly discovery methods according to the anomaly detection results. The self-feedback adjustment module corrects the abnormal pattern library through feedback and configures the relevant parameters of the anomaly discovery module and the adaptive learning module.
Fig. 2 shows the flow of the method of the invention, which includes the following steps. Data acquisition step: the data generated by the virtual asset application platforms is converted into virtual asset data of a uniform format and transmitted to the virtual asset database, and the network user virtual identity database is built. Anomaly discovery step: the anomaly scores of the virtual asset data are calculated with several anomaly discovery methods, and the data is ruled abnormal or normal by the weighted summation mechanism. Adaptive learning step: the virtual asset data anomaly ruling results are counted and verified, and the corresponding weight coefficients are updated in real time. Self-feedback adjustment step: the abnormal pattern library is corrected and the relevant parameters are adjusted in a semi-supervised manner.
To fully show the technical characteristics of the invention, the anomaly discovery system needs to perform anomaly detection on data generated by at least two virtual asset application platforms. Assume cyberspace contains two heterogeneous virtual asset application platforms A and B; because the invention is founded on the remote identity recognition function of eID, A and B should both support eID authentication. An eID is unique: each real user has one and only one eID. To use virtual assets, a user needs to bind their virtual accounts on the different application platforms to their eID, so one eID can be associated with several virtual identities, while one virtual identity can be associated with only one eID. Virtual asset application platforms generate data all the time; user-related virtual asset data must pass eID authentication, and only data that authenticates successfully is saved, while other virtual asset data is automatically recorded in the system's log files.
A specific embodiment is described below.
(S1) Data acquisition, carried out by the data acquisition module of the system.
Different application platforms differ in how virtual assets are used and in how users operate on them, so the virtual asset data formats that A and B record in their local log files also differ. To make the data easier to transmit and store, this embodiment uses an XML-based data conversion mechanism to convert virtual asset data of different formats into a uniform format, as shown in Table 1.
Table 1. Example of virtual asset data in XML format
There are two ways to transmit the uniformly formatted virtual asset data to the virtual asset database: real-time transmission and batch transmission. Data transmitted in real time can be sent with POST encoding over the HTTPS security protocol, and data transmitted in batches can be sent as files over the File Transfer Protocol. Because virtual asset data involves users' sensitive information, the security of the data must be guaranteed whichever transmission mode is used.
The detailed process is as follows:
(S11) A and B store the data they generate, by category, in their local databases. According to the characteristics of the application platform, virtual asset data is divided into data operation logs, user operation logs, system activity logs and so on. The storage system for the local database can be chosen according to the scale of the data generated, for example a centralized storage system or a distributed storage system. The data stored in the local database and in the virtual asset database are consistent. A local database belongs to one application platform and stores that platform's data, whereas the virtual asset database is created by the system, stores the data generated by multiple application platforms for anomaly detection, and draws on multiple local databases.
(S12) Virtual asset application platforms generate new data all the time, and A and B only need to transmit recently updated data to the virtual asset database, so a checkpoint can be set in the local database to mark the position of the latest update.
(S13) A and B convert the virtual asset data to be sent from their local databases into the uniform XML format.
(S14) The data transmission mode is selected according to the configuration of the anomaly discovery system: real-time transmission is used if anomaly detection is performed on online data, and batch transmission is used if anomaly detection is performed on offline data.
(S15) The virtual asset database Γ needs to store massive data, so a distributed database that supports incremental writes and scales well, such as Cassandra, is used. Γ can also be optimized, for example by building an index mechanism, to improve the performance with which anomaly discovery methods query and read data.
(S16) Using the eID-based virtual identity association technology, build the network user virtual identity database Λ from Γ. Because Λ is mainly used to look up users' virtual identities, the relational database MySQL can be used, as shown in Table 2. Λ contains at least the account, the application platform and the eID number, and the account together with the application platform forms the primary key. An account is unique within one virtual asset application platform, and one eID user can own several accounts; for example, user1, user2 and user3 are associated with eid_1. In use, the eID number is first located from the account and application platform, and the user's different accounts on different application platforms are then found from the eID number.
Table 2. Example of the network user virtual identity database
A and B continuously generate new virtual asset data, and the data in databases Γ and Λ is continuously updated as well.
(S2) Anomaly discovery, carried out mainly by the anomaly discovery module.
By the technical principle they use, anomaly discovery methods can be divided into classification-based methods, nearest-neighbor-based methods, clustering-based methods, statistical methods, information-theoretic methods and spectral methods. Typical algorithms include the SVMs algorithm, the Bayesian network algorithm, the k-th nearest neighbor algorithm, the FindCBLOF algorithm, Kernels, the LSA algorithm, the PCA algorithm and so on. These methods each have their own characteristics, and in practice algorithms with complementary strengths and weaknesses are selected for the specific application field. Assume the invention has selected 5 anomaly discovery methods with good performance, i.e. N = 5. Existing anomaly discovery methods can also be divided into three classes: supervised, semi-supervised and unsupervised methods. A supervised method can take the virtual asset data labeled by an unsupervised method as training samples and use the sample data to learn model parameters or to build the abnormal pattern library of the anomaly discovery method.
The output of an anomaly discovery method is generally one of two kinds: an anomaly label or an anomaly score. Let the anomaly score of the virtual asset data to be detected be p. For an anomaly label, p = 1 if the data is labeled abnormal and p = 0 if it is labeled normal. An anomaly score is normalized. The invention specifies that the output of every anomaly discovery method it uses is an anomaly score in the range [0, 1], and that a higher score means the virtual asset data is more likely to be abnormal.
For ease of calculation, it is assumed that anomaly discovery method X_i has weight coefficient
(S21) Assume the virtual asset data contains the virtual identities user1 and user3 on platform A.
(S22) Search Λ: through eID eid_1, associated with (A, user1), find the virtual identities (A, user2) and (B, user1); through eID eid_2, associated with (A, user3), find the virtual identity (B, user4); see Table 2.
(S23) Search the virtual asset database Γ and locate all virtual asset data related to the virtual identities from step (S22). The network user virtual identity database allows the virtual asset data associated with a user to be located efficiently and accurately.
(S24) Calculate the anomaly scores of the virtual asset data from step (S23) with the anomaly discovery methods, as shown in Table 3.
Table 3. Example of virtual asset data anomaly scores
Each row of data represents the anomaly scores that the 5 anomaly discovery methods give to the virtual asset data; for data 1 the anomaly scores are p_1 = 0.7, p_2 = 0.9, p_3 = 0.78, p_4 = 0.8, p_5 = 0.75.
(S25) Calculate the composite anomaly index score P of the virtual asset data by formula (1); it can be proved that the value range of P is [0, 1].
For example, the anomaly index score of data 1
Table 4. Virtual asset data anomaly ruling results
(S26) Assume the anomaly threshold δ = 0.75; if P ≥ δ the data is ruled abnormal, otherwise it is ruled normal. For example, the anomaly index score of data 1 is P = 0.786 > δ = 0.75, so data 1 is ruled abnormal. Table 4 shows the anomaly ruling results for the other data.
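The identity expansion and weighted ruling of steps (S21) to (S26), as an added example that is not code from the patent. It assumes formula (1), which does not survive on this page, is the weighted sum P = Σ w_i·p_i with equal weights of 0.2 (consistent with the weighted-summation description and with the 0.786 given for data 1); the function names and the second sample record are constructed.

```python
from typing import Dict, Iterable, Sequence, Set, Tuple, Union

Identity = Tuple[str, str]      # (application platform, account)
Output = Union[bool, float]     # abnormal/normal label, or a score in [0, 1]

# Constructed identity table holding the associations walked through in (S22).
# The primary key is (platform, account); the value is the bound eID number.
IDENTITY_DB: Dict[Identity, str] = {
    ("A", "user1"): "eid_1",
    ("A", "user2"): "eid_1",
    ("B", "user1"): "eid_1",
    ("A", "user3"): "eid_2",
    ("B", "user4"): "eid_2",
}


def expand_identities(seen: Iterable[Identity],
                      db: Dict[Identity, str] = IDENTITY_DB) -> Set[Identity]:
    """(S21)-(S22): resolve each identity to its eID, then return every
    identity on any platform that is bound to one of those eIDs."""
    eids = set()
    for ident in seen:
        if ident not in db:
            # Data without an eID binding cannot be correlated across platforms.
            raise KeyError(f"identity {ident} has no eID binding")
        eids.add(db[ident])
    return {ident for ident, eid in db.items() if eid in eids}


def normalize_output(value: Output) -> float:
    """Map a method's output to p in [0, 1]: a label becomes 1.0 (abnormal)
    or 0.0 (normal); a score must already have been normalized."""
    if isinstance(value, bool):
        return 1.0 if value else 0.0
    score = float(value)
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"score {score} is outside [0, 1]")
    return score


def composite_score(outputs: Sequence[Output], weights: Sequence[float]) -> float:
    """Assumed form of formula (1): P = sum(w_i * p_i).
    Non-negative weights summing to 1 keep P inside [0, 1]."""
    if len(outputs) != len(weights):
        raise ValueError("one weight is required per anomaly discovery method")
    if any(w < 0 for w in weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must be non-negative and sum to 1")
    return sum(w * normalize_output(p) for w, p in zip(weights, outputs))


def rule(outputs: Sequence[Output], weights: Sequence[float],
         delta: float) -> Tuple[float, bool]:
    """(S25)-(S26): return (P, abnormal), using P >= delta as in the embodiment."""
    p = composite_score(outputs, weights)
    return p, p >= delta


if __name__ == "__main__":
    equal = [0.2] * 5   # assumed equal weights for N = 5
    # Identities found in the data under test, as in (S21).
    print(sorted(expand_identities([("A", "user1"), ("A", "user3")])))
    # Data 1 from the text: scores 0.7, 0.9, 0.78, 0.8, 0.75 with delta = 0.75.
    print(rule([0.7, 0.9, 0.78, 0.8, 0.75], equal, 0.75))
    # Constructed record: one method outputs the label "abnormal", four score low.
    print(rule([True, 0.1, 0.2, 0.1, 0.2], equal, 0.75))
```

The constructed second record shows a property of the weighted sum worth checking when choosing δ and the weights: a single method that labels the data abnormal (p = 1) is outvoted when the other four score low.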
(S3) Adaptive learning processing step. This step is mainly carried out by the adaptive learning module.
The abnormal ruling results from step (S2) are tallied and compared with the actual abnormal status of the data, and the weight coefficients wi, 1≤i≤5, are adjusted dynamically. The time interval Δt at which the weight coefficients are adjusted is chosen according to actual conditions: it can be a physical time, Δt=24h, or the number of data abnormal rulings accumulated in the anomaly stage, Δt=100 times.
Assume here that the time interval is Δt=100 times, that is, M=100 abnormal ruling results are counted, and that the first 4 abnormal ruling results are the same as in Table 4.
1) Initialize the counting variables ci=0, 1≤i≤5.
2) Judge the abnormal ruling results of the fictitious assets data, as shown in Table 5.
Table 5: Abnormal ruling results and actual results of fictitious assets data
For data 1, the actual result is abnormal and the ruling result is abnormal; the counting variable updates are shown in Table 6.
Table 6: Counting variable updates for data 1
For data 2, the actual result is normal and the ruling result is abnormal; the counting variable updates are shown in Table 7.
Table 7: Counting variable updates for data 2
For data 3, the actual result is normal and the ruling result is normal; the counting variable updates are shown in Table 8.
Table 8: Counting variable updates for data 3
For data 4, the actual result is abnormal and the ruling result is normal; the counting variable updates are shown in Table 9.
Table 9: Counting variable updates for data 4
3) After the 100 abnormal ruling results are counted, the updated values of the counting variables are as shown in Table 10.
Table 10: Updated values of the counting variables
4) Update the weight coefficients of the 5 anomaly methods by formula (2)
The weight coefficients updated by formula (2) are shown in Table 11.
Table 11: Weight coefficient updates
5) Normalize the weight coefficients by formula (3) so that they meet the condition
The specific calculation results are shown in Table 11.
(S4) Self feed back adjustment process. This process is mainly carried out by the self feed back adjustment module.
In general, an interactive interface can be used to let experts perform semi-supervised feedback adjustment of the anomaly system: according to the characteristics of the fictitious assets data, replace anomaly methods with better-performing ones; initialize the weight coefficients according to the relative merits of the anomaly methods; adjust the time interval for updating the weight coefficients in real time according to the actual needs of the anomaly system; and, for new user behavior abnormal patterns or data attribute abnormal patterns that appear in cyberspace, continuously correct and improve the abnormal patterns library of the anomaly methods by manual means (in actual use, this only requires the system programmer to write an interface).
In conclusion, the present invention takes full account of the massive volume and complexity of fictitious assets data, the non-uniqueness of network users' virtual identities, and the inefficiency of any single anomaly method, and proposes a fictitious assets anomaly system of adaptive self feed back and its implementation method. By building a network user virtual identity database, cross-platform anomaly detection of fictitious assets is achieved based on eID association technology. Through a real-time or batch data transmission mechanism, anomaly detection can be performed on fictitious assets data in either an online or an offline environment. The adaptive learning mechanism for adjusting the weight coefficients effectively avoids the limitations of a single anomaly method and improves anomaly detection precision. The semi-supervised self feed back adjustment mechanism allows parameters to be configured in real time according to actual needs and the abnormal patterns library to be improved, which enhances the applicability of the invention. The invention is simple and easy to implement, achieves higher precision, and has notable social and economic benefits.
The present invention has been described above by way of example. Clearly, its implementation is not limited to the manner described above; any improvement made using the technical solution of the invention, or any direct application of its concept and technical solution to other occasions without improvement, falls within the scope of protection of the invention.

Claims (4)

1. A fictitious assets anomaly system of adaptive self feed back, characterized in that it comprises a data acquisition module, an anomaly module, an adaptive learning module and a self feed back adjustment module; the data acquisition module is connected to the anomaly module, the anomaly module is connected to the adaptive learning module and to the self feed back adjustment module respectively, and the self feed back adjustment module is connected to the adaptive learning module; wherein the data acquisition module is responsible for collecting and storing the fictitious assets data generated by application platforms in cyberspace; the data acquisition module transfers the fictitious assets data to the anomaly module; the anomaly module is responsible for building the abnormal patterns library and performing abnormality detection on the fictitious assets data, and transfers the abnormality detection results to the adaptive learning module; the adaptive learning module dynamically adjusts the weight coefficients of the anomaly methods according to the abnormality detection results, specifically: assume the anomaly module has made M abnormal rulings in total within time Δt; the i-th anomaly method Xi is associated with a counting variable ci; pi denotes the abnormal score, P denotes the comprehensive abnormal index score of the fictitious assets data, and δ denotes the predefined outlier threshold, 1≤i≤N; proceed according to the following steps:
(S31) initialize the counting variables ci=0, 1≤i≤N;
(S32) judge the abnormal ruling results of the fictitious assets data, which fall into the following four cases:
i. if the actual result is normal and the data is ruled abnormal, go to step (S33);
ii. if the actual result is normal and the data is ruled normal, go to step (S34);
iii. if the actual result is abnormal and the data is ruled abnormal, go to step (S35);
iv. if the actual result is abnormal and the data is ruled normal, go to step (S36);
(S33) ifThen ci=ci+ 1, ifThen1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S34) if pi< P, then ci=ci+ 1, if P≤pi< δ, then1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S35) if pi>=P, then ci=ci+ 1, if δ≤pi< P, then1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S36) if pi>=δ, then ci=ci+ 1,1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S37) update the weight coefficients of the N anomaly methods by formula (2)
(S38) normalize the weight coefficients by formula (3) so that they meet the condition
The self feed back adjustment module is responsible for feedback correction of the abnormal patterns library and for configuring the relevant parameters in the anomaly module and the adaptive learning module, specifically:
For the parameters involved in the processing of the anomaly module and the adaptive learning module, an interface is provided to support initialization by experts, the parameters including the weight coefficients and the outlier threshold δ; for the abnormal ruling results of fictitious assets data in anomaly detection, an interface is provided to support real-time verification by experts; for new fictitious assets data abnormal patterns in cyberspace, an interface is provided to support feedback correction by experts.
2. An implementation method of a fictitious assets anomaly system of adaptive self feed back, using the fictitious assets anomaly system of adaptive self feed back as described in claim 1, characterized in that it comprises the following steps:
(S1) data acquisition: the data acquisition module collects and stores the fictitious assets data generated by the fictitious assets application platform, and builds the fictitious assets database and the virtual identity database of the network users;
(S2) anomaly detection: the anomaly module performs abnormality detection on the uniformly formatted fictitious assets data in the fictitious assets database, calculates their abnormal scores by multiple anomaly methods, and rules whether the data is abnormal;
(S3) adaptive learning process: the adaptive learning module dynamically adjusts the weight coefficients corresponding to the N anomaly methods according to whether the actual status of the fictitious assets data is consistent with the ruling result in step (S2); the specific process is: assume the anomaly module has made M abnormal rulings in total within time Δt; the i-th anomaly method Xi is associated with a counting variable ci; pi denotes the abnormal score, P denotes the comprehensive abnormal index score of the fictitious assets data, and δ denotes the predefined outlier threshold, 1≤i≤N; proceed according to the following steps:
(S31) initialize the counting variables ci=0, 1≤i≤N;
(S32) judge the abnormal ruling results of the fictitious assets data, which fall into the following four cases:
i. if the actual result is normal and the data is ruled abnormal, go to step (S33);
ii. if the actual result is normal and the data is ruled normal, go to step (S34);
iii. if the actual result is abnormal and the data is ruled abnormal, go to step (S35);
iv. if the actual result is abnormal and the data is ruled normal, go to step (S36);
(S33) ifThen ci=ci+ 1, ifThen1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S34) if pi< P, then ci=ci+ 1, if P≤pi< δ, then1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S35) if pi>=P, then ci=ci+ 1, if δ≤pi< P, then1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S36) if pi>=δ, then ci=ci+ 1,1≤i≤N, otherwise ci=ci+0; go to step (S37);
(S37) update the weight coefficients of the N anomaly methods by formula (2)
(S38) normalize the weight coefficients by formula (3) so that they meet the condition
(S4) self feed back adjustment process: the self feed back adjustment module performs feedback adjustment of the anomaly module and the adaptive learning module in a semi-supervised mode; the specific process is:
For the parameters involved in step (S2) and step (S3), an interface is provided to support initialization by experts, the parameters including the weight coefficients and the outlier threshold δ; for the fictitious assets data abnormal ruling results in step (S2), an interface is provided to support real-time verification by experts; for new fictitious assets data abnormal patterns in cyberspace, an interface is provided to support feedback correction by experts.
3. The implementation method of a fictitious assets anomaly system of adaptive self feed back as claimed in claim 2, characterized in that the specific process of step (S1) is:
(S11) the fictitious assets application platform stores the generated fictitious assets data in a local database;
(S12) the fictitious assets database requests the fictitious assets application platform to send fictitious assets data;
(S13) the fictitious assets application platform converts the format of the fictitious assets data to be sent;
(S14) the fictitious assets application platform sends the uniformly formatted fictitious assets data;
(S15) the fictitious assets database stores the fictitious assets data and optimizes it;
(S16) based on eID virtual identity association technology and in combination with the fictitious assets database, the virtual identity database of the network users is built.
4. The implementation method of a fictitious assets anomaly system of adaptive self feed back as claimed in claim 2, characterized in that the specific process of step (S2) is:
Assuming that sharing N kind anomaly methods in anomaly moduleIts corresponding weight coefficient is respectively And meet conditionIt follows the steps below,
(S21) for the fictitious assets data to be detected, find the virtual identities it contains;
(S22) search the network user virtual identity database and associate all virtual identities of the user through the eID;
(S23) search the fictitious assets database and locate all fictitious assets data related to the virtual identities in step (S22);
(S24) calculate the abnormal scores of the fictitious assets data in step (S23) using the anomaly methods
(S25) calculate the comprehensive abnormal index score P of the fictitious assets data by formula (1):
(S26) if P is greater than the predefined outlier threshold δ, the data is ruled abnormal; otherwise it is ruled normal.
CN201510570032.XA 2015-09-09 2015-09-09 A kind of the fictitious assets anomaly system and implementation method of adaptive self feed back Active CN105117477B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510570032.XA CN105117477B (en) 2015-09-09 2015-09-09 A kind of the fictitious assets anomaly system and implementation method of adaptive self feed back

Publications (2)

Publication Number Publication Date
CN105117477A CN105117477A (en) 2015-12-02
CN105117477B true CN105117477B (en) 2018-07-31

Family

ID=54665466

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510570032.XA Active CN105117477B (en) 2015-09-09 2015-09-09 A kind of the fictitious assets anomaly system and implementation method of adaptive self feed back

Country Status (1)

Country Link
CN (1) CN105117477B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107330783A (en) * 2017-06-26 2017-11-07 中国人民银行数字货币研究所 A kind of method and system for handling digital cash
CA3096405A1 (en) * 2018-04-09 2019-10-17 Veda Data Solutions, Inc. Processing personal data using machine learning algorithms, and applications thereof
CN109213656A (en) * 2018-07-23 2019-01-15 武汉智领云科技有限公司 A kind of interactive mode big data dysgnosis detection system and method
CN110008979A (en) * 2018-12-13 2019-07-12 阿里巴巴集团控股有限公司 Abnormal data prediction technique, device, electronic equipment and computer storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6839850B1 (en) * 1999-03-04 2005-01-04 Prc, Inc. Method and system for detecting intrusion into and misuse of a data processing system
CN102456065A (en) * 2011-07-01 2012-05-16 中国人民解放军国防科学技术大学 Methods for storing and querying offline historical statistical data of data stream
CN104090835A (en) * 2014-06-27 2014-10-08 中国人民解放军国防科学技术大学 eID (electronic IDentity) and spectrum theory based cross-platform virtual asset transaction audit method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant