CN105471846B - The detection method and device of event - Google Patents

Publication number
CN105471846B
Authority
CN
China
Prior art keywords
event
time period
time
period
support
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510786321.3A
Other languages
Chinese (zh)
Other versions
CN105471846A (en)
Inventor
徐建辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Secworld Information Technology Beijing Co Ltd
Original Assignee
Netshen Information Technology (beijing) Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Netshen Information Technology (beijing) Co Ltd
Priority to CN201510786321.3A
Publication of CN105471846A
Application granted
Publication of CN105471846B
Active legal status
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • G06F2216/00 Indexing scheme relating to additional aspects of information retrieval not explicitly covered by G06F16/00 and subgroups
    • G06F2216/03 Data mining

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses an event detection method and device. The method comprises: obtaining data to be detected, wherein the data to be detected include at least an event and the occurrence time of the event; determining, according to pre-divided time periods and the occurrence time of the event, the first time period to which the event belongs, and obtaining a first time-period set of the event, wherein the first time-period set contains the first time period; calculating the support of the first time period according to the first time-period set, wherein the support indicates how frequently the event occurs in the first time period; and, if the support is greater than a preset threshold, determining that the first time period is a frequent occurrence period of the event. The invention solves the technical problem that the prior art, which performs only simple counting analysis on the user's log data, cannot provide the occurrence pattern of events.

Description

The detection method and device of event
Technical field
The present invention relates to the Internet field, and in particular to an event detection method and device.
Background art
With the spread of computers and intelligent terminals, networks have developed rapidly and the network environment has become increasingly complex. The situation that enterprises and organizations face in the field of IT information security is also increasingly severe. The various network devices, security devices, hosts, applications and business systems in a network generate more and more security events and logs as they operate. A wealth of useful information is hidden behind this large volume of log data, so mining and analyzing log data to discover the useful knowledge behind it is highly necessary.
At present, traditional log products mostly focus on auditing when processing log data, and their analysis of logs often concentrates on single-dimension, single-attribute values, so the information that log data contains across multiple dimensions and attributes cannot be found. Log data often implies more useful knowledge across multi-dimensional, multi-attribute values; mining that knowledge requires data mining methods, for example to analyze whether a certain event occurs frequently.
In the prior art, the user's log data is usually analyzed by simple counting. Audit-type log products based on simple counting can hardly provide the user with the pattern of event occurrence, which makes it difficult for data mining to make progress.
No effective solution to the above problem has yet been proposed.
Summary of the invention
The embodiments of the present invention provide an event detection method and device, to at least solve the technical problem that the prior art, which performs only simple counting analysis on the user's log data, cannot provide the occurrence pattern of events.
According to one aspect of the embodiments of the present invention, an event detection method is provided, comprising: obtaining data to be detected, wherein the data to be detected include at least an event and the occurrence time of the event; determining, according to pre-divided time periods and the occurrence time of the event, the first time period to which the event belongs, and obtaining a first time-period set of the event, wherein the first time-period set contains the first time period; calculating the support of the first time period according to the first time-period set, wherein the support indicates how frequently the event occurs in the first time period; and, if the support is greater than a preset threshold, determining that the first time period is a frequent occurrence period of the event.
Further, obtaining the data to be detected comprises: extracting the user's log data; normalizing the original log data to obtain multiple objects, wherein the multiple objects contain a field indicating the event type; and dividing the multiple objects, according to the field, into data to be detected of different types.
Further, before determining the first time period to which the event belongs according to the pre-divided time periods and the occurrence time, the method further comprises: dividing each time cycle into multiple time periods according to the length of a predetermined time cycle and the length of the time period.
Further, calculating the support of the first time period according to the first time-period set comprises: counting the number of first time-period sets in each time cycle, and counting the total number of period sets in each time cycle; and calculating the ratio of the number of first time-period sets to the total number of period sets to obtain the support of the first time period.
Further, after determining that the first time period is a frequent occurrence period of the event, the method further comprises: updating a statistical result table, wherein the updated statistical result table contains the event and the first time period corresponding to the event; and, when a mining analysis request sent by a requesting device is received, returning the updated statistical result table to the requesting device.
According to another aspect of the embodiments of the present invention, an event detection device is also provided, comprising: an acquiring unit, configured to obtain data to be detected, wherein the data to be detected include at least an event and the occurrence time of the event; a determination unit, configured to determine, according to pre-divided time periods and the occurrence time of the event, the first time period to which the event belongs, and to obtain a first time-period set of the event, wherein the first time-period set contains the first time period; a computing unit, configured to calculate the support of the first time period according to the first time-period set, wherein the support indicates how frequently the event occurs in the first time period; and a detection unit, configured to determine, if the support is greater than a preset threshold, that the first time period is a frequent occurrence period of the event.
Further, the acquiring unit comprises: an extraction module, configured to extract the user's log data; a normalization module, configured to normalize the log data to obtain multiple objects, wherein the multiple objects contain a field indicating the event type; and a categorization module, configured to divide the multiple objects, according to the field, into data to be detected of different types.
Further, the device further comprises: a division unit, configured to divide each time cycle into multiple time periods according to the length of a predetermined time cycle and the length of the time period.
Further, the computing unit comprises: a statistical module, configured to count the number of first time-period sets in each time cycle and the total number of period sets in each time cycle; and a computing module, configured to calculate the ratio of the number of first time-period sets to the total number of period sets to obtain the support of the first time period.
Further, the device further comprises: an updating unit, configured to update a statistical result table, wherein the updated statistical result table contains the event and the first time period corresponding to the event; and an information exchange unit, configured to return the updated statistical result table to a requesting device when a mining analysis request sent by the requesting device is received.
In the embodiments of the present invention, data to be detected are obtained, wherein the data to be detected include at least an event and the occurrence time of the event; the first time period to which the event belongs is determined according to pre-divided time periods and the occurrence time of the event, and a first time-period set of the event is obtained, wherein the first time-period set contains the first time period; the support of the first time period is calculated according to the first time-period set, wherein the support indicates how frequently the event occurs in the first time period; and, if the support is greater than a preset threshold, the first time period is determined to be a frequent occurrence period of the event. By analyzing how frequently events occur according to pre-divided time periods, the sets of periods in which each kind of event frequently occurs within each time cycle are obtained from the data to be detected over a past span of time. This achieves the purpose of helping the user find the occurrence pattern of events, realizes the technical effect of helping the user find the occurrence patterns of various types of events, and thereby solves the technical problem that the prior art, which performs only simple counting analysis on the user's log data, cannot provide the occurrence pattern of events.
Detailed description of the invention
The drawings described here are provided for further understanding of the present invention and form part of this application. The illustrative embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic flowchart of an optional event detection method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of another optional event detection method according to an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of an optional event detection device according to an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of an optional acquiring unit according to an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of another optional event detection device according to an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of an optional computing unit according to an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of yet another optional event detection device according to an embodiment of the present invention.
Specific embodiment
To enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are obviously only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects and are not used to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the present invention described here can be implemented in an order other than those illustrated or described here. In addition, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion: for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to the process, method, product or device.
Embodiment 1
According to an embodiment of the present invention, a method embodiment of an event detection method is provided. It should be noted that the steps shown in the flowcharts of the drawings can be executed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described can be executed in an order different from the one given here.
Fig. 1 shows the event detection method according to an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:
Step S102: obtain data to be detected, wherein the data to be detected include at least an event and the occurrence time of the event.
Optionally, obtaining the data to be detected may comprise: extracting the user's log data; normalizing the log data to obtain multiple objects, wherein the multiple objects contain a field indicating the event type; and dividing the multiple objects, according to the field, into data to be detected of different types.
After the log data are normalized, unified POJO (Plain Ordinary Java Object, a simple Java object) objects are obtained. Each POJO object contains a field indicating the event type; according to this field, the POJO objects are classified and divided into the various types of data to be detected. Specifically, the types of data to be detected may include trojans, network worms, network scans, denial-of-service attacks and so on.
Step S104: according to the pre-divided time periods and the occurrence time of the event, determine the first time period to which the event belongs, and obtain the first time-period set of the event, wherein the first time-period set contains the first time period.
Optionally, before determining the first time period to which the event belongs according to the pre-divided time periods and the occurrence time, the method further comprises:
Step S10: divide each time cycle into multiple time periods according to the length of the predetermined time cycle and the length of the time period.
The aim is to count in which periods of each time cycle each type of event occurs. The time cycle can be divided into multiple time periods according to the length of the time cycle and the length of the time period predetermined by the user. For each type of event, the distribution of that event within each time cycle is counted according to the occurrence times of the event, that is, in which periods of each time cycle the event occurs. After all events have been counted, the set of periods over which each type of event is distributed in each time cycle (for example, the first time-period set described above) is obtained.
For example, suppose it is known that denial-of-service attacks occurred at 9:15 and 14:45 on a certain day. Assume the length of the predetermined time cycle is one day and the length of the time period is one hour; one day is then divided into 24 periods, namely 0:00-1:00, 1:00-2:00, ..., 23:00-0:00. Because the occurrence times of the denial-of-service attacks on that day fall in the two periods 9:00-10:00 and 14:00-15:00 respectively, the first time-period set of the denial-of-service event is {9:00-10:00, 14:00-15:00}.
Step S106: calculate the support of the first time period according to the first time-period set, wherein the support indicates how frequently the event occurs in the first time period.
Optionally, calculating the support of the first time period according to the first time-period set comprises: counting the number of first time-period sets in each time cycle, and counting the total number of period sets in each time cycle; and calculating the ratio of the number of first time-period sets to the total number of period sets to obtain the support of the first time period.
For example, assume there are three period sets: {A, B, C}, {B, C, D} and {A, D}, where A, B, C and D each denote a time period and each period set denotes a set made up of time periods; for example, the period set {A, B, C} denotes the set made up of periods A, B and C.
From these three period sets it can be seen that period A appears in the first period set and in the third period set, so it occurs twice; in other words, there are two period sets that contain period A. The support of period A equals the number of period sets that contain it divided by the total number of period sets, i.e. 2/3. By the same calculation, the support of period B and of period C is also 2/3.
Step S108: if the support is greater than the preset threshold, determine that the first time period is a frequent occurrence period of the event.
After the support of the first time period is calculated, if the support is greater than the preset threshold, the first time period is determined to be a frequent occurrence period of the event. Further, the period set whose support is greater than the preset threshold and which contains the largest number of periods may also be returned to the user; this embodiment places no limitation on this.
Based on the user's log data over a past span of time, the event detection method of this embodiment provides the user with the frequent occurrence periods, within the time cycle, of the various events in the user's system, helping the user find the occurrence patterns of various types of events. Meanwhile, the data prediction mode that divides the data by day shortens the time the user waits for detection results.
Through the above steps, how frequently events occur can be analyzed according to pre-divided time periods, and the sets of periods in which each kind of event frequently occurs within each time cycle are obtained from the data to be detected over a past span of time. This achieves the purpose of helping the user find the occurrence pattern of events, realizes the technical effect of helping the user find the occurrence patterns of various types of events, and thereby solves the technical problem that the prior art, which performs only simple counting analysis on the user's log data, cannot provide the occurrence pattern of events.
Optionally, after determining that the first time period is a frequent occurrence period of the event, the method further comprises:
Step S20: update the statistical result table, wherein the updated statistical result table contains the event and the first time period corresponding to the event.
Step S22: when a mining analysis request sent by a requesting device is received, return the updated statistical result table to the requesting device.
After the distribution of each type of event over the periods of each time cycle has been counted, the statistical results can be stored in a database, that is, the event and the first time period corresponding to the event are updated into the statistical result table. When a mining analysis request sent by a requesting device is received, the updated statistical result table can be returned to the requesting device.
It should be added that the statistical result table may store only the periods determined to be frequent occurrence periods (that is, only the analysis results the user is interested in), or every period may be updated into the statistical result table with the frequent occurrence periods marked; both fall within the scope of protection of this application.
Below, as shown in Fig. 2, the process by which this application determines the frequent occurrence periods of an event is described by way of example:
Step A: obtain the period sets in which the event occurs.
How the period sets in which the event occurs are obtained has been described in detail in the above embodiment and is not repeated here.
Step B: scan each period set and find the period set L_1 whose support is greater than the preset threshold.
Period sets whose support is less than the preset threshold are ignored directly; period sets whose support is greater than the preset threshold are selected to form the candidate set for the next step, i.e. the period set L_1.
Step C: K = 2.
K is a counting variable whose value is a natural number, with an initial value of 2.
Step D: determine whether L_{K-1} is empty.
L_K denotes a set composed of sets that each have K elements; that is, L_K is a set whose elements are themselves sets (each with K elements).
Step E: combine the elements of L_{K-1} in pairs to generate the set T_K.
T_K denotes a set composed of sets that each have K elements; that is, T_K is a set whose elements are themselves sets (each with K elements).
Optionally, combining the elements of L_{K-1} in pairs means that, for a set with n elements, any two elements of the set are taken and combined, giving n(n-1)/2 combinations in total.
Step F: remove from the set T_K the elements that contain items not in L_{K-1}, generating the set C_K.
C_K denotes a set composed of sets that each have K elements; that is, C_K is a set whose elements are themselves sets (each with K elements).
Step G: select from C_K the period sets whose support is greater than the preset threshold, generating L_K.
If the generated L_K is not empty, the result L_K is returned.
Step H: K++.
After step H is executed, return to step D.
Step I: return the result L_K.
Step J: end.
In the embodiments of the present invention, by analyzing how frequently events occur according to pre-divided time periods, the sets of periods in which each kind of event frequently occurs within each time cycle are obtained from the data to be detected over a past span of time. This achieves the purpose of helping the user find the occurrence pattern of events, realizes the technical effect of helping the user find the occurrence patterns of various types of events, and thereby solves the technical problem that the prior art, which performs only simple counting analysis on the user's log data, cannot provide the occurrence pattern of events.
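The support calculation of step S106 and the level-wise search of steps A to J, as an added Python sketch that is not code from the patent. It assumes a one-day time cycle with one-hour periods (the page's own example), reads step F as the usual subset-pruning step, and builds a period set only for cycles in which the event occurred; all function names and the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample input: (event type, occurrence time) pairs as they might
# look after normalization. Types and timestamps are invented for illustration.
SAMPLE_EVENTS = [
    ("dos", "2015-11-02 09:15:00"), ("dos", "2015-11-02 14:45:00"),
    ("dos", "2015-11-03 09:40:00"), ("dos", "2015-11-03 14:05:00"),
    ("dos", "2015-11-03 22:10:00"),
    ("dos", "2015-11-04 09:05:00"), ("dos", "2015-11-04 09:50:00"),
    ("scan", "2015-11-02 03:30:00"), ("scan", "2015-11-03 03:10:00"),
    ("scan", "2015-11-04 17:20:00"),
]


def period_sets(events, period_minutes=60):
    """Steps S102/S104: group by event type, then build one period set per day.

    Assumption: the time cycle is one calendar day; a day without the event
    contributes no period set.
    """
    per_day = defaultdict(lambda: defaultdict(set))
    for etype, ts in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        idx = (t.hour * 60 + t.minute) // period_minutes  # index of the period
        per_day[etype][t.date()].add(idx)
    return {etype: [frozenset(s) for _, s in sorted(days.items())]
            for etype, days in per_day.items()}


def support(itemset, sets):
    """Step S106: period sets containing `itemset` / total number of period sets."""
    return sum(1 for s in sets if itemset <= s) / len(sets)


def frequent_period_sets(sets, threshold):
    """Steps A-J: return {K: {period combination: support}} for every level K."""
    singles = {frozenset([p]) for s in sets for p in s}
    level = {c: support(c, sets) for c in singles}
    level = {c: v for c, v in level.items() if v > threshold}      # step B: L_1
    result, k = {}, 2                                              # step C
    while level:                                                   # step D
        result[k - 1] = level
        prev = set(level)
        # Step E: pairwise unions of L_{K-1} that have exactly K elements -> T_K
        t_k = {a | b for a, b in combinations(prev, 2) if len(a | b) == k}
        # Step F (interpreted): drop candidates with a (K-1)-subset outside L_{K-1}
        c_k = {c for c in t_k
               if all(frozenset(sub) in prev for sub in combinations(c, k - 1))}
        # Step G: keep candidates whose support exceeds the threshold -> L_K
        level = {c: support(c, sets) for c in c_k}
        level = {c: v for c, v in level.items() if v > threshold}
        k += 1                                                     # step H
    return result                                                  # step I


def label(idx, period_minutes=60):
    """Render a period index as a clock range such as 09:00-10:00."""
    start, end = idx * period_minutes, (idx + 1) * period_minutes
    return "%02d:%02d-%02d:%02d" % (start // 60, start % 60,
                                    (end // 60) % 24, end % 60)


def detect(events, threshold=0.5, period_minutes=60):
    """Run the whole method and return frequent period sets per event type."""
    return {etype: frequent_period_sets(sets, threshold)
            for etype, sets in period_sets(events, period_minutes).items()}


if __name__ == "__main__":
    for etype, levels in detect(SAMPLE_EVENTS).items():
        for k, found in sorted(levels.items()):
            for combo, sup in sorted(found.items(), key=lambda kv: sorted(kv[0])):
                names = ", ".join(label(i) for i in sorted(combo))
                print("%s K=%d {%s} support=%.2f" % (etype, k, names, sup))
```

Under this reading of the denominator, an event type seen in only one cycle scores support 1.0 for every period it touched, so a deployment would normally also require a minimum number of period sets before reporting a period as frequent.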
Embodiment 2
According to an embodiment of the present invention, an event detection device is also provided. As shown in Fig. 3, the event detection device comprises: an acquiring unit 302, a determination unit 304, a computing unit 306 and a detection unit 308.
The acquiring unit 302 is configured to obtain data to be detected, wherein the data to be detected include at least an event and the occurrence time of the event; the determination unit 304 is configured to determine, according to pre-divided time periods and the occurrence time of the event, the first time period to which the event belongs, and to obtain the first time-period set of the event, wherein the first time-period set contains the first time period; the computing unit 306 is configured to calculate the support of the first time period according to the first time-period set, wherein the support indicates how frequently the event occurs in the first time period; and the detection unit 308 is configured to determine, if the support is greater than a preset threshold, that the first time period is a frequent occurrence period of the event.
Optionally, as shown in Fig. 4, the acquiring unit 302 comprises: an extraction module 402, a normalization module 404 and a categorization module 406.
The extraction module 402 is configured to extract the user's log data; the normalization module 404 is configured to normalize the log data to obtain multiple objects, wherein the multiple objects contain a field indicating the event type; and the categorization module 406 is configured to divide the multiple objects, according to the field, into data to be detected of different types.
Optionally, as shown in Fig. 5, the device further comprises: a division unit 502.
The division unit 502 is configured to divide each time cycle into multiple time periods according to the length of the predetermined time cycle and the length of the time period.
Optionally, as shown in Fig. 6, the computing unit 306 comprises: a statistical module 602 and a computing module 604.
The statistical module 602 is configured to count the number of first time-period sets in each time cycle and the total number of period sets in each time cycle; the computing module 604 is configured to calculate the ratio of the number of first time-period sets to the total number of period sets to obtain the support of the first time period.
Optionally, as shown in Fig. 7, the device further comprises: an updating unit 702 and an information exchange unit 704.
The updating unit 702 is configured to update the statistical result table, wherein the updated statistical result table contains the event and the first time period corresponding to the event; the information exchange unit 704 is configured to return the updated statistical result table to the requesting device when a mining analysis request sent by the requesting device is received.
It should be added that the operating environment of the event detection device of this application may be as shown in Table 1:

Table 1

| Item | Specification |
|---|---|
| CPU | > 2 GHz |
| Memory | > 4 GB |
| Operating system | Windows, Linux |
| Hard disk | > 100 GB |
| Database | MySQL (relational DBMS) |

The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division of the units may be a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention. It should be noted that a person of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (6)

1. An event detection method, characterized by comprising:
obtaining data to be detected, wherein the data to be detected includes at least an event and the occurrence time of the event;
determining, according to pre-divided time periods and the occurrence time of the event, a first time period to which the event belongs, and obtaining a first time period set of the event, wherein the first time period set contains the first time period;
calculating the support of the first time period according to the first time period set, wherein the support indicates how frequently the event occurs in the first time period;
if the support is greater than a preset threshold, determining that the first time period is a frequent occurrence time period of the event;
wherein, before determining, according to the pre-divided time periods and the occurrence time, the first time period to which the event belongs, the method further comprises:
dividing each time cycle into multiple time periods according to the length of a predetermined time cycle and the length of the time period;
and wherein calculating the support of the first time period according to the first time period set comprises:
counting the number of first time period sets in each time cycle, and counting the total number of time period sets in each time cycle;
calculating the ratio of the number of first time period sets to the total number of time period sets to obtain the support of the first time period.
2. The method according to claim 1, characterized in that obtaining the data to be detected comprises:
extracting log data of a user;
normalizing the log data to obtain multiple objects, wherein the multiple objects contain a field indicating the event type;
dividing the multiple objects, according to the field, into data to be detected of different types.
3. The method according to claim 1, characterized in that, after determining that the first time period is a frequent occurrence time period of the event, the method further comprises:
updating a statistical result table, wherein the updated statistical result table contains the event and the first time period corresponding to the event;
returning the updated statistical result table to a request unit when a mining analysis request sent by the request unit is received.
4. An event detection device, characterized by comprising:
an acquiring unit, configured to obtain data to be detected, wherein the data to be detected includes at least an event and the occurrence time of the event;
a determination unit, configured to determine, according to pre-divided time periods and the occurrence time of the event, a first time period to which the event belongs, and to obtain a first time period set of the event, wherein the first time period set contains the first time period;
a computing unit, configured to calculate the support of the first time period according to the first time period set, wherein the support indicates how frequently the event occurs in the first time period;
a detection unit, configured to determine that the first time period is a frequent occurrence time period of the event if the support is greater than a preset threshold;
wherein the device further comprises:
a division unit, configured to divide each time cycle into multiple time periods according to the length of a predetermined time cycle and the length of the time period;
and wherein the computing unit comprises:
a statistical module, configured to count the number of first time period sets in each time cycle, and to count the total number of time period sets in each time cycle;
a computing module, configured to calculate the ratio of the number of first time period sets to the total number of time period sets to obtain the support of the first time period.
5. The device according to claim 4, characterized in that the acquiring unit comprises:
an extraction module, configured to extract log data of a user;
a normalization module, configured to normalize the log data to obtain multiple objects, wherein the multiple objects contain a field indicating the event type;
a categorization module, configured to divide the multiple objects, according to the field, into data to be detected of different types.
6. The device according to claim 4, characterized in that the device further comprises:
an updating unit, configured to update a statistical result table, wherein the updated statistical result table contains the event and the first time period corresponding to the event;
an information exchange unit, configured to return the updated statistical result table to a request unit when a mining analysis request sent by the request unit is received.
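The support calculation of claim 1, fed by the log normalization of claim 2, worked through as an added example (it is not code from the patent). It assumes a one-day time cycle split into one-hour periods, reads a "time period set" as the set of periods in which the event occurred during one cycle, and counts only cycles in which the event occurred at all; the function names and log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

CYCLE = 24 * 3600   # assumed time cycle: one day
PERIOD = 3600       # assumed period length: one hour

# Constructed sample log: "<ISO timestamp, UTC> <event type> <user>"
SAMPLE_LOG = """\
2015-11-02T02:10:00 vpn_login alice
2015-11-02T02:50:00 vpn_login alice
2015-11-02T23:00:00 file_copy alice
2015-11-03T02:40:00 vpn_login alice
2015-11-03T23:15:00 file_copy alice
2015-11-04T02:05:00 vpn_login alice
2015-11-04T14:00:00 vpn_login alice
not-a-timestamp vpn_login alice
2015-11-05T09:30:00 vpn_login alice
"""

def normalize(log_text):
    """Parse raw lines and group occurrence times by the event-type field."""
    by_type = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        try:
            ts = datetime.fromisoformat(fields[0]).replace(tzinfo=timezone.utc)
        except (IndexError, ValueError):
            continue  # drop lines that cannot be normalized
        if len(fields) > 1:
            by_type[fields[1]].append(int(ts.timestamp()))
    return by_type

def support(times, cycle=CYCLE, period=PERIOD):
    """Map each period index to (cycles containing it) / (cycles observed)."""
    period_sets = defaultdict(set)          # one period set per time cycle
    for t in times:
        period_sets[t // cycle].add((t % cycle) // period)
    counts = defaultdict(int)
    for periods in period_sets.values():    # repeats within a cycle count once
        for p in periods:
            counts[p] += 1
    return {p: n / len(period_sets) for p, n in counts.items()}

def frequent_periods(times, threshold, cycle=CYCLE, period=PERIOD):
    """Periods whose support is strictly greater than the preset threshold."""
    scores = support(times, cycle, period)
    return sorted(p for p, s in scores.items() if s > threshold)

BY_TYPE = normalize(SAMPLE_LOG)
```

With a threshold of 0.5, the 02:00 hour is the only frequent period for `vpn_login` in the sample; the single logins at 09:30 and 14:00 fall outside it, which is the kind of deviation a baseline like this lets an analyst single out.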
CN201510786321.3A 2015-11-16 2015-11-16 The detection method and device of event Active CN105471846B (en)


Publications (2)

Publication Number    Publication Date
CN105471846A          2016-04-06
CN105471846B          2019-11-22


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 2nd Floor, Building 1, Yard 26, Xizhimenwai South Road, Xicheng District, Beijing, 100032

Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: 100085, Beijing, Haidian District, on the ground floor of the information industry base Road 7

Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.