CN105471846B - Event detection method and device - Google Patents
- Publication number: CN105471846B
- Authority: CN (China)
- Prior art keywords: event, time period, time, period, support
- Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L63/1458—Denial of Service
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/17—Details of further file system functions
- G06F16/1734—Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
- G06F16/18—File system types
- G06F16/1805—Append-only file systems, e.g. using logs or journals to store data
- G06F16/1815—Journaling file systems
- G06F2216/00—Indexing scheme relating to additional aspects of information retrieval not explicitly covered by G06F16/00 and subgroups
- G06F2216/03—Data mining
Abstract
The invention discloses an event detection method and device. The method comprises: obtaining data to be tested, wherein the data to be tested includes at least an event and the occurrence time of the event; determining, according to pre-divided time periods and the occurrence time of the event, the first time period to which the event belongs, and obtaining a first time period set of the event, wherein the first time period set includes the first time period; calculating the support of the first time period according to the first time period set, wherein the support indicates how frequently the event occurs in the first time period; and, if the support is greater than a preset threshold, determining that the first time period is a frequent occurrence time period of the event. The invention solves the technical problem that the prior art cannot provide the occurrence pattern of events because it only performs simple counting analysis on the user's log data.
Description
Technical field
The present invention relates to the Internet field, and in particular to an event detection method and device.
Background art
With the spread of computers and intelligent terminals, networks have developed rapidly, and the network environment has become increasingly complex. The situation that enterprises and organizations face in the field of IT information security is also increasingly severe. The various network devices, security devices, hosts, applications and operation systems in a network generate more and more security events and logs as they run. A large amount of log data conceals rich and useful information, so it is highly desirable to mine and analyze log data and discover the useful knowledge hidden behind it.
At present, traditional log products mostly focus on auditing when processing log data, and their analysis of logs often concentrates on the values of a single attribute in one dimension, so they cannot find the information that log data contains across multiple dimensions and multiple attributes. Log data often implies more useful knowledge in its multi-dimensional, multi-attribute values, and mining that knowledge requires data mining methods, for example to analyze whether a certain event occurs frequently.
In the prior art, the user's log data is usually analyzed by simple counting. Audit-type log products based on simple counting can hardly provide the user with the pattern of event occurrence, which makes it difficult for data mining to make progress.
No effective solution to the above problem has yet been proposed.
Summary of the invention
Embodiments of the invention provide an event detection method and device, to at least solve the technical problem that the prior art cannot provide the occurrence pattern of events because it only performs simple counting analysis on the user's log data.
According to one aspect of the embodiments of the invention, an event detection method is provided, comprising: obtaining data to be tested, wherein the data to be tested includes at least an event and the occurrence time of the event; determining, according to pre-divided time periods and the occurrence time of the event, the first time period to which the event belongs, and obtaining a first time period set of the event, wherein the first time period set includes the first time period; calculating the support of the first time period according to the first time period set, wherein the support indicates how frequently the event occurs in the first time period; and, if the support is greater than a preset threshold, determining that the first time period is a frequent occurrence time period of the event.
Further, obtaining the data to be tested comprises: extracting the user's original log data; normalizing the original log data to obtain multiple objects, wherein the multiple objects include a field indicating the event type; and dividing the multiple objects into different types of the data to be tested according to the field.
Further, before determining, according to the pre-divided time periods and the occurrence time, the first time period to which the event belongs, the method also comprises: dividing each time cycle into multiple time periods according to the length of a predetermined time cycle and the length of the time period.
Further, calculating the support of the first time period according to the first time period set comprises: counting the number of first time period sets in each time cycle, and counting the total number of time period sets in each time cycle; and calculating the ratio of the number of first time period sets to the total number of time period sets to obtain the support of the first time period.
Further, after determining that the first time period is a frequent occurrence time period of the event, the method also comprises: updating a statistical result table, wherein the updated statistical result table includes the event and the first time period corresponding to the event; and, when a mining analysis request sent by a request unit is received, returning the updated statistical result table to the request unit.
According to another aspect of the embodiments of the invention, an event detection device is also provided, comprising: an acquiring unit, for obtaining data to be tested, wherein the data to be tested includes at least an event and the occurrence time of the event; a determination unit, for determining, according to pre-divided time periods and the occurrence time of the event, the first time period to which the event belongs, and obtaining a first time period set of the event, wherein the first time period set includes the first time period; a computing unit, for calculating the support of the first time period according to the first time period set, wherein the support indicates how frequently the event occurs in the first time period; and a detection unit, for determining, if the support is greater than a preset threshold, that the first time period is a frequent occurrence time period of the event.
Further, the acquiring unit comprises: an extraction module, for extracting the user's original log data; a normalization module, for normalizing the original log data to obtain multiple objects, wherein the multiple objects include a field indicating the event type; and a categorization module, for dividing the multiple objects into different types of the data to be tested according to the field.
Further, the device also comprises: a division unit, for dividing each time cycle into multiple time periods according to the length of a predetermined time cycle and the length of the time period.
Further, the computing unit comprises: a statistical module, for counting the number of first time period sets in each time cycle, and counting the total number of time period sets in each time cycle; and a computing module, for calculating the ratio of the number of first time period sets to the total number of time period sets to obtain the support of the first time period.
Further, the device also comprises: an updating unit, for updating a statistical result table, wherein the updated statistical result table includes the event and the first time period corresponding to the event; and an information exchange unit, for returning the updated statistical result table to the request unit when a mining analysis request sent by a request unit is received.
In the embodiments of the invention, data to be tested is obtained, wherein the data to be tested includes at least an event and the occurrence time of the event; the first time period to which the event belongs is determined according to pre-divided time periods and the occurrence time of the event, and a first time period set of the event is obtained, wherein the first time period set includes the first time period; the support of the first time period is calculated according to the first time period set, wherein the support indicates how frequently the event occurs in the first time period; and, if the support is greater than a preset threshold, the first time period is determined to be a frequent occurrence time period of the event. By analyzing how frequently events occur according to pre-divided time periods, the sets of time periods in which the various events frequently occur within each time cycle are obtained from the data to be tested of a past period of time, which helps the user find the occurrence pattern of events. This achieves the technical effect of helping the user find the occurrence patterns of the various types of events, and thereby solves the technical problem that the prior art cannot provide the occurrence pattern of events because it only performs simple counting analysis on the user's log data.
Brief description of the drawings
The drawings described herein are provided for a further understanding of the invention and form part of this application. The illustrative embodiments of the invention and their descriptions are used to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic flow diagram of an optional event detection method according to an embodiment of the invention;
Fig. 2 is a schematic flow diagram of another optional event detection method according to an embodiment of the invention;
Fig. 3 is a structural schematic diagram of an optional event detection device according to an embodiment of the invention;
Fig. 4 is a structural schematic diagram of an optional acquiring unit according to an embodiment of the invention;
Fig. 5 is a structural schematic diagram of another optional event detection device according to an embodiment of the invention;
Fig. 6 is a structural schematic diagram of an optional computing unit according to an embodiment of the invention;
Fig. 7 is a structural schematic diagram of yet another optional event detection device according to an embodiment of the invention.
Detailed description of the embodiments
To enable those skilled in the art to better understand the solution of the invention, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention, without creative effort, shall fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects and are not used to describe a particular order or sequence. It should be understood that data used in this way are interchangeable under appropriate circumstances, so that the embodiments of the invention described herein can be implemented in an order other than those illustrated or described herein. In addition, the terms "include" and "have" and any variations of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units that are expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
Embodiment 1
According to an embodiment of the invention, a method embodiment of an event detection method is provided. It should be noted that the steps illustrated in the flowcharts of the drawings can be executed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one given here.
Fig. 1 shows the event detection method according to an embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
Step S102: obtain data to be tested, wherein the data to be tested includes at least an event and the occurrence time of the event.
Optionally, obtaining the data to be tested may comprise: extracting the user's original log data; normalizing the log data to obtain multiple objects, wherein the multiple objects include a field indicating the event type; and dividing the multiple objects into different types of data to be tested according to the field.
After the log data is normalized, uniform pojo (Plain Ordinary Java Object, a simple Java object) objects are obtained. Each pojo object includes a field indicating the event type, and the pojo objects are classified according to this field into the various types of data to be tested. Specifically, the types of data to be tested may include trojans, network worms, network scans, denial-of-service attacks and the like.
Step S104: according to the pre-divided time periods and the occurrence time of the event, determine the first time period to which the event belongs, and obtain the first time period set of the event, wherein the first time period set includes the first time period.
Optionally, before determining, according to the pre-divided time periods and the occurrence time, the first time period to which the event belongs, the method also comprises:
Step S10: divide each time cycle into multiple time periods according to the length of a predetermined time cycle and the length of the time period.
The purpose is to count in which time periods of each time cycle each class of event occurs. Each time cycle can be divided into multiple time periods according to the length of the time cycle and the length of the time period predetermined by the user. For each class of event, the distribution of that class of event within each time cycle is counted according to the occurrence times of the events, that is, in which time periods of each time cycle the event occurs. After all events have been counted, the set of time periods over which each type of event is distributed in each time cycle (for example, the first time period set described above) is obtained.
For example, suppose it is known that denial-of-service attacks occurred at 9:15 and 14:45 on a certain day. Assume that the length of the predetermined time cycle is one day and the length of the time period is one hour; one day is then divided into 24 time periods, namely 0:00-1:00, 1:00-2:00, ..., 23:00-0:00. Because the occurrence times of the denial-of-service attacks on that day fall in the two time periods 9:00-10:00 and 14:00-15:00 respectively, the first time period set of the denial-of-service event is {9:00-10:00, 14:00-15:00}.
Step S106: calculate the support of the first time period according to the first time period set, wherein the support indicates how frequently the event occurs in the first time period.
Optionally, calculating the support of the first time period according to the first time period set comprises: counting the number of first time period sets in each time cycle, and counting the total number of time period sets in each time cycle; and calculating the ratio of the number of first time period sets to the total number of time period sets to obtain the support of the first time period.
For example, assume there are three time period sets: {A, B, C}, {B, C, D} and {A, D}, where A, B, C and D each denote one time period and each time period set denotes a set made up of time periods; for example, the time period set {A, B, C} denotes the set made up of time periods A, B and C.
From these three time period sets it can be seen that time period A appears in the first and the third time period sets, so it occurs twice; in other words, there are two time period sets that contain time period A. The support of time period A equals the number of time period sets that contain it divided by the total number of time period sets, that is, 2/3. In the same way, the support of time period B and of time period C is also 2/3.
Step S108: if the support is greater than the preset threshold, determine that the first time period is a frequent occurrence time period of the event.
After the support of the first time period has been calculated, if the support is greater than the preset threshold, the first time period is determined to be a frequent occurrence time period of the event. Further, the time period set whose support is greater than the preset threshold and that contains the largest number of time periods may also be returned to the user; this embodiment places no limitation on this.
Based on the user's log data from a past period of time, the event detection method of this embodiment provides the user with the frequent occurrence time periods, within the time cycle, of the various events in the user's system, to help the user find the occurrence patterns of the various types of events. At the same time, the per-day data prediction mode shortens the time the user waits for detection results.
Through the above steps, how frequently events occur can be analyzed according to pre-divided time periods, so that the sets of time periods in which the various events frequently occur within each time cycle are obtained from the data to be tested of a past period of time, which helps the user find the occurrence pattern of events. This achieves the technical effect of helping the user find the occurrence patterns of the various types of events, and thereby solves the technical problem that the prior art cannot provide the occurrence pattern of events because it only performs simple counting analysis on the user's log data.
Optionally, after determining that the first time period is a frequent occurrence time period of the event, the method also comprises:
Step S20: update the statistical result table, wherein the updated statistical result table includes the event and the first time period corresponding to the event.
Step S22: when a mining analysis request sent by a request unit is received, return the updated statistical result table to the request unit.
After the distribution of each class of event over the time periods of each time cycle has been counted, the statistical results can be stored in a database; that is, the event and the first time period corresponding to the event are written to the statistical result table. When a mining analysis request sent by a request unit is received, the updated statistical result table can be returned to the request unit.
It should be added that the statistical result table may store only the time periods determined to be frequent occurrence time periods (that is, only the analysis results the user is interested in), or every time period may be written to the statistical result table with the frequent occurrence time periods marked; both fall within the scope of protection of this application.
Below, as shown in Fig. 2, the process by which this application determines the frequent occurrence time periods of an event is described by way of example:
Step A: obtain the time period sets in which the event occurs.
How the time period sets in which the event occurs are obtained has been described in detail in the above embodiment and is not repeated here.
Step B: scan each time period set and find the time period sets L_1 whose support is greater than the preset threshold.
Time period sets whose support is less than the preset threshold are simply ignored; time period sets whose support is greater than the preset threshold are selected to form the candidate set for the next step, that is, the time period sets L_1.
Step C: K = 2.
K is a counting variable whose value is a natural number and whose initial value is 2.
Step D: determine whether L_{K-1} is empty.
L_K denotes a set made up of sets that each have K elements; that is, L_K is a set whose elements are themselves sets (each with K elements).
Step E: combine the elements of L_{K-1} pairwise to generate the set T_K.
T_K denotes a set made up of sets that each have K elements; that is, T_K is a set whose elements are themselves sets (each with K elements).
Optionally, combining the elements of L_{K-1} pairwise means that, for a set with n elements, any two elements are taken from the set and combined, giving n(n-1)/2 combinations in total.
Step F: remove from the set T_K the elements that include anything not in L_{K-1}, generating the set C_K.
C_K denotes a set made up of sets that each have K elements; that is, C_K is a set whose elements are themselves sets (each with K elements).
Step G: select from C_K the time period sets whose support is greater than the preset threshold, generating L_K.
If the generated L_K is not empty, the result L_K is returned.
Step H: K++.
After step H is executed, return to step D.
Step I: return the result L_K.
Step J: end.
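The procedure of steps S102 to S108 and steps A to J, as an added Python example that is not code from the patent: it normalizes constructed log lines, buckets them into hourly periods per day, computes support, and mines frequent period sets level by level. Step F is read here as the standard Apriori prune, and a day with no occurrence contributes no period set; both are assumptions, as are the log format, the sample records and all function names.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

PERIOD_SECONDS = 3600  # one-hour periods inside a one-day cycle, as in the patent's example

# Constructed sample log (date, time, event type); not data from the patent.
SAMPLE_LOG = """\
2015-11-02 09:15:00 dos
2015-11-02 14:45:00 dos
2015-11-02 03:00:00 scan
2015-11-03 09:05:00 dos
2015-11-03 14:10:00 dos
2015-11-03 22:30:00 dos
2015-11-03 03:30:00 scan
2015-11-04 09:50:00 dos
2015-11-05 09:20:00 dos
2015-11-05 14:59:00 dos
"""


def normalize(log_text):
    """S102: turn raw lines into uniform (event_type, occurrence_time) records."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            day, clock, etype = line.split()
            records.append((etype, datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")))
    return records


def period_index(ts):
    """S104: index of the pre-divided period, within its day, that contains ts."""
    return (ts.hour * 3600 + ts.minute * 60 + ts.second) // PERIOD_SECONDS


def label(idx):
    """Render an hourly period index in the patent's notation, e.g. 9 -> '9:00-10:00'."""
    return f"{idx}:00-{(idx + 1) % 24}:00"


def period_sets(records):
    """One period set per event type per cycle (day), ordered by day."""
    grouped = defaultdict(lambda: defaultdict(set))
    for etype, ts in records:
        grouped[etype][ts.date()].add(period_index(ts))
    return {etype: [frozenset(days[d]) for d in sorted(days)] for etype, days in grouped.items()}


def support(itemset, transactions):
    """S106: period sets containing itemset, divided by the total number of period sets."""
    return sum(1 for t in transactions if itemset <= t) / len(transactions)


def frequent_period_sets(transactions, threshold):
    """Steps B to J: level-wise search; returns {period set: support} for every frequent set."""
    singles = {frozenset([p]) for t in transactions for p in t}
    level = {s for s in singles if support(s, transactions) > threshold}   # step B: L_1
    result, k = {}, 2                                                      # step C
    while level:                                                           # step D
        result.update({s: support(s, transactions) for s in level})
        # Step E: pairwise unions of L_{K-1} that have exactly K elements -> T_K
        joined = {a | b for a, b in combinations(level, 2) if len(a | b) == k}
        # Step F (assumed Apriori prune): every (K-1)-subset must be in L_{K-1} -> C_K
        candidates = {c for c in joined
                      if all(frozenset(sub) in level for sub in combinations(c, k - 1))}
        # Step G: keep candidates whose support exceeds the threshold -> L_K
        level = {c for c in candidates if support(c, transactions) > threshold}
        k += 1                                                             # step H
    return result


if __name__ == "__main__":
    for etype, sets in period_sets(normalize(SAMPLE_LOG)).items():
        found = frequent_period_sets(sets, 0.5)
        for periods in sorted(found, key=lambda s: (len(s), sorted(s))):
            print(etype, [label(p) for p in sorted(periods)], round(found[periods], 2))
```

With the patent's three sets {A, B, C}, {B, C, D}, {A, D} and a threshold of 0.5, the search stops at {B, C}, the only two-period set whose support (2/3) exceeds the threshold.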
In the embodiments of the invention, by analyzing how frequently events occur according to pre-divided time periods, the sets of time periods in which the various events frequently occur within each time cycle are obtained from the data to be tested of a past period of time, which helps the user find the occurrence pattern of events. This achieves the technical effect of helping the user find the occurrence patterns of the various types of events, and thereby solves the technical problem that the prior art cannot provide the occurrence pattern of events because it only performs simple counting analysis on the user's log data.
Embodiment 2
According to an embodiment of the invention, an event detection device is also provided. As shown in Fig. 3, the event detection device comprises: an acquiring unit 302, a determination unit 304, a computing unit 306 and a detection unit 308.
The acquiring unit 302 is for obtaining data to be tested, wherein the data to be tested includes at least an event and the occurrence time of the event; the determination unit 304 is for determining, according to pre-divided time periods and the occurrence time of the event, the first time period to which the event belongs, and obtaining a first time period set of the event, wherein the first time period set includes the first time period; the computing unit 306 is for calculating the support of the first time period according to the first time period set, wherein the support indicates how frequently the event occurs in the first time period; and the detection unit 308 is for determining, if the support is greater than a preset threshold, that the first time period is a frequent occurrence time period of the event.
Optionally, as shown in Fig. 4, the acquiring unit 302 comprises: an extraction module 402, a normalization module 404 and a categorization module 406.
The extraction module 402 is for extracting the user's original log data; the normalization module 404 is for normalizing the log data to obtain multiple objects, wherein the multiple objects include a field indicating the event type; and the categorization module 406 is for dividing the multiple objects into different types of the data to be tested according to the field.
Optionally, as shown in Fig. 5, the device also comprises: a division unit 502.
The division unit 502 is for dividing each time cycle into multiple time periods according to the length of the predetermined time cycle and the length of the time period.
Optionally, as shown in Fig. 6, the computing unit 306 comprises: a statistical module 602 and a computing module 604.
The statistical module 602 is for counting the number of first time period sets in each time cycle, and counting the total number of time period sets in each time cycle; the computing module 604 is for calculating the ratio of the number of first time period sets to the total number of time period sets to obtain the support of the first time period.
Optionally, as shown in Fig. 7, the device also comprises: an updating unit 702 and an information exchange unit 704.
The updating unit 702 is for updating the statistical result table, wherein the updated statistical result table includes the event and the first time period corresponding to the event; the information exchange unit 704 is for returning the updated statistical result table to the request unit when a mining analysis request sent by a request unit is received.
It should be added that the operating environment of the event detection device of this application can be as shown in Table 1:
Table 1
Item | Specification |
CPU | > 2 GHz |
Memory | > 4 GB |
Operating system | Windows, Linux |
Hard disk | > 100 GB |
Database | MySQL (relational DBMS) |
The serial number of the above embodiments of the invention is only for description, does not represent the advantages or disadvantages of the embodiments.
In the above embodiment of the invention, it all emphasizes particularly on different fields to the description of each embodiment, does not have in some embodiment
The part of detailed description, reference can be made to the related descriptions of other embodiments.
In several embodiments provided herein, it should be understood that disclosed technology contents can pass through others
Mode is realized.Wherein, the apparatus embodiments described above are merely exemplary, such as the division of the unit, Ke Yiwei
A kind of logical function partition, there may be another division manner in actual implementation, for example, multiple units or components can combine or
Person is desirably integrated into another system, or some features can be ignored or not executed.Another point, shown or discussed is mutual
Between coupling, direct-coupling or communication connection can be through some interfaces, the INDIRECT COUPLING or communication link of unit or module
It connects, can be electrical or other forms.
The unit as illustrated by the separation member may or may not be physically separated, aobvious as unit
The component shown may or may not be physical unit, it can and it is in one place, or may be distributed over multiple
On unit.It can some or all of the units may be selected to achieve the purpose of the solution of this embodiment according to the actual needs.
It, can also be in addition, the functional units in various embodiments of the present invention may be integrated into one processing unit
It is that each unit physically exists alone, can also be integrated in one unit with two or more units.Above-mentioned integrated list
Member both can take the form of hardware realization, can also realize in the form of software functional units.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method of each embodiment of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk or an optical disk.
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.
Claims (6)
1. A method for detecting an event, characterized by comprising:
obtaining data to be detected, wherein the data to be detected includes at least an event and the occurrence time of the event;
determining, according to pre-divided time periods and the occurrence time of the event, the first time period to which the event belongs, and obtaining a first time period set of the event, wherein the first time period set includes the first time period;
calculating the support of the first time period according to the first time period set, wherein the support indicates how frequently the event occurs in the first time period;
if the support is greater than a preset threshold, determining that the first time period is a frequent occurrence time period of the event;
wherein, before determining, according to the pre-divided time periods and the occurrence time, the first time period to which the event belongs, the method further comprises:
dividing each time cycle into multiple time periods according to the length of a predetermined time cycle and the length of the time period;
and wherein calculating the support of the first time period according to the first time period set comprises:
counting the number of first time period sets in each time cycle, and counting the total number of time period sets in each time cycle;
calculating the ratio of the number of first time period sets to the total number of time period sets to obtain the support of the first time period.
2. The method according to claim 1, characterized in that obtaining the data to be detected comprises:
extracting the log data of a user;
normalizing the log data to obtain multiple objects, wherein the multiple objects include a field for indicating the event type;
dividing the multiple objects into different types of the data to be detected according to the field.
3. The method according to claim 1, characterized in that, after determining that the first time period is a frequent occurrence time period of the event, the method further comprises:
updating a statistical result table, wherein the updated statistical result table includes the event and the first time period corresponding to the event;
returning the updated statistical result table to a request unit upon receiving a mining analysis request sent by the request unit.
4. A device for detecting an event, characterized by comprising:
an acquiring unit, configured to obtain data to be detected, wherein the data to be detected includes at least an event and the occurrence time of the event;
a determination unit, configured to determine, according to pre-divided time periods and the occurrence time of the event, the first time period to which the event belongs, and to obtain a first time period set of the event, wherein the first time period set includes the first time period;
a computing unit, configured to calculate the support of the first time period according to the first time period set, wherein the support indicates how frequently the event occurs in the first time period;
a detection unit, configured to determine that the first time period is a frequent occurrence time period of the event if the support is greater than a preset threshold;
wherein the device further comprises:
a division unit, configured to divide each time cycle into multiple time periods according to the length of a predetermined time cycle and the length of the time period;
and wherein the computing unit comprises:
a statistical module, configured to count the number of first time period sets in each time cycle, and to count the total number of time period sets in each time cycle;
a computing module, configured to calculate the ratio of the number of first time period sets to the total number of time period sets to obtain the support of the first time period.
5. The device according to claim 4, characterized in that the acquiring unit comprises:
an extraction module, configured to extract the log data of a user;
a normalization module, configured to normalize the log data to obtain multiple objects, wherein the multiple objects include a field for indicating the event type;
a categorization module, configured to divide the multiple objects into different types of the data to be detected according to the field.
6. The device according to claim 4, characterized in that the device further comprises:
an updating unit, configured to update a statistical result table, wherein the updated statistical result table includes the event and the first time period corresponding to the event;
an information exchange unit, configured to return the updated statistical result table to a request unit upon receiving a mining analysis request sent by the request unit.
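The support calculation of claims 1 and 2, as an added example that is not part of the patent text: log lines are normalized into (event type, time) objects, each day is split into hourly periods, and a period is reported as frequent when its support exceeds the threshold. The log format, the one-day cycle, the one-hour period, the function names and the reading of the denominator as "one period set per cycle in which the event occurred" are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

CYCLE_SECONDS = 24 * 3600  # assumed time cycle: one day
PERIOD_SECONDS = 3600      # assumed time period: one hour

# Constructed sample log (not from the patent): "date time event_type details"
LOG = """\
2015-11-02 09:05:11 login_ok user=alice
2015-11-02 14:40:02 login_ok user=alice
2015-11-03 09:12:45 login_ok user=alice
2015-11-04 09:01:30 login_ok user=alice
2015-11-03 02:10:00 vpn_connect user=alice
2015-11-04 22:15:00 vpn_connect user=alice
2015-11-05 22:40:00 vpn_connect user=alice
"""

def normalize(log_text):
    """Yield (event_type, datetime) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
            yield parts[2], ts
        except (ValueError, IndexError):
            continue  # skip lines that do not match the assumed format

def period_of(ts):
    """Return (time cycle index, time period index within that cycle)."""
    seconds = int((ts - datetime(1970, 1, 1)).total_seconds())
    return seconds // CYCLE_SECONDS, seconds % CYCLE_SECONDS // PERIOD_SECONDS

def frequent_periods(records, threshold):
    """Return {event: {period: support}} for periods with support > threshold."""
    per_cycle = defaultdict(lambda: defaultdict(set))  # event -> cycle -> periods
    for event, ts in records:
        cycle, period = period_of(ts)
        per_cycle[event][cycle].add(period)
    result = {}
    for event, cycles in per_cycle.items():
        total = len(cycles)  # assumed denominator: one period set per cycle
        counts = Counter(p for periods in cycles.values() for p in periods)
        frequent = {p: n / total for p, n in counts.items() if n / total > threshold}
        if frequent:
            result[event] = frequent
    return result

if __name__ == "__main__":
    print(frequent_periods(normalize(LOG), 0.5))
```

With this denominator an event seen in only one cycle gets support 1.0 for every period it touched, so a deployment would want enough cycles of history before trusting the result.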
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510786321.3A CN105471846B (en) | 2015-11-16 | 2015-11-16 | The detection method and device of event |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105471846A CN105471846A (en) | 2016-04-06 |
CN105471846B true CN105471846B (en) | 2019-11-22 |
Family
ID=55609117
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510786321.3A Active CN105471846B (en) | 2015-11-16 | 2015-11-16 | The detection method and device of event |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105471846B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111126785B (en) * | 2019-11-29 | 2022-08-02 | 广东电网有限责任公司 | Electricity stealing behavior identification method and device |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100373865C (en) * | 2004-11-01 | 2008-03-05 | 中兴通讯股份有限公司 | Intimidation estimating method for computer attack |
CN101399658B (en) * | 2007-09-24 | 2011-05-11 | 北京启明星辰信息技术股份有限公司 | Safe log analyzing method and system |
CN101510152B (en) * | 2009-04-01 | 2011-07-20 | 南京邮电大学 | Context perception middleware method orienting sign status identification in general environment |
CN101520689B (en) * | 2009-04-17 | 2012-10-03 | 成都市华为赛门铁克科技有限公司 | Computer memory device control method, computer memory device controller and memory device |
CN102075356B (en) * | 2010-12-31 | 2013-11-06 | 深圳市永达电子股份有限公司 | Network risk assessment method and system |
CN103514506B (en) * | 2012-06-29 | 2017-03-29 | 国际商业机器公司 | For the method and system of automatic event analysis |
CN104156551B (en) * | 2013-05-14 | 2017-12-15 | 腾讯科技(深圳)有限公司 | Method and apparatus based on time interval dynamic adjustment target data hit |
Also Published As
Publication number | Publication date |
---|---|
CN105471846A (en) | 2016-04-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | Address after: 2nd Floor, Building 1, Yard 26, Xizhimenwai South Road, Xicheng District, Beijing, 100032; Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.; Address before: 100085, Beijing, Haidian District, on the ground floor of the information industry base Road 7; Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc. |