CN106156026A - A kind of method based on the data online anomaly of stream fictitious assets - Google Patents
A kind of method based on the data online anomaly of stream fictitious assets Download PDFInfo
- Publication number
- CN106156026A CN106156026A CN201510130123.1A CN201510130123A CN106156026A CN 106156026 A CN106156026 A CN 106156026A CN 201510130123 A CN201510130123 A CN 201510130123A CN 106156026 A CN106156026 A CN 106156026A
- Authority
- CN
- China
- Prior art keywords
- data
- user
- pattern
- stream
- record
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Debugging And Monitoring (AREA)
Abstract
The present invention discloses a kind of method based on the data online anomaly of stream fictitious assets, mainly includes data process, off-line analysis, on-line analysis.User operation user behaviors log data stream flows into data window and carries out pretreatment extraction outline data, data in data base are periodically by pattern generation algorithm digging user normal behaviour pattern and Deviant Behavior pattern, data in sliding window are analyzed by system in real time, extract current behavioral pattern and the normal behaviour pattern in library and Deviant Behavior pattern match.The technology of data stream is applied to the anomaly of fictitious assets by the present invention, devises the online anomaly technological frame of fictitious assets based on data stream so that system more rapid being effectively realized can detect exception in real time, thus preferably prevents the loss of user.
Description
Technical field
The invention belongs to Internet technical field, be specifically related to one and the most extremely send out based on data stream fictitious assets
Existing method.
Background technology
The fast development of the Internet has expedited the emergence of the prosperity of ecommerce, and wherein the growth of fictitious assets transaction is particularly
Rapidly, fictitious assets refer to that there is present in network world competitiveness, persistency and can exchange or
The article of person's dealing, including Web bank, network account, network game equipment weapon, ideal money etc..
At present, China has carried out net domain space fictitious assets based on eID management and has saved technical research from damage,
To realize the unified and standard management to fictitious assets.Fictitious assets safety system is comprehensive and accurate be have recorded void
Intend the various operations of assets, but how in the middle of these record data, to excavate abnormal trading activity still face
Face lot of challenges.Huge for network virtual transaction in assets information scale, that growth rate is the fastest feature,
Automatically find and predicted anomaly behavior from the fictitious assets Transaction Information of magnanimity, thus to having occurred and that
And contingent criminal behavior effectively detects and seems the most urgent.
The main purpose of anomaly is to train and set up an abnormality detection mould according to known abnormal data
Type.Anomaly method mainly includes based on statistics, based on theory of information, based on spectrum, based on machine learning
Anomaly technology, wherein anomaly technology based on machine learning mainly include based on cluster, base
In classification, anomaly technology based on sequence pattern.Based on cluster anomaly technology be only used for from
Line analysis, after all data are clustered, those individual amounts are considered less than the group of a certain threshold value
Being abnormal, the advantage of clustering algorithm is that it need not historical data with label.Anomaly is inherently
Say and can be regarded as a classification problem, it is simply that data are classified, is divided into normal or abnormal.Anomaly
Technology mainly uses the historical data of tape label to be trained, and obtains grader, then uses this to classify
New data are classified by device.The behaviour of the most logical multi-user of anomaly technology based on sequence pattern
Some normal behaviour patterns and the Deviant Behavior pattern of user, number new to user afterwards is gone out as timing driving
According to extracting behavioral pattern, mate with the normal behaviour pattern in data base and Deviant Behavior pattern, see and work as
Whether front operation belongs to abnormal.
Entirely gather around et al. [1] and propose the abnormality detection side of a kind of e-commerce transaction daily record based on co-occurrence matrix
Method, this algorithm utilizes co-occurrence matrix to model the trading activity of user, sets up co-occurrence matrix by PCA method
Space, thus obtain user's arm's length dealing pattern.At detection-phase, the co-occurrence matrix producing pending data enters
Go and revised and obtained the trade mode of user, calculated customer transaction pattern by matrix 2-Norms and it is normal
With this, distance between pattern also judges that the trading activity of user is the most abnormal.
Ji Ping Shuai et al. [2] proposes the user behavior method for detecting abnormality of another ecommerce, first according to
The feature of family user behaviors log data is divided into static attribute collection and sequence of operation collection, then utilizes based on axle
The data set of both types is carried out by the Apriori algorithm of attribute and GSP Sequential Pattern Mining Algorithm respectively
Mode excavation, sets up the normal behaviour pattern of user on this basis, finally uses mould based on sequencing
Behavioral pattern current for user is mated by formula comparative approach with its history normal behaviour pattern, sentences with this
The trading activity of this user disconnected is the most abnormal.
Zhao Xueliang [3] proposes a kind of data based on sliding window model and wanders about as a refugee group point detecting method, the method
Use simple sliding window that the new legacy data of data stream is alternated effectively to manage, and algorithm employing
Data structure significantly reduces amount of calculation when neighbour collects statistics so that algorithm performance is more excellent.
But, the method for detecting abnormality in above-mentioned first two [1,2] fictitious assets is all that off-line is analyzed, off-line
Analysis is to be analyzed for historical data, if it find that abnormal data, then again abnormal data is chased after
Trace back, find abnormal source, therefore, ageing the lowest.
The outlier that the third [3] anomaly method above-mentioned is found refers to the abnormity point in current sliding window mouth,
Rather than the abnormity point of the overall situation, and do not provide the framework of Outlier detection technology based on data stream.
[1] entirely gather around, Japanese plum, Jia Yan, etc. e-commerce transaction daily record abnormality detection based on co-occurrence matrix
[J]. China Electronics's market conditions: Communications Market, 2013 (4): 39-45.
[2] Ji Ping Shuai, Li Hu, Han Weihong, etc. user's unusual checking research [J] of Electronic Commerce.
Information network security, 2014 (9): 80-85.
[3] Zhao Xueliang. data stream outlier detection research [D] based on sliding window model. University Of Chongqing,
2012。
Summary of the invention
For problem above, the present invention provides a kind of method based on the data online anomaly of stream fictitious assets,
Can detect abnormal in real time, it is adaptable to the Deviant Behavior in the operation of detection fictitious assets in real time.
Technical scheme is as follows:
A kind of method based on the data online anomaly of stream fictitious assets, comprises the following steps:
(1) data process: user operation user behaviors log data stream flows in data window, by data window
In Kou, outline data is extracted in the pretreatment of data, and the most processed data stream flows directly out data window,
It is stored in permanent memory;
(2) off-line analysis: the data in data base periodically calculate once, excavate use with pattern generation algorithm
The normal behaviour pattern at family and Deviant Behavior pattern;
(3) on-line analysis: the data in sliding window are analyzed by system in real time, extracts current row
For pattern, mate with the normal behaviour pattern in library and Deviant Behavior pattern, see and whether belong to different
Often, if being judged to exception, carry out alert process.
Wherein, described step (2) comprises the following steps:
1, the storage of data: be defaulted as normal row when the data stream that data window flows out flows to permanent memory
For label, detect that certain user operation, for time abnormal, adjusts corresponding number in data base when analyzing module in real time
According to label.Meanwhile, adjust the label of corresponding data in data base and also include the adjustment of manual feedback, as
By manual confirmation as being false alarm after system judges certain user behavior exception and sends alarm, need letter
Breath feeds back to the label going to adjust corresponding data in data base.Reply fictitious assets user operation behavior magnanimity number
According to the general database purchase using nosql of storage, such as Cassandra.
2, the generation of pattern: to the data in off-line analysis module database, system at regular intervals schema creation
Algorithm periodically calculates once, obtains normal behaviour library and the Deviant Behavior library of each user.Pattern
Generating algorithm uses many algorithms, such as correlation rule, sequence pattern, spectral theory, excavates based on Time-space serial
Deng;
3, the renewal of pattern: when data in data base carry out calculating generation patterns, only use user last
Secondary publish before all operations behavioral data be analyzed.
Wherein, described step (3) comprises the following steps:
1) outline data is extracted: the data only signed in user between publishing process, and only record login
Operation time, save memory headroom and ensure not lose important information, and data be conducive to after
Continuous calculating;
2) active user's behavioral pattern is extracted: when user has new operation behavior data to enter each time, the most right
Outline data corresponding to this user carries out active user's behavioral pattern extraction;
3) behavioral pattern coupling: the behavioral pattern extracted and the normal behaviour mould of generation in off-line analysis module
Formula storehouse and Deviant Behavior pattern are mated.
Further, described step 1) in further comprising the steps of:
Step 1: first create a new HashMap, named dataProfile, for deposit data summary;
Step 2: read a record of relief area, verifies in this record, whether ID field is empty, if
For sky, leap to step 5;Otherwise, next step is entered;
Step 3: whether there is, in checking current data summary dataProfile, the note that key is active user ID
Record, if not existing, then in dataProfile, one key of interpolation is the record of active user ID, this feelings
Condition action type is register certainly, needs to record login time;Otherwise, next step is entered;
Step 4: check that what type is current operation type be, if publishing operation, then by key in dataProfile
Record for active user ID is deleted;If other operations, then in dataProfile, key is active user
The sequence of operation in the value of the record of ID adds current operation type and corresponding commodity ID;
Step 5: read next record of relief area, enters circulation.
Further, described step 3) in further comprising the steps of:
Step a: with Deviant Behavior pattern match in Deviant Behavior library;
Step b: if the match is successful, then be judged as known exception;
Step c: if the match is successful, the most again with normal behaviour pattern match, if the match is successful, is then sentenced
Break as normally, if the match is successful, be then judged as the exception of the unknown;
Step d: after confirming as extremely, carry out following four operation: 1. Real-time Feedback is to front end, send different
Often report to the police, 2. in outline data, the record of this user is deleted, 3. this user is joined an abnormal use
In the queue of family, no longer it is carried out abnormality detection, until this user sends publishes behavior, by it from different
Often Subscriber Queue is deleted, 4. feed back to data base abnormal, adjust respective labels.
The invention has the beneficial effects as follows: use the data flowed out from data window to be defaulted as when flowing to permanent memory
Normal behaviour label, when analysis module detects certain user operation for exception in real time, then goes to adjust data
The label of corresponding data in storehouse, can make the data in data window need not wait for detecting operation and complete and sentence
Disconnected good it belong to which label and just can flow directly out, memory headroom can be saved, prevent data to be blocked in number
According in window.
Owing to user can be judged out for abnormal operation before publishing operation, and analyze module detection in real time
Now can immediately feed back to off-line analysis module after exception and remove to adjust the label of corresponding data in data base, because of
This, it can be ensured that all data before user publishes for the last time are all updated label.
Compared with prior art, the technology of data stream is applied in the anomaly of fictitious assets by the present invention, if
Count the online anomaly technological frame of fictitious assets based on data stream so that system energy is more rapid effectively
Realize detecting exception in real time, thus preferably prevent the loss of user.
Accompanying drawing explanation
Fig. 1 be the present invention based on data stream fictitious assets online anomaly frame diagram.
Fig. 2 is the extraction outline data generating algorithm flow chart of the present invention.
Fig. 3 is that environment map disposed by the hardware of the present invention.
Detailed description of the invention
For the ease of understanding the present invention, below in conjunction with Figure of description and embodiment, the present invention is made furtherly
Bright.
The present invention provides a kind of method based on the data online anomaly of stream fictitious assets, its frame diagram such as figure
Shown in 1, it is included in line analysis module and off-line analysis module.First, user operation user behaviors log data stream
Flow in data window, by outline data is extracted in the pretreatment of data in data window, the most treated
The data stream crossed flows directly out data window, is stored in permanent memory.In off-line analysis module, data
Data in storehouse will periodically be calculated once, with pattern generation algorithm excavate user normal behaviour pattern and
Deviant Behavior pattern.In on-line analysis module, the data in sliding window can be carried out point by system in real time
Analysis, extracts current behavioral pattern, the most again with the normal behaviour pattern in library and Deviant Behavior pattern
Mate, see and whether belong to abnormal.If being judged to exception, then carry out alert process.
On-line analysis module: on-line analysis module mainly has three work, i.e. extracts outline data, extracts and work as
Front user behavior pattern, behavioral pattern mate.Table 1 is the user operation user behaviors log stream of certain time period
Simple examples, this data stream packets includes 12 records, time span mostly be 50 seconds, have three users to participate in.This
Example only shows user, IP address, time, operation behavior type, five fields of dependent merchandise ID, existing
Can be complicated many in real data.The purpose extracting outline data is empty in order to save the internal memory of preciousness as much as possible
Between and ensure again not lose important information, and accomplish data structure used need beneficially after meter
Calculate.So, the present invention extracts outline data pattern and mainly adheres to following two requirements:
A. the data only signed in user between publishing process;
The most only record the time of register.
The simple examples of table 1 user operation user behaviors log stream
Table 2 is the user operation behavioral data summary simple examples produced according to data instance in table 1, data
Summary mainly includes ID, IP address, login time, four fields of the sequence of operation.Outline data with
Each user is stored in the middle of List for unit, and this field of the sequence of operation therein is also a List, works as user
After having new operation behavior data to enter data window, extract its action type and dependent merchandise ID adds
In this List of the sequence of operation.
Table 2 user operation behavioral data summary simple examples
Extract outline data specific algorithm as in figure 2 it is shown, mainly comprise the following steps:
Step 1: first create a new HashMap, named dataProfile, general for deposit data
Want.
Step 2: read a record of relief area, verifies in this record, whether ID field is empty, if
For sky, leap to step 5;Otherwise, next step is entered.
Step 3: whether there is, in checking current data summary dataProfile, the note that key is active user ID
Record, if not existing, in dataProfile, one key of interpolation is the record of active user ID the most again, this feelings
Condition action type is register certainly, needs to record login time;Otherwise, next step is entered.
Step 4: check that what type is current operation type be, if publishing operation, then by dataProfile
Key is that the record of active user ID is deleted;If other operations, then in dataProfile, key is current using
The sequence of operation in the value of the record of family ID adds current operation type and corresponding commodity ID.
Step 5: read next record of relief area, enters circulation.
When user has new operation behavior data to enter each time, all the outline data that this user is corresponding is carried out
Current behavior schema extraction, the behavioral pattern extracted and the normal behaviour pattern of generation in off-line analysis module
Storehouse and Deviant Behavior pattern are mated.Matching process is particularly as follows: the first abnormal row with Deviant Behavior library
For pattern match, if the match is successful, then it is judged as known exception;If the match is successful, the most again with
Normal behaviour pattern match, if the match is successful, is then judged as normal, if the match is successful, then by it
It is judged as the exception of the unknown.After confirming as extremely, need to do four operations: 1. Real-time Feedback is to front end, send out
Go out abnormal alarm;2. in outline data, the record of this user is deleted;3. this user join one different
Often in Subscriber Queue, no longer it is carried out abnormality detection, until this user sends publishes behavior, by it
Delete from abnormal user queue;4. feed back to data base abnormal, adjust respective labels.
Table 3 is the simple behavior mould extracted user user1 therein according to the outline data in table 2
Formula example, it represents that user user1 was at about 19: 1 IP address 220.79.15.21 logs in
Within clock, the price of dependent merchandise is that 0-100 unit is interval, and the sequence of operation is for logging in---browse and purchased with addition
The commodity that commodity similarity is 0.84 of thing car---having browsed the commodity adding shopping cart---add shopping cart.
The simple behavioral pattern example that table 3 user user1 extracts
Table 4 is the example of the part normal behaviour pattern of user user1 in behavioral pattern storehouse, including two IP
Address and the correlation rule of time;Paying close attention to the percentage ratio that commodity price is interval, in example, user user1 pays close attention to
Commodity 80% be 0-100 unit, 19% be 100-200 unit, 1% be 200-500 unit;Article three, operation
The frequent mode of sequence.
The example of table 4 user's user1 part normal behaviour pattern
In the pattern match stage, the step of employing is: first by the static state in user's current operation behavioral pattern
Attribute (IP address and time, commodity price) compares with all correlation rules in normal behaviour library
Relatively, if all the match is successful, then this time behavior is judged as normally;The most otherwise, by current user operation row
Compare with all operations sequence in normal behaviour library for the sequence of operation in pattern, work as similarity
It is judged as this behavior when exceeding set threshold value normally, being otherwise judged as exception.In the example given,
Finding during the coupling of static attribute that " IP address and time " unmatches, normal behaviour pattern in IP address is
220.79.15.21 login time is typically at about 11, and occurs in specifically at about 19, enters operation
The coupling of sequence;The similarity calculating the sequence of operation has a lot of method to use at present, and this point is not this
In place of bright primary study, this example use Deep-Simi algorithm be calculated the operation in current behavior pattern
Sequence is 0.7 with the Article 1 sequence of operation similarity in the example given normal behaviour pattern, and threshold value is general
It is located between 0.4-0.6, so this behavior is judged as normally.
Off-line analysis module: mainly include the storage of data and the generation of pattern.Reply fictitious assets user
The general database purchase using nosql of storage of operation behavior mass data, such as Cassandra.It is worth
It is noted that be defaulted as normal behaviour label when the data that data window flows out flow to permanent memory, when
Analyze module in real time and detect when certain user operation is abnormal, then remove to adjust the mark of corresponding data in data base
Sign.One benefit of do so be exactly the data in data window need not wait for detect operation complete and judge
Good it belong to which label and just can flow directly out, save the most very much memory headroom, not so will have several
According to being all blocked in data window.Meanwhile, the label adjusted in data base also should include manual feedback
Adjust, such as judge certain user behavior exception when system and after the alarm that sends by manual confirmation for being that mistake is warned
Report, then we need this information to feed back in data base, removes to adjust the label of corresponding data.
To the data in off-line analysis module database, system can periodically periodically calculate with pattern generation algorithm
Once, normal behaviour library and the Deviant Behavior library of each user are obtained.Pattern generation algorithm is permissible
Use many algorithms, such as correlation rule, sequence pattern, spectral theory, based on Time-space serial excavation etc..
When in data base, data carry out calculating generation patterns, before we only use user to publish for the last time
All operations behavioral data is analyzed all right.Because the up-to-date data of some in data base are not have
Adjusting label, label is all to be defaulted as normally, and before we can ensure that user publishes for the last time
All data be all updated label, if this is because user is can publish certainly for abnormal operation
Will be judged out before operation, analyze in real time can immediately feed back to after module detection notes abnormalities from
Line analysis module removes to adjust the label of corresponding data in data base.
Environment map disposed by the hardware of the present invention as it is shown on figure 3, hardware extensibility of the present invention is strong, works as increase in demand
Time, only need to increase clustered node.
Embodiment 1
A kind of method based on the data online anomaly of stream fictitious assets, its virtual property management system hard
Part specifying information is as follows:
Fictitious assets Data Stream Processing cluster: 2 nodes, node be configured to 4 core CPU, 32G internal memories,
Centos6.564 position system;
Behavioral pattern computing cluster: 5 nodes, node is configured to 4 core CPU, 16G internal memories, Centos6.5
64 systems;
Fictitious assets Operation Log data base: 1 node, node is configured to 2 core CPU, 8G internal memories, 2TB
Hard disk, Centos6.564 bit manipulation system;
Behavioral pattern storehouse: 1 node, node is configured to 2 core CPU, 8G internal memories, 2TB hard disk, Centos6.5
64 bit manipulation systems.
Hardware configuration environment described above copes with the concurrent operations of 1W class subscribers.Fictitious assets data stream
Process the data extraction outline data that cluster the most constantly flows into, outline data is stored in internal memory, place
The data managed flow directly out sliding window and are stored in fictitious assets Operation Log data base.Behavioral pattern calculates
Cluster the most constantly goes to access the data in fictitious assets Operation Log data base, calculates user behavior pattern,
Regeneration behavior library is gone after obtaining new behavioral pattern.Meanwhile, fictitious assets Data Stream Processing cluster
According to the current behavior pattern of the information retrieval user in outline data, then go being somebody's turn to do in access behavior library
The normal behaviour pattern of user and Deviant Behavior pattern, mate respectively, and whether checking current operation belongs to
Abnormal.If being judged as exception, need exception tag feedback to fictitious assets Operation Log data base.
Compared with prior art, the technology of data stream is applied in the anomaly of fictitious assets by the present invention, if
Count the online anomaly technological frame of fictitious assets based on data stream so that system energy is more rapid effectively
Realize detecting exception in real time, thus preferably prevent the loss of user.
It is above the present invention has been carried out exemplary description, it is clear that the realization of the present invention is not by aforesaid way
Restriction, as long as have employed the various improvement that technical solution of the present invention is carried out or the most improved by the present invention's
Design and technical scheme directly apply to other occasion, the most within the scope of the present invention.
Claims (8)
1. a method based on the data online anomaly of stream fictitious assets, it is characterised in that include following
Step:
Step one: data process: user operation user behaviors log data stream flows in data window, to data window
In Kou, data carry out pretreatment and extract outline data, and processed data stream flows directly out data window,
It is stored in permanent memory;
Step 2: off-line analysis: the data in data base periodically calculate, uses pattern generation algorithm digging user
Normal behaviour pattern and Deviant Behavior pattern;
Step 3: on-line analysis: the data in sliding window are analyzed by system in real time, extracts current
Behavioral pattern, mates with the normal behaviour pattern in library and Deviant Behavior pattern, it may be judged whether belong to
In exception, if being judged to exception, carry out alert process.
A kind of method based on the data online anomaly of stream fictitious assets the most according to claim 1,
It is characterized in that, described step 2 comprises the following steps:
Step A: the storage of data: be defaulted as when the data stream that data window flows out flows into permanent memory
Normal behaviour label, when analysis module detects that user operation is abnormal in real time, adjusts in data base corresponding
The label of data;
Step B: the generation of pattern: to the data in off-line analysis module database, system schema creation
Algorithm periodically calculates, and obtains normal behaviour library and the Deviant Behavior library of each user;
Step C: the renewal of pattern: when data in data base carry out calculating generation patterns, only use user
All operations behavioral data before publishing for the last time is analyzed.
A kind of method based on the data online anomaly of stream fictitious assets the most according to claim 1,
It is characterized in that, described step 3 comprises the following steps:
Step a: extract outline data: the data only signed in user between publishing process, a record
The time of register;
Step b: extract active user's behavioral pattern: when user has new operation behavior data to enter every time,
All the outline data that this user is corresponding is carried out active user's behavioral pattern extraction;
Step c: behavioral pattern mates: the behavioral pattern extracted and the normal row of generation in off-line analysis module
Mate for library and Deviant Behavior pattern.
A kind of method based on the data online anomaly of stream fictitious assets the most according to claim 2,
It is characterized in that, described step A adjusts the label of corresponding data in data base and also includes manual feedback
Adjustment.
A kind of method based on the data online anomaly of stream fictitious assets the most according to claim 2,
It is characterized in that, the described pattern generation algorithm in step B includes that correlation rule, sequence pattern, spectrum are managed
Discuss, excavate based on Time-space serial.
A kind of method based on the data online anomaly of stream fictitious assets the most according to claim 3,
It is characterized in that, further comprising the steps of in described step a:
Step 1: create new HashMap, named dataProfile, to store outline data;
Step 2: read the record of relief area, verifies in this record, whether ID field is empty, if it is empty,
It is directly entered step 5;Otherwise, next step is entered;
Step 3: whether there is, in checking current data summary dataProfile, the note that key is active user ID
Record, if not existing, then adds the record that key is active user ID, when record logs in dataProfile
Between;Otherwise, next step is entered;
Step 4: check that what type is current operation type be, if publishing operation, then by key in dataProfile
Record for active user ID is deleted;If other operations, then in dataProfile, key is active user
The sequence of operation in the value of the record of ID adds current operation type and corresponding commodity ID;
Step 5: read next record of relief area, enters circulation.
A kind of method based on the data online anomaly of stream fictitious assets the most according to claim 3,
It is characterized in that, further comprising the steps of in described step c:
Step (1): with Deviant Behavior pattern match in Deviant Behavior library;
Step (2): the match is successful, is judged as known exception;
Step (3): the match is successful, then with normal behaviour pattern match, if the match is successful, then sentenced
Break as normally, if the match is successful, be then judged as the exception of the unknown;
Step (4): confirm as exception.
A kind of method based on the data online anomaly of stream fictitious assets the most according to claim 7,
It is characterized in that, further comprising the steps of in described step (4):
Step 1): Real-time Feedback, to front end, sends abnormal alarm;
Step 2): in outline data, the record of this user is deleted;
Step 3): this user is joined in abnormal user queue, no longer it is carried out abnormality detection, until
This user sends and publishes behavior, it is deleted from abnormal user queue;
Step 4): feed back to data base abnormal, and adjust respective labels.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510130123.1A CN106156026B (en) | 2015-03-24 | 2015-03-24 | Method for discovering online abnormity of virtual assets based on data flow |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510130123.1A CN106156026B (en) | 2015-03-24 | 2015-03-24 | Method for discovering online abnormity of virtual assets based on data flow |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106156026A true CN106156026A (en) | 2016-11-23 |
CN106156026B CN106156026B (en) | 2020-02-18 |
Family
ID=58064356
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510130123.1A Active CN106156026B (en) | 2015-03-24 | 2015-03-24 | Method for discovering online abnormity of virtual assets based on data flow |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106156026B (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107335220A (en) * | 2017-06-06 | 2017-11-10 | 广州华多网络科技有限公司 | A kind of recognition methods of passive user, device and server |
CN107402957A (en) * | 2017-06-09 | 2017-11-28 | 全球能源互联网研究院 | The structure and user behavior method for detecting abnormality, system in user behavior pattern storehouse |
CN108055281A (en) * | 2017-12-27 | 2018-05-18 | 百度在线网络技术(北京)有限公司 | Account method for detecting abnormality, device, server and storage medium |
CN108075906A (en) * | 2016-11-08 | 2018-05-25 | 上海有云信息技术有限公司 | A kind of management method and system for cloud computation data center |
CN109308615A (en) * | 2018-08-02 | 2019-02-05 | 同济大学 | Real-time fraudulent trading detection method, system, storage medium and electric terminal based on statistical series feature |
CN110363381A (en) * | 2019-05-31 | 2019-10-22 | 阿里巴巴集团控股有限公司 | A kind of information processing method and device |
CN111143415A (en) * | 2019-12-26 | 2020-05-12 | 政采云有限公司 | Data processing method and device and computer readable storage medium |
CN112000863A (en) * | 2020-08-14 | 2020-11-27 | 北京百度网讯科技有限公司 | User behavior data analysis method, device, equipment and medium |
CN113806523A (en) * | 2020-06-11 | 2021-12-17 | 中国科学院计算机网络信息中心 | Classification-based anomaly detection method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101364104A (en) * | 2008-09-23 | 2009-02-11 | 西部矿业股份有限公司 | Multi entity monitoring decision support system and method for downhole entironment |
CN102130800A (en) * | 2011-04-01 | 2011-07-20 | 苏州赛特斯网络科技有限公司 | Device and method for detecting network access abnormality based on data stream behavior analysis |
CN102413013A (en) * | 2011-11-21 | 2012-04-11 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for detecting abnormal network behavior |
CN104090835A (en) * | 2014-06-27 | 2014-10-08 | 中国人民解放军国防科学技术大学 | eID (electronic IDentity) and spectrum theory based cross-platform virtual asset transaction audit method |
-
2015
- 2015-03-24 CN CN201510130123.1A patent/CN106156026B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101364104A (en) * | 2008-09-23 | 2009-02-11 | 西部矿业股份有限公司 | Multi entity monitoring decision support system and method for downhole entironment |
CN102130800A (en) * | 2011-04-01 | 2011-07-20 | 苏州赛特斯网络科技有限公司 | Device and method for detecting network access abnormality based on data stream behavior analysis |
CN102413013A (en) * | 2011-11-21 | 2012-04-11 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for detecting abnormal network behavior |
CN104090835A (en) * | 2014-06-27 | 2014-10-08 | 中国人民解放军国防科学技术大学 | eID (electronic IDentity) and spectrum theory based cross-platform virtual asset transaction audit method |
Non-Patent Citations (1)
Title |
---|
毛伊敏: "数据流频繁模式挖掘关键算法及其应用研究", 《中国博士学位论文全文数据库 信息科技辑》 * |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108075906A (en) * | 2016-11-08 | 2018-05-25 | 上海有云信息技术有限公司 | A kind of management method and system for cloud computation data center |
CN107335220B (en) * | 2017-06-06 | 2021-01-26 | 广州华多网络科技有限公司 | Negative user identification method and device and server |
CN107335220A (en) * | 2017-06-06 | 2017-11-10 | 广州华多网络科技有限公司 | A kind of recognition methods of passive user, device and server |
CN107402957A (en) * | 2017-06-09 | 2017-11-28 | 全球能源互联网研究院 | The structure and user behavior method for detecting abnormality, system in user behavior pattern storehouse |
CN107402957B (en) * | 2017-06-09 | 2023-02-07 | 全球能源互联网研究院 | Method and system for constructing user behavior pattern library and detecting user behavior abnormity |
CN108055281A (en) * | 2017-12-27 | 2018-05-18 | 百度在线网络技术(北京)有限公司 | Account method for detecting abnormality, device, server and storage medium |
CN108055281B (en) * | 2017-12-27 | 2021-05-18 | 百度在线网络技术(北京)有限公司 | Account abnormity detection method, device, server and storage medium |
CN109308615A (en) * | 2018-08-02 | 2019-02-05 | 同济大学 | Real-time fraudulent trading detection method, system, storage medium and electric terminal based on statistical series feature |
CN109308615B (en) * | 2018-08-02 | 2020-12-29 | 同济大学 | Real-time fraud transaction detection method, system, storage medium and electronic terminal based on statistical sequence characteristics |
CN110363381A (en) * | 2019-05-31 | 2019-10-22 | 阿里巴巴集团控股有限公司 | A kind of information processing method and device |
CN110363381B (en) * | 2019-05-31 | 2023-12-22 | 创新先进技术有限公司 | Information processing method and device |
CN111143415A (en) * | 2019-12-26 | 2020-05-12 | 政采云有限公司 | Data processing method and device and computer readable storage medium |
CN111143415B (en) * | 2019-12-26 | 2023-12-29 | 政采云有限公司 | Data processing method, device and computer readable storage medium |
CN113806523A (en) * | 2020-06-11 | 2021-12-17 | 中国科学院计算机网络信息中心 | Classification-based anomaly detection method and system |
CN113806523B (en) * | 2020-06-11 | 2023-07-21 | 中国科学院计算机网络信息中心 | Abnormality detection method and system based on classification |
CN112000863A (en) * | 2020-08-14 | 2020-11-27 | 北京百度网讯科技有限公司 | User behavior data analysis method, device, equipment and medium |
CN112000863B (en) * | 2020-08-14 | 2024-04-09 | 北京百度网讯科技有限公司 | Analysis method, device, equipment and medium of user behavior data |
Also Published As
Publication number | Publication date |
---|---|
CN106156026B (en) | 2020-02-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106156026A (en) | A kind of method based on the data online anomaly of stream fictitious assets | |
Huang et al. | Dgraph: A large-scale financial dataset for graph anomaly detection | |
Cao et al. | Mining impact-targeted activity patterns in imbalanced data | |
CN102480385B (en) | database security protection method and device | |
CN101841435A (en) | Method, apparatus and system for detecting abnormality of DNS (domain name system) query flow | |
Dumitrescu et al. | Anomaly detection in graphs of bank transactions for anti money laundering applications | |
CN111709765A (en) | User portrait scoring method and device and storage medium | |
CN112116464B (en) | Abnormal transaction behavior analysis method and system based on event sequence frequent item set | |
Al-Ghuwairi et al. | Intrusion detection in cloud computing based on time series anomalies utilizing machine learning | |
CN113343228B (en) | Event credibility analysis method and device, electronic equipment and readable storage medium | |
Li et al. | A lightweight intrusion detection model based on feature selection and maximum entropy model | |
CN112631889B (en) | Portrayal method, device, equipment and readable storage medium for application system | |
CN117829994A (en) | Money laundering risk analysis method based on graph calculation | |
Adosoglou et al. | Lazy Network: A Word Embedding‐Based Temporal Financial Network to Avoid Economic Shocks in Asset Pricing Models | |
Dong et al. | Microblog burst keywords detection based on social trust and dynamics model | |
CN104487942A (en) | Event correlation | |
Jia et al. | Robust and transferable log-based anomaly detection | |
WO2021178649A1 (en) | An algorithmic learning engine for dynamically generating predictive analytics from high volume, high velocity streaming data | |
CN107918740A (en) | A kind of sensitive data decision-making decision method and system | |
CN110399261B (en) | System alarm clustering analysis method based on co-occurrence graph | |
CN116074092B (en) | Attack scene reconstruction system based on heterogram attention network | |
Yu | Hard disk drive failure prediction challenges in machine learning for multi-variate time series | |
Li et al. | Glad: Content-aware dynamic graphs for log anomaly detection | |
Lin et al. | Tracking phishing on Ethereum: Transaction network embedding approach for accounts representation learning | |
CN115495587A (en) | Alarm analysis method and device based on knowledge graph |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |