CN106156026B - Method for discovering online abnormity of virtual assets based on data flow - Google Patents


Publication number
CN106156026B
Authority
CN
China
Prior art keywords
data
user
abnormal
behavior pattern
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510130123.1A
Other languages
Chinese (zh)
Other versions
CN106156026A (en)
Inventor
朱伟辉
傅翔
贾焰
韩伟红
李树栋
李爱平
周斌
杨树强
黄九鸣
全拥
邓璐
李虎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National University of Defense Technology
Original Assignee
National University of Defense Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National University of Defense Technology
Priority to CN201510130123.1A
Publication of CN106156026A
Application granted
Publication of CN106156026B


Abstract

The invention discloses a data-stream-based method for online anomaly discovery in virtual assets, which mainly comprises data processing, offline analysis and online analysis. The user operation behavior log data stream flows into a data window and is preprocessed to extract a data summary; a pattern generation algorithm is run periodically over the data in the database to mine each user's normal and abnormal behavior patterns; and the system analyzes the data in the sliding window in real time, extracting the current behavior pattern and matching it against the normal and abnormal behavior patterns in the pattern library. The invention applies data stream technology to anomaly discovery for virtual assets and designs a data-stream-based technical framework for online anomaly discovery, so that the system can detect anomalies quickly, effectively and in real time, thereby better preventing losses to users.

Description

Method for discovering online abnormity of virtual assets based on data flow
Technical Field
The invention belongs to the technical field of internet, and particularly relates to a method for discovering online abnormity of virtual assets based on data flow.
Background
The rapid development of the internet has brought prosperity to electronic commerce, in which transactions in virtual assets have grown particularly quickly. Virtual assets are items that exist in the internet world, are rivalrous and durable, and can be exchanged or bought and sold; they include online banking, network accounts, online game equipment and weapons, virtual currency and the like.
At present, research on eID-based management and preservation technology for virtual assets in cyberspace is under way in China, with the aim of standardized and unified management of virtual assets. The virtual asset preservation system records the various operations on virtual assets comprehensively and accurately, but mining abnormal transaction behaviors from the recorded data remains a challenge. Because network virtual asset transaction information is huge in scale and grows very fast, there is an urgent need to automatically discover and predict abnormal behaviors from massive virtual asset transaction information, so as to effectively detect criminal behavior that has occurred or may occur.
The main purpose of anomaly detection is to train and build an anomaly detection model based on known anomaly data. Anomaly discovery methods mainly include techniques based on statistics, information theory, spectral theory and machine learning; the machine-learning-based techniques are mainly clustering, classification and sequence patterns. Clustering-based anomaly discovery can only be used for offline analysis: after all data have been clustered, clusters with fewer members than a certain threshold are regarded as anomalies. The advantage of clustering is that the historical data need not be labeled. Anomaly detection can essentially be regarded as a classification problem, namely classifying data as normal or abnormal. Classification-based anomaly discovery trains a classifier on labeled historical data and then uses the classifier to classify new data. Sequence-pattern-based anomaly discovery mines normal and abnormal behavior patterns from the user's time-ordered operation data, then extracts behavior patterns from the user's new data and matches them against the normal and abnormal behavior patterns in the database to judge whether the current operation is an anomaly.
The authors of [1] propose an anomaly detection method for e-commerce transaction logs based on a co-occurrence matrix. The algorithm models the user's transaction behavior with a co-occurrence matrix and uses PCA to build a co-occurrence matrix space, thereby obtaining the user's normal transaction pattern. In the detection stage, the co-occurrence matrix generated from the data to be processed is corrected to obtain the user's transaction pattern, the distance between this pattern and the user's normal pattern is computed with the matrix 2-norm, and the user's transaction behavior is judged abnormal or not accordingly.
Jishuaishuai et al. [2] propose another method for detecting abnormal user behavior in electronic commerce. According to the characteristics of the user behavior log data, it divides the data into a static attribute set and an operation sequence set, then mines patterns from the two sets with the Apriori algorithm and an axis-attribute-based GSP sequence pattern mining algorithm respectively, builds the user's normal behavior pattern on that basis, and finally matches the user's current behavior pattern against the user's historical normal behavior pattern with an order-based pattern comparison method to judge whether the user's transaction behavior is abnormal.
Zhao Zhiliang [3] proposes a data stream outlier detection method based on a sliding window model. It uses a simple sliding window to manage the turnover of new and old data in the data stream, and the data structure the algorithm adopts reduces the amount of computation needed to maintain the neighbor sets, so the algorithm performs better.
However, the two virtual asset anomaly detection methods above [1,2] both perform their analysis offline. Offline analysis works on historical data, and when abnormal data is found it is traced back to locate the source of the anomaly, so timeliness is very low.
The outliers found by the third method [3] are outliers within the current sliding window rather than global outliers, and it provides no framework for data-stream-based anomaly discovery.
[1] E-commerce transaction log anomaly detection based on co-occurrence matrix [J]. China E-commerce conditions, communication market, 2013(4): 39-45.
[2] Jishuai, Lihu, Hanwei hong, et al. User abnormal behavior detection research oriented to electronic commerce [J]. Information network security, 2014(9): 80-85.
[3] Zhao Leng. Data stream outlier detection research based on sliding window model [D]. Chongqing university, 2012.
Disclosure of Invention
To address the above problems, the invention provides a data-stream-based method for online anomaly discovery in virtual assets, which can detect anomalies in real time and is suitable for real-time detection of abnormal behavior in virtual asset operations.
The technical scheme of the invention is as follows:
A method for discovering online anomaly of virtual assets based on data flow comprises the following steps:
(1) Data processing: the user operation behavior log data stream flows into a data window, a data summary is extracted by preprocessing the data in the data window, and the processed data stream flows directly out of the data window and is stored in permanent storage;
(2) Offline analysis: the data in the database is processed once at regular intervals, and the user's normal behavior patterns and abnormal behavior patterns are mined using a pattern generation algorithm;
(3) Online analysis: the system analyzes the data in the sliding window in real time, extracts the current behavior pattern, and matches it against the normal behavior patterns and abnormal behavior patterns in the pattern library to determine whether it is an anomaly; if it is judged to be an anomaly, an alarm is raised.
Wherein step (2) comprises the following steps:
1. Storage of data: when the real-time analysis module detects that a user operation is abnormal, the label of the corresponding data in the database is adjusted. The adjustment of labels in the database also includes manual feedback: for example, when the system judges that a user's behavior is abnormal and raises an alarm, and the alarm is manually confirmed to be a false alarm, this information must be fed back to the database to adjust the label of the corresponding data. The massive data on the operation behaviors of virtual asset users is stored in a NoSQL database such as Cassandra.
2. Pattern generation: the system periodically runs a pattern generation algorithm over the data in the offline analysis module's database to obtain a normal behavior pattern library and an abnormal behavior pattern library for each user. The pattern generation algorithm may be any of various algorithms, such as association rules, sequence patterns, spectral theory, mining based on spatio-temporal sequences and the like;
3. Pattern update: when patterns are recomputed from the data in the database, only the operation behavior data recorded before the user's most recent logout is used for the analysis.
Wherein step (3) comprises the following steps:
1) Data summary extraction: only the data between a user's login and logout is processed, and only the time of the login operation is recorded, which saves memory while ensuring that important information is not lost; the data structure used must also facilitate subsequent computation;
2) Current user behavior pattern extraction: each time new operation behavior data arrives for a user, the current user behavior pattern is extracted from the data summary corresponding to that user;
3) Behavior pattern matching: the extracted behavior pattern is matched against the normal behavior pattern library and the abnormal behavior pattern library generated in the offline analysis module.
Further, step 1) comprises the following steps:
Step 1: first create a new HashMap named dataProfile to store the data summary;
Step 2: read a record from the buffer and check whether the user ID field in the record is empty; if it is empty, jump directly to Step 5; otherwise, go to the next step;
Step 3: check whether the current data summary dataProfile contains a record whose key is the current user ID; if not, add a record whose key is the current user ID to dataProfile (the operation type at this point must be a login operation, and the login time is recorded); otherwise, go to the next step;
Step 4: check the current operation type; if it is a logout operation, delete the record whose key is the current user ID from dataProfile; if it is any other operation, append the current operation type and the corresponding commodity ID to the operation sequence in the value of the record whose key is the current user ID in dataProfile;
Step 5: read the next record in the buffer and repeat the loop.
Further, step 3) comprises the following steps:
Step a: match against the abnormal behavior patterns in the abnormal behavior pattern library;
Step b: if the matching succeeds, judge the behavior to be a known anomaly;
Step c: if the matching does not succeed, match against the normal behavior patterns; if that matching succeeds, judge the behavior pattern to be normal, and if it does not, judge it to be an unknown anomaly;
Step d: after an anomaly is confirmed, ① feed it back to the front end in real time to raise an anomaly alarm; ② delete the user's record from the data summary; ③ add the user to an abnormal-user queue and perform no further anomaly detection on that user until the user issues a logout, at which point the user is removed from the abnormal-user queue; ④ feed the anomaly back to the database to adjust the corresponding label.
The beneficial effects of the invention are as follows: data flowing out of the data window is given a normal-behavior label by default when it flows into permanent storage, and when the real-time analysis module detects that a user operation is abnormal, the label of the corresponding data in the database is adjusted. The data in the data window can therefore flow out directly, without waiting for the detection operation to finish and decide which label it belongs to, which saves memory and prevents data from backing up in the data window.
Because an abnormal user is identified before that user's logout operation, and the real-time analysis module feeds back to the offline analysis module immediately after detecting an anomaly so that the labels of the corresponding data in the database are adjusted, all data before a user's most recent logout is guaranteed to carry up-to-date labels.
Compared with the prior art, the method applies data stream technology to anomaly discovery for virtual assets and designs a data-stream-based technical framework for online anomaly discovery, so that the system can detect anomalies more quickly, effectively and in real time, and losses to users are better prevented.
Drawings
FIG. 1 is a diagram of a data flow-based virtual asset online anomaly discovery framework of the present invention.
FIG. 2 is a flow chart of an extracted data summary generation algorithm of the present invention.
FIG. 3 is a diagram of a hardware deployment environment of the present invention.
Detailed Description
In order to facilitate understanding of the invention, the invention is further described below with reference to the drawings and examples.
The invention provides a data-stream-based method for online anomaly discovery in virtual assets. Its framework, shown in FIG. 1, comprises an online analysis module and an offline analysis module. First, the user operation behavior log data stream flows into a data window, a data summary is extracted by preprocessing the data in the data window, and the processed data stream flows directly out of the data window and is stored in permanent storage. In the offline analysis module, the data in the database is processed periodically, and the user's normal and abnormal behavior patterns are mined using a pattern generation algorithm. In the online analysis module, the system analyzes the data in the sliding window in real time, extracts the current behavior pattern, and matches it against the normal and abnormal behavior patterns in the pattern library to determine whether it is an anomaly. If it is judged to be an anomaly, an alarm is raised.
Online analysis module: the online analysis module has three main tasks, namely data summary extraction, current user behavior pattern extraction and behavior pattern matching. Table 1 is a simple example of a user operation behavior log stream over a certain period; the data stream contains 12 records spanning at most 50 seconds, with three users participating. The example shows only five fields (user, IP address, time, operation behavior type and related commodity ID); real data can be much more complicated. The purpose of extracting the data summary is to save valuable memory as far as possible while ensuring that no important information is lost, and the data structure used must facilitate later computation. The data summary extraction of the invention therefore follows two requirements:
A. only data between a user's login and logout is processed;
B. only the time of the login operation is recorded.
Table 1 Simple example of a user action log stream
[Table image not reproduced]
Table 2 is a simple example of the user operation behavior data summary generated from the data in Table 1. The data summary mainly contains four fields: user ID, IP address, login time and operation sequence. The data summary is stored in a List with one entry per user, and the operation sequence field is itself a List; when new operation behavior data for a user enters the data window, the operation type and related commodity ID are extracted and appended to that user's operation sequence List.
Table 2 Simple example of user operation behavior data summary
[Table image not reproduced]
The algorithm for extracting the data summary is shown in FIG. 2 and comprises the following main steps:
Step 1: first create a new HashMap named dataProfile to store the data summary.
Step 2: read a record from the buffer and check whether the user ID field in the record is empty; if it is empty, jump directly to Step 5; otherwise, go to the next step.
Step 3: check whether the current data summary dataProfile contains a record whose key is the current user ID; if not, add a record whose key is the current user ID to dataProfile (the operation type at this point must be a login operation, and the login time is recorded); otherwise, go to the next step.
Step 4: check the current operation type; if it is a logout operation, delete the record whose key is the current user ID from dataProfile; if it is any other operation, append the current operation type and the corresponding commodity ID to the operation sequence in the value of the record whose key is the current user ID in dataProfile.
Step 5: read the next record in the buffer and repeat the loop.
Each time new operation behavior data arrives for a user, the current behavior pattern is extracted from the data summary corresponding to that user, and the extracted behavior pattern is matched against the normal behavior pattern library and the abnormal behavior pattern library generated in the offline analysis module. The matching proceeds as follows: the pattern is first matched against the abnormal behavior patterns in the abnormal behavior pattern library; if the matching succeeds, the behavior is judged to be a known anomaly; if it does not, the pattern is matched against the normal behavior patterns; if that matching succeeds, the behavior is judged to be normal, and if it does not, the behavior is judged to be an unknown anomaly. After an anomaly is confirmed, four operations are performed: ① the anomaly is fed back to the front end in real time to raise an anomaly alarm; ② the user's record is deleted from the data summary; ③ the user is added to an abnormal-user queue and no further anomaly detection is performed on that user until the user issues a logout, at which point the user is removed from the abnormal-user queue; ④ the anomaly is fed back to the database to adjust the corresponding label.
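The summary extraction loop (Steps 1 to 5) together with the four post-anomaly operations can be sketched as follows. This is an added example, not code from the patent: the record field names, the outcome strings, the constructed sample stream and the placeholder classifier `toy_classify` (which stands in for the pattern matching) are assumptions, as is the guard that ignores a non-login record from a user with no open session.

```python
from dataclasses import dataclass, field

LOGIN, LOGOUT = "login", "logout"

@dataclass
class Summary:
    ip: str
    login_time: str                          # requirement B: only the login time is kept
    ops: list = field(default_factory=list)  # [(operation type, commodity ID), ...]

class StreamSummarizer:
    def __init__(self, classify):
        self.data_profile = {}       # Step 1: user ID -> Summary (the "dataProfile" map)
        self.abnormal_users = set()  # users excluded from detection until they log out
        self.alerts = []             # stand-in for the front-end alarm (operation 1)
        self.label_updates = []      # stand-in for label feedback to the database (operation 4)
        self.classify = classify     # callback returning "normal" or an anomaly verdict

    def process(self, rec):
        user, op = rec.get("user"), rec.get("op")
        if not user:                                   # Step 2: empty user ID, skip the record
            return "skipped"
        if user in self.abnormal_users:                # operation 3: no detection until logout
            if op == LOGOUT:
                self.abnormal_users.discard(user)
                return "released"
            return "quarantined"
        summary = self.data_profile.get(user)
        if summary is None:                            # Step 3: no open session for this user
            if op != LOGIN:                            # added guard: session start was never seen
                return "skipped"
            summary = self.data_profile[user] = Summary(rec["ip"], rec["time"])
        elif op == LOGOUT:                             # Step 4: logout closes the session
            del self.data_profile[user]
            return "closed"
        else:                                          # Step 4: any other operation is appended
            summary.ops.append((op, rec.get("item")))
        verdict = self.classify(user, summary)         # match the current behavior pattern
        if verdict != "normal":
            self.alerts.append((user, verdict))                               # operation 1
            del self.data_profile[user]                                       # operation 2
            self.abnormal_users.add(user)                                     # operation 3
            self.label_updates.append((user, summary.login_time, "abnormal")) # operation 4
        return verdict

def toy_classify(user, summary, max_pay=2):
    """Placeholder rule (assumption): more than max_pay 'pay' operations in one session."""
    pays = sum(1 for op, _ in summary.ops if op == "pay")
    return "unknown_anomaly" if pays > max_pay else "normal"

def rec(user, time, op, item=None, ip="192.0.2.10"):
    return {"user": user, "ip": ip, "time": time, "op": op, "item": item}

# Constructed sample stream (not the contents of Table 1).
SAMPLE = [
    rec("user1", "19:00:01", LOGIN),
    rec("",      "19:00:03", "browse", "g5"),               # empty user ID
    rec("user2", "19:00:05", LOGIN, ip="198.51.100.7"),
    rec("user1", "19:00:09", "browse", "g1"),
    rec("user2", "19:00:12", "pay", "g7", ip="198.51.100.7"),
    rec("user2", "19:00:15", "pay", "g8", ip="198.51.100.7"),
    rec("user2", "19:00:18", "pay", "g9", ip="198.51.100.7"),    # third payment: anomaly
    rec("user2", "19:00:22", "browse", "g2", ip="198.51.100.7"), # ignored while quarantined
    rec("user1", "19:00:27", "add_to_cart", "g1"),
    rec("user2", "19:00:33", LOGOUT, ip="198.51.100.7"),         # leaves the abnormal queue
    rec("user3", "19:00:40", "browse", "g3"),                    # no login seen for user3
    rec("user1", "19:00:48", LOGOUT),
]

def run(stream, classify=toy_classify):
    s = StreamSummarizer(classify)
    return [s.process(r) for r in stream], s

if __name__ == "__main__":
    outcomes, state = run(SAMPLE)
    for r, o in zip(SAMPLE, outcomes):
        print(r["time"], r["user"] or "-", r["op"], "->", o)
    print("alerts:", state.alerts, "label updates:", state.label_updates)
```

Checking the abnormal-user queue before the dataProfile lookup matters: once operation ② has deleted the record, a later operation from the same user would otherwise be mistaken for the start of a new session.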
Table 3 is an example of a simple behavior pattern extracted for user1 from the data summary in Table 2. It indicates that user1 logged in from IP address 220.79.15.21 at about 19 o'clock for about 30 minutes, that the prices of the commodities involved fall in the 0-100 yuan interval, and that the operation sequence is: log in, browse a commodity whose similarity to the commodity added to the shopping cart is 0.84, browse the commodity added to the shopping cart, and add it to the shopping cart.
Table 3 Simple behavior pattern example extracted for user1
[Table image not reproduced]
Table 4 is an example of part of the normal behavior patterns of user1 in the behavior pattern library. It includes two association rules on IP address and time; the percentage of attention paid to each commodity price interval (in the example, 80% of the commodities user1 pays attention to are priced at 0-100 yuan, 19% at 100-200 yuan and 1% at 200-500 yuan); and three frequent operation-sequence patterns.
Table 4 Example of partial normal behavior patterns for user1
[Table image not reproduced]
Matching against the normal behavior pattern library proceeds in two stages. ① The static attributes (IP address and time, commodity price) in the current operation behavior pattern are compared with all the association rules in the normal behavior pattern library; if all of them match, the behavior is judged to be normal. ② Otherwise, the operation sequence in the current operation behavior pattern is compared with all the operation sequences in the normal behavior pattern library; the behavior is judged to be normal when the similarity exceeds the set threshold, and abnormal otherwise. In the given example, static attribute matching finds that "IP address and time" cannot be matched: in the normal behavior pattern, logins from IP address 220.79.15.21 generally occur at about 11 o'clock, whereas the current login occurs at about 19 o'clock, so matching proceeds to the operation sequence. Many methods are currently available for calculating the similarity of operation sequences, and this is not the focus of the invention. In this example, the similarity of the operation sequence in the current behavior pattern calculated using the Deep-Simi algorithm is 0.7.6, and the threshold of the normal behavior is set to be 0.6-0.6.
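The matching order described above (abnormal library first, then static attributes, then operation-sequence similarity) can be sketched as follows. This is an added example, not code from the patent: the Deep-Simi algorithm is not specified on this page, so a longest-common-subsequence similarity is substituted for it, and the library contents, the one-hour login tolerance, the use of sequence similarity for the abnormal library and the 0.6 threshold are constructed assumptions.

```python
from dataclasses import dataclass

def lcs_len(a, b):
    """Length of the longest common subsequence of two operation sequences."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Stand-in for the page's Deep-Simi score: LCS length over the longer sequence."""
    if not a or not b:
        return 0.0
    return lcs_len(a, b) / max(len(a), len(b))

@dataclass(frozen=True)
class Pattern:              # current behavior pattern, in the shape described for Table 3
    ip: str
    hour: int               # login hour
    price_band: str         # price interval of the commodities involved
    ops: tuple              # operation sequence

@dataclass(frozen=True)
class NormalLibrary:        # per-user normal patterns, in the shape described for Table 4
    ip_time_rules: tuple    # ((ip, usual login hour), ...)
    price_bands: dict       # price interval -> share of attention
    sequences: tuple        # frequent operation sequences

def static_match(p, lib, hour_tol=1):
    """Stage 1: every static attribute must satisfy a rule (hour tolerance is assumed)."""
    ip_time_ok = any(p.ip == ip and abs(p.hour - h) <= hour_tol
                     for ip, h in lib.ip_time_rules)
    return ip_time_ok and p.price_band in lib.price_bands

def classify(p, abnormal_seqs, lib, threshold=0.6):
    """Return (verdict, deciding stage) following the page's matching order."""
    if any(similarity(p.ops, s) > threshold for s in abnormal_seqs):
        return ("known_anomaly", "abnormal-library")
    if static_match(p, lib):
        return ("normal", "static")
    best = max((similarity(p.ops, s) for s in lib.sequences), default=0.0)
    if best > threshold:
        return ("normal", "sequence")
    return ("unknown_anomaly", "no-match")

# Constructed libraries; only the IP address, the hours and the price shares come from the page.
USER1_NORMAL = NormalLibrary(
    ip_time_rules=(("220.79.15.21", 11), ("192.0.2.10", 21)),
    price_bands={"0-100": 0.80, "100-200": 0.19, "200-500": 0.01},
    sequences=(("login", "search", "browse", "add_to_cart"),
               ("login", "browse", "add_to_cart", "pay"),
               ("login", "browse", "logout")),
)
USER1_ABNORMAL = (("login", "change_password", "transfer", "transfer", "logout"),)

SEQ = ("login", "browse_similar", "browse", "add_to_cart")
EVENING = Pattern("220.79.15.21", 19, "0-100", SEQ)   # the page's example: unusual hour
MORNING = Pattern("220.79.15.21", 11, "0-100", SEQ)   # usual hour for this IP
TAKEOVER = Pattern("220.79.15.21", 11, "0-100",
                   ("login", "change_password", "transfer", "transfer"))
STRANGER = Pattern("198.51.100.7", 3, "200-500", ("login", "transfer"))

if __name__ == "__main__":
    for name, p in [("evening", EVENING), ("morning", MORNING),
                    ("takeover", TAKEOVER), ("stranger", STRANGER)]:
        print(name, classify(p, USER1_ABNORMAL, USER1_NORMAL))
```

The `TAKEOVER` case shows why the abnormal library is consulted first: its static attributes all satisfy the normal rules, so stage ① alone would have accepted it.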
Offline analysis module: this mainly covers the storage of data and the generation of patterns. The massive data on the operation behaviors of virtual asset users is stored in a NoSQL database such as Cassandra. Note that data flowing out of the data window is given a normal-behavior label by default when it flows into permanent storage, and when the real-time analysis module detects that a user operation is abnormal, the label of the corresponding data in the database is adjusted. One benefit is that data in the data window can flow out without waiting for the detection operation to finish and decide which label it belongs to, which saves memory; otherwise a large amount of data would back up in the data window. The adjustment of labels in the database should also include manual feedback: for example, when the system judges that a user's behavior is abnormal and raises an alarm, and the alarm is manually determined to be a false alarm, this information must be fed back to the database to adjust the label of the corresponding data.
For the data in the offline analysis module's database, the system periodically runs a pattern generation algorithm to obtain a normal behavior pattern library and an abnormal behavior pattern library for each user. The pattern generation algorithm may be any of a variety of algorithms, such as association rules, sequence patterns, spectral theory, mining based on spatio-temporal sequences and the like. When patterns are recomputed from the data in the database, only the operation behavior data recorded before the user's most recent logout is used for the analysis. The reason is that some of the newest data in the database has not yet had its label adjusted and carries the default normal label, whereas all data before the user's most recent logout is guaranteed to carry up-to-date labels: if the user is abnormal, this is determined before the user logs out, and the real-time analysis module feeds back to the offline analysis module immediately after detecting the anomaly so that the labels of the corresponding data in the database are adjusted.
A hardware deployment environment diagram of the invention is shown in FIG. 3. The hardware is highly scalable: when demand grows, only cluster nodes need to be added.
Example 1
In this embodiment of the method for discovering online anomaly of virtual assets based on data flow, the hardware of the virtual asset management system is as follows:
Virtual asset data stream processing cluster: 2 nodes, each configured with a 4-core CPU, 32 GB of memory and a CentOS 6.5 64-bit system;
Behavior pattern computation cluster: 5 nodes, each configured with a 4-core CPU, 16 GB of memory and a CentOS 6.5 64-bit system;
Virtual asset operation log database: 1 node, configured with a 2-core CPU, 8 GB of memory, a 2 TB hard disk and a CentOS 6.5 64-bit operating system;
Behavior pattern library: 1 node, configured with a 2-core CPU, 8 GB of memory, a 2 TB hard disk and a CentOS 6.5 64-bit operating system.
The hardware configuration described above can handle concurrent operations from users on the order of 10,000. The virtual asset data stream processing cluster extracts data summaries in real time from the continuously arriving data and keeps them in memory; the processed data flows directly out of the sliding window and is stored in the virtual asset operation log database. The behavior pattern computation cluster periodically accesses the data in the virtual asset operation log database, computes the user behavior patterns, and updates the behavior pattern library when new behavior patterns are obtained. Meanwhile, the virtual asset data stream processing cluster extracts each user's current behavior pattern from the information in the data summary, retrieves that user's normal and abnormal behavior patterns from the behavior pattern library, matches against each, and checks whether the current operation is an anomaly. If it is judged to be an anomaly, the abnormal label must be fed back to the virtual asset operation log database.
Compared with the prior art, the method applies data stream technology to anomaly discovery for virtual assets and designs a data-stream-based technical framework for online anomaly discovery, so that the system can detect anomalies more quickly, effectively and in real time, and losses to users are better prevented.
The invention has been described in an illustrative manner, and it is to be understood that the invention is not limited to the above-described embodiments, and that various modifications may be made without departing from the spirit and scope of the invention.

Claims (6)

1. A method for discovering online anomaly of virtual assets based on data flow is characterized by comprising the following steps:
step one: data processing: the user operation behavior log data stream flows into a data window, the data in the data window is preprocessed to extract a data summary, and the processed data stream flows directly out of the data window and is stored in permanent storage;
step two: offline analysis: the data in the database is processed periodically, and the user's normal behavior patterns and abnormal behavior patterns are mined using a pattern generation algorithm, comprising the following steps:
step A: storage of data: the data stream flowing out of the data window is given a normal-behavior label by default when it flows into permanent storage, and when the real-time analysis module detects that a user operation is abnormal, the label of the corresponding data in the database is adjusted;
step B: pattern generation: for the data in the offline analysis module's database, the system periodically runs a pattern generation algorithm to obtain a normal behavior pattern library and an abnormal behavior pattern library for each user;
step C: pattern update: when patterns are recomputed from the data in the database, only the operation behavior data recorded before the user's most recent logout is used for the analysis;
step three: online analysis: the system analyzes the data in the sliding window in real time, extracts the current behavior pattern, matches it against the normal behavior patterns and abnormal behavior patterns in the pattern library, judges whether the current behavior pattern is abnormal, and raises an alarm if it is judged to be abnormal, comprising the following steps:
step D: data summary extraction: only the data between a user's login and logout is processed, and only the time of the login operation is recorded;
step E: current user behavior pattern extraction: each time new operation behavior data arrives for a user, the current user behavior pattern is extracted from the data summary corresponding to that user;
step F: behavior pattern matching: the extracted behavior pattern is matched against the user's normal behavior pattern library and abnormal behavior pattern library generated in the offline analysis module.
2. The method for online anomaly discovery of virtual assets based on data flow as claimed in claim 1, wherein the adjusting of the labels of corresponding data in the database in step A further comprises manual feedback adjustment.
3. The method for online anomaly discovery of data-flow-based virtual assets according to claim 1, wherein said pattern generation algorithm in step B comprises association rules, sequence patterns, spectrum theory, and mining based on spatio-temporal sequences.
4. The method for online anomaly discovery of virtual assets based on data flow according to claim 1, wherein said step D further comprises the steps of:
step (1): creating a new HashMap named dataProfile to store the data summary;
step (2): reading a record from the buffer and checking whether the user ID field in the record is empty; if it is empty, going directly to step (5); otherwise, going to the next step;
step (3): checking whether the current dataProfile contains a record whose key is the current user ID; if not, adding a record with that key to dataProfile and recording the login time; otherwise, going to the next step;
step (4): checking the current operation type; if it is a logout operation, deleting the record whose key is the current user ID from dataProfile; if it is any other operation, appending the current operation type and the corresponding commodity ID to the operation sequence in the value of the record whose key is the current user ID in dataProfile;
step (5): reading the next record in the buffer and repeating the loop.
5. The method for online anomaly discovery of virtual assets based on data flow according to claim 1, wherein step F further comprises the following steps:
Step (1): matching against the abnormal behavior patterns in the abnormal behavior pattern library;
Step (2): if the matching is successful, judging the behavior to be a known anomaly;
Step (3): if the matching is successful, judging the behavior pattern to be normal, and if the matching is not successful, judging the behavior pattern to be an unknown anomaly;
Step (4): confirming the anomaly.
6. The method for online anomaly discovery of virtual assets based on data flow according to claim 5, wherein step (4) further comprises the following steps:
Step (1): feeding back to the front end in real time to raise an anomaly alarm;
Step (2): deleting the user's record from the data summary;
Step (3): adding the user to an abnormal user queue and performing no anomaly detection on the user until the user performs a logout, at which point the user is deleted from the abnormal user queue;
Step (4): feeding the anomaly back to the database and adjusting the corresponding label.
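The online path of claims 4 to 6, as an added Python example that is not code from the patent. Assumptions: a behavior pattern is a tuple of (operation type, commodity ID) pairs, an abnormal pattern matches when it occurs as a contiguous run in the session, a normal pattern matches when the session so far is a prefix of it, and the second match in claim 5 step (3) is read as the match against the normal library; all names and the sample records are constructed.

```python
def contains(seq, pat):  # True if pat occurs as a contiguous run inside seq
    return any(seq[i:i + len(pat)] == pat for i in range(len(seq) - len(pat) + 1))

class OnlineDetector:
    def __init__(self, normal, abnormal):
        self.normal, self.abnormal = normal, abnormal  # pattern libraries (assumed format)
        self.data_profile, self.abnormal_users = {}, set()  # data summary; abnormal user queue
        self.alerts, self.labels = [], {}  # stand-ins for front-end alarm and database labels

    def process(self, rec):
        uid, op = rec["user_id"], rec["op"]
        if not uid:                        # claim 4 step (2): empty user ID, skip the record
            return None
        if uid in self.abnormal_users:     # claim 6 step (3): no detection until logout
            if op == "logout":
                self.abnormal_users.discard(uid)
            return None
        if uid not in self.data_profile:   # claim 4 step (3): new key, record login time
            self.data_profile[uid] = {"login_time": rec["time"], "ops": []}
            return None
        if op == "logout":                 # claim 4 step (4): logout deletes the record
            del self.data_profile[uid]
            return None
        self.data_profile[uid]["ops"].append((op, rec["item"]))
        verdict = self.match(uid, tuple(self.data_profile[uid]["ops"]))
        if verdict != "normal":
            self.confirm(uid, verdict, rec["time"])
        return verdict

    def match(self, uid, seq):             # claim 5 steps (1)-(3); matching rules are assumed
        if any(contains(seq, p) for p in self.abnormal):
            return "known_abnormal"
        ok = any(p[:len(seq)] == seq for p in self.normal.get(uid, ()))
        return "normal" if ok else "unknown_abnormal"

    def confirm(self, uid, verdict, when):  # claim 6 steps (1)-(4)
        self.alerts.append((uid, verdict, when))   # (1) alarm
        del self.data_profile[uid]                 # (2) drop the data summary record
        self.abnormal_users.add(uid)               # (3) abnormal user queue
        self.labels[uid] = verdict                 # (4) label feedback

VIEW, BUY, MOVE = ("view", "g1"), ("buy", "g1"), ("transfer", "g9")  # constructed sample data
def demo():
    d = OnlineDetector({"u1": {(VIEW, BUY)}, "u2": {(VIEW, BUY)}}, {(VIEW, MOVE)})
    stream = [("u1", "login", None), ("", "view", "g1"), ("u1", "view", "g1"), ("u1", "buy", "g1"),
              ("u1", "logout", None), ("u2", "login", None), ("u2", "view", "g1"), ("u2", "transfer", "g9"),
              ("u2", "buy", "g1"), ("u2", "logout", None), ("u3", "login", None), ("u3", "buy", "g1")]
    return d, [d.process({"user_id": u, "op": o, "item": g, "time": t})
               for t, (u, o, g) in enumerate(stream)]
```

In the sample, u2's purchase after the alarm is ignored because u2 sits in the abnormal user queue until logout, and u3 is flagged as an unknown anomaly because no normal pattern exists for that user.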
CN201510130123.1A 2015-03-24 2015-03-24 Method for discovering online abnormity of virtual assets based on data flow Active CN106156026B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510130123.1A CN106156026B (en) 2015-03-24 2015-03-24 Method for discovering online abnormity of virtual assets based on data flow

Publications (2)

Publication Number Publication Date
CN106156026A CN106156026A (en) 2016-11-23
CN106156026B true CN106156026B (en) 2020-02-18

Family

ID=58064356

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510130123.1A Active CN106156026B (en) 2015-03-24 2015-03-24 Method for discovering online abnormity of virtual assets based on data flow

Country Status (1)

Country Link
CN (1) CN106156026B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108075906A (en) * 2016-11-08 2018-05-25 上海有云信息技术有限公司 A kind of management method and system for cloud computation data center
CN107335220B (en) * 2017-06-06 2021-01-26 广州华多网络科技有限公司 Negative user identification method and device and server
CN107402957B (en) * 2017-06-09 2023-02-07 全球能源互联网研究院 Method and system for constructing user behavior pattern library and detecting user behavior abnormity
CN108055281B (en) * 2017-12-27 2021-05-18 百度在线网络技术(北京)有限公司 Account abnormity detection method, device, server and storage medium
CN109308615B (en) * 2018-08-02 2020-12-29 同济大学 Real-time fraud transaction detection method, system, storage medium and electronic terminal based on statistical sequence characteristics
CN110363381B (en) * 2019-05-31 2023-12-22 创新先进技术有限公司 Information processing method and device
CN111143415B (en) * 2019-12-26 2023-12-29 政采云有限公司 Data processing method, device and computer readable storage medium
CN113806523B (en) * 2020-06-11 2023-07-21 中国科学院计算机网络信息中心 Abnormality detection method and system based on classification
CN112000863B (en) * 2020-08-14 2024-04-09 北京百度网讯科技有限公司 Analysis method, device, equipment and medium of user behavior data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364104A (en) * 2008-09-23 2009-02-11 西部矿业股份有限公司 Multi entity monitoring decision support system and method for downhole entironment
CN102130800A (en) * 2011-04-01 2011-07-20 苏州赛特斯网络科技有限公司 Device and method for detecting network access abnormality based on data stream behavior analysis
CN102413013A (en) * 2011-11-21 2012-04-11 北京神州绿盟信息安全科技股份有限公司 Method and device for detecting abnormal network behavior
CN104090835A (en) * 2014-06-27 2014-10-08 中国人民解放军国防科学技术大学 eID (electronic IDentity) and spectrum theory based cross-platform virtual asset transaction audit method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
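Research on Key Algorithms for Frequent Pattern Mining in Data Streams and Their Applications; Mao Yimin; China Doctoral Dissertations Full-text Database, Information Science and Technology; 20121215 (No. 12); Sections 1.2.4, 1.2.5, 5.3-5.4 of the dissertation *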

Also Published As

Publication number Publication date
CN106156026A (en) 2016-11-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant