CN107196953B - Abnormal behavior detection method based on user behavior analysis - Google Patents


Info

Publication number
CN107196953B
Authority
CN
China
Prior art keywords
user behavior
analysis
behavior
sample library
user
Prior art date
Legal status
Active
Application number
CN201710448328.3A
Other languages
Chinese (zh)
Other versions
CN107196953A (en)
Inventor
施勇
傅烨文
刘宁
Current Assignee
Shanghai leading Mdt InfoTech Ltd
Original Assignee
Shanghai Leading Mdt Infotech Ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Leading Mdt Infotech Ltd
Priority to CN201710448328.3A
Publication of CN107196953A
Application granted
Publication of CN107196953B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

A method for detecting abnormal behavior based on user behavior analysis collects user behavior data in real time through a sliding time window whose parameters can be adjusted by feedback, analyzes the user's behavior data by constructing a multi-angle behavior library and a multi-angle behavior analysis model, compares the resulting analysis values with a preset acceptable confidence value, and, according to that comparison, adjusts the time window parameters used for data collection and updates the behavior library. This yields an all-round analysis and an accurate judgment, and obtains the analysis result of the user behavior with as little computational complexity as possible while improving detection accuracy.

Description

Abnormal behavior detection method based on user behavior analysis
Technical Field
The invention relates to the technical field of information, in particular to a method for detecting abnormal behaviors based on behavior analysis of a user.
Background
With the growth in the number and diversity of internet users, analyzing user behavior to track potential problems or to detect malicious users and malicious behavior is becoming increasingly difficult; in particular, mass user data places high demands on the efficiency of user analysis, so conventional user data storage and analysis methods are no longer sufficient. With the arrival of the big data era, big data analysis has emerged. Big data analysis refers to the analysis of data on a huge scale: it can display data visually through data visualization, and people can go deep into the data to mine value through data mining.
Malicious user behavior evolves continuously, and as network traffic grows, malicious behavior hidden in large volumes of normal traffic becomes harder and harder to discover. Machine learning is regarded as an important method for automatically analyzing mass malicious behavior, but existing machine learning models suffer seriously from degradation. At the same time, as data volume grows, the computational complexity of statistical analysis rises, and the efficiency problem of credibility-based malicious behavior detection becomes more and more prominent. A method is therefore needed that can process mass data, absorb newly discovered knowledge in real time, and analyze and detect malicious behavior in real time at high speed according to a detection analysis model.
In practical scenarios, users want the system to detect within a short time that their host is being used illegitimately and to respond accordingly, for example by activating the camera to photograph the illegitimate user and save the picture, or by protecting private files. At the same time the model should have high accuracy, since an excessive false alarm rate degrades both the user experience and the reliability of the system.
The invention aims to solve the serious degradation of existing machine learning models and the low accuracy of existing detection methods. It provides a method that sets a feedback-adjustable dynamic sliding window, performs real-time statistical analysis of the user's behavior, dynamically tracks the user's behavior habits, and detects malicious behavior from multiple angles through an analysis module based on known behaviors and the maximum acceptable error probability given by the user.
Disclosure of Invention
In order to solve these problems, the invention provides an abnormal behavior detection method and apparatus based on user behavior analysis. User behavior data is collected in real time through a suitable time sliding window and input into a data analysis model, and the model's analysis and judgment yield a conclusion on whether the user behavior is normal, so that the user can make subsequent decisions.
More specifically, the invention provides an abnormal behavior detection method based on user behavior analysis, comprising the following steps:
firstly, setting initial time sliding window parameters for user behavior data acquisition, acquiring user behavior data in real time based on those parameters, and representing the user behavior data as a multidimensional array;
secondly, constructing a standard user behavior sample library comprising a standard malicious user behavior sample library, a standard normal user behavior sample library and a suspicious user behavior sample library, where the standard malicious user behavior sample library stores a plurality of pieces of standard user behavior data representing malicious user behavior, the standard normal user behavior sample library stores a plurality of pieces of standard user behavior data representing normal user behavior, and the suspicious user behavior sample library stores a plurality of pieces of user behavior data representing suspicious user behavior;
thirdly, constructing a multi-angle behavior analysis model using the standard user behavior sample library;
fourthly, inputting the collected user behavior data into the constructed multi-angle behavior analysis model to obtain an analysis conclusion value array;
and fifthly, calculating an analysis credibility value from the analysis conclusion value array, comparing it with an acceptable credibility value preset by the user, and deciding according to the comparison result whether to perform feedback adjustment and retest.
Preferably, the time sliding window parameters include the length of the time sliding window and the interval of the basic time element for data acquisition, and at least one of these two can be adjusted when the parameters are feedback-adjusted.
Preferably, the analysis conclusion value array includes an abnormal probability value, a normal probability value and a suspicious probability value, where the abnormal probability value represents the similarity between the user behavior data currently collected in real time and the samples in the standard malicious user behavior sample library, the normal probability value represents its similarity to the samples in the standard normal user behavior sample library, and the suspicious probability value represents its similarity to the samples in the suspicious user behavior sample library.
Preferably, the multi-angle behavior analysis model comprises a Mahalanobis-distance-based multi-angle behavior analysis model and an isolated-forest-based multi-angle behavior analysis model.
Preferably, in the Mahalanobis-distance-based multi-angle behavior analysis model, the Mahalanobis distances between the user behavior data currently acquired in real time and the samples in the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library are calculated respectively, yielding the analysis conclusion value array including the abnormal probability value, the normal probability value and the suspicious probability value.
Preferably, the Mahalanobis-distance-based multi-angle behavior analysis model selects the minimum of the abnormal, normal and suspicious probability values, computes the ratio of that minimum to each of the other two values, and uses the two ratios as the analysis reliability value. Only when both ratios are smaller than the acceptable reliability value preset by the user is the analysis result judged reliable and output; otherwise the result is judged unreliable and the feedback adjustment and retest steps are performed.
Preferably, in the isolated-forest-based multi-angle behavior analysis model, a malicious behavior forest, a normal behavior forest and a suspicious behavior forest are constructed from the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library respectively; the average path distance of the user behavior data currently acquired in real time, from the root nodes of each forest to the leaf nodes where that data lands, is calculated for each forest; and the analysis conclusion value array including the abnormal probability value, the normal probability value and the suspicious probability value is obtained from these average path distances.
Preferably, the isolated-forest-based multi-angle behavior analysis model selects the maximum of the abnormal, normal and suspicious probability values, computes the ratio of that maximum to each of the other two values, and uses the two ratios as the analysis reliability value. Only when both ratios are larger than the acceptable reliability value preset by the user is the analysis result judged reliable and output; otherwise the result is judged unreliable and the feedback adjustment and retest steps are performed.
In addition, the present invention further provides an abnormal behavior detection apparatus based on user behavior analysis, wherein the apparatus includes:
the parameter setting module is used for setting initial time sliding window parameters for user behavior data acquisition;
the data acquisition module is used for acquiring the user behavior data in real time based on the time sliding window parameter set by the parameter setting module and expressing the user behavior data through a multidimensional array;
the behavior sample library construction module is used for constructing a standard user behavior sample library comprising a standard malicious user behavior sample library, a standard normal user behavior sample library and a suspicious user behavior sample library, where the standard malicious user behavior sample library stores a plurality of pieces of standard user behavior data representing malicious user behavior, the standard normal user behavior sample library stores a plurality of pieces of standard user behavior data representing normal user behavior, and the suspicious user behavior sample library stores a plurality of pieces of user behavior data representing suspicious user behavior;
the model construction module is used for constructing a multi-angle behavior analysis model by using a standard user behavior sample library;
the analysis module is used for inputting the collected user behavior data into the constructed multi-angle behavior analysis model to obtain an analysis conclusion value array;
and the result feedback module is used for calculating to obtain an analysis credibility value based on the analysis conclusion value array, comparing the analysis credibility value with an acceptable credibility value preset by a user, and selecting to execute feedback adjustment and retest according to the comparison result.
Preferably, the time sliding window parameters set by the parameter setting module include the length of the time sliding window and the interval of the basic time element for data acquisition, and at least one of these two can be adjusted when the parameters are feedback-adjusted.
Preferably, the analysis conclusion value array obtained by the analysis module includes an abnormal probability value, a normal probability value and a suspicious probability value, where the abnormal probability value represents the similarity between the user behavior data currently acquired in real time and the samples in the standard malicious user behavior sample library, the normal probability value represents its similarity to the samples in the standard normal user behavior sample library, and the suspicious probability value represents its similarity to the samples in the suspicious user behavior sample library.
Preferably, the multi-angle behavior analysis model constructed by the model construction module comprises a Mahalanobis-distance-based multi-angle behavior analysis model and an isolated-forest-based multi-angle behavior analysis model.
Preferably, in the Mahalanobis-distance-based multi-angle behavior analysis model, the Mahalanobis distances between the user behavior data currently acquired in real time and the samples in the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library are calculated respectively, yielding the analysis conclusion value array including the abnormal probability value, the normal probability value and the suspicious probability value.
Preferably, the Mahalanobis-distance-based multi-angle behavior analysis model selects the minimum of the abnormal, normal and suspicious probability values, computes the ratio of that minimum to each of the other two values, and uses the two ratios as the analysis reliability value. Only when both ratios are smaller than the acceptable reliability value preset by the user is the analysis result judged reliable and output; otherwise the result is judged unreliable and the feedback adjustment and retest steps are performed.
Preferably, in the isolated-forest-based multi-angle behavior analysis model, a malicious behavior forest, a normal behavior forest and a suspicious behavior forest are constructed from the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library respectively; the average path distance of the user behavior data currently acquired in real time, from the root nodes of each forest to the leaf nodes where that data lands, is calculated for each forest; and the analysis conclusion value array including the abnormal probability value, the normal probability value and the suspicious probability value is obtained from these average path distances.
Preferably, the isolated-forest-based multi-angle behavior analysis model selects the maximum of the abnormal, normal and suspicious probability values, computes the ratio of that maximum to each of the other two values, and uses the two ratios as the analysis reliability value. Only when both ratios are larger than the acceptable reliability value preset by the user is the analysis result judged reliable and output; otherwise the result is judged unreliable and the feedback adjustment and retest steps are performed.
The invention collects user behavior data in real time through a sliding time window that can be adjusted by feedback, describes and reflects the user's behavior data from several angles by constructing a multi-angle behavior library and a multi-angle behavior analysis model, compares the analysis result data set with the acceptable confidence value set by the user, and according to the comparison result adjusts the parameters of the time window used for data collection and updates the behavior library. This yields a comprehensive analysis and an accurate judgment, and obtains the analysis result with as little computational complexity as possible while improving detection accuracy.
Drawings
FIG. 1 is a schematic workflow diagram of a user behavior analysis method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a time sliding window in an embodiment of the present invention;
FIG. 3 is an architecture diagram of a user behavior analysis apparatus according to an embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENT(S) OF THE INVENTION
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the invention, and those skilled in the art can derive other drawings from them without creative effort.
The embodiment of the invention provides an abnormal behavior detection method based on user behavior analysis, shown in FIG. 1, which comprises the following steps:
Step 101, setting initial time sliding window parameters for user behavior data acquisition, acquiring user behavior data in real time based on those parameters, and representing the user behavior data as a multidimensional array.
Preferably, in step 101, the time sliding window parameters include the length of the time sliding window and the interval of the basic time element for data acquisition.
Feature selection is an important "data preprocessing" step in detection with user behavior models: it decides which user behavior data are used to identify the user. In real-world tasks an excessive number of attributes causes the curse of dimensionality, and removing irrelevant features tends to make the learning task easier. Choosing "bad" features may lead to excessive running time and may even make normal and abnormal users indistinguishable. In this embodiment the parameters of the time sliding window, that is, the length of the acquired time sequence and hence the number of attributes, can be adjusted according to the analysis result.
In this embodiment, the usage habits that different users naturally develop when using a host are used to model user behavior. User behavior is characterized by the user's input habits, including mouse click frequency, mouse movement track, mouse wheel frequency, keystroke frequency, frequency of special keyboard symbols, and the like. Even the inherent habits of the same user may change somewhat between scenarios; for example, keystroke frequency may rise during document work. This requires distinguishing scenarios by detecting which application is in use.
A user's operations are isolated in time (a mouse click at time t1, a keystroke at time t2), and a continuous description is needed to capture the user's behavior habits and mine the relevance between behaviors. In this embodiment a sliding window is used to combine the behavior sequence. The sequence width is chosen as a time interval: the operation behaviors of the most recent period are counted at each interval, and when the counting time is reached a move event for the whole sequence is triggered, the behavior record of the earliest period is shifted out of the queue and a new behavior record is appended at the end. The time width, denoted W, is the length of the time sliding window, and the sampling interval is the interval of the basic time element for data acquisition. For example, with W = 10 s and statistics taken every 1 second, the behavior sequence can be implemented as a multidimensional array of length 10 in the time dimension, and every second the whole sequence is shifted back by one position. With this design the associated information in the behavior sequence can be mined effectively; a schematic is shown in FIG. 2.
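As an added illustration (not code from the patent), the following Python builds the W = 10 s, 1 s interval window of the paragraph above as a queue of basic time elements, each holding the event counts of one interval, and shows a feedback adjustment of the window parameters. The feature names, the event log and the adjustment policy are constructed assumptions; the patent fixes none of them.

```python
from collections import deque

# Constructed feature order for one basic time element. The page lists these input
# habits (mouse click frequency, mouse track, wheel frequency, keystroke frequency,
# special-symbol frequency) but fixes no order or units; these names are assumptions.
FEATURES = ("mouse_clicks", "mouse_path_px", "wheel_events", "key_presses", "special_keys")


class SlidingWindow:
    """Time sliding window of length W = window_s seconds sampled every interval_s
    seconds. It holds W/interval basic time elements, each the vector of event
    counts seen during that interval, so the whole window is a (W/interval) x
    len(FEATURES) array that shifts back one position per tick."""

    def __init__(self, window_s=10, interval_s=1):
        if window_s % interval_s:
            raise ValueError("window length must be a multiple of the sampling interval")
        self.window_s, self.interval_s = window_s, interval_s
        self.elements = deque(maxlen=window_s // interval_s)
        self._current = dict.fromkeys(FEATURES, 0)

    def record(self, feature, amount=1):
        """Accumulate one raw input event into the element currently being filled."""
        self._current[feature] += amount

    def tick(self):
        """End of a basic time element: append its counts to the sequence. Once the
        window is full, the oldest element drops off the front automatically."""
        self.elements.append(tuple(self._current[f] for f in FEATURES))
        self._current = dict.fromkeys(FEATURES, 0)

    def is_full(self):
        return len(self.elements) == self.elements.maxlen

    def as_array(self):
        """The multidimensional array handed to the analysis model (oldest row first)."""
        return [list(e) for e in self.elements]

    def adjust(self, window_s=None, interval_s=None):
        """Feedback adjustment of the window parameters after an unreliable result.
        The page says only that at least one parameter is adjusted; the policy here
        is an assumption: keep the newest elements when only W changes, and restart
        when the interval changes, since old elements no longer cover the same span."""
        new_w = window_s if window_s is not None else self.window_s
        new_i = interval_s if interval_s is not None else self.interval_s
        if new_w % new_i:
            raise ValueError("window length must be a multiple of the sampling interval")
        kept = list(self.elements) if new_i == self.interval_s else []
        self.window_s, self.interval_s = new_w, new_i
        # deque(iterable, maxlen) keeps the last maxlen items, i.e. the newest elements
        self.elements = deque(kept, maxlen=new_w // new_i)


def build_sequence(event_log, window_s=10, interval_s=1):
    """Replay a constructed event log of (second, feature, amount) tuples through a
    window, ticking once per interval, and return the window."""
    win = SlidingWindow(window_s, interval_s)
    last = max(t for t, _, _ in event_log)
    for start in range(0, last + 1, interval_s):
        for t, feature, amount in event_log:
            if start <= t < start + interval_s:
                win.record(feature, amount)
        win.tick()
    return win


# Constructed event log: 13 seconds of activity on one host.
EVENTS = [(0, "mouse_clicks", 2), (1, "mouse_path_px", 340), (3, "key_presses", 5),
          (7, "wheel_events", 3), (12, "special_keys", 1), (12, "key_presses", 4)]

if __name__ == "__main__":
    win = build_sequence(EVENTS)            # W = 10 s, statistics every 1 s
    for row in win.as_array():              # 10 rows: seconds 3..12
        print(row)
    win.adjust(window_s=5)                  # feedback: shorten W, keep newest 5 rows
    print(len(win.as_array()), "rows after adjustment")
```

After 13 ticks the window holds the rows for seconds 3 to 12; the rows for seconds 0 to 2 have scrolled out, which is the "move event" the paragraph describes. Shortening W keeps the newest rows, while changing the interval restarts the queue because the old rows no longer describe intervals of the same length.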
Step 102, constructing a standard user behavior sample library comprising a standard malicious user behavior sample library, a standard normal user behavior sample library and a suspicious user behavior sample library, where the standard malicious user behavior sample library stores a plurality of pieces of standard user behavior data representing malicious user behavior, the standard normal user behavior sample library stores a plurality of pieces of standard user behavior data representing normal user behavior, and the suspicious user behavior sample library stores a plurality of pieces of user behavior data representing suspicious user behavior.
Some hosts and servers may have several daily users with different behavior habits, all of whom are legitimate. Likewise, the same legitimate user may have different usage habits at different times, for example while on a phone call or talking to someone. To address this, a set of normal user behavior habits is formed during learning, all normal users are contained in that set, and during detection new user behavior habits are compared against the normal user behavior set, with an emergency response when an abnormality is found.
Furthermore, both malicious user behavior and suspicious user behavior (behavior that cannot yet be determined to be malicious or not and needs further judgment) have their own behavior characteristics. For example, a user behavior that steals user data may differ from normal operation in mouse click frequency, in the mouse track and the folders clicked, in the sequence of positions clicked, and so on. Such typical malicious and suspicious user behaviors are also placed in their respective behavior libraries, and whether a behavior is normal is judged accurately by the similarity between the user behavior data and these different libraries.
Furthermore, in this embodiment the samples in the standard user behavior sample library constructed in this step must have the same dimension as the user behavior data acquired in real time: if the user behavior data has ten dimensions, for example a 1 × 10 vector after acquisition through the sliding time window, the samples in the library must have the corresponding number of dimensions so that subsequent analysis and judgment are possible.
Step 103, constructing a multi-angle behavior analysis model using the standard user behavior sample library.
Once the multi-angle (normal, abnormal and suspicious) behavior library is constructed, a corresponding multi-angle behavior analysis model can be established. Unlike the single-angle analysis of the prior art, the multi-angle behavior analysis module of this embodiment does not judge from a single angle whether the user behavior is normal or abnormal; it compares the user behavior data one by one with the standard normal behavior data, the standard abnormal behavior data and the suspicious behavior data, and judges the classification of the data from multiple angles. For example, if the current user behavior data is normal, it has a high similarity to the samples in the standard normal user behavior sample library and a low similarity to the standard malicious and suspicious user behavior sample libraries, so its category is judged from three aspects.
Preferably, in step 103, the multi-angle behavior analysis model includes a Mahalanobis-distance-based multi-angle behavior analysis model and an isolated-forest-based multi-angle behavior analysis model.
Preferably, in the multi-angle behavior analysis model based on mahalanobis distance, mahalanobis distances between the user behavior data currently acquired in real time and samples in the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library are respectively calculated to obtain the analysis conclusion value array including the abnormal probability value, the normal probability value and the suspicious probability value.
The Mahalanobis distance represents the covariance distance of the data. It is an effective method for computing the similarity between two unknown sample sets; in essence it uses the Cholesky transform to handle correlation between different dimensions and differences in measurement scale.
Assume the training set is a matrix T, that is, the samples in the standard sample library form a matrix T whose row vectors are records and whose column vectors are attributes. Its covariance matrix is denoted:
(equation image not reproduced on this page)
Using Cholesky decomposition, it can be written as the product of a lower triangular matrix and an upper triangular matrix:
(equation image not reproduced on this page)
The correlation between dimensions and the differences in their measurement scales can be eliminated by transforming the real-time user behavior record x as follows:
(equation image not reproduced on this page)
where
(equation image not reproduced on this page)
is the mean of the training set T.
For the real-time user behavior record x to be analyzed, the Euclidean distance is
(equation image not reproduced on this page)
and the corresponding Mahalanobis distance M after the transformation can be expressed as:
(equation image not reproduced on this page)
By computing the Mahalanobis distance between the current user behavior data and each existing sample library, the statistical characteristics of the Mahalanobis distances obtained against the different sets can be examined, which completes the detection of abnormality. That is, the Mahalanobis distances between the user behavior data collected in real time and the samples in the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library are calculated respectively, yielding the analysis conclusion value array including the abnormal probability value, the normal probability value and the suspicious probability value.
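The following Python, added here and not part of the patent, carries the Mahalanobis computation of the preceding paragraphs through on constructed two-attribute sample libraries: covariance of the library T, Cholesky factor L, transformation of the record x by forward substitution, Euclidean length of the result, and then the minimum-and-ratio reliability rule given in the summary (both ratios below the user's acceptable value). The library contents, the acceptable value and the helper names are assumptions.

```python
import math


def mean_vector(T):
    """Column means of the library T (rows are records, columns are attributes)."""
    n = len(T)
    return [sum(row[j] for row in T) / n for j in range(len(T[0]))]


def covariance(T):
    """Sample covariance matrix S of the library T."""
    n, d = len(T), len(T[0])
    mu = mean_vector(T)
    S = [[0.0] * d for _ in range(d)]
    for row in T:
        diff = [row[j] - mu[j] for j in range(d)]
        for i in range(d):
            for j in range(d):
                S[i][j] += diff[i] * diff[j] / (n - 1)
    return S


def cholesky(S):
    """Lower-triangular L with S = L * L^T (the page's lower x upper factorization)."""
    d = len(S)
    L = [[0.0] * d for _ in range(d)]
    for i in range(d):
        for j in range(i + 1):
            s = S[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            if i == j:
                if s <= 0.0:
                    raise ValueError("covariance not positive definite: too few samples or a redundant attribute")
                L[i][i] = math.sqrt(s)
            else:
                L[i][j] = s / L[j][j]
    return L


def whiten(x, L, mu):
    """Solve L z = x - mu by forward substitution. In z the library's attributes are
    uncorrelated with unit variance, which removes both the correlation between
    dimensions and their differences of measurement scale."""
    d = len(mu)
    z = [0.0] * d
    for i in range(d):
        z[i] = (x[i] - mu[i] - sum(L[i][k] * z[k] for k in range(i))) / L[i][i]
    return z


def mahalanobis(x, T):
    """Mahalanobis distance of record x from library T: the Euclidean length of the
    whitened record, i.e. sqrt((x - mu)^T S^-1 (x - mu)) with S = L L^T."""
    z = whiten(x, cholesky(covariance(T)), mean_vector(T))
    return math.sqrt(sum(v * v for v in z))


def analyze(x, libraries, acceptable):
    """Page's Mahalanobis rule: the three distances form the conclusion array, the
    smallest names the closest library, and the result is reliable only when the
    ratios of that minimum to the other two distances are both below the user's
    acceptable value; otherwise the window is adjusted and the record retested."""
    values = {name: mahalanobis(x, lib) for name, lib in libraries.items()}
    closest = min(values, key=values.get)
    ratios = [values[closest] / values[n] if values[n] > 0 else float("inf")
              for n in values if n != closest]
    reliable = all(r < acceptable for r in ratios)
    return {"values": values, "ratios": ratios, "reliable": reliable,
            "verdict": closest if reliable else "retest"}


# Constructed libraries of two-attribute records (say, mouse clicks and key presses
# per window): the same seven offsets around three different centres.
OFFSETS = [(0, 0), (1, 0), (0, 1), (-1, 0), (0, -1), (2, 1), (-2, -1)]


def library(cx, cy):
    return [(cx + dx, cy + dy) for dx, dy in OFFSETS]


LIBRARIES = {"normal": library(10, 2), "malicious": library(1, 9), "suspicious": library(5, 5)}

if __name__ == "__main__":
    for x in [(10.5, 2.5), (7.5, 3.5), (1.5, 9.5)]:
        print(x, analyze(x, LIBRARIES, acceptable=0.2))
```

The record (7.5, 3.5) lies exactly halfway between the normal and suspicious centres, so its two smallest distances are equal, the ratio is 1 and the rule returns "retest" rather than guessing; that is the case in which the patent adjusts the window and collects more data.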
Preferably, in the multi-angle behavior analysis model based on the isolated Forest (iForest), a malicious behavior Forest, a normal behavior Forest and a suspicious behavior Forest are respectively constructed through a standard malicious user behavior sample library, a standard normal user behavior sample library and a suspicious user behavior sample library, and average path distances from root nodes to leaf nodes where the user behavior data are located in the malicious behavior Forest, the normal behavior Forest and the suspicious behavior Forest of the user behavior data collected in real time at present are respectively calculated, and the analysis conclusion value array including the abnormal probability value, the normal probability value and the suspicious probability value is obtained based on the average path distances.
Regarding the isolated forest algorithm, generally speaking, the behaviors of abnormal users are rare, most of the behaviors should be operations of normal users, and the abnormal behavior pattern should be significantly different from the normal behavior pattern, that is, in the super-dimensional space formed by a plurality of sample points, normal data points should be significantly distinguished from abnormal data points in terms of position relation, for example, all normal data points are gathered together, and abnormal data points are scattered around the normal data points. The isolated forest algorithm utilizes the two characteristics, and the core concept can be described as follows in popular language: the method comprises the steps of cutting a super-dimensional space in which a plurality of sample points are located by constructing a plurality of super-dimensional planes, so that all the sample points are separated by the super-dimensional planes, namely, no two sample points are located in the same space, and for abnormal sample points, the abnormal sample points can be separated by the super-dimensional planes easily and quickly due to the fact that the abnormal sample points are scattered around normal sample points and have obvious difference in position relation with the normal sample points, and the normal sample points which are gathered together need to be separated by the super-dimensional planes for multiple times to be separated one by one.
In the concrete algorithm, the isolated forest builds a series of random binary trees over the dimensions of the samples in the sample set. Each node of such a tree is either an internal node with exactly two children or a leaf node; a node with a single child does not occur. At each internal node a value is drawn at random from the value range of a randomly chosen dimension, the data in that range is divided into two branches by the drawn value, and each branch is then divided again in the same way. This repeats until the tree reaches its height limit or a node can no longer be divided (it holds a single point, or all its points share the same value). Because abnormal points are rare and are quickly partitioned into their own leaf nodes, whether a record is abnormal can be judged quickly from the length of the path from the root node to its leaf node. To reduce computation, the random trees are grown only to a bounded height approximately equal to the average path length, because a point whose path already exceeds the average path length can be considered free of anomaly and need not be isolated further.
For n samples, let h(x) denote the path length of a sample x, and let the average path length c(n) be:
c(n) = 2H(n − 1) − 2(n − 1)/n
where H(i) is the harmonic number, which can be estimated as ln(i) + Euler's constant (0.5772156649).
To normalize the path length, let s(x, n) be the anomaly index:
s(x, n) = 2^(−E(h(x)) / c(n))
where E(h(x)) is the expected path length of the given sample over the trees of the forest, so s(x, n) is that sample's path length normalized by c(n). When s(x, n) approaches 1 the sample is abnormal; when s(x, n) is far below 0.5 it is normal; and when all samples score near 0.5 there is no obvious anomaly among them.
In this embodiment, a malicious behavior forest, a normal behavior forest and a suspicious behavior forest are constructed from the three sample libraries, namely the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library. The user behavior data currently acquired in real time is then passed through each forest, the average path length from the root node to the leaf node in which the data lands is calculated for each of the three forests, and the analysis conclusion value array comprising the abnormal probability value, the normal probability value and the suspicious probability value is obtained from the three average path lengths.
With the multi-angle analysis of this embodiment, the similarity of the data under test to standard normal behavior, standard abnormal behavior and standard suspicious behavior is calculated separately, which is more accurate than judging from a single angle as in the prior art. For example, normal user behavior data should exhibit characteristics similar to the samples in the standard normal user behavior sample library but opposite to those in the standard malicious user behavior sample library: in the normal behavior forest it is ordinary data that is hard to isolate and therefore has a long path length, whereas in the malicious behavior forest it is anomalous data that is easy to isolate and therefore has a short path length. The same holds, with the roles exchanged, for user behavior data of the other two kinds.
The isolated forest detection method is suited to large data volumes, has a low false alarm rate, and gives a credible result for the data set as a whole. The algorithm runs in linear time with low storage overhead, handles high-dimensional and massive data, and still behaves well on a data set that contains no anomalies.
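The following is an added example, not code from the patent or its assignee, that implements in plain Python the isolated forest algorithm described above and the three-forest multi-angle model built on it: random trees grown to the height limit, the path length h(x) credited with c(size) at a leaf that was left unsplit, c(n) with the ln(i) + Euler's constant approximation of H(i) given on the page, and the anomaly index s(x, n) = 2^(−E(h(x))/c(n)) from Liu, Ting and Zhou's original iForest paper. One forest is then fitted per sample library and each forest's score is turned into a similarity as 1 − s(x, n); that mapping, the library names, the two-feature Gaussian clusters and the seeded sample data are all assumptions made for this example.

```python
import math
import random

EULER_GAMMA = 0.5772156649


def harmonic(i):
    # H(i) approximated as ln(i) + Euler's constant, as the page states
    return math.log(i) + EULER_GAMMA


def c(n):
    # c(n) = 2H(n - 1) - 2(n - 1)/n: average path length of an unsuccessful
    # binary-search-tree search over n points; it normalises h(x) and also
    # credits a leaf that still held n points when the height limit was hit
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0  # exact value; the ln approximation is poor for tiny n
    return 2.0 * harmonic(n - 1) - 2.0 * (n - 1) / n


def build_tree(points, depth, height_limit, rng):
    """Random binary tree: choose a dimension, split at a random value inside its
    range, recurse until a node holds at most one point or the height limit is hit."""
    n = len(points)
    if n <= 1 or depth >= height_limit:
        return ("leaf", n)
    dim = rng.randrange(len(points[0]))
    lo = min(p[dim] for p in points)
    hi = max(p[dim] for p in points)
    if lo == hi:
        return ("leaf", n)  # every point shares this value: cannot divide further
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[dim] < split]
    right = [p for p in points if p[dim] >= split]
    return ("node", dim, split,
            build_tree(left, depth + 1, height_limit, rng),
            build_tree(right, depth + 1, height_limit, rng))


def path_length(tree, x, depth=0):
    # h(x): edges from the root to the leaf holding x, plus c(size) when that
    # leaf still contained several points at the height limit
    if tree[0] == "leaf":
        return depth + c(tree[1])
    _, dim, split, left, right = tree
    return path_length(left if x[dim] < split else right, x, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees = []

    def fit(self, data):
        rng = random.Random(self.seed)
        self.sample_size = min(self.sample_size, len(data))  # capped at the data size
        height_limit = math.ceil(math.log2(self.sample_size))
        self.trees = [build_tree(rng.sample(data, self.sample_size), 0, height_limit, rng)
                      for _ in range(self.n_trees)]
        return self

    def avg_path_length(self, x):
        # E(h(x)): mean path length of x over all trees of the forest
        return sum(path_length(t, x) for t in self.trees) / len(self.trees)

    def score(self, x):
        # s(x, n) = 2^(-E(h(x)) / c(n)): close to 1 means anomalous,
        # well below 0.5 means normal, everything near 0.5 means no clear anomaly
        return 2.0 ** (-self.avg_path_length(x) / c(self.sample_size))


# order of the analysis conclusion value array on the page: abnormal, normal, suspicious
LIBRARIES = ("malicious", "normal", "suspicious")


class MultiAngleForests:
    """One forest per sample library. Similarity to a library is taken here as
    1 - s(x, n): a long path in that forest means x is hard to isolate from the
    library's samples, i.e. it resembles them. The page only says the probability
    values are derived from the average path lengths; this mapping is an assumption."""

    def __init__(self, libraries, seed=0):
        self.forests = {name: IsolationForest(seed=seed).fit(libraries[name])
                        for name in LIBRARIES}

    def conclusion_array(self, x):
        return [1.0 - self.forests[name].score(x) for name in LIBRARIES]


def demo(seed=7):
    # constructed data: two hypothetical behavior features per sliding window,
    # one Gaussian cluster per library, plus one far-off point as an outlier
    rng = random.Random(seed)

    def cluster(cx, cy, n=200):
        return [(cx + rng.gauss(0, 1), cy + rng.gauss(0, 1)) for _ in range(n)]

    normal = cluster(0, 0)
    outlier = (10.0, 10.0)
    centre = min(normal, key=lambda p: p[0] ** 2 + p[1] ** 2)  # deep inside the cluster
    single = IsolationForest(seed=seed).fit(normal + [outlier])
    multi = MultiAngleForests({"malicious": cluster(10, 10), "normal": normal,
                               "suspicious": cluster(5, 5)}, seed=seed)
    return {"inlier_score": single.score(centre),
            "outlier_score": single.score(outlier),
            "normal_sample_array": multi.conclusion_array(centre)}


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the two behaviours the text relies on: in a single forest the far-off point scores close to 1 while a point deep in the cluster scores well below 0.6, and for a normal sample the multi-angle array is highest in the normal position and low in the malicious and suspicious positions, because the normal forest needs many cuts to isolate it while the other two forests isolate it in a handful.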
Step 104, inputting the collected user behavior data into the constructed multi-angle behavior analysis model to obtain an analysis conclusion value array;
preferably, in step 104, the analysis conclusion value array includes an abnormal probability value, a normal probability value and a suspicious probability value, where the abnormal probability value represents a similarity between the current real-time acquired user behavior data and samples in the standard malicious user behavior sample library, the normal probability value represents a similarity between the current real-time acquired user behavior data and samples in the standard normal user behavior sample library, and the suspicious probability value represents a similarity between the current real-time acquired user behavior data and samples in the suspicious user behavior sample library;
In this step the user behavior data is input into the multi-angle behavior analysis model. As described above, either analysis model yields a result in the form of an array of three elements whose values indicate, respectively, how similar the behavior data is to standard malicious user behavior, standard normal user behavior and suspicious user behavior. For example, on a 0 to 1 similarity scale a piece of normal user behavior data should show a value close to standard normal user behavior, say above 0.75, and values far from standard malicious user behavior and suspicious user behavior, say below 0.25.
Step 105, calculating an analysis reliability value from the analysis conclusion value array, comparing it with an acceptable reliability value preset by the user and, according to the comparison result, either executing feedback adjustment and retesting, which comprises feeding back an adjustment of the time sliding window parameters, reacquiring user behavior data and executing steps 101 to 104 again, or giving the analysis result for the user behavior data currently acquired in real time.
In this step the user presets an acceptable reliability value, which is in effect the threshold by which the user decides whether the current detection result is to be trusted. Depending on whether the analysis reliability value calculated from the analysis conclusion value array lies on the acceptable side of that threshold (greater than it for the isolated forest model, smaller for the Mahalanobis distance model, as set out below), the current result is treated as trustworthy and output directly, or as untrustworthy and retested.
In this step, if the multi-angle behavior analysis model based on the Mahalanobis distance is used, the smallest of the calculated abnormal, normal and suspicious probability values is selected (the smallest Mahalanobis distance marks the closest sample library), its ratio to each of the other two values is calculated, and the two ratios are taken as the analysis reliability value. Only when both ratios are smaller than the acceptable reliability value preset by the user is the analysis result deemed reliable and output; otherwise it is deemed unreliable and the feedback adjustment and retesting steps are executed. For example, if the calculated analysis conclusion value array is [0.20, 0.85, 0.90], the minimum 0.20 is selected and the ratios 0.20/0.85 ≈ 0.235 and 0.20/0.90 ≈ 0.222 form the analysis reliability value; both are compared with the acceptable reliability value preset by the user, say 0.25, and since both are smaller the detection result is deemed reliable and the analysis result is output; had either ratio been larger, the feedback adjustment and retesting steps would be executed.
In this step, if the multi-angle behavior analysis model based on the isolated forest is used, the largest of the calculated abnormal, normal and suspicious probability values is selected (the largest value marks the most similar sample library), its ratio to each of the other two values is calculated, and the two ratios are taken as the analysis reliability value. Only when both ratios are greater than the acceptable reliability value preset by the user is the analysis result deemed reliable and output; otherwise it is deemed unreliable and the feedback adjustment and retesting steps are executed.
Preferably, when the time sliding window parameters are feedback-adjusted in the feedback adjustment and retesting steps, at least one of the length of the time sliding window and the basic time interval of data acquisition is adjusted.
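As an added example, not the patent's own code, the following Python implements the reliability check of step 105 for both models together with the feedback loop of steps 101 to 105: the Mahalanobis distance of the acquired feature vector to each of the three sample libraries gives the conclusion array (smaller distance, closer library), the minimum-ratio rule or the maximum-ratio rule decides whether the verdict is reliable, and an unreliable verdict doubles the sliding window length and reacquires. The Gauss-Jordan inverse with a small ridge, the two-feature clusters, the reading stream, the window and interval values and the label names are assumptions made for this example; the isolated forest side of the rule is exercised on a constructed array, since this example does not build the forests.

```python
import math
import random

# order of the analysis conclusion value array on the page: abnormal, normal, suspicious
LABELS = ("malicious", "normal", "suspicious")


def mean_vec(rows):
    k = len(rows[0])
    return [sum(r[i] for r in rows) / len(rows) for i in range(k)]


def covariance(rows, mu):
    k, n = len(mu), len(rows)
    return [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
             for j in range(k)] for i in range(k)]


def invert(m, ridge=1e-6):
    # Gauss-Jordan inverse; the ridge keeps a near-singular covariance invertible
    k = len(m)
    a = [list(row) + [1.0 if i == j else 0.0 for j in range(k)] for i, row in enumerate(m)]
    for i in range(k):
        a[i][i] += ridge
    for col in range(k):
        piv = max(range(col, k), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(k):
            if r != col:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[k:] for row in a]


def mahalanobis(x, library):
    """Mahalanobis distance from x to a sample library (its mean and covariance);
    a smaller distance means x looks more like that library's samples."""
    mu = mean_vec(library)
    inv = invert(covariance(library, mu))
    d = [xi - mi for xi, mi in zip(x, mu)]
    k = len(d)
    return math.sqrt(sum(d[i] * inv[i][j] * d[j] for i in range(k) for j in range(k)))


def conclusion_array(x, libraries):
    return [mahalanobis(x, libraries[name]) for name in LABELS]


def reliability_ratios(values, model):
    """Mahalanobis model: smallest value (closest library) over each of the other two.
    Isolated forest model: largest value (most similar library) over each of the other two."""
    pivot = min(values) if model == "mahalanobis" else max(values)
    idx = values.index(pivot)
    return idx, [pivot / max(v, 1e-12) for i, v in enumerate(values) if i != idx]


def decide(values, model, acceptable):
    """Library the data is assigned to, or None when the verdict is unreliable:
    Mahalanobis needs both ratios below `acceptable`, isolated forest both above it."""
    idx, ratios = reliability_ratios(values, model)
    if model == "mahalanobis":
        ok = all(r < acceptable for r in ratios)
    else:
        ok = all(r > acceptable for r in ratios)
    return LABELS[idx] if ok else None


def detect_with_feedback(acquire, libraries, acceptable, window_len, interval, max_rounds=4):
    """Steps 101 to 105 as a loop: an unreliable verdict doubles the sliding window
    length (one of the two window parameters the page allows adjusting) and reacquires."""
    values = None
    for attempt in range(1, max_rounds + 1):
        x = acquire(window_len, interval)
        values = conclusion_array(x, libraries)
        label = decide(values, "mahalanobis", acceptable)
        if label is not None:
            return {"label": label, "values": values, "window_len": window_len, "attempts": attempt}
        window_len *= 2
    return {"label": None, "values": values, "window_len": window_len, "attempts": max_rounds}


# ---- constructed data for the example (not from the page) ----
def build_libraries(seed=1, per_class=60):
    # two hypothetical behavior features per window, one Gaussian cluster per library
    rng = random.Random(seed)
    centres = {"malicious": (10.0, 10.0), "normal": (0.0, 0.0), "suspicious": (5.0, 5.0)}
    return {name: [(cx + rng.gauss(0, 1), cy + rng.gauss(0, 1)) for _ in range(per_class)]
            for name, (cx, cy) in centres.items()}


# per-interval readings of one noisy user: the first reading alone is ambiguous,
# the average over two readings sits squarely on the malicious pattern
STREAM = [(7.0, 13.0), (13.0, 7.0), (8.0, 12.0), (12.0, 8.0), (9.0, 11.0), (11.0, 9.0)]


def acquire_from_stream(window_len, interval):
    n = max(1, window_len // interval)  # readings covered by the window
    return mean_vec(STREAM[:n])


def demo():
    return detect_with_feedback(acquire_from_stream, build_libraries(),
                                acceptable=0.25, window_len=2, interval=2)


if __name__ == "__main__":
    print(demo())
```

With the page's array [0.20, 0.85, 0.90] and an acceptable value of 0.25, `decide` returns "malicious"; with the first reading of the constructed stream the closest library is still malicious but the distance ratio against the suspicious library is around 0.5, so the loop lengthens the window, averages two readings and only then outputs a verdict.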
On the other hand, corresponding to the method proposed by the above-mentioned embodiment, referring to fig. 3, the present embodiment also proposes an abnormal behavior detection apparatus 300 based on user behavior analysis, wherein the apparatus 300 includes:
a parameter setting module 301, configured to set an initial time sliding window parameter for user behavior data acquisition;
the data acquisition module 302 is used for acquiring the user behavior data in real time based on the time sliding window parameter set by the parameter setting module and representing the user behavior data by a multidimensional array;
a behavior sample library construction module 303, configured to construct a standard user behavior sample library comprising a standard malicious user behavior sample library, a standard normal user behavior sample library and a suspicious user behavior sample library, wherein the standard malicious user behavior sample library stores a plurality of pieces of standard user behavior data representing user behavior that belongs to malicious behavior, the standard normal user behavior sample library stores a plurality of pieces of standard user behavior data representing user behavior that belongs to normal behavior, and the suspicious user behavior sample library stores a plurality of pieces of user behavior data representing user behavior that belongs to suspicious behavior;
a model construction module 304, configured to construct a multi-angle behavior analysis model from a standard user behavior sample library;
an analysis module 305, configured to input the collected user behavior data into the constructed multi-angle behavior analysis model to obtain an analysis conclusion value array;
and a result feedback module 306, configured to calculate an analysis reliability value from the analysis conclusion value array, compare it with an acceptable reliability value preset by the user and, according to the comparison result, either execute feedback adjustment and retesting, which comprises feeding back an adjustment of the time sliding window parameters, reacquiring user behavior data and running the reacquisition and analysis again through the parameter setting module, the data acquisition module, the behavior sample library construction module, the model construction module and the analysis module, or give the analysis result for the user behavior data currently acquired in real time.
Preferably, the time sliding window parameter set by the parameter setting module 301 includes a length of the time sliding window and an interval of the basic time element for data acquisition, and at least one of the length of the time sliding window and the interval of the basic time element for data acquisition may be adjusted when the time sliding window parameter is feedback-adjusted;
preferably, the analysis conclusion value array obtained by the analysis module 305 through analysis includes an abnormal probability value, a normal probability value and a suspicious probability value, where the abnormal probability value represents a similarity degree between the current real-time acquired user behavior data and a sample in the standard malicious user behavior sample library, the normal probability value represents a similarity degree between the current real-time acquired user behavior data and a sample in the standard normal user behavior sample library, and the suspicious probability value represents a similarity degree between the current real-time acquired user behavior data and a sample in the suspicious user behavior sample library;
preferably, the multi-angle behavior analysis model constructed by the model construction module 304 comprises a multi-angle behavior analysis model based on the Mahalanobis distance and a multi-angle behavior analysis model based on the isolated forest.
Preferably, in the multi-angle behavior analysis model based on mahalanobis distance, mahalanobis distances between the user behavior data currently acquired in real time and samples in the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library are respectively calculated to obtain the analysis conclusion value array including the abnormal probability value, the normal probability value and the suspicious probability value.
Preferably, the multi-angle behavior analysis model based on mahalanobis distance selects the minimum value of the abnormal probability value, the normal probability value and the suspicious probability value, calculates the ratio of the minimum value to the other two values respectively, and uses the two ratios as the analysis reliability value, only when the two ratios are both smaller than the acceptable reliability value preset by the user, the analysis result is determined to be reliable, and the analysis result is output, otherwise, the analysis result is determined to be unreliable, and the steps of feedback adjustment and retesting are executed.
Preferably, in the multi-angle behavior analysis model based on the isolated forest, a malicious behavior forest, a normal behavior forest and a suspicious behavior forest are constructed from the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library respectively; for the user behavior data currently acquired in real time, the average path length from the root node to the leaf node in which the data lands is calculated in each of the malicious, normal and suspicious behavior forests, and the analysis conclusion value array comprising the abnormal probability value, the normal probability value and the suspicious probability value is obtained from these average path lengths;
preferably, in the multi-angle behavior analysis model based on the isolated forest, the largest of the abnormal probability value, the normal probability value and the suspicious probability value is selected, its ratio to each of the other two values is calculated, and the two ratios are taken as the analysis reliability value; only when both ratios are greater than the acceptable reliability value preset by the user is the analysis result determined to be reliable and output, otherwise the analysis result is determined to be unreliable and the feedback adjustment and retesting steps are executed.
The method collects user behavior data in real time through a feedback-adjustable sliding time window, constructs a multi-angle behavior library and a multi-angle behavior analysis model, and analyzes the user's behavior data from multiple angles, obtaining an all-round analysis and an accurate judgment; it improves detection accuracy while keeping the computational complexity needed to reach an analysis result as small as possible.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. An abnormal behavior detection method based on user behavior analysis, characterized by comprising the following steps:
firstly, setting initial time sliding window parameters for acquiring user behavior data, acquiring the user behavior data in real time based on the set time sliding window parameters, and representing the user behavior data through a multidimensional array;
secondly, constructing a standard user behavior sample library which comprises a standard malicious user behavior sample library, a standard normal user behavior sample library and a suspicious user behavior sample library, wherein the standard malicious user behavior sample library stores a plurality of pieces of standard user behavior data representing user behavior that belongs to malicious behavior, the standard normal user behavior sample library stores a plurality of pieces of standard user behavior data representing user behavior that belongs to normal behavior, and the suspicious user behavior sample library stores a plurality of pieces of user behavior data representing user behavior that belongs to suspicious behavior;
thirdly, constructing a multi-angle behavior analysis model by using a standard user behavior sample library;
fourthly, inputting the collected user behavior data into the constructed multi-angle behavior analysis model to obtain an analysis conclusion value array;
fifthly, calculating to obtain an analysis credibility value based on the analysis conclusion value array, comparing the analysis credibility value with an acceptable credibility value preset by a user to obtain a comparison result, and selecting to execute the steps of feedback adjustment and retest when the comparison result shows that the analysis is not credible, wherein the steps comprise feeding back and adjusting time sliding window parameters to reacquire user behavior data, executing the steps from one step to the fourth step again, and when the comparison result shows that the analysis is credible, giving an analysis result of the user behavior data acquired in real time currently according to the comparison result;
the multi-angle behavior analysis model comprises a multi-angle behavior analysis model based on the Mahalanobis distance and a multi-angle behavior analysis model based on an isolated forest; in the multi-angle behavior analysis model based on the Mahalanobis distance, the Mahalanobis distance between the user behavior data collected in real time at present and the samples in the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library is respectively calculated to obtain an analysis conclusion value array comprising the abnormal probability value, the normal probability value and the suspicious probability value;
selecting the minimum one of the abnormal probability value, the normal probability value and the suspicious probability value in the multi-angle behavior analysis model based on the Mahalanobis distance, respectively calculating the ratio of the minimum value to the other two values, taking the two ratios as an analysis credibility value, and determining that the analysis result is credible only when both ratios are smaller than an acceptable credibility value preset by a user; otherwise, determining that the analysis result is not credible;
respectively constructing a malicious behavior forest, a normal behavior forest and a suspicious behavior forest through the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library in the multi-angle behavior analysis model based on the isolated forest, respectively calculating, for the user behavior data acquired in real time, the average path distance from the root node to the leaf node where the user behavior data is located in the malicious behavior forest, the normal behavior forest and the suspicious behavior forest, and acquiring an analysis conclusion value array comprising an abnormal probability value, a normal probability value and a suspicious probability value based on the average path distances; selecting the maximum one of the abnormal probability value, the normal probability value and the suspicious probability value in the multi-angle behavior analysis model based on the isolated forest, respectively calculating the ratio of the maximum value to the other two values, taking the two ratios as an analysis credibility value, and determining that the analysis result is credible only when both ratios are greater than an acceptable credibility value preset by a user; otherwise, determining that the analysis result is not credible.
2. The abnormal behavior detection method based on user behavior analysis according to claim 1, characterized in that: the time sliding window parameter includes the length of the time sliding window and the interval of the basic time element of data acquisition, and at least one of the length of the time sliding window and the interval of the basic time element of data acquisition can be adjusted when the time sliding window parameter is fed back and adjusted.
3. The abnormal behavior detection method based on user behavior analysis according to claim 1, characterized in that: the analysis conclusion value array comprises an abnormal probability value, a normal probability value and a suspicious probability value, wherein the abnormal probability value represents the similarity degree between the user behavior data acquired in real time currently and the samples in the standard malicious user behavior sample library, the normal probability value represents the similarity degree between the user behavior data acquired in real time currently and the samples in the standard normal user behavior sample library, and the suspicious probability value represents the similarity degree between the user behavior data acquired in real time currently and the samples in the suspicious user behavior sample library.
4. An abnormal behavior detection apparatus based on user behavior analysis, the apparatus comprising:
the parameter setting module is used for setting initial time sliding window parameters for user behavior data acquisition;
the data acquisition module is used for acquiring the user behavior data in real time based on the time sliding window parameter set by the parameter setting module and expressing the user behavior data through a multidimensional array;
the behavior sample library construction module is used for constructing a standard user behavior sample library, which comprises a standard malicious user behavior sample library, a standard normal user behavior sample library and a suspicious user behavior sample library, wherein the standard malicious user behavior sample library stores a plurality of pieces of standard user behavior data representing user behavior that belongs to malicious behavior, the standard normal user behavior sample library stores a plurality of pieces of standard user behavior data representing user behavior that belongs to normal behavior, and the suspicious user behavior sample library stores a plurality of pieces of user behavior data representing user behavior that belongs to suspicious behavior;
the model construction module is used for constructing a multi-angle behavior analysis model by using a standard user behavior sample library;
the analysis module is used for inputting the collected user behavior data into the constructed multi-angle behavior analysis model to obtain an analysis conclusion value array;
the result feedback module is used for calculating to obtain an analysis credibility value based on the analysis conclusion value array, comparing the analysis credibility value with an acceptable credibility value preset by a user to obtain a comparison result, and selecting to execute the steps of feedback adjustment and retest when the comparison result shows that the analysis is not credible, wherein the steps comprise the steps of feeding back and adjusting time sliding window parameters to reacquire user behavior data, and executing reacquiring data and analyzing by the parameter setting module, the data acquisition module, the behavior sample library construction module, the model construction module and the analysis module; when the comparison result shows that the analysis is credible, the analysis result of the user behavior data collected in real time at present is given according to the comparison result; the time sliding window parameter set by the parameter setting module comprises the length of the time sliding window and the interval of the basic time element of data collection, and at least one of the length of the time sliding window and the interval of the basic time element of data collection can be adjusted when the time sliding window parameter is fed back and adjusted; the analysis conclusion value array obtained by the analysis module through analysis comprises an abnormal probability value, a normal probability value and a suspicious probability value, wherein the abnormal probability value represents the similarity degree between the user behavior data acquired in real time currently and the samples in the standard malicious user behavior sample library, the normal probability value represents the similarity degree between the user behavior data acquired in real time currently and the samples in the standard normal user behavior sample library, and the suspicious probability value represents the similarity degree between the user behavior data acquired in real time currently and the samples in the suspicious user behavior sample library.
5. The abnormal behavior detection apparatus based on user behavior analysis according to claim 4, wherein: the multi-angle behavior analysis model constructed by the model construction module comprises a multi-angle behavior analysis model based on the Mahalanobis distance and a multi-angle behavior analysis model based on an isolated forest; in the multi-angle behavior analysis model based on the Mahalanobis distance, the Mahalanobis distance between the user behavior data collected in real time at present and the samples in the standard malicious user behavior sample library, the standard normal user behavior sample library and the suspicious user behavior sample library is respectively calculated to obtain an analysis conclusion value array comprising the abnormal probability value, the normal probability value and the suspicious probability value; the minimum one of the abnormal probability value, the normal probability value and the suspicious probability value is selected in the multi-angle behavior analysis model based on the Mahalanobis distance, the ratio of the minimum value to the other two values is respectively calculated, the two ratios are taken as an analysis credibility value, and the analysis result is determined to be credible only when both ratios are smaller than an acceptable credibility value preset by a user; otherwise, the analysis result is determined to be not credible.
6. The abnormal behavior detection apparatus based on user behavior analysis according to claim 5, wherein: in the multi-angle behavior analysis model based on the isolated forest, a malicious behavior forest, a normal behavior forest and a suspicious behavior forest are respectively constructed through a standard malicious user behavior sample library, a standard normal user behavior sample library and a suspicious user behavior sample library, the average path distances from root nodes of user behavior data collected in real time to leaf nodes where the user behavior data are located in the malicious behavior forest, the normal behavior forest and the suspicious behavior forest are respectively calculated, and an analysis conclusion value array comprising an abnormal probability value, a normal probability value and a suspicious probability value is obtained based on the average path distances.
7. The abnormal behavior detection apparatus based on user behavior analysis according to claim 6, wherein: the maximum one of the abnormal probability value, the normal probability value and the suspicious probability value is selected in the multi-angle behavior analysis model based on the isolated forest, the ratio of the maximum value to the other two values is respectively calculated, the two ratios are taken as an analysis credibility value, and the analysis result is determined to be credible only when both ratios are greater than an acceptable credibility value preset by a user; otherwise, the analysis result is determined to be not credible.
CN201710448328.3A 2017-06-14 2017-06-14 Abnormal behavior detection method based on user behavior analysis Active CN107196953B (en)

Publications (2)

Publication Number Publication Date
CN107196953A CN107196953A (en) 2017-09-22
CN107196953B true CN107196953B (en) 2020-05-08

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109561052B (en) * 2017-09-26 2022-01-28 北京国双科技有限公司 Method and device for detecting abnormal flow of website
CN107992741B (en) * 2017-10-24 2020-08-28 阿里巴巴集团控股有限公司 Model training method, URL detection method and device
CN108156141B (en) * 2017-12-14 2021-08-27 北京奇艺世纪科技有限公司 Real-time data identification method and device and electronic equipment
CN108400972A (en) * 2018-01-30 2018-08-14 北京兰云科技有限公司 Anomaly detection method and device
CN108376254A (en) * 2018-03-21 2018-08-07 北京理工大学 Insider threat personnel detection method fusing multi-source features
CN110392013A (en) * 2018-04-17 2019-10-29 深圳先进技术研究院 Malware identification method, system and electronic device based on network traffic classification
CN108776683B (en) * 2018-06-01 2022-01-21 广东电网有限责任公司 Electric power operation and maintenance data cleaning method based on isolation forest algorithm and neural network
CN108985632A (en) * 2018-07-16 2018-12-11 国网上海市电力公司 Electricity consumption data anomaly detection model based on isolation forest algorithm
CN109145595A (en) * 2018-07-31 2019-01-04 顺丰科技有限公司 User abnormal behavior detection system, method, device and storage medium
WO2020088739A1 (en) * 2018-10-29 2020-05-07 Hexagon Technology Center Gmbh Facility surveillance systems and methods
CN109509327B (en) * 2018-10-31 2020-11-24 武汉烽火众智数字技术有限责任公司 Abnormal behavior early warning method and device
CN110009174B (en) * 2018-12-13 2020-11-06 创新先进技术有限公司 Risk recognition model training method and device and server
CN110244099A (en) * 2019-06-24 2019-09-17 河南工业大学 Electricity theft detection method based on user voltage
CN112131320A (en) * 2019-06-25 2020-12-25 杭州海康威视数字技术股份有限公司 Abnormal data detection method and device and storage medium
CN111753527A (en) * 2020-06-29 2020-10-09 平安科技(深圳)有限公司 Data analysis method and device based on natural language processing and computer equipment
CN111861699B (en) * 2020-07-02 2021-06-22 北京睿知图远科技有限公司 Anti-fraud index generation method based on operator data
CN113095563A (en) * 2021-04-07 2021-07-09 全球能源互联网研究院有限公司 Method and device for reviewing prediction result of artificial intelligence model
CN113535050B (en) * 2021-09-16 2021-12-07 深圳市至简科技设计有限公司 Multi-interface display method, system and equipment based on interface linkage
CN115616341B (en) * 2022-09-29 2023-06-13 众芯汉创(北京)科技有限公司 Operation and maintenance monitoring system for remotely and automatically searching power cable line based on Internet of things

Citations (5)

Publication number Priority date Publication date Assignee Title
CN103208091A (en) * 2013-04-25 2013-07-17 国家电网公司 Electricity theft prevention method based on data mining of electric load management system
CN103439933A (en) * 2013-08-13 2013-12-11 清华大学 System and method for adaptive monitoring of production processes using OCSVM
US9218527B2 (en) * 2011-09-29 2015-12-22 Hewlett-Packard Development Company, L.P. Anomaly detection in streaming data
CN106657160A (en) * 2017-02-28 2017-05-10 南开大学 Reliability-based network malicious behavior detection method for large traffic volumes
CN106850658A (en) * 2017-02-28 2017-06-13 南开大学 Network malicious behavior detection method based on real-time online learning

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US9038172B2 (en) * 2011-05-06 2015-05-19 The Penn State Research Foundation Robust anomaly detection and regularized domain adaptation of classifiers with application to internet packet-flows


Non-Patent Citations (1)

Title
An Anomaly Detection Approach Based on Isolation Forest Algorithm for Streaming Data using Sliding Window; Zhiguo Ding; 3rd IFAC International Conference on Intelligent Control; 2013-09-04; full text *

Also Published As

Publication number Publication date
CN107196953A (en) 2017-09-22

Similar Documents

Publication Publication Date Title
CN107196953B (en) Abnormal behavior detection method based on user behavior analysis
CN107992746B (en) Malicious behavior mining method and device
WO2021189730A1 (en) Method, apparatus and device for detecting abnormal dense subgraph, and storage medium
McFee et al. Analyzing Song Structure with Spectral Clustering.
CN111833172A (en) Consumption credit fraud detection method and system based on isolation forest
CN111027069B (en) Malicious software family detection method, storage medium and computing device
Hammer et al. A seismic‐event spotting system for volcano fast‐response systems
CN111314329B (en) Traffic intrusion detection system and method
CN112434208A (en) Isolation forest training method, web crawler identification method using the isolation forest, and related device
CN109447180A (en) Telecommunication fraud victim discovery method based on big data and machine learning
CN113297578B (en) Information perception method and information security system based on big data and artificial intelligence
CN109450671B (en) Log multi-combination alarm classification method and system
CN112311803B (en) Rule base updating method and device, electronic equipment and readable storage medium
US11533373B2 (en) Global iterative clustering algorithm to model entities' behaviors and detect anomalies
Megantara et al. Feature importance ranking for increasing performance of intrusion detection system
CN113965390A (en) Malicious encrypted traffic detection method, system and related device
Reif et al. Anomaly detection by combining decision trees and parametric densities
Vázquez et al. Anomaly detection in streaming data: A comparison and evaluation study
CN112257076B (en) Vulnerability detection method based on random detection algorithm and information aggregation
CN107832611B (en) Zombie program detection and classification method combining dynamic and static characteristics
CN111583963B (en) Repeated audio detection method, device, equipment and storage medium
CN111797395A (en) Malicious code visualization and variety detection method, device, equipment and storage medium
CN109376531B (en) Web intrusion detection method based on semantic recoding and feature space separation
CN115879028A (en) Real-time anomaly detection method and device based on isolation forest dynamic training, electronic equipment and storage medium
CN111507368B (en) Campus network intrusion detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20171013

Address after: 200030 No. 332 clear water road, Shanghai, Minhang District

Applicant after: Shi Yong

Applicant after: Liu Ning

Applicant after: Fu Yewen

Applicant after: He Xiang

Address before: 200030 2 building 203, 168 lane, Hongqiao Road, Shanghai, Xuhui District

Applicant before: Shanghai Ding Niu Mdt InfoTech Ltd

TA01 Transfer of patent application right

Effective date of registration: 20180625

Address after: 200120 Shanghai 3 free trade trial area 1 3 of Fang Chun Road No. 1

Applicant after: Shanghai leading Mdt InfoTech Ltd

Address before: No. 332, Shui Qing Road, Minhang District, Shanghai

Applicant before: Shi Yong

Applicant before: Liu Ning

Applicant before: Fu Yewen

Applicant before: He Xiang

GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 200120 Shanghai City, Pudong New Area free trade zone fanchun Road No. 400 Building 1 layer 3

Patentee after: Shanghai leading Mdt InfoTech Ltd.

Address before: 200120 Shanghai 3 free trade trial area 1 3 of Fang Chun Road No. 1

Patentee before: Shanghai leading Mdt InfoTech Ltd.