CN108055281B - Account abnormity detection method, device, server and storage medium - Google Patents

Account abnormity detection method, device, server and storage medium

Publication number
CN108055281B
Authority
CN
China
Prior art keywords
behavior
account
abnormal
preset
stolen
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711450524.0A
Other languages
Chinese (zh)
Other versions
CN108055281A (en
Inventor
何建旺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201711450524.0A priority Critical patent/CN108055281B/en
Publication of CN108055281A publication Critical patent/CN108055281A/en
Application granted granted Critical
Publication of CN108055281B publication Critical patent/CN108055281B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The embodiment of the invention discloses an account abnormity detection method, an account abnormity detection device, a server and a storage medium, wherein the method comprises the following steps: mining the behavior data of all stolen accounts by using an association rule algorithm, and determining an abnormal behavior sequence according to a frequent item set obtained by mining; acquiring a behavior combination of a current account under a preset condition; and obtaining an abnormal detection result according to the proportion of the abnormal behavior sequence hit by the behavior combination. According to the embodiment of the invention, the behavior of the stolen account is automatically mined by using the association rule algorithm to obtain the abnormal behavior sequence, and the account abnormality detection is carried out according to the proportion of hitting the abnormal behavior sequence in the account behavior combination, so that the problems of large workload and low accuracy caused by manually marking the abnormal behavior according to experience are solved, the account safety risk can be predicted without manually marking the abnormal behavior according to experience, the labor cost is reduced, and the accuracy is high.

Description

Account abnormity detection method, device, server and storage medium
Technical Field
The embodiment of the invention relates to an account anomaly detection technology, in particular to an account anomaly detection method, an account anomaly detection device, a server and a storage medium.
Background
With the development of network information, a user can have many accounts, covering areas such as social contact, financial management and life management. Once an account is stolen, the user is inconvenienced and may even suffer economic loss. Anomaly detection and early warning for accounts are therefore problems that deserve attention.
At present, the danger coefficient of a certain behavior of a user account is marked manually according to experience, and the abnormal behavior of the account is detected based on marked information, so that the workload is large and the accuracy is low.
Disclosure of Invention
The embodiment of the invention provides an account abnormity detection method, an account abnormity detection device, a server and a storage medium, which can predict the safety risk of an account without manually marking abnormal behaviors according to experience, remind a user, effectively inhibit the account from being stolen, improve the safety degree of the account, reduce the labor cost and have high accuracy.
In a first aspect, an embodiment of the present invention provides an account anomaly detection method, including:
mining the behavior data of all stolen accounts by using an association rule algorithm, and determining an abnormal behavior sequence according to a frequent item set obtained by mining;
acquiring a behavior combination of a current account under a preset condition;
and obtaining an abnormal detection result according to the proportion of the abnormal behavior sequence hit by the behavior combination.
In a second aspect, an embodiment of the present invention further provides an account anomaly detection apparatus, including:
the data mining module is used for mining the behavior data of all stolen accounts by using an association rule algorithm and determining an abnormal behavior sequence according to a frequent item set obtained by mining;
the behavior acquisition module is used for acquiring a behavior combination of the current account under a preset condition;
and the anomaly detection module is used for obtaining an anomaly detection result according to the proportion of the behavior combination hitting the abnormal behavior sequence.
In a third aspect, an embodiment of the present invention further provides a server, where the server includes:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the account anomaly detection method described in any embodiment of the invention.
In a fourth aspect, the embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the account abnormality detection method according to any embodiment of the present invention.
According to the technical scheme of the embodiment of the invention, the behavior of the stolen account is automatically mined by using the association rule algorithm to obtain the abnormal behavior sequence, the behavior combination of the account under the preset condition is obtained, and the account abnormality detection is carried out according to the proportion of hitting the abnormal behavior sequence in the behavior combination, so that the problems of large workload and low accuracy caused by manually marking the abnormal behavior according to experience are solved, the safety risk of the account can be predicted without manually marking the abnormal behavior according to the experience, the user is reminded, the account is effectively inhibited from being stolen, the safety degree of the account is improved, the labor cost is reduced, and the accuracy is high.
Drawings
Fig. 1 is a flowchart of an account anomaly detection method according to an embodiment of the present invention;
Fig. 2 is a flowchart of an account anomaly detection method according to a second embodiment of the present invention;
Fig. 3 is a flowchart of an account anomaly detection method according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an account abnormality detection apparatus according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a server according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of an account anomaly detection method according to an embodiment of the present invention, which is applicable to detecting whether an account has an anomalous behavior, where the method may be executed by an account anomaly detection apparatus, and the apparatus may be implemented by software and/or hardware, and may generally be integrated in a server. As shown in fig. 1, the method specifically includes:
S110, mining the behavior data of all stolen accounts by using an association rule algorithm, and determining an abnormal behavior sequence according to a frequent item set obtained by mining.
The behavior of the stolen account can reflect operations performed by lawless persons after stealing the account, such as password modification, false advertisement release, fraud information release and the like. The stolen account can be determined through complaints of users, then mining is carried out on the basis of the behavior data of the stolen account, and an abnormal behavior sequence is determined to be used as a basis for abnormal detection. The manual labeling method cannot cope with new abnormal behaviors, and the new abnormal behaviors can be labeled only after the account is really stolen.
A frequent item set is a combination that occurs frequently. In this embodiment a frequent item set includes at least one behavior; for example, {I1, I2} is a frequent 2-item set, where I1 and I2 represent different behaviors. An association rule algorithm mines associations among item sets in data and is mainly applied to the analysis of customer transaction data. It is a recursive algorithm based on the idea of two-stage frequent sets, with the following steps: find all frequent item sets, then generate from them the strong association rules that satisfy a minimum confidence. In this embodiment, frequent item sets are mined with an association rule algorithm to determine the abnormal behavior sequence.
S120, acquiring a behavior combination of the current account under a preset condition.
The behavior combination of the current account is obtained and compared with the abnormal behavior sequence to determine whether the current account is abnormal and to what degree. The preset condition is the condition under which the behavior combination is collected, and it is set according to the behavior characteristics of stolen accounts. For example, if the characteristic behavior of a stolen account before the theft is confirmed is a continuous series of operations such as login, password modification and false advertisement submission, the preset condition can be set to collect the series of operations performed between the account's login and logout. As another example, if a lawbreaker learns the preset condition and counters it by performing only one operation per login over multiple logins, the preset condition can be changed to collect the behavior combination performed by the account over multiple logins (for example, 3 logins), so as to cope with the new abnormal behavior. It should be noted that the preset condition can be changed at any time to cope with new abnormal behavior, which improves the accuracy of anomaly detection.
S130, obtaining an abnormal detection result according to the ratio of the abnormal behavior sequence hit by the behavior combination.
Different hit ratios, compared against preset thresholds, determine different degrees of abnormality and the corresponding exception-handling operations. For example, if all behaviors in a behavior combination belong to an abnormal behavior sequence, that is, a full hit, the account can be determined to be abnormal and the corresponding operation executed, such as forcing the account to log out, so that user loss is avoided. The abnormal behavior sequence may include a plurality of frequent item sets. In that case the behavior combination is compared with each frequent item set in the abnormal behavior sequence to determine a hit ratio for each, a final hit ratio is chosen from these according to a preset policy (for example, the highest hit ratio is used as the final hit ratio), and the account abnormality detection result is then determined from the final hit ratio.
According to the technical scheme, the behavior of the stolen account is automatically mined by using the association rule algorithm to obtain the abnormal behavior sequence, the behavior combination of the account under the preset condition is obtained, and the account abnormality detection is carried out according to the proportion of the behavior combination hitting the abnormal behavior sequence, so that the problems of large workload and low accuracy caused by manually marking the abnormal behavior according to experience are solved, the safety risk of the account can be predicted without manually marking the abnormal behavior according to experience, the user is reminded, the account is effectively restrained from being stolen, the safety degree of the account is improved, the labor cost is reduced, and the accuracy is high. In addition, the abnormal behavior sequence is updated at regular time, and new abnormal behaviors can be found and dealt with in time.
Example two
Fig. 2 is a flowchart of an account anomaly detection method provided in the second embodiment of the present invention, and this embodiment provides an implementation manner of "mining behavior data of all stolen accounts by using an association rule algorithm, and determining an anomalous behavior sequence according to a frequent item set obtained by mining" based on the above embodiment, and as shown in fig. 2, the method specifically includes:
S210, acquiring, at preset time intervals, behavior data of all stolen accounts within a preset time before the theft is determined.
The preset time interval can be set according to actual requirements. For example, setting it to one day keeps the processing load from becoming too large while still updating the abnormal behavior sequence in time to deal with new abnormal behaviors of lawbreakers. After an account is stolen, a lawbreaker may use it to commit fraud, for example by issuing a false advertisement after modifying the password. The preset time can therefore be a period before the account is confirmed to be stolen (that is, before the user complains that the account was stolen), for example the day before the user's complaint. What is collected is then the behavior data of the stolen account on the day before the complaint, which sufficiently reflects the operations performed after the lawbreaker stole the account. Specifically, all stolen accounts are determined according to user complaints, and for each stolen account the behavior data of the day before the account was determined to be stolen is collected and used as the basis for data mining.
S220, mining a plurality of frequent item sets from the behavior data according to a preset minimum support degree.
In this embodiment, the support degree is the number of times a behavior or a combination of behaviors appears among the stolen accounts. The minimum support degree must not be set too low, which easily causes misjudgment and inconveniences users; nor can it be set too high, which causes abnormal accounts to be missed. The minimum support degree can initially be set to an empirical value and later adjusted according to the accuracy of actual anomaly detection so as to achieve the expected detection effect. Specifically, the actual results of account anomaly detection are sampled and the detection accuracy is calculated. If the accuracy reaches the expected value, the minimum support degree continues to be used; if the accuracy is lower than expected, the minimum support degree is modified so that subsequent detection performs better.
Optionally, mining a plurality of frequent item sets from the behavior data by using an association rule algorithm includes: and iterating the behavior data layer by layer to obtain a frequent N item set meeting the minimum support degree, wherein N represents the number of behavior items (referred to as item number for short) included in the frequent item set, and the value of N is a positive integer.
Layer-by-layer iteration means obtaining the frequent (k+1)-item sets from the frequent k-item sets. Satisfying the minimum support degree means that the item set appears in the behavior data no fewer times than the minimum support degree. Generation of frequent item sets follows this theorem: if an item set is frequent, then every non-empty subset of it must also be a frequent item set.
In this embodiment, a condition for stopping the iteration may be set. The condition may be that the support degrees of all frequent item sets of the current layer equal a preset value; for example, if the support degrees of the three frequent 5-item sets obtained are all equal to the minimum support degree, the iteration is stopped. The condition may also be that a preset number of frequent item sets is reached; for example, once 20 frequent item sets are obtained, the iteration is stopped.
S230, selecting, from the plurality of frequent item sets, the frequent item sets that match a preset number of items as the abnormal behavior sequence.
The preset number of items can be set according to actual requirements and can be a specific number or an interval. For example, if the preset number of items is 20-25, the frequent item sets with 20-25 items are selected from all the frequent item sets obtained and used as the abnormal behavior sequence. The preset number of items may also be expressed as a ratio; for example, the interval determined by the integer part of 80% to 85% of the maximum number of items is selected as the preset number of items.
S240, acquiring a behavior combination of the current account under a preset condition.
S250, obtaining an abnormal detection result according to the ratio of the abnormal behavior sequence hit by the behavior combination.
According to the technical scheme, the behavior data of all stolen accounts within the preset time before the stolen accounts are confirmed are collected and used as the basis of data mining, the operation performed after lawless persons steal the accounts can be fully reflected, the fact that the abnormal behavior sequence obtained based on the operation is accurate is guaranteed, and the accuracy of account detection is further improved. The behavior of the stolen account is automatically mined by using the association rule algorithm, and the abnormal behavior does not need to be marked manually according to experience, so that the labor cost is reduced. In addition, the abnormal behavior sequence is updated at regular time, and new abnormal behaviors can be found and dealt with in time.
The following uses the Apriori algorithm as an example to describe the process of determining an abnormal behavior sequence from the behavior data of all stolen accounts. The preset minimum support degree is 2. All stolen accounts are determined according to user complaints, and the behaviors of each stolen account on the day before it was determined to be stolen are collected, as shown in Table 1.
TABLE 1 Stolen accounts and their behaviors
Stolen account    Behavior
User A            I1, I2, I5
User B            I2, I4
User C            I2, I3
User D            I1, I2, I4
User E            I1, I3
User F            I2, I3
User G            I1, I3
User H            I1, I2, I3, I5
User J            I1, I2, I3
The behavior data of all stolen accounts are scanned, the occurrence frequency of each behavior is counted, the occurrence frequency of the behavior I1 is 6, the occurrence frequency of the behavior I2 is 7, the occurrence frequency of the behavior I3 is 6, the occurrence frequency of the behavior I4 is 2, and the occurrence frequency of the behavior I5 is 2. From the above-mentioned behaviors, find out the frequent 1 item set that satisfies the minimum support (i.e. the number of occurrences is not less than 2), and the resulting frequent 1 item set is shown in table 2.
TABLE 2 Schematic table of frequent 1-item sets
Behavior item set    Support count
{I1}                 6
{I2}                 7
{I3}                 6
{I4}                 2
{I5}                 2
Based on the frequent 1 item set, a candidate item set with the number of items of 2 (i.e. containing two behaviors) and the occurrence number thereof are determined: the occurrence number of { I1, I2} is 4, the occurrence number of { I1, I3} is 4, the occurrence number of { I1, I4} is 1, the occurrence number of { I1, I5} is 2, the occurrence number of { I2, I3} is 4, the occurrence number of { I2, I4} is 2, the occurrence number of { I2, I5} is 2, the occurrence number of { I3, I4} is 0, the occurrence number of { I3, I5} is 1, and the occurrence number of { I4, I5} is 0. From the above candidate set, find the frequent 2 item set satisfying the minimum support (i.e. the number of occurrences is not less than 2), and the resulting frequent 2 item set is shown in table 3.
TABLE 3 Schematic table of frequent 2-item sets
Behavior item set    Support count
{I1,I2}              4
{I1,I3}              4
{I1,I5}              2
{I2,I3}              4
{I2,I4}              2
{I2,I5}              2
Based on the frequent 2-item set, a candidate item set with a number of items of 3 (i.e., containing three behaviors) and the occurrence number thereof are determined: the occurrence number of { I1, I2, I3} is 2, and the occurrence number of { I1, I2, I5} is 2. From the above candidate set, find the frequent 3 item sets that satisfy the minimum support (i.e. the number of occurrences is not less than 2), and the resulting frequent 3 item sets are shown in table 4. It should be noted that since the non-empty subset of the frequent item set is necessarily the frequent item set, the { I1, I2} and { I2, I4} in the frequent 2 item set generate the item set { I1, I2, I4}, and since the non-empty subset { I1, I4} is not in the frequent 2 item set, the { I1, I2, I4} does not conform to the theorem and cannot be used as the candidate set with the item number of 3.
TABLE 4 Schematic table of frequent 3-item sets
Behavior item set    Support count
{I1,I2,I3}           2
{I1,I2,I5}           2
The support degrees of the two frequent item sets are equal to the minimum support degree, iteration is stopped, and finally all the frequent item sets are obtained and are shown in tables 1-3. A frequent item set with the item number of 3 is selected as an abnormal behavior sequence, namely { I1, I2, I3} and { I1, I2, I5 }.
Suppose the behavior combination obtained for the account to be detected is I1 and I2. The ratio of hitting {I1, I2, I3} is 2/3, and the ratio of hitting {I1, I2, I5} is also 2/3. According to the preset thresholds, the operation corresponding to this ratio is to prompt the user to verify preset information. After the verification passes, the user can operate normally; if the verification fails, the user can be prompted to perform an operation for preventing the account from being stolen, for example password modification.
Example three
Fig. 3 is a flowchart of an account anomaly detection method according to a third embodiment of the present invention, and this embodiment provides an implementation manner of "obtaining an anomaly detection result according to a ratio of hit of the behavior combination on the abnormal behavior sequence" based on the above embodiments. As shown in fig. 3, the method specifically includes:
S310, mining the behavior data of all stolen accounts by using an association rule algorithm, and determining an abnormal behavior sequence according to a frequent item set obtained by mining.
S320, acquiring a behavior combination of the current account under a preset condition.
S330, calculating the proportion of the abnormal behavior sequence hit by the behavior combination.
The abnormal behavior sequence comprises at least one frequent item set, the behavior combination is compared with each frequent item set in the abnormal behavior sequence, a corresponding hit ratio is determined, a final hit ratio is determined from a plurality of hit ratios according to a preset strategy, and then an account abnormality detection result is determined according to the final hit ratio.
S340, if the proportion reaches a first preset threshold value, determining that the current account is abnormal, and logging out the current account.
S350, if the proportion reaches a second preset threshold and is smaller than the first preset threshold, determining that the current account is suspected to be abnormal, and prompting the user to execute an operation for preventing the account from being stolen.
The operation for preventing the account from being stolen can be as follows: modifying the password, starting secondary verification and the like.
S360, if the proportion reaches a third preset threshold and is smaller than the second preset threshold, prompting the user to verify the preset information.
The preset information may be a security question set by the user when registering the account. If the preset information passes verification, the account has not been stolen and the user can continue to operate. Illustratively, the first preset threshold is 95%, the second preset threshold is 80%, and the third preset threshold is 50%.
Optionally, the method may further include: collecting a stolen result of the detected account; and adjusting a first preset threshold, a second preset threshold and a third preset threshold according to the stolen result. The stolen result of the detected account can be determined by whether a user complains, the accuracy of abnormal detection is determined according to the comparison between the stolen result and the abnormal detection result, and if the accuracy does not reach the expectation, the first preset threshold, the second preset threshold and the third preset threshold can be reduced.
According to the technical scheme of the embodiment, the abnormal detection result is determined according to the proportion of the hit of the behavior combination on the abnormal behavior sequence, and corresponding abnormal processing operation is executed, so that the occurrence of abnormal detection misjudgment can be reduced, and the influence of the misjudgment on a user can be reduced even if the misjudgment occurs. And moreover, the first preset threshold, the second preset threshold and the third preset threshold are adjusted in time according to the stolen result of the detected account, so that the accuracy of the abnormal detection can be further improved.
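The mining and scoring steps of embodiments two and three, worked through on the Table 1 data as an added example (not code from the patent). The hit ratio is taken as the share of a frequent item set's behaviors that appear in the account's behavior combination, which reproduces the 2/3 figure above; the function names and action labels are assumptions, and standard Apriori termination (no candidate survives) is used.

```python
from itertools import combinations

# Table 1 from the page: behaviors of each stolen account on the day
# before the theft was confirmed.
STOLEN_ACCOUNT_BEHAVIORS = {
    "A": {"I1", "I2", "I5"},
    "B": {"I2", "I4"},
    "C": {"I2", "I3"},
    "D": {"I1", "I2", "I4"},
    "E": {"I1", "I3"},
    "F": {"I2", "I3"},
    "G": {"I1", "I3"},
    "H": {"I1", "I2", "I3", "I5"},
    "J": {"I1", "I2", "I3"},
}


def apriori(transactions, min_support):
    """Return {frozenset: support count} for every frequent item set."""
    transactions = [frozenset(t) for t in transactions]

    def support(itemset):
        # Support degree as defined on the page: number of stolen accounts
        # whose behavior data contains the whole item set.
        return sum(1 for t in transactions if itemset <= t)

    singles = {frozenset([item]) for t in transactions for item in t}
    level = {s: support(s) for s in singles}
    level = {s: n for s, n in level.items() if n >= min_support}

    frequent, k = {}, 1
    while level:
        frequent.update(level)
        candidates = set()
        for a, b in combinations(list(level), 2):
            union = a | b
            # Join step: two frequent k-item sets that differ in one item.
            # Prune step: every k-item subset must itself be frequent,
            # which is why {I1, I2, I4} is rejected in the worked example.
            if len(union) == k + 1 and all(
                frozenset(sub) in level for sub in combinations(union, k)
            ):
                candidates.add(union)
        level = {c: support(c) for c in candidates}
        level = {c: n for c, n in level.items() if n >= min_support}
        k += 1
    return frequent


def abnormal_sequences(frequent, item_count):
    """Select the frequent item sets with the preset number of items (S230)."""
    return [s for s in frequent if len(s) == item_count]


def hit_ratio(behavior_combination, sequences):
    """Final hit ratio: the highest per-item-set ratio (policy named in S130)."""
    observed = set(behavior_combination)
    return max((len(observed & s) / len(s) for s in sequences), default=0.0)


def decide(ratio, first=0.95, second=0.80, third=0.50):
    """Map a hit ratio to the tiered response of S340-S360.

    Defaults are the illustrative thresholds from the page; the returned
    labels are hypothetical names for the actions it describes.
    """
    if ratio >= first:
        return "force_logout"
    if ratio >= second:
        return "prompt_anti_theft_operation"
    if ratio >= third:
        return "verify_preset_information"
    return "allow"


if __name__ == "__main__":
    frequent = apriori(STOLEN_ACCOUNT_BEHAVIORS.values(), min_support=2)
    sequences = abnormal_sequences(frequent, item_count=3)
    ratio = hit_ratio({"I1", "I2"}, sequences)
    print(sorted(sorted(s) for s in sequences), round(ratio, 3), decide(ratio))
```
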
Example four
Fig. 4 is a schematic structural diagram of an account abnormality detection apparatus according to a fourth embodiment of the present invention, and as shown in fig. 4, the apparatus includes: a data mining module 410, a behavior acquisition module 420, and an anomaly detection module 430.
The data mining module 410 is used for mining the behavior data of all stolen accounts by using an association rule algorithm and determining an abnormal behavior sequence according to a frequent item set obtained by mining;
a behavior obtaining module 420, configured to obtain a behavior combination of the current account under a preset condition;
and an anomaly detection module 430, configured to obtain an anomaly detection result according to a ratio of the behavior combination hitting the abnormal behavior sequence.
Optionally, the data mining module 410 includes:
the data acquisition unit is used for acquiring behavior data of all stolen accounts within preset time before theft is determined according to preset time intervals;
the data mining unit is used for mining a plurality of frequent item sets from the behavior data according to a preset minimum support degree;
and the sequence determining unit is used for selecting a frequent item set which accords with a preset item number from the multiple frequent item sets as the abnormal behavior sequence.
Further, the data mining unit is specifically configured to: and iterating the behavior data layer by layer to obtain a frequent N item set meeting the minimum support degree, wherein N represents the number of the behavior items included in the frequent item set, and the value of N is a positive integer.
Optionally, the anomaly detection module 430 includes:
the proportion calculation unit is used for calculating the proportion of the behavior combination hitting the abnormal behavior sequence;
the abnormality detection unit is used for determining that the current account is abnormal and quitting the current account if the proportion reaches a first preset threshold value; if the proportion reaches a second preset threshold and is smaller than the first preset threshold, determining that the current account is suspected to be abnormal, and prompting a user to execute an operation for preventing the account from being stolen; and if the proportion reaches a third preset threshold and is smaller than the second preset threshold, prompting a user to verify preset information.
Optionally, the apparatus further comprises:
the result acquisition module is used for acquiring the stolen result of the detected account;
and the threshold value adjusting module is used for adjusting a first preset threshold value, a second preset threshold value and a third preset threshold value according to the stolen result.
The account abnormity detection device provided by the embodiment of the invention can execute the account abnormity detection method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to the executed method. For technical details not described in detail in this embodiment, reference may be made to the account abnormality detection method provided in any embodiment of the present invention.
Example five
Fig. 5 is a schematic structural diagram of a server according to a fifth embodiment of the present invention. FIG. 5 illustrates a block diagram of an exemplary server 12 suitable for use in implementing embodiments of the present invention. The server 12 shown in fig. 5 is only an example, and should not bring any limitation to the function and the scope of use of the embodiment of the present invention.
As shown in FIG. 5, the server 12 is in the form of a general purpose computing device. The components of the server 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The server 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by server 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)30 and/or cache memory 32. The server 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, and commonly referred to as a "hard drive"). Although not shown in FIG. 5, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. System memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in system memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
The server 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with the server 12, and/or with any devices (e.g., network card, modem, etc.) that enable the server 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the server 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown in FIG. 5, the network adapter 20 communicates with the other modules of the server 12 via the bus 18. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the server 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and data processing by executing programs stored in the system memory 28, for example, to implement the account abnormality detection method provided by the embodiment of the present invention.
EXAMPLE six
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the account abnormality detection method according to any embodiment of the present invention.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing describes only the preferred embodiments of the present invention and the technical principles employed. Those skilled in the art will understand that the present invention is not limited to the particular embodiments described herein, and that various obvious changes, rearrangements and substitutions can be made by those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in some detail through the above embodiments, it is not limited to those embodiments and may include other equivalent embodiments without departing from the spirit of the present invention; the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An account anomaly detection method, comprising:
mining the behavior data of all stolen accounts by using an association rule algorithm, and determining an abnormal behavior sequence according to a frequent item set obtained by mining;
acquiring a behavior combination of a current account under a preset condition;
obtaining an abnormal detection result according to the proportion of the abnormal behavior sequence hit by the behavior combination;
wherein mining the behavior data of all stolen accounts by using an association rule algorithm, and determining an abnormal behavior sequence according to a frequent item set obtained by mining, comprises:
acquiring behavior data of all stolen accounts within preset time before theft is determined according to preset time intervals;
mining a plurality of frequent item sets from the behavior data according to a preset minimum support degree; wherein the minimum support degree is determined by: calculating detection accuracy according to an actual result of account abnormity detection, and determining the minimum support according to the detection accuracy;
and selecting a frequent item set which accords with a preset number of items from the multiple frequent item sets as the abnormal behavior sequence.
2. The method of claim 1, wherein mining a plurality of frequent item sets from the behavior data according to a preset minimum support degree comprises:
and iterating the behavior data layer by layer to obtain a frequent N item set meeting the minimum support degree, wherein N represents the number of the behavior items included in the frequent item set, and the value of N is a positive integer.
3. The method of claim 1, wherein obtaining the abnormal detection result according to the ratio of the behavior combination hitting the abnormal behavior sequence comprises:
calculating the proportion of the abnormal behavior sequence hit by the behavior combination;
if the proportion reaches a first preset threshold, determining that the current account is abnormal, and logging out the current account;
if the proportion reaches a second preset threshold and is smaller than the first preset threshold, determining that the current account is suspected to be abnormal, and prompting a user to execute an operation for preventing the account from being stolen;
and if the proportion reaches a third preset threshold and is smaller than the second preset threshold, prompting a user to verify preset information.
4. The method according to any one of claims 1 to 3, further comprising, after obtaining an abnormal detection result according to a ratio of the behavior combination hitting the abnormal behavior sequence:
collecting a stolen result of the detected account;
and adjusting a first preset threshold, a second preset threshold and a third preset threshold according to the stolen result.
5. An account abnormality detection apparatus, comprising:
the data mining module is used for mining the behavior data of all stolen accounts by using an association rule algorithm and determining an abnormal behavior sequence according to a frequent item set obtained by mining;
the behavior acquisition module is used for acquiring a behavior combination of the current account under a preset condition;
the abnormal detection module is used for obtaining an abnormal detection result according to the proportion of the behavior combination hitting the abnormal behavior sequence;
the data acquisition unit is used for acquiring behavior data of all stolen accounts within preset time before theft is determined according to preset time intervals;
the data mining unit is used for mining a plurality of frequent item sets from the behavior data according to a preset minimum support degree; wherein the minimum support degree is determined by: calculating detection accuracy according to an actual result of account abnormity detection, and determining the minimum support according to the detection accuracy;
and the sequence determining unit is used for selecting a frequent item set which accords with a preset item number from the multiple frequent item sets as the abnormal behavior sequence.
6. The apparatus of claim 5, wherein the data mining unit is specifically configured to:
and iterating the behavior data layer by layer to obtain a frequent N item set meeting the minimum support degree, wherein N represents the number of the behavior items included in the frequent item set, and the value of N is a positive integer.
7. The apparatus of claim 5, wherein the anomaly detection module comprises:
the proportion calculation unit is used for calculating the proportion of the behavior combination hitting the abnormal behavior sequence;
the abnormality detection unit is used for determining that the current account is abnormal and logging out the current account if the proportion reaches a first preset threshold; if the proportion reaches a second preset threshold and is smaller than the first preset threshold, determining that the current account is suspected to be abnormal, and prompting a user to execute an operation for preventing the account from being stolen; and if the proportion reaches a third preset threshold and is smaller than the second preset threshold, prompting a user to verify preset information.
8. The apparatus of any of claims 5 to 7, further comprising:
the result acquisition module is used for acquiring the stolen result of the detected account;
and the threshold value adjusting module is used for adjusting a first preset threshold value, a second preset threshold value and a third preset threshold value according to the stolen result.
9. A server, characterized in that the server comprises:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the account anomaly detection method of any one of claims 1 to 4.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the account abnormality detection method according to any one of claims 1 to 4.
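The method of claims 1 to 3, worked through as an added Python example (not code from the patent): frequent item sets are mined layer by layer from stolen-account behavior, the sets with the preset number of items become the abnormal behavior sequences, and a current account is graded against three thresholds. The behavior names, sample data and threshold values are constructed, and reading "proportion hit" as the share of abnormal sequences fully contained in the account's behavior combination is an assumption.

```python
from itertools import combinations

# Constructed sample: behaviours seen on each stolen account in the preset
# window before the theft was confirmed (names are hypothetical).
STOLEN_ACCOUNT_BEHAVIORS = [
    {"login_new_device", "change_password", "unbind_phone", "bulk_message"},
    {"login_new_device", "change_password", "unbind_phone"},
    {"login_new_device", "change_password", "bulk_message"},
    {"login_new_device", "unbind_phone", "bulk_message"},
    {"change_password", "view_profile"},
]


def mine_frequent_itemsets(transactions, min_support):
    """Apriori-style layer-by-layer mining; returns {itemset: support}."""
    total = len(transactions)

    def support(itemset):
        return sum(1 for t in transactions if itemset <= t) / total

    level = {frozenset([i]) for t in transactions for i in t}
    level = {s for s in level if support(s) >= min_support}
    frequent, n = {}, 1
    while level:
        frequent.update({s: support(s) for s in level})
        n += 1
        # Join frequent (N-1)-item sets into N-item candidates, then prune any
        # candidate that has an infrequent (N-1)-item subset.
        candidates = {a | b for a in level for b in level if len(a | b) == n}
        candidates = {c for c in candidates
                      if all(frozenset(s) in level for s in combinations(c, n - 1))}
        level = {c for c in candidates if support(c) >= min_support}
    return frequent


def abnormal_sequences(frequent, item_count):
    """Keep only frequent item sets with the preset number of items."""
    return {s for s in frequent if len(s) == item_count}


def hit_ratio(behavior_combination, sequences):
    """Assumed reading of 'proportion hit': share of abnormal sequences that
    are fully contained in the account's behaviour combination."""
    if not sequences:
        return 0.0
    observed = set(behavior_combination)
    return sum(1 for s in sequences if s <= observed) / len(sequences)


def classify(ratio, first, second, third):
    """Three-tier decision of claim 3; requires first > second > third."""
    if not first > second > third:
        raise ValueError("thresholds must satisfy first > second > third")
    if ratio >= first:
        return "abnormal"    # log the account out
    if ratio >= second:
        return "suspected"   # prompt the user to take anti-theft action
    if ratio >= third:
        return "verify"      # prompt the user to verify preset information
    return "normal"


if __name__ == "__main__":
    frequent = mine_frequent_itemsets(STOLEN_ACCOUNT_BEHAVIORS, min_support=0.6)
    sequences = abnormal_sequences(frequent, item_count=2)
    current = {"login_new_device", "change_password", "unbind_phone", "view_profile"}
    ratio = hit_ratio(current, sequences)
    # Threshold values below are constructed for the example.
    print(sorted(map(sorted, sequences)), round(ratio, 2),
          classify(ratio, first=0.9, second=0.6, third=0.3))
```

Raising the minimum support shrinks the set of abnormal sequences, so each hit moves the proportion further; this is why the claims tie the support value to measured detection accuracy.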
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711450524.0A CN108055281B (en) 2017-12-27 2017-12-27 Account abnormity detection method, device, server and storage medium

Publications (2)

Publication Number Publication Date
CN108055281A CN108055281A (en) 2018-05-18
CN108055281B true CN108055281B (en) 2021-05-18

Family

ID=62127911

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711450524.0A Active CN108055281B (en) 2017-12-27 2017-12-27 Account abnormity detection method, device, server and storage medium

Country Status (1)

Country Link
CN (1) CN108055281B (en)

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110704773B (en) * 2018-06-25 2022-06-03 顺丰科技有限公司 Abnormal behavior detection method and system based on frequent behavior sequence mode
CN108984721A (en) * 2018-07-10 2018-12-11 阿里巴巴集团控股有限公司 The recognition methods of rubbish account and device
CN109120634B (en) * 2018-09-05 2021-02-05 广州视源电子科技股份有限公司 Port scanning detection method and device, computer equipment and storage medium
CN109408556B (en) * 2018-09-28 2024-02-02 中国平安人寿保险股份有限公司 Abnormal user identification method and device based on big data, electronic equipment and medium
CN109658109A (en) * 2018-10-29 2019-04-19 平安医疗健康管理股份有限公司 Detection method, device, terminal and the storage medium that medical insurance is swiped the card extremely
CN109714636B (en) * 2018-12-21 2021-04-23 武汉瓯越网视有限公司 User identification method, device, equipment and medium
CN109818942B (en) * 2019-01-07 2021-08-24 微梦创科网络科技(中国)有限公司 User account abnormity detection method and device based on time sequence characteristics
CN109857779B (en) * 2019-01-10 2020-07-31 北京三快在线科技有限公司 Method and device for searching fraud account, storage medium and electronic equipment
CN109815042B (en) * 2019-01-21 2022-05-27 南方科技大学 Abnormal factor positioning method, abnormal factor positioning device, server and storage medium
CN109862004B (en) * 2019-01-28 2021-08-24 杭州数梦工场科技有限公司 Account use behavior detection method and device
CN110399543A (en) * 2019-05-23 2019-11-01 北京鑫宇创世科技有限公司 A kind of advertising accounts method for early warning
CN110209551B (en) * 2019-05-24 2023-12-08 北京奇艺世纪科技有限公司 Abnormal equipment identification method and device, electronic equipment and storage medium
CN110222243B (en) * 2019-05-27 2021-08-31 北京小米移动软件有限公司 Method, device and storage medium for determining abnormal behavior
CN110543762A (en) * 2019-08-12 2019-12-06 广州海颐信息安全技术有限公司 Privileged account threat analysis system
CN110532760A (en) * 2019-08-12 2019-12-03 广州海颐信息安全技术有限公司 Compatible structure and unstructured privilege threaten the method and device of behavioral data
CN110750238B (en) * 2019-09-20 2023-10-03 创新先进技术有限公司 Method and device for determining product demand and electronic equipment
CN111221722B (en) * 2019-09-23 2024-01-30 平安科技(深圳)有限公司 Behavior detection method, behavior detection device, electronic equipment and storage medium
CN110675228B (en) * 2019-09-27 2021-05-28 支付宝(杭州)信息技术有限公司 User ticket buying behavior detection method and device
CN112583768A (en) * 2019-09-30 2021-03-30 北京国双科技有限公司 User abnormal behavior detection method and device
CN110728583A (en) * 2019-10-11 2020-01-24 支付宝(杭州)信息技术有限公司 Method and system for identifying cheating claim behaviors
CN111031017B (en) * 2019-11-29 2021-12-14 腾讯科技(深圳)有限公司 Abnormal business account identification method, device, server and storage medium
CN111459797B (en) * 2020-02-27 2023-04-28 上海交通大学 Abnormality detection method, system and medium for developer behavior in open source community
CN111698247B (en) * 2020-06-11 2021-09-07 腾讯科技(深圳)有限公司 Abnormal account detection method, device, equipment and storage medium
CN112667706A (en) * 2020-12-23 2021-04-16 微梦创科网络科技(中国)有限公司 Method and device for identifying stolen account
CN112860741B (en) * 2021-01-18 2022-08-23 平安科技(深圳)有限公司 Data sampling detection method, device, equipment and storage medium
CN113098912B (en) * 2021-06-09 2022-10-14 北京达佳互联信息技术有限公司 User account abnormity identification method and device, electronic equipment and storage medium
CN113835919B (en) * 2021-09-26 2023-06-13 中国联合网络通信集团有限公司 Data processing method, server and storage medium
CN113868010B (en) * 2021-12-01 2022-02-18 杭银消费金融股份有限公司 Abnormal data processing method and system applied to business system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471819A (en) * 2014-08-19 2016-04-06 腾讯科技(深圳)有限公司 Account abnormity detection method and account abnormity detection device
CN105681312A (en) * 2016-01-28 2016-06-15 李青山 Mobile internet exceptional user detection method based on frequent itemset mining
CN105843947A (en) * 2016-04-08 2016-08-10 华南师范大学 Abnormal behavior detection method and system based on big-data association rule mining
CN106156026A (en) * 2015-03-24 2016-11-23 中国人民解放军国防科学技术大学 A kind of method based on the data online anomaly of stream fictitious assets
CN106850632A (en) * 2017-02-10 2017-06-13 北京奇艺世纪科技有限公司 The detection method and device of a kind of unusual combination data

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10021118B2 (en) * 2015-09-01 2018-07-10 Paypal, Inc. Predicting account takeover tsunami using dump quakes

Also Published As

Publication number Publication date
CN108055281A (en) 2018-05-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant