CN108076032A - A kind of abnormal behaviour user identification method and device - Google Patents
A kind of abnormal behaviour user identification method and device Download PDFInfo
- Publication number
- CN108076032A CN108076032A CN201611035558.9A CN201611035558A CN108076032A CN 108076032 A CN108076032 A CN 108076032A CN 201611035558 A CN201611035558 A CN 201611035558A CN 108076032 A CN108076032 A CN 108076032A
- Authority
- CN
- China
- Prior art keywords
- user
- rate
- identified
- network
- current network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/06—Generation of reports
- H04L43/067—Generation of reports using time frame reporting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0894—Packet rate
Abstract
The embodiment of the present invention provides a kind of abnormal behaviour user identification method and device, the described method includes:The status information of current network is obtained, the status information includes:The whole network rate, network element rate and Business Stream magnitude;According to the status information of the current network, prefixed time interval t and observing time i, judge that the current network whether there is abnormal behaviour user;If the current network obtains user conversation record information to be identified and the user terminal information to be identified there are abnormal behaviour user;According to the conversation recording information and the user terminal information, the abnormal behaviour user is identified.Described device performs the above method.Abnormal behaviour user identification method and device provided in an embodiment of the present invention by judging current network with the presence or absence of abnormal behaviour user, and identify abnormal behaviour user, ensure that the stability of current network rate.
Description
Technical field
The present embodiments relate to mobile communication technology fields, and in particular to a kind of abnormal behaviour user identification method and dress
It puts.
Background technology
With the development of mobile communication technology, people more and more obtain information by surfing the Internet, to meet daily study
The demand of work.
But simultaneously some steal-number sending advertisements, issue malicious link, defraud of Internet user's wealth etc. and internet information safety
Related behavior also generates therewith, this class behavior is referred to as " user's abnormal behaviour ", these user's abnormal behaviours are for a long time, in large quantities
Occupy limited Internet resources, the strong influence online experience of normal users causes user's networking speed slow or can not
Online, the existing mode for solving the problems, such as this mainly by customer complaint after, treatment people to on-the-spot test, and according to test knot
Fruit optimizes specific network environment, but None- identified goes out the user of abnormal behaviour, it is impossible to solve normal users from source
The problem of networking speed is slow.
Therefore, the user of abnormal behaviour how is effectively identified, becoming need solve the problems, such as.
The content of the invention
In view of the problems of the existing technology, the embodiment of the present invention provides a kind of abnormal behaviour user identification method and dress
It puts.
On the one hand, the embodiment of the present invention provides a kind of abnormal behaviour user identification method, including:
The status information of current network is obtained, the status information includes:The whole network rate, network element rate and service traffics
Value;
According to the status information of the current network, prefixed time interval t and observing time i, the current network is judged
With the presence or absence of abnormal behaviour user;
If the current network there are abnormal behaviour user, obtains user conversation record information to be identified and described waits to know
Other user terminal information;
According to the conversation recording information and the user terminal information, the abnormal behaviour user is identified.
On the other hand, the embodiment of the present invention provides a kind of abnormal behaviour customer identification device, including:
Network information acquiring unit, for obtaining the status information of current network, the status information includes:The whole network speed
Rate, network element rate and Business Stream magnitude;
Judging unit for status information, prefixed time interval t and the observing time i according to the current network, judges
The current network whether there is abnormal behaviour user;
User information acquiring unit, if obtaining user to be identified there are abnormal behaviour user for the current network
Conversation recording information and the user terminal information to be identified;
Recognition unit, for according to the conversation recording information and the user terminal information, using the abnormal behaviour
Family is identified.
Abnormal behaviour user identification method and device provided in an embodiment of the present invention, by judging that current network whether there is
Abnormal behaviour user, and identify abnormal behaviour user, it ensure that the stability of current network rate.
Description of the drawings
It in order to illustrate more clearly about the embodiment of the present invention or technical scheme of the prior art, below will be to embodiment or existing
There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is this hair
Some bright embodiments, for those of ordinary skill in the art, without creative efforts, can be with root
Other attached drawings are obtained according to these attached drawings.
Fig. 1 is the flow diagram of abnormal behaviour user identification method of the embodiment of the present invention;
Fig. 2 is the flow diagram of further embodiment of this invention abnormal behaviour user identification method;
Fig. 3 is the structure diagram of abnormal behaviour customer identification device of the embodiment of the present invention;
Fig. 4 is device entity structure diagram provided in an embodiment of the present invention.
Specific embodiment
To make the purpose, technical scheme and advantage of the embodiment of the present invention clearer, below in conjunction with the embodiment of the present invention
In attached drawing, the technical solution in the embodiment of the present invention is clearly and completely described, it is clear that described embodiment is
Part of the embodiment of the present invention, instead of all the embodiments.Based on the embodiments of the present invention, those of ordinary skill in the art
All other embodiments obtained without creative efforts belong to the scope of protection of the invention.
Fig. 1 is the flow diagram of abnormal behaviour user identification method of the embodiment of the present invention, as shown in Figure 1, the present embodiment
A kind of abnormal behaviour user identification method provided, comprises the following steps:
S1:The status information of current network is obtained, the status information includes:The whole network rate, network element rate and Business Stream
Magnitude.
Specifically, device obtains the status information of current network, the status information includes:The whole network rate, network element rate
With Business Stream magnitude.It should be noted that:Current network state information can include the whole network rate, network element rate and service traffics
Value, but it is not limited to above-mentioned the whole network rate, network element rate and Business Stream magnitude.
S2:According to the status information of the current network, prefixed time interval t and observing time i, the current net is judged
Network whether there is abnormal behaviour user.
Specifically, device judges institute according to the status information of the current network, prefixed time interval t and observing time i
Current network is stated with the presence or absence of abnormal behaviour user.It should be noted that:Prefixed time interval t and observing time i can bases
Actual conditions are independently set, such as:Prefixed time interval t could be provided as 1 it is small when, it can be understood as:Device at interval of 1 it is small when
It performs the abnormal behaviour user and knows method for distinguishing once, and user behavior to be selected is identified;Prefixed time interval t
The numerical value of setting is smaller, and the frequency that user behavior is identified is higher, and the numerical value that prefixed time interval t is set is bigger, right
User behavior is identified that the frequency is lower, observing time i the initial time corresponding to prefixed time interval t and terminate the time it
Between can arbitrarily be arranged to one or many, such as:When prefixed time interval t be arranged to 1 it is small when, if perform this method it is current
Time is 17:00, then initial time is corresponding to 17:00, the time is terminated corresponding to 18:00, observing time i can be 17:00
~18:00 it is arbitrary once or several times it is corresponding to the whole network rate either the acquisition of network element rate or Business Stream magnitude when
Between.
S3:If the current network there are abnormal behaviour user, obtains user conversation record information to be identified and described
User terminal information to be identified.
Specifically, if device knows that the current network there are abnormal behaviour user, obtains user conversation note to be identified
Record information and the user terminal information to be identified.It should be noted that:User conversation record information can include but is not limited to:
To the access record information of domain names, session duration, source TCP/UDP ports, target TCP/UDP ports etc., user terminal letter
Breath can include but is not limited to:Mobile phone terminal brand and model used by a user etc..
S4:According to the conversation recording information and the user terminal information, the abnormal behaviour user is identified.
Specifically, device is according to the conversation recording information and the user terminal information, to the abnormal behaviour user
It is identified.It should be noted that:It can be to specific in conversation recording information that abnormal behaviour user, which is identified,
The access times of domain name and the mobile phone terminal brand and model of user terminal information, phone number used and the mobile phone are whole
What the position at end was realized.
Abnormal behaviour user identification method provided in an embodiment of the present invention, by judging that current network whether there is abnormal row
It for user, and identifies abnormal behaviour user, ensure that the stability of current network rate.
It is described according to the status information of the current network, prefixed time interval t and sight on the basis of above-described embodiment
Time i is examined, judges that the current network whether there is abnormal behaviour user, including:
According to the whole network rate of the current network, prefixed time interval t and observing time i, the current network is judged
The whole network rate whether decline.
Specifically, device judges institute according to the whole network rate of the current network, prefixed time interval t and observing time i
Whether the whole network rate for stating current network declines.It should be noted that:The basis for estimation whether the whole network rate declines can be worked as
The whole network rate of preceding network declines percentage, is described as follows with continued reference to above-mentioned implementation example:When prefixed time interval t is arranged to
1 it is small when, if perform this method current time be 17:00, then initial time is corresponding to 17:00, the time is terminated corresponding to 18:
00, it is assumed that observing time i is 17:10、17:25 and, then number of observation n is 3 times, can be according to formula:Meter
The average value of interior the whole network rate when calculating prefixed time interval 1 is smallWherein VAiBe current network status information in the whole network
Rate, further according to formula:The whole network rate for calculating current network declines percentage PA, further according to
Formula:Judge whether the whole network rate of current network in decline state (works as PA>=5%, it represents
The whole network rate has decline;Work as PA< 5% represents that the whole network rate does not decline), therein 5% is default the whole network rate percentage, can
Independently to be set according to actual conditions, here 5% be a kind of optional scheme, the embodiment of the present invention does not do this specific limit
It is fixed.
If judging to know the whole network rate of the current network as decline state, the network element speed of the current network is judged
Whether rate declines.
Specifically, if device judges to know the whole network rate of the current network as decline state, judge described current
Whether the network element rate of network declines.If the whole network rate for judging to know the current network can recognize not decline state
Abnormal behaviour user is not present for current network.It should be noted that:The basis for estimation whether network element rate declines can be worked as
The network element rate of preceding network declines percentage, is described as follows with continued reference to above-mentioned implementation example:Number of observation n is 3 times, Ke Yigen
According to formula:Calculate prefixed time interval 1 it is small when interior network element rate average valueWherein VBiIt is current net
Network element rate in the status information of network, further according to formula:Calculate the network element rate of current network
Decline percentage PB, further according to formula:Judge the network element rate of current network
Whether it is default network element rate percentage in decline state, therein 10%, can be independently set according to actual conditions, here
10% be a kind of optional scheme, the embodiment of the present invention does not do this specific restriction.
If judge to know the network element rate of the current network as decline state, according to the big of the Business Stream magnitude
It is small, preceding m Business Stream magnitude is selected in the Business Stream magnitude as Business Stream magnitude to be selected.
Specifically, if device judges to know the network element rate of the current network as decline state, according to the business
The size of flow value selects in the Business Stream magnitude preceding m Business Stream magnitude as Business Stream magnitude to be selected.If device judges
The network element rate of the current network is known not decline state, it may be considered that abnormal behaviour user is not present in current network.m
Numerical value can independently be set according to actual conditions, be not specifically limited herein, the present embodiment enumerate m=10 acquisition industry to be selected
Business flow value is as shown in table 1:
Table 1 is can be as preceding 10 Business Stream magnitudes of Business Stream magnitude to be selected
Table 1
Business | Flow (MB) | Accounting | Rate (kbps) |
360 security guards | 3687 | 14% | 283 |
Fetion | 1090 | 4% | 198 |
Netease | 570 | 2% | 108 |
The Industrial and Commercial Bank of China | 553 | 2% | 93 |
QQ space | 370 | 1% | 479 |
Www.qq.com | 284 | 1% | 591 |
UC is browsed | 151 | 1% | 480 |
Sina | 148 | 1% | 503 |
Baidu | 110 | 0% | 397 |
Apple official website | 77 | 0% | 470 |
RNC is whole | 25598 | 100% | 278 |
According to the prefixed time interval t and the Business Stream magnitude to be selected, calculate and treated corresponding to the business to be selected
Select service rate.
Specifically, device calculates the business to be selected according to the prefixed time interval t and the Business Stream magnitude to be selected
Corresponding service rate to be selected.It is illustrated below:It can be according to formula:Calculate service rate V to be selectedij,
Wherein i is the observing time, j is j-th of business, MijFor Business Stream magnitude to be selected.
Judge whether the service rate to be selected of the current network declines.
Specifically, device judges whether the service rate to be selected of the current network declines.It can be according to formula:
Calculate the average value of service rate to be selectedIt can be further according to formula:
Judge the current network service rate to be selected whether be decline condition adjudgement described in the service rate to be selected of current network be
No is decline state.
If judging to know the service rate to be selected of the current network as decline state, judge that the current network exists
Abnormal behaviour user.
Specifically, if device judges to know the service rate to be selected of the current network as decline state, described in judgement
There are abnormal behaviour users for current network.If the service rate to be selected for judging to know the current network not decline state,
It is considered that abnormal behaviour user is not present in current network.
Abnormal behaviour user identification method provided in an embodiment of the present invention, by the whole network rate, the net that judge current network
Whether first rate and service rate to be selected decline, and can accurately identify that current network whether there is abnormal behaviour user.
It is described according to the whole network rate of the current network, prefixed time interval t and sight on the basis of above-described embodiment
Time i is examined, judges whether the whole network rate of the current network declines, including:
According to prefixed time interval t and observing time i, the number of observation n in the prefixed time interval t is obtained,
In, the observing time i was located between the initial time corresponding to the prefixed time interval t and termination time.
Specifically, device obtains the sight in the prefixed time interval t according to prefixed time interval t and observing time i
Examine frequency n, wherein, the observing time i be located at initial time corresponding to the prefixed time interval t and terminate the time it
Between.Illustrate in the above-described embodiments, details are not described herein again.
According to the number of observation n and the whole network rate of the current network, calculate complete in the prefixed time interval t
The average value of network speed rate.
Specifically, device is calculated according to the number of observation n and the whole network rate of the current network when described default
Between be spaced t in the whole network rate average value.Illustrate in the above-described embodiments, details are not described herein again.
According to the average value of the whole network rate and the whole network rate of the current network, the complete of the current network is calculated
Network speed rate declines percentage.
Specifically, device is according to the average value of the whole network rate and the whole network rate of the current network, described in calculating
The whole network rate of current network declines percentage.Illustrate in the above-described embodiments, details are not described herein again.
If the whole network rate of the current network, which declines percentage, is more than or equal to default the whole network rate percentage, institute is judged
The whole network rate for stating current network is decline state.
Specifically, if device knows that the whole network rate of the current network declines percentage and is more than or equal to default the whole network rate
Percentage then judges the whole network rate of the current network for decline state.Illustrate in the above-described embodiments, it is no longer superfluous herein
It states.
Abnormal behaviour user identification method provided in an embodiment of the present invention is declined by the whole network rate for calculating current network
Percentage ensure that the whole network rate declines the accuracy of condition adjudgement.
It is described on the basis of above-described embodiment, judge whether the network element rate of the current network declines, including:
According to the number of observation n and the network element rate of the current network, calculate in the prefixed time interval t Intranets
The average value of first rate.
Specifically, device is calculated according to the number of observation n and the network element rate of the current network when described default
Between be spaced t in network element rate average value.Illustrate in the above-described embodiments, details are not described herein again.
According to the average value of the network element rate and the network element rate of the current network, the net of the current network is calculated
First rate declines percentage.
Specifically, device is according to the average value of the network element rate and the network element rate of the current network, described in calculating
The network element rate of current network declines percentage.Illustrate in the above-described embodiments, details are not described herein again.
If the network element rate of the current network, which declines percentage, is more than or equal to default network element rate percentage, institute is judged
The network element rate for stating current network is decline state.
Specifically, if device knows that the network element rate of the current network declines percentage and is more than or equal to default network element rate
Percentage then judges the network element rate of the current network for decline state.Illustrate in the above-described embodiments, it is no longer superfluous herein
It states.
Abnormal behaviour user identification method provided in an embodiment of the present invention is declined by the network element rate for calculating current network
Percentage ensure that network element rate declines the accuracy of condition adjudgement.
On the basis of above-described embodiment, whether the service rate to be selected for judging the current network declines, including:
According to the service rate to be selected and service traffics number m to be selected, the average value of the calculating service rate to be selected.
Specifically, device calculates the business speed to be selected according to the service rate to be selected and service traffics number m to be selected
The average value of rate.Illustrate in the above-described embodiments, details are not described herein again.
According to the average value of the service rate to be selectedThe service rate V to be selectedijWith being averaged for the network element rate
ValueIf pass through formulaThe result of calculating is 1, then judges treating for the current network
It is decline state to select service rate.
Specifically, average value of the device according to the service rate to be selectedThe service rate V to be selectedijWith the net
The average value of first rateIf pass through formulaThe result of calculating is 1, then described in judgement
The service rate to be selected of current network is decline state.Illustrate in the above-described embodiments, details are not described herein again.
Abnormal behaviour user identification method provided in an embodiment of the present invention, according to the service rate and network element to be selected calculated
The average value of rate ensure that service rate to be selected to decline the accuracy of condition adjudgement.
It is described according to the conversation recording information and the user terminal information on the basis of above-described embodiment, to institute
Abnormal behaviour user is stated to be identified, including:
According to the certain domain name access times in the conversation recording information, the certain domain name access times are more than the
The user identifier to be identified of one access times threshold value is abnormal user.
Specifically, Fig. 2 is the flow diagram of further embodiment of this invention abnormal behaviour user identification method, such as Fig. 2 institutes
Show, certain domain name access times of the device in the conversation recording information, the certain domain name access times are more than the
The user identifier to be identified of one access times threshold value is abnormal user.First access times threshold value can be according to actual conditions
It is autonomous to set, it is not construed as limiting herein.It is illustrated below:User to be identified is 1000, and the first access times threshold value 50 times is treated
There are 40 certain domain name access times to be more than the first access times threshold value 50 times in identification user, then by this 40 users to be identified
It is identified as abnormal user.
The user to be identified that the certain domain name access times are less than to the first access times threshold value treats as first
Identify user.
Specifically, the certain domain name access times are less than the user to be identified of the first access times threshold value by device
As the first user to be identified.With continued reference to above-described embodiment, it is illustrated below:Above-mentioned 960 (1000-40=960) are a
User to be identified is as the first user to be identified.
The phone number of the described first user to be identified is extracted, if same phone number is to the certain domain name access times
Then it is abnormal user by the described first user identifier to be identified more than the second access times threshold value, wherein, second access time
Number threshold value is less than the first access times threshold value.
Specifically, device extracts the phone number of first user to be identified, if same phone number is to described specific
Domain name access number is more than the second access times threshold value, then is abnormal user by the described first user identifier to be identified, wherein, institute
The second access times threshold value is stated less than the first access times threshold value.Second access times threshold value can be according to actual conditions certainly
Main setting, is not construed as limiting herein.With continued reference to above-described embodiment, it is illustrated below:First user to be identified is 960, the
Two access times threshold values are 40 times, and same phone number in the first user to be identified is more than second to certain domain name access times
60 the first user identifiers to be identified that access times threshold value is 40 times are abnormal user.
Same phone number is treated to the certain domain name access times are less than the second access times threshold value described first
Identify user as the second user to be identified.
Specifically, same phone number is less than the second access times threshold value by device to the certain domain name access times
First user to be identified is as the second user to be identified.It is illustrated below:First user to be identified is 960, by 900
(960-60) a first user to be identified is as the second user to be identified.
The information of mobile phone terminal of the described second user to be identified is extracted, the information of mobile phone terminal includes:Mobile phone terminal factory
Family and model.
Specifically, device extracts the information of mobile phone terminal of second user to be identified, the information of mobile phone terminal can be with
Including but not limited to:Mobile phone terminal producer and model.
If the mobile phone terminal of the identical mobile phone terminal producer and model is more than the certain domain name access times
Described second user identifier to be identified is then abnormal user by the 3rd access times threshold value, wherein, the 3rd access times threshold
Value is less than the second access times threshold value.
Specifically, if device knows the mobile phone terminal of the identical mobile phone terminal producer and model to the special domain
Name access times are more than the 3rd access times threshold value, then are abnormal user by the described second user identifier to be identified, wherein, it is described
3rd access times threshold value is less than the second access times threshold value.3rd access times threshold value can be autonomous according to actual conditions
It sets, does not limit herein.With continued reference to above-described embodiment, it is illustrated below:Second user to be identified be 900, the 3rd
Access times threshold value is 30 times, by the mobile phone terminal of the identical mobile phone terminal producer and model in the second user to be identified
It is abnormal to the certain domain name access times 20 the second user identifiers to be identified of 30 times more than the 3rd access times threshold value
User.
The mobile phone terminal of the identical mobile phone terminal producer and model is less than the certain domain name access times
Described second user to be identified of the 3rd access times threshold value is as the 3rd user to be identified.
Specifically, device visits the certain domain name mobile phone terminal of the identical mobile phone terminal producer and model
Ask described second to be identified user of the number less than the 3rd access times threshold value as the 3rd user to be identified.It illustrates such as
Under:Second user to be identified is 900, using 880 (900-20) a second user to be identified as the 3rd user to be identified.
The location information of the 3rd user mobile phone terminal to be identified is extracted, if the position of the mobile phone terminal is described pre-
Then it is different by the 3rd user identifier to be identified if the displacement variable generated in time interval t is less than pre-determined distance threshold value
Common family.
Specifically, device extracts the location information of the 3rd user mobile phone terminal to be identified, if the mobile phone terminal
The displacement variable that position generates in the prefixed time interval t is less than pre-determined distance threshold value, then to be identified by the described 3rd
User identifier is abnormal user.Pre-determined distance threshold value can independently be set according to actual conditions, not limited herein.With continued reference to
Above-described embodiment is illustrated below:3rd user to be identified is 880, and pre-determined distance threshold value is 200 meters, and the 3rd is waited to know
The displacement variable that the position of mobile phone terminal generates in the prefixed time interval t in other user is less than pre-determined distance threshold value
200 meters of 10 the 3rd user identifiers to be identified are abnormal user.By the position of mobile phone terminal in the 3rd user to be identified in institute
State 870 (880-10) a 3rd that the displacement variable generated in prefixed time interval t is more than or equal to 200 meters of pre-determined distance threshold value
User identifier to be identified is normal users.
Abnormal behaviour user identification method provided in an embodiment of the present invention by gradually identifying abnormal behaviour user, is protected
The accuracy of recognition effect is demonstrate,proved.
The acquisition modes of abnormal behaviour user identification method flow chart as shown in Figure 2 can be according to following steps:
R1:User conversation record information to be identified, extraction key feature is as sample storehouse factor.To other features without shadow
Loud independent characteristic as a sample storehouse factor, interact and coefficient multiple features merge into a sample storehouse because
Element.The sample storehouse comprising normal users and abnormal user internet behavior session is established as a result,.
R2:Sample storehouse factor based on step R1 randomly selects a certain number of objects, constructs training dataset, passes through
Training and beta pruning, generate abnormal behaviour user identification method flow chart as shown in Figure 2.Identify abnormal behaviour user identification method
The detailed construction and algorithm of flow chart are as follows:
Decision Tree algorithms use CART (Classification and Regression Trees) algorithm, that is, classify back
Return tree algorithm.
CART algorithms mainly include two steps:(1) division of sample recurrence is subjected to achievement process, (2) use verification data
Carry out beta pruning.
The recurrence of step (1) establishes binary tree, section x1, x2..., xnN attribute of single sample is represented, belonging to y is represented
Classification.The n spaces tieed up are divided into nonoverlapping rectangle by CART algorithms by recursive mode.Partiting step approximately as:
(1) an independent variable x is selectedi, then choose xiA value vi, viN-dimensional space is divided into two parts, it is a part of
All samples all meet xi≤vi, all samples of another part all meet xi> vi, the value of property value for discrete variable
There are two only, i.e., equal to the value or not equal to the value.Also need to first carry out sliding-model control for continuous variable, this motion it is different
Common family internet behavior feature belongs to continuous variable.
(2) two parts obtained above are chosen an attribute by step (1) and continue to divide by Recursion process again, until
Entire n-dimensional space has all been divided.
In partition process, for a variable's attribute, its division points are in a pair of of continuous variable property value
Point.Assuming that the collection unification attribute of m sample has m continuous values, then there will be m-1 split point, each split point is
The average of two neighboring successive value.The division of each attribute according to can the amount of impurity of reduction be ranked up, and impurity subtracts
The impurity before division is defined as on a small quantity subtracts the sum of ratio shared by the impurity level division of each node after division.And impurity is measured
For method often with Gini indexs, Gini values mainly metric data divides or the impurity level of training dataset K, enterprising in branch node
The test of row Gini values, left subtree is divided into if certain purity is met, is otherwise divided into right subtree, ultimately generates one two
Pitch decision tree.Gini values are smaller, show that " degree of purity " of sample is higher.Assuming that a sample shares Z classes, belong to the probability of i classes
For pi, then the Gini impurity levels of a node K may be defined as equation below:
As Gini (K)=0, all samples belong to similar, when all classes occur in node with equiprobability, Gini (K)
It maximizes,
In actual recurrence partition process, if all samples of present node are all not belonging to same class or only remaining one
A sample, then this node is non-leaf nodes, it is therefore desirable to attempt each attribute of sample and corresponding point of each attribute
Knick point is attempted to find a maximum division of impurity variable, and the subtree of the Attribute transposition is optimum branching.
Step (2) CART algorithms use rear beta pruning, this motion uses cost complexity beta pruning method in rear beta pruning:R (t) is section
The error rate of point t, p (t) are the ratios that the data on node t account for all data, if the node, by beta pruning, R (t) is node t
Error cost, then
R (t)=r (t) × p (t) (9)
If the node is not by beta pruning, R (Tt) it is subtree TtError cost, it be equal to subtree TtUpper all leaf nodes
The sum of error cost;It is the leaf node number included in subtree, by formula (9), for every in post-class processing
The surface error rate gain value alpha of one non-leaf nodes, has
Fig. 3 is the structure diagram of abnormal behaviour customer identification device of the embodiment of the present invention, as shown in figure 3, the present embodiment
A kind of abnormal behaviour customer identification device is provided, is obtained including network information acquiring unit 1, judging unit 2, user information single
Member 3 and recognition unit 4, wherein:
Network information acquiring unit 1 is used to obtain the status information of current network, and the status information includes:The whole network speed
Rate, network element rate and Business Stream magnitude;Judging unit 2 for according to the current network status information, prefixed time interval t
With observing time i, judge that the current network whether there is abnormal behaviour user;If user information acquiring unit 3 is for described
Current network then obtains user conversation record information to be identified and the user terminal letter to be identified there are abnormal behaviour user
Breath;Recognition unit 4 is used to, according to the conversation recording information and the user terminal information, carry out the abnormal behaviour user
Identification.
Specifically, network information acquiring unit 1 is used to obtain the status information of current network, the status information includes:
Status information is sent to judging unit 2 by the whole network rate, network element rate and Business Stream magnitude, network information acquiring unit 1, is judged
Unit 2 is used for according to the status information of the current network, prefixed time interval t and observing time i, judges the current network
With the presence or absence of abnormal behaviour user, the judging result of abnormal behaviour user is sent to user information acquiring unit by judging unit 2
3, if user information acquiring unit 3 is used for the current network there are abnormal behaviour user, obtain user conversation note to be identified
Record information and the user terminal information to be identified, user information acquiring unit 3 is by conversation recording information and user terminal information
Recognition unit 4 is sent to, recognition unit 4 is used for according to the conversation recording information and the user terminal information, to described different
Chang Hangwei user is identified.
Abnormal behaviour customer identification device provided in an embodiment of the present invention, by judging that current network whether there is abnormal row
It for user, and identifies abnormal behaviour user, ensure that the stability of current network rate.
On the basis of above-described embodiment, the judging unit 2 is used for:
According to the whole network rate of the current network, prefixed time interval t and observing time i, the current network is judged
The whole network rate whether decline;If judging to know the whole network rate of the current network as decline state, judge described current
Whether the network element rate of network declines;If judging to know the network element rate of the current network as decline state, according to
The size of Business Stream magnitude selects in the Business Stream magnitude preceding m Business Stream magnitude as Business Stream magnitude to be selected;According to institute
Prefixed time interval t and the Business Stream magnitude to be selected are stated, calculates the service rate to be selected corresponding to the business to be selected;Judge
Whether the service rate to be selected of the current network declines;If judge to know the service rate to be selected of the current network to decline
State, then judging the current network, there are abnormal behaviour users.
Specifically, the judging unit 2 is used for according to the whole network rate of the current network, prefixed time interval t and sight
Time i is examined, judges whether the whole network rate of the current network declines;If the judging unit 2 knows described work as judgement
The whole network rate of preceding network is decline state, then judges whether the network element rate of the current network declines;The judging unit 2
If for judging to know the network element rate of the current network as decline state, according to the size of the Business Stream magnitude, choosing
Preceding m Business Stream magnitude is selected in the Business Stream magnitude as Business Stream magnitude to be selected;The judging unit 2 is used for according to
Prefixed time interval t and the Business Stream magnitude to be selected calculate the service rate to be selected corresponding to the business to be selected;It is described to sentence
Disconnected unit 2 is used to judge whether the service rate to be selected of the current network declines;If the judging unit 2 is known for judgement
The service rate to be selected of the current network is decline state, then judging the current network, there are abnormal behaviour users.
Abnormal behaviour customer identification device provided in an embodiment of the present invention, by the whole network rate, the net that judge current network
Whether first rate and service rate to be selected decline, and can accurately identify that current network whether there is abnormal behaviour user.
On the basis of above-described embodiment, the judging unit 2 is additionally operable to:
According to the service rate to be selected and service traffics number m to be selected, the average value of the calculating service rate to be selected;
According to the average value of the service rate to be selectedThe service rate V to be selectedijWith the average value of the network element rate
If pass through formulaThe result of calculating is 1, then judges the business to be selected of the current network
Rate is decline state.
Specifically, judging unit 2 is additionally operable to, according to the service rate to be selected and service traffics number m to be selected, calculate institute
State the average value of service rate to be selected;Judging unit 2 is additionally operable to the average value according to the service rate to be selectedIt is described to be selected
Service rate VijWith the average value of the network element rateIf pass through formulaIt calculates
As a result it is 1, then judges the service rate to be selected of the current network for decline state.
Abnormal behaviour customer identification device provided in an embodiment of the present invention, according to the service rate and network element to be selected calculated
The average value of rate ensure that service rate to be selected to decline the accuracy of condition adjudgement.
On the basis of above-described embodiment, the recognition unit 4 is used for:
According to the certain domain name access times in the conversation recording information, the certain domain name access times are more than the
The user identifier to be identified of one access times threshold value is abnormal user;The certain domain name access times are less than first to visit
Ask the user to be identified of frequency threshold value as the first user to be identified;Extract the cell-phone number of the described first user to be identified
Code if same phone number is more than the second access times threshold value to the certain domain name access times, described first is waited to know
Other user identifier is abnormal user, wherein, the second access times threshold value is less than the first access times threshold value;It will be same
Phone number is less than the certain domain name access times the described first user to be identified of the second access times threshold value as the
Two users to be identified;The information of mobile phone terminal of the described second user to be identified is extracted, the information of mobile phone terminal includes:Mobile phone is whole
Hold producer and model;If the mobile phone terminal of the identical mobile phone terminal producer and model is to the certain domain name access times
Then it is abnormal user by the described second user identifier to be identified more than the 3rd access times threshold value, wherein, the 3rd access time
Number threshold value is less than the second access times threshold value;By the mobile phone terminal of the identical mobile phone terminal producer and model to institute
Described second to be identified user of the certain domain name access times less than the 3rd access times threshold value is stated as the 3rd user to be identified;
The location information of the 3rd user mobile phone terminal to be identified is extracted, if the position of the mobile phone terminal is between the preset time
It is less than pre-determined distance threshold value every the displacement variable generated in t, then is abnormal user by the 3rd user identifier to be identified.
Specifically, recognition unit 4 is used for the certain domain name access times in the conversation recording information, by the spy
The user identifier to be identified that localization name access times are more than the first access times threshold value is abnormal user;Recognition unit 4 is used
In using the to be identified user of the certain domain name access times less than the first access times threshold value as the first use to be identified
Family;Recognition unit 4 is used to extract the phone number of the described first user to be identified, if same phone number is to the certain domain name
Access times are more than the second access times threshold value, then are abnormal user by the described first user identifier to be identified, wherein, described the
Two access times threshold values are less than the first access times threshold value;Recognition unit 4 is used for same phone number to described specific
Domain name access number is less than the described first user to be identified of the second access times threshold value as the second user to be identified;Identification is single
For extracting the information of mobile phone terminal of the described second user to be identified, the information of mobile phone terminal includes member 4:Mobile phone terminal producer
And model;If recognition unit 4 is for the mobile phone terminal of the identical mobile phone terminal producer and model to the certain domain name
Access times are more than the 3rd access times threshold value, then are abnormal user by the described second user identifier to be identified, wherein, described the
Three access times threshold values are less than the second access times threshold value;Recognition unit 4 be used for will the identical mobile phone terminal producer with
The mobile phone terminal of model is less than the described second to be identified of the 3rd access times threshold value to the certain domain name access times
User is as the 3rd user to be identified;Recognition unit 4 is used to extract the location information of the 3rd user mobile phone terminal to be identified,
If the displacement variable that the position of the mobile phone terminal generates in the prefixed time interval t is less than pre-determined distance threshold value,
It is abnormal user by the 3rd user identifier to be identified.
Abnormal behaviour customer identification device provided in an embodiment of the present invention by gradually identifying abnormal behaviour user, is protected
The accuracy of recognition effect is demonstrate,proved.
Abnormal behaviour customer identification device provided in this embodiment specifically can be used for performing above-mentioned each method embodiment
Process flow, details are not described herein for function, is referred to the detailed description of above method embodiment.
Fig. 4 is device entity structure diagram provided in an embodiment of the present invention, as shown in figure 4, the Neighborhood Optimization is handled
Device, including:Processor (processor) 401, memory (memory) 402 and bus 403;
Wherein, the processor 401, memory 402 complete mutual communication by bus 403;
The processor 401 is used to call the program instruction in the memory 402, to perform above-mentioned each method embodiment
The method provided, such as including:The whole network rate, network element rate and Business Stream magnitude;Believed according to the state of the current network
Breath, prefixed time interval t and observing time i judge that the current network whether there is abnormal behaviour user;If the current net
Network then obtains user conversation record information to be identified and the user terminal information to be identified there are abnormal behaviour user;According to
The abnormal behaviour user is identified in the conversation recording information and the user terminal information.
The present embodiment discloses a kind of computer program product, and the computer program product includes being stored in non-transient calculating
Computer program on machine readable storage medium storing program for executing, the computer program include program instruction, when described program instruction is calculated
When machine performs, computer is able to carry out the method that above-mentioned each method embodiment is provided, such as including:The whole network rate, network element speed
Rate and Business Stream magnitude;According to the status information of the current network, prefixed time interval t and observing time i, described work as is judged
Preceding network whether there is abnormal behaviour user;If the current network obtains user's meeting to be identified there are abnormal behaviour user
Words record information and the user terminal information to be identified;It is right according to the conversation recording information and the user terminal information
The abnormal behaviour user is identified.
The present embodiment provides a kind of non-transient computer readable storage medium storing program for executing, the non-transient computer readable storage medium storing program for executing
Computer instruction is stored, the computer instruction makes the computer perform the method that above-mentioned each method embodiment is provided, example
Such as include:The whole network rate, network element rate and Business Stream magnitude;According to the status information of the current network, prefixed time interval t
With observing time i, judge that the current network whether there is abnormal behaviour user;If there are abnormal behaviour use for the current network
Family then obtains user conversation record information to be identified and the user terminal information to be identified;According to the conversation recording information
With the user terminal information, the abnormal behaviour user is identified.
One of ordinary skill in the art will appreciate that:Realizing all or part of step of above method embodiment can pass through
The relevant hardware of program instruction is completed, and foregoing program can be stored in a computer read/write memory medium, the program
Upon execution, the step of execution includes above method embodiment;And foregoing storage medium includes:ROM, RAM, magnetic disc or light
The various media that can store program code such as disk.
The embodiments such as abnormal behaviour customer identification device described above are only schematical, wherein described be used as is divided
Unit from part description may or may not be it is physically separate, the component shown as unit can be or
It may not be physical location, you can be located at a place or can also be distributed in multiple network element.It can basis
It is actual to need that some or all of module therein is selected to realize the purpose of this embodiment scheme.Ordinary skill people
Member is not in the case where paying performing creative labour, you can to understand and implement.
Through the above description of the embodiments, those skilled in the art can be understood that each embodiment can
It is realized by the mode of software plus required general hardware platform, naturally it is also possible to pass through hardware.Based on such understanding, on
Technical solution is stated substantially in other words to embody the part that the prior art contributes in the form of software product, it should
Computer software product can store in a computer-readable storage medium, such as ROM/RAM, magnetic disc, CD, including several fingers
Order, which is used, so that computer equipment (can be personal computer, server or the network equipment etc.) performs each implementation
Method described in some parts of example or embodiment.
Finally it should be noted that:Various embodiments above is only to illustrate the technical solution of the embodiment of the present invention rather than right
It is limited;Although the embodiment of the present invention is described in detail with reference to foregoing embodiments, the ordinary skill of this field
Personnel should be understood:It can still modify to the technical solution recorded in foregoing embodiments or to which part
Or all technical characteristic carries out equivalent substitution;And these modifications or replacement, do not make the essence disengaging of appropriate technical solution
The scope of each embodiment technical solution of the embodiment of the present invention.
Claims (10)
1. a kind of abnormal behaviour user identification method, which is characterized in that including:
The status information of current network is obtained, the status information includes:The whole network rate, network element rate and Business Stream magnitude;
According to the status information of the current network, prefixed time interval t and observing time i, whether the current network is judged
There are abnormal behaviour users;
If the current network obtains user conversation record information to be identified and the use to be identified there are abnormal behaviour user
Family end message;
According to the conversation recording information and the user terminal information, the abnormal behaviour user is identified.
It is 2. according to the method described in claim 1, it is characterized in that, the status information according to the current network, default
Time interval t and observing time i judges that the current network whether there is abnormal behaviour user, including:
According to the whole network rate of the current network, prefixed time interval t and observing time i, the complete of the current network is judged
Whether network speed rate declines;
If judging to know the whole network rate of the current network as decline state, judging the network element rate of the current network is
No decline;
If judging to know the network element rate of the current network as decline state, according to the size of the Business Stream magnitude, choosing
Preceding m Business Stream magnitude is selected in the Business Stream magnitude as Business Stream magnitude to be selected;
According to the prefixed time interval t and the Business Stream magnitude to be selected, the industry to be selected corresponding to the business to be selected is calculated
Business rate;
Judge whether the service rate to be selected of the current network declines;
If judging to know the service rate to be selected of the current network as decline state, it is abnormal to judge that the current network exists
Behavior user.
It is 3. according to the method described in claim 2, it is characterized in that, the whole network rate according to the current network, default
Time interval t and observing time i, judges whether the whole network rate of the current network declines, including:
According to prefixed time interval t and observing time i, the number of observation n in the prefixed time interval t is obtained, wherein, institute
Observing time i is stated to be located between the initial time corresponding to the prefixed time interval t and termination time;
According to the number of observation n and the whole network rate of the current network, the whole network speed in the prefixed time interval t is calculated
The average value of rate;
According to the average value of the whole network rate and the whole network rate of the current network, the whole network for calculating the current network is fast
Rate declines percentage;
If the whole network rate of the current network, which declines percentage, is more than or equal to default the whole network rate percentage, described work as is judged
The whole network rate of preceding network is decline state.
4. according to the method described in claim 2, it is characterized in that, described, judge the current network network element rate whether
Decline, including:
According to the number of observation n and the network element rate of the current network, the network element speed in the prefixed time interval t is calculated
The average value of rate;
According to the average value of the network element rate and the network element rate of the current network, the network element for calculating the current network is fast
Rate declines percentage;
If the network element rate of the current network, which declines percentage, is more than or equal to default network element rate percentage, described work as is judged
The network element rate of preceding network is decline state.
5. according to the method described in claim 2, it is characterized in that, the service rate to be selected of the judgement current network is
No decline, including:
According to the service rate to be selected and service traffics number m to be selected, the average value of the calculating service rate to be selected;
According to the average value of the service rate to be selectedThe service rate V to be selectedijWith the average value of the network element rateIf pass through formulaThe result of calculating is 1, then judges the to be selected of the current network
Service rate is decline state.
It is 6. according to the method described in claim 1, it is characterized in that, described whole according to the conversation recording information and the user
The abnormal behaviour user is identified in client information, including:
According to the certain domain name access times in the conversation recording information, the certain domain name access times are more than first and are visited
The user identifier to be identified for asking frequency threshold value is abnormal user;
The user to be identified that the certain domain name access times are less than to the first access times threshold value is to be identified as first
User;
The phone number of the described first user to be identified is extracted, if same phone number is more than the certain domain name access times
Described first user identifier to be identified is then abnormal user by the second access times threshold value, wherein, the second access times threshold
Value is less than the first access times threshold value;
Same phone number is less than the described first to be identified of the second access times threshold value to the certain domain name access times
User is as the second user to be identified;
The information of mobile phone terminal of the described second user to be identified is extracted, the information of mobile phone terminal includes:Mobile phone terminal producer and
Model;
If the mobile phone terminal of the identical mobile phone terminal producer and model is more than the 3rd to the certain domain name access times
Described second user identifier to be identified is then abnormal user by access times threshold value, wherein, the 3rd access times threshold value is small
In the second access times threshold value;
The mobile phone terminal of the identical mobile phone terminal producer and model is less than the 3rd to the certain domain name access times
Described second user to be identified of access times threshold value is as the 3rd user to be identified;
The location information of the 3rd user mobile phone terminal to be identified is extracted, if the position of the mobile phone terminal is when described default
Between be spaced the displacement variable generated in t and be less than pre-determined distance threshold value, then be abnormal use by the 3rd user identifier to be identified
Family.
7. a kind of abnormal behaviour customer identification device, which is characterized in that including:
Network information acquiring unit, for obtaining the status information of current network, the status information includes:The whole network rate, net
First rate and Business Stream magnitude;
Judging unit, for status information, prefixed time interval t and the observing time i according to the current network, described in judgement
Current network whether there is abnormal behaviour user;
User information acquiring unit, if obtaining user conversation to be identified there are abnormal behaviour user for the current network
Record information and the user terminal information to be identified;
Recognition unit, for according to the conversation recording information and the user terminal information, to the abnormal behaviour user into
Row identification.
8. device according to claim 7, which is characterized in that the judging unit is used for:
According to the whole network rate of the current network, prefixed time interval t and observing time i, the complete of the current network is judged
Whether network speed rate declines;
If judging to know the whole network rate of the current network as decline state, judging the network element rate of the current network is
No decline;
If judging to know the network element rate of the current network as decline state, according to the size of the Business Stream magnitude, choosing
Preceding m Business Stream magnitude is selected in the Business Stream magnitude as Business Stream magnitude to be selected;
According to the prefixed time interval t and the Business Stream magnitude to be selected, the industry to be selected corresponding to the business to be selected is calculated
Business rate;
Judge whether the service rate to be selected of the current network declines;
If judging to know the service rate to be selected of the current network as decline state, it is abnormal to judge that the current network exists
Behavior user.
9. device according to claim 8, which is characterized in that the judging unit is additionally operable to:
According to the service rate to be selected and service traffics number m to be selected, the average value of the calculating service rate to be selected;
According to the average value of the service rate to be selectedThe service rate V to be selectedijWith the average value of the network element rateIf pass through formulaThe result of calculating is 1, then judges the to be selected of the current network
Service rate is decline state.
10. device according to claim 7, which is characterized in that the recognition unit is used for:
According to the certain domain name access times in the conversation recording information, the certain domain name access times are more than first and are visited
The user identifier to be identified for asking frequency threshold value is abnormal user;
The user to be identified that the certain domain name access times are less than to the first access times threshold value is to be identified as first
User;
The phone number of the described first user to be identified is extracted, if same phone number is more than the certain domain name access times
Described first user identifier to be identified is then abnormal user by the second access times threshold value, wherein, the second access times threshold
Value is less than the first access times threshold value;
Same phone number is less than the described first to be identified of the second access times threshold value to the certain domain name access times
User is as the second user to be identified;
The information of mobile phone terminal of the described second user to be identified is extracted, the information of mobile phone terminal includes:Mobile phone terminal producer and
Model;
If the mobile phone terminal of the identical mobile phone terminal producer and model is more than the 3rd to the certain domain name access times
Described second user identifier to be identified is then abnormal user by access times threshold value, wherein, the 3rd access times threshold value is small
In the second access times threshold value;
The mobile phone terminal of the identical mobile phone terminal producer and model is less than the 3rd to the certain domain name access times
Described second user to be identified of access times threshold value is as the 3rd user to be identified;
The location information of the 3rd user mobile phone terminal to be identified is extracted, if the position of the mobile phone terminal is when described default
Between be spaced the displacement variable generated in t and be less than pre-determined distance threshold value, then be abnormal use by the 3rd user identifier to be identified
Family.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611035558.9A CN108076032B (en) | 2016-11-15 | 2016-11-15 | Abnormal behavior user identification method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611035558.9A CN108076032B (en) | 2016-11-15 | 2016-11-15 | Abnormal behavior user identification method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108076032A true CN108076032A (en) | 2018-05-25 |
CN108076032B CN108076032B (en) | 2020-11-06 |
Family
ID=62161671
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611035558.9A Active CN108076032B (en) | 2016-11-15 | 2016-11-15 | Abnormal behavior user identification method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108076032B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109409902A (en) * | 2018-09-04 | 2019-03-01 | 平安普惠企业管理有限公司 | Risk subscribers recognition methods, device, computer equipment and storage medium |
CN111526381A (en) * | 2020-04-20 | 2020-08-11 | 北京创世云科技有限公司 | Method and device for optimizing live broadcast resources and electronic equipment |
CN113127881A (en) * | 2021-04-20 | 2021-07-16 | 重庆电子工程职业学院 | Data security processing method based on big data |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102014031A (en) * | 2010-12-31 | 2011-04-13 | 湖南神州祥网科技有限公司 | Method and system for network flow anomaly detection |
CN102368842A (en) * | 2011-10-12 | 2012-03-07 | 中国联合网络通信集团有限公司 | Detection method of abnormal behavior of mobile terminal and detection system thereof |
CN104320297A (en) * | 2014-10-15 | 2015-01-28 | 中冶长天国际工程有限责任公司 | Method and device for network anomaly detection and network communication control |
US20150341380A1 (en) * | 2014-05-20 | 2015-11-26 | Electronics And Telecommunications Research Institute | System and method for detecting abnormal behavior of control system |
CN105451257A (en) * | 2015-12-04 | 2016-03-30 | 中国联合网络通信集团有限公司 | Data business problem locating method and device |
CN106027577A (en) * | 2016-08-04 | 2016-10-12 | 四川无声信息技术有限公司 | Exception access behavior detection method and device |
-
2016
- 2016-11-15 CN CN201611035558.9A patent/CN108076032B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102014031A (en) * | 2010-12-31 | 2011-04-13 | 湖南神州祥网科技有限公司 | Method and system for network flow anomaly detection |
CN102368842A (en) * | 2011-10-12 | 2012-03-07 | 中国联合网络通信集团有限公司 | Detection method of abnormal behavior of mobile terminal and detection system thereof |
US20150341380A1 (en) * | 2014-05-20 | 2015-11-26 | Electronics And Telecommunications Research Institute | System and method for detecting abnormal behavior of control system |
CN104320297A (en) * | 2014-10-15 | 2015-01-28 | 中冶长天国际工程有限责任公司 | Method and device for network anomaly detection and network communication control |
CN105451257A (en) * | 2015-12-04 | 2016-03-30 | 中国联合网络通信集团有限公司 | Data business problem locating method and device |
CN106027577A (en) * | 2016-08-04 | 2016-10-12 | 四川无声信息技术有限公司 | Exception access behavior detection method and device |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109409902A (en) * | 2018-09-04 | 2019-03-01 | 平安普惠企业管理有限公司 | Risk subscribers recognition methods, device, computer equipment and storage medium |
CN111526381A (en) * | 2020-04-20 | 2020-08-11 | 北京创世云科技有限公司 | Method and device for optimizing live broadcast resources and electronic equipment |
CN111526381B (en) * | 2020-04-20 | 2021-07-09 | 北京创世云科技股份有限公司 | Method and device for optimizing live broadcast resources and electronic equipment |
CN113127881A (en) * | 2021-04-20 | 2021-07-16 | 重庆电子工程职业学院 | Data security processing method based on big data |
Also Published As
Publication number | Publication date |
---|---|
CN108076032B (en) | 2020-11-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Cortes et al. | Communities of interest | |
CN110099059B (en) | Domain name identification method and device and storage medium | |
US9223968B2 (en) | Determining whether virtual network user is malicious user based on degree of association | |
US11361045B2 (en) | Method, apparatus, and computer-readable storage medium for grouping social network nodes | |
CN107918905A (en) | Abnormal transaction identification method, apparatus and server | |
CN111090807B (en) | Knowledge graph-based user identification method and device | |
CN106815226A (en) | Text matching technique and device | |
CN108985954B (en) | Method for establishing association relation of each identifier and related equipment | |
CN110415107B (en) | Data processing method, data processing device, storage medium and electronic equipment | |
CN109918498B (en) | Problem warehousing method and device | |
CN106708841B (en) | The polymerization and device of website visitation path | |
CN108647997A (en) | A kind of method and device of detection abnormal data | |
CN108021651A (en) | Network public opinion risk assessment method and device | |
CN109257617B (en) | Method for determining suspected user in live broadcast platform and related equipment | |
CN108076032A (en) | A kind of abnormal behaviour user identification method and device | |
CN107977678A (en) | Method and apparatus for output information | |
CN110224859A (en) | The method and system of clique for identification | |
US8700756B2 (en) | Systems, methods and devices for extracting and visualizing user-centric communities from emails | |
CN109784403B (en) | Method for identifying risk equipment and related equipment | |
CN109460930B (en) | Method for determining risk account and related equipment | |
CN111586001A (en) | Abnormal user identification method and device, electronic equipment and storage medium | |
CN110222790A (en) | Method for identifying ID, device and server | |
US20160292258A1 (en) | Method and apparatus for filtering out low-frequency click, computer program, and computer readable medium | |
WO2016106944A1 (en) | Method for creating virtual human on mapreduce platform | |
CN113065748A (en) | Business risk assessment method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | ||
CP03 | Change of name, title or address |
Address after: Guangdong global building, No.11 Zhujiang West Road, Zhujiang New Town, Tianhe District, Guangzhou, Guangdong 510630 Patentee after: China Mobile Group Guangdong Co.,Ltd. Patentee after: CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd. Address before: 510623 Guangdong global building, 11 Zhujiang West Road, Zhujiang New Town, Guangzhou City, Guangdong Province Patentee before: China Mobile Group Guangdong Co.,Ltd. Patentee before: China Mobile Communications Corp. |