CN108076032A - A kind of abnormal behaviour user identification method and device - Google Patents

A kind of abnormal behaviour user identification method and device Download PDF

Info

Publication number
CN108076032A
CN108076032A CN201611035558.9A CN201611035558A CN108076032A CN 108076032 A CN108076032 A CN 108076032A CN 201611035558 A CN201611035558 A CN 201611035558A CN 108076032 A CN108076032 A CN 108076032A
Authority
CN
China
Prior art keywords
user
rate
identified
network
current network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611035558.9A
Other languages
Chinese (zh)
Other versions
CN108076032B (en
Inventor
罗骁茜
吴栩欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Guangdong Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Guangdong Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Guangdong Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201611035558.9A priority Critical patent/CN108076032B/en
Publication of CN108076032A publication Critical patent/CN108076032A/en
Application granted granted Critical
Publication of CN108076032B publication Critical patent/CN108076032B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/06Generation of reports
    • H04L43/067Generation of reports using time frame reporting
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876Network utilisation, e.g. volume of load or congestion level
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876Network utilisation, e.g. volume of load or congestion level
    • H04L43/0894Packet rate

Abstract

The embodiment of the present invention provides a kind of abnormal behaviour user identification method and device, the described method includes:The status information of current network is obtained, the status information includes:The whole network rate, network element rate and Business Stream magnitude;According to the status information of the current network, prefixed time interval t and observing time i, judge that the current network whether there is abnormal behaviour user;If the current network obtains user conversation record information to be identified and the user terminal information to be identified there are abnormal behaviour user;According to the conversation recording information and the user terminal information, the abnormal behaviour user is identified.Described device performs the above method.Abnormal behaviour user identification method and device provided in an embodiment of the present invention by judging current network with the presence or absence of abnormal behaviour user, and identify abnormal behaviour user, ensure that the stability of current network rate.

Description

A kind of abnormal behaviour user identification method and device
Technical field
The present embodiments relate to mobile communication technology fields, and in particular to a kind of abnormal behaviour user identification method and dress It puts.
Background technology
With the development of mobile communication technology, people more and more obtain information by surfing the Internet, to meet daily study The demand of work.
But simultaneously some steal-number sending advertisements, issue malicious link, defraud of Internet user's wealth etc. and internet information safety Related behavior also generates therewith, this class behavior is referred to as " user's abnormal behaviour ", these user's abnormal behaviours are for a long time, in large quantities Occupy limited Internet resources, the strong influence online experience of normal users causes user's networking speed slow or can not Online, the existing mode for solving the problems, such as this mainly by customer complaint after, treatment people to on-the-spot test, and according to test knot Fruit optimizes specific network environment, but None- identified goes out the user of abnormal behaviour, it is impossible to solve normal users from source The problem of networking speed is slow.
Therefore, the user of abnormal behaviour how is effectively identified, becoming need solve the problems, such as.
The content of the invention
In view of the problems of the existing technology, the embodiment of the present invention provides a kind of abnormal behaviour user identification method and dress It puts.
On the one hand, the embodiment of the present invention provides a kind of abnormal behaviour user identification method, including:
The status information of current network is obtained, the status information includes:The whole network rate, network element rate and service traffics Value;
According to the status information of the current network, prefixed time interval t and observing time i, the current network is judged With the presence or absence of abnormal behaviour user;
If the current network there are abnormal behaviour user, obtains user conversation record information to be identified and described waits to know Other user terminal information;
According to the conversation recording information and the user terminal information, the abnormal behaviour user is identified.
On the other hand, the embodiment of the present invention provides a kind of abnormal behaviour customer identification device, including:
Network information acquiring unit, for obtaining the status information of current network, the status information includes:The whole network speed Rate, network element rate and Business Stream magnitude;
Judging unit for status information, prefixed time interval t and the observing time i according to the current network, judges The current network whether there is abnormal behaviour user;
User information acquiring unit, if obtaining user to be identified there are abnormal behaviour user for the current network Conversation recording information and the user terminal information to be identified;
Recognition unit, for according to the conversation recording information and the user terminal information, using the abnormal behaviour Family is identified.
Abnormal behaviour user identification method and device provided in an embodiment of the present invention, by judging that current network whether there is Abnormal behaviour user, and identify abnormal behaviour user, it ensure that the stability of current network rate.
Description of the drawings
It in order to illustrate more clearly about the embodiment of the present invention or technical scheme of the prior art, below will be to embodiment or existing There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is this hair Some bright embodiments, for those of ordinary skill in the art, without creative efforts, can be with root Other attached drawings are obtained according to these attached drawings.
Fig. 1 is the flow diagram of abnormal behaviour user identification method of the embodiment of the present invention;
Fig. 2 is the flow diagram of further embodiment of this invention abnormal behaviour user identification method;
Fig. 3 is the structure diagram of abnormal behaviour customer identification device of the embodiment of the present invention;
Fig. 4 is device entity structure diagram provided in an embodiment of the present invention.
Specific embodiment
To make the purpose, technical scheme and advantage of the embodiment of the present invention clearer, below in conjunction with the embodiment of the present invention In attached drawing, the technical solution in the embodiment of the present invention is clearly and completely described, it is clear that described embodiment is Part of the embodiment of the present invention, instead of all the embodiments.Based on the embodiments of the present invention, those of ordinary skill in the art All other embodiments obtained without creative efforts belong to the scope of protection of the invention.
Fig. 1 is the flow diagram of abnormal behaviour user identification method of the embodiment of the present invention, as shown in Figure 1, the present embodiment A kind of abnormal behaviour user identification method provided, comprises the following steps:
S1:The status information of current network is obtained, the status information includes:The whole network rate, network element rate and Business Stream Magnitude.
Specifically, device obtains the status information of current network, the status information includes:The whole network rate, network element rate With Business Stream magnitude.It should be noted that:Current network state information can include the whole network rate, network element rate and service traffics Value, but it is not limited to above-mentioned the whole network rate, network element rate and Business Stream magnitude.
S2:According to the status information of the current network, prefixed time interval t and observing time i, the current net is judged Network whether there is abnormal behaviour user.
Specifically, device judges institute according to the status information of the current network, prefixed time interval t and observing time i Current network is stated with the presence or absence of abnormal behaviour user.It should be noted that:Prefixed time interval t and observing time i can bases Actual conditions are independently set, such as:Prefixed time interval t could be provided as 1 it is small when, it can be understood as:Device at interval of 1 it is small when It performs the abnormal behaviour user and knows method for distinguishing once, and user behavior to be selected is identified;Prefixed time interval t The numerical value of setting is smaller, and the frequency that user behavior is identified is higher, and the numerical value that prefixed time interval t is set is bigger, right User behavior is identified that the frequency is lower, observing time i the initial time corresponding to prefixed time interval t and terminate the time it Between can arbitrarily be arranged to one or many, such as:When prefixed time interval t be arranged to 1 it is small when, if perform this method it is current Time is 17:00, then initial time is corresponding to 17:00, the time is terminated corresponding to 18:00, observing time i can be 17:00 ~18:00 it is arbitrary once or several times it is corresponding to the whole network rate either the acquisition of network element rate or Business Stream magnitude when Between.
S3:If the current network there are abnormal behaviour user, obtains user conversation record information to be identified and described User terminal information to be identified.
Specifically, if device knows that the current network there are abnormal behaviour user, obtains user conversation note to be identified Record information and the user terminal information to be identified.It should be noted that:User conversation record information can include but is not limited to: To the access record information of domain names, session duration, source TCP/UDP ports, target TCP/UDP ports etc., user terminal letter Breath can include but is not limited to:Mobile phone terminal brand and model used by a user etc..
S4:According to the conversation recording information and the user terminal information, the abnormal behaviour user is identified.
Specifically, device is according to the conversation recording information and the user terminal information, to the abnormal behaviour user It is identified.It should be noted that:It can be to specific in conversation recording information that abnormal behaviour user, which is identified, The access times of domain name and the mobile phone terminal brand and model of user terminal information, phone number used and the mobile phone are whole What the position at end was realized.
Abnormal behaviour user identification method provided in an embodiment of the present invention, by judging that current network whether there is abnormal row It for user, and identifies abnormal behaviour user, ensure that the stability of current network rate.
It is described according to the status information of the current network, prefixed time interval t and sight on the basis of above-described embodiment Time i is examined, judges that the current network whether there is abnormal behaviour user, including:
According to the whole network rate of the current network, prefixed time interval t and observing time i, the current network is judged The whole network rate whether decline.
Specifically, device judges institute according to the whole network rate of the current network, prefixed time interval t and observing time i Whether the whole network rate for stating current network declines.It should be noted that:The basis for estimation whether the whole network rate declines can be worked as The whole network rate of preceding network declines percentage, is described as follows with continued reference to above-mentioned implementation example:When prefixed time interval t is arranged to 1 it is small when, if perform this method current time be 17:00, then initial time is corresponding to 17:00, the time is terminated corresponding to 18: 00, it is assumed that observing time i is 17:10、17:25 and, then number of observation n is 3 times, can be according to formula:Meter The average value of interior the whole network rate when calculating prefixed time interval 1 is smallWherein VAiBe current network status information in the whole network Rate, further according to formula:The whole network rate for calculating current network declines percentage PA, further according to Formula:Judge whether the whole network rate of current network in decline state (works as PA>=5%, it represents The whole network rate has decline;Work as PA< 5% represents that the whole network rate does not decline), therein 5% is default the whole network rate percentage, can Independently to be set according to actual conditions, here 5% be a kind of optional scheme, the embodiment of the present invention does not do this specific limit It is fixed.
If judging to know the whole network rate of the current network as decline state, the network element speed of the current network is judged Whether rate declines.
Specifically, if device judges to know the whole network rate of the current network as decline state, judge described current Whether the network element rate of network declines.If the whole network rate for judging to know the current network can recognize not decline state Abnormal behaviour user is not present for current network.It should be noted that:The basis for estimation whether network element rate declines can be worked as The network element rate of preceding network declines percentage, is described as follows with continued reference to above-mentioned implementation example:Number of observation n is 3 times, Ke Yigen According to formula:Calculate prefixed time interval 1 it is small when interior network element rate average valueWherein VBiIt is current net Network element rate in the status information of network, further according to formula:Calculate the network element rate of current network Decline percentage PB, further according to formula:Judge the network element rate of current network Whether it is default network element rate percentage in decline state, therein 10%, can be independently set according to actual conditions, here 10% be a kind of optional scheme, the embodiment of the present invention does not do this specific restriction.
If judge to know the network element rate of the current network as decline state, according to the big of the Business Stream magnitude It is small, preceding m Business Stream magnitude is selected in the Business Stream magnitude as Business Stream magnitude to be selected.
Specifically, if device judges to know the network element rate of the current network as decline state, according to the business The size of flow value selects in the Business Stream magnitude preceding m Business Stream magnitude as Business Stream magnitude to be selected.If device judges The network element rate of the current network is known not decline state, it may be considered that abnormal behaviour user is not present in current network.m Numerical value can independently be set according to actual conditions, be not specifically limited herein, the present embodiment enumerate m=10 acquisition industry to be selected Business flow value is as shown in table 1:
Table 1 is can be as preceding 10 Business Stream magnitudes of Business Stream magnitude to be selected
Table 1
Business Flow (MB) Accounting Rate (kbps)
360 security guards 3687 14% 283
Fetion 1090 4% 198
Netease 570 2% 108
The Industrial and Commercial Bank of China 553 2% 93
QQ space 370 1% 479
Www.qq.com 284 1% 591
UC is browsed 151 1% 480
Sina 148 1% 503
Baidu 110 0% 397
Apple official website 77 0% 470
RNC is whole 25598 100% 278
According to the prefixed time interval t and the Business Stream magnitude to be selected, calculate and treated corresponding to the business to be selected Select service rate.
Specifically, device calculates the business to be selected according to the prefixed time interval t and the Business Stream magnitude to be selected Corresponding service rate to be selected.It is illustrated below:It can be according to formula:Calculate service rate V to be selectedij, Wherein i is the observing time, j is j-th of business, MijFor Business Stream magnitude to be selected.
Judge whether the service rate to be selected of the current network declines.
Specifically, device judges whether the service rate to be selected of the current network declines.It can be according to formula: Calculate the average value of service rate to be selectedIt can be further according to formula: Judge the current network service rate to be selected whether be decline condition adjudgement described in the service rate to be selected of current network be No is decline state.
If judging to know the service rate to be selected of the current network as decline state, judge that the current network exists Abnormal behaviour user.
Specifically, if device judges to know the service rate to be selected of the current network as decline state, described in judgement There are abnormal behaviour users for current network.If the service rate to be selected for judging to know the current network not decline state, It is considered that abnormal behaviour user is not present in current network.
Abnormal behaviour user identification method provided in an embodiment of the present invention, by the whole network rate, the net that judge current network Whether first rate and service rate to be selected decline, and can accurately identify that current network whether there is abnormal behaviour user.
It is described according to the whole network rate of the current network, prefixed time interval t and sight on the basis of above-described embodiment Time i is examined, judges whether the whole network rate of the current network declines, including:
According to prefixed time interval t and observing time i, the number of observation n in the prefixed time interval t is obtained, In, the observing time i was located between the initial time corresponding to the prefixed time interval t and termination time.
Specifically, device obtains the sight in the prefixed time interval t according to prefixed time interval t and observing time i Examine frequency n, wherein, the observing time i be located at initial time corresponding to the prefixed time interval t and terminate the time it Between.Illustrate in the above-described embodiments, details are not described herein again.
According to the number of observation n and the whole network rate of the current network, calculate complete in the prefixed time interval t The average value of network speed rate.
Specifically, device is calculated according to the number of observation n and the whole network rate of the current network when described default Between be spaced t in the whole network rate average value.Illustrate in the above-described embodiments, details are not described herein again.
According to the average value of the whole network rate and the whole network rate of the current network, the complete of the current network is calculated Network speed rate declines percentage.
Specifically, device is according to the average value of the whole network rate and the whole network rate of the current network, described in calculating The whole network rate of current network declines percentage.Illustrate in the above-described embodiments, details are not described herein again.
If the whole network rate of the current network, which declines percentage, is more than or equal to default the whole network rate percentage, institute is judged The whole network rate for stating current network is decline state.
Specifically, if device knows that the whole network rate of the current network declines percentage and is more than or equal to default the whole network rate Percentage then judges the whole network rate of the current network for decline state.Illustrate in the above-described embodiments, it is no longer superfluous herein It states.
Abnormal behaviour user identification method provided in an embodiment of the present invention is declined by the whole network rate for calculating current network Percentage ensure that the whole network rate declines the accuracy of condition adjudgement.
It is described on the basis of above-described embodiment, judge whether the network element rate of the current network declines, including:
According to the number of observation n and the network element rate of the current network, calculate in the prefixed time interval t Intranets The average value of first rate.
Specifically, device is calculated according to the number of observation n and the network element rate of the current network when described default Between be spaced t in network element rate average value.Illustrate in the above-described embodiments, details are not described herein again.
According to the average value of the network element rate and the network element rate of the current network, the net of the current network is calculated First rate declines percentage.
Specifically, device is according to the average value of the network element rate and the network element rate of the current network, described in calculating The network element rate of current network declines percentage.Illustrate in the above-described embodiments, details are not described herein again.
If the network element rate of the current network, which declines percentage, is more than or equal to default network element rate percentage, institute is judged The network element rate for stating current network is decline state.
Specifically, if device knows that the network element rate of the current network declines percentage and is more than or equal to default network element rate Percentage then judges the network element rate of the current network for decline state.Illustrate in the above-described embodiments, it is no longer superfluous herein It states.
Abnormal behaviour user identification method provided in an embodiment of the present invention is declined by the network element rate for calculating current network Percentage ensure that network element rate declines the accuracy of condition adjudgement.
On the basis of above-described embodiment, whether the service rate to be selected for judging the current network declines, including:
According to the service rate to be selected and service traffics number m to be selected, the average value of the calculating service rate to be selected.
Specifically, device calculates the business speed to be selected according to the service rate to be selected and service traffics number m to be selected The average value of rate.Illustrate in the above-described embodiments, details are not described herein again.
According to the average value of the service rate to be selectedThe service rate V to be selectedijWith being averaged for the network element rate ValueIf pass through formulaThe result of calculating is 1, then judges treating for the current network It is decline state to select service rate.
Specifically, average value of the device according to the service rate to be selectedThe service rate V to be selectedijWith the net The average value of first rateIf pass through formulaThe result of calculating is 1, then described in judgement The service rate to be selected of current network is decline state.Illustrate in the above-described embodiments, details are not described herein again.
Abnormal behaviour user identification method provided in an embodiment of the present invention, according to the service rate and network element to be selected calculated The average value of rate ensure that service rate to be selected to decline the accuracy of condition adjudgement.
It is described according to the conversation recording information and the user terminal information on the basis of above-described embodiment, to institute Abnormal behaviour user is stated to be identified, including:
According to the certain domain name access times in the conversation recording information, the certain domain name access times are more than the The user identifier to be identified of one access times threshold value is abnormal user.
Specifically, Fig. 2 is the flow diagram of further embodiment of this invention abnormal behaviour user identification method, such as Fig. 2 institutes Show, certain domain name access times of the device in the conversation recording information, the certain domain name access times are more than the The user identifier to be identified of one access times threshold value is abnormal user.First access times threshold value can be according to actual conditions It is autonomous to set, it is not construed as limiting herein.It is illustrated below:User to be identified is 1000, and the first access times threshold value 50 times is treated There are 40 certain domain name access times to be more than the first access times threshold value 50 times in identification user, then by this 40 users to be identified It is identified as abnormal user.
The user to be identified that the certain domain name access times are less than to the first access times threshold value treats as first Identify user.
Specifically, the certain domain name access times are less than the user to be identified of the first access times threshold value by device As the first user to be identified.With continued reference to above-described embodiment, it is illustrated below:Above-mentioned 960 (1000-40=960) are a User to be identified is as the first user to be identified.
The phone number of the described first user to be identified is extracted, if same phone number is to the certain domain name access times Then it is abnormal user by the described first user identifier to be identified more than the second access times threshold value, wherein, second access time Number threshold value is less than the first access times threshold value.
Specifically, device extracts the phone number of first user to be identified, if same phone number is to described specific Domain name access number is more than the second access times threshold value, then is abnormal user by the described first user identifier to be identified, wherein, institute The second access times threshold value is stated less than the first access times threshold value.Second access times threshold value can be according to actual conditions certainly Main setting, is not construed as limiting herein.With continued reference to above-described embodiment, it is illustrated below:First user to be identified is 960, the Two access times threshold values are 40 times, and same phone number in the first user to be identified is more than second to certain domain name access times 60 the first user identifiers to be identified that access times threshold value is 40 times are abnormal user.
Same phone number is treated to the certain domain name access times are less than the second access times threshold value described first Identify user as the second user to be identified.
Specifically, same phone number is less than the second access times threshold value by device to the certain domain name access times First user to be identified is as the second user to be identified.It is illustrated below:First user to be identified is 960, by 900 (960-60) a first user to be identified is as the second user to be identified.
The information of mobile phone terminal of the described second user to be identified is extracted, the information of mobile phone terminal includes:Mobile phone terminal factory Family and model.
Specifically, device extracts the information of mobile phone terminal of second user to be identified, the information of mobile phone terminal can be with Including but not limited to:Mobile phone terminal producer and model.
If the mobile phone terminal of the identical mobile phone terminal producer and model is more than the certain domain name access times Described second user identifier to be identified is then abnormal user by the 3rd access times threshold value, wherein, the 3rd access times threshold Value is less than the second access times threshold value.
Specifically, if device knows the mobile phone terminal of the identical mobile phone terminal producer and model to the special domain Name access times are more than the 3rd access times threshold value, then are abnormal user by the described second user identifier to be identified, wherein, it is described 3rd access times threshold value is less than the second access times threshold value.3rd access times threshold value can be autonomous according to actual conditions It sets, does not limit herein.With continued reference to above-described embodiment, it is illustrated below:Second user to be identified be 900, the 3rd Access times threshold value is 30 times, by the mobile phone terminal of the identical mobile phone terminal producer and model in the second user to be identified It is abnormal to the certain domain name access times 20 the second user identifiers to be identified of 30 times more than the 3rd access times threshold value User.
The mobile phone terminal of the identical mobile phone terminal producer and model is less than the certain domain name access times Described second user to be identified of the 3rd access times threshold value is as the 3rd user to be identified.
Specifically, device visits the certain domain name mobile phone terminal of the identical mobile phone terminal producer and model Ask described second to be identified user of the number less than the 3rd access times threshold value as the 3rd user to be identified.It illustrates such as Under:Second user to be identified is 900, using 880 (900-20) a second user to be identified as the 3rd user to be identified.
The location information of the 3rd user mobile phone terminal to be identified is extracted, if the position of the mobile phone terminal is described pre- Then it is different by the 3rd user identifier to be identified if the displacement variable generated in time interval t is less than pre-determined distance threshold value Common family.
Specifically, device extracts the location information of the 3rd user mobile phone terminal to be identified, if the mobile phone terminal The displacement variable that position generates in the prefixed time interval t is less than pre-determined distance threshold value, then to be identified by the described 3rd User identifier is abnormal user.Pre-determined distance threshold value can independently be set according to actual conditions, not limited herein.With continued reference to Above-described embodiment is illustrated below:3rd user to be identified is 880, and pre-determined distance threshold value is 200 meters, and the 3rd is waited to know The displacement variable that the position of mobile phone terminal generates in the prefixed time interval t in other user is less than pre-determined distance threshold value 200 meters of 10 the 3rd user identifiers to be identified are abnormal user.By the position of mobile phone terminal in the 3rd user to be identified in institute State 870 (880-10) a 3rd that the displacement variable generated in prefixed time interval t is more than or equal to 200 meters of pre-determined distance threshold value User identifier to be identified is normal users.
Abnormal behaviour user identification method provided in an embodiment of the present invention by gradually identifying abnormal behaviour user, is protected The accuracy of recognition effect is demonstrate,proved.
The acquisition modes of abnormal behaviour user identification method flow chart as shown in Figure 2 can be according to following steps:
R1:User conversation record information to be identified, extraction key feature is as sample storehouse factor.To other features without shadow Loud independent characteristic as a sample storehouse factor, interact and coefficient multiple features merge into a sample storehouse because Element.The sample storehouse comprising normal users and abnormal user internet behavior session is established as a result,.
R2:Sample storehouse factor based on step R1 randomly selects a certain number of objects, constructs training dataset, passes through Training and beta pruning, generate abnormal behaviour user identification method flow chart as shown in Figure 2.Identify abnormal behaviour user identification method The detailed construction and algorithm of flow chart are as follows:
Decision Tree algorithms use CART (Classification and Regression Trees) algorithm, that is, classify back Return tree algorithm.
CART algorithms mainly include two steps:(1) division of sample recurrence is subjected to achievement process, (2) use verification data Carry out beta pruning.
The recurrence of step (1) establishes binary tree, section x1, x2..., xnN attribute of single sample is represented, belonging to y is represented Classification.The n spaces tieed up are divided into nonoverlapping rectangle by CART algorithms by recursive mode.Partiting step approximately as:
(1) an independent variable x is selectedi, then choose xiA value vi, viN-dimensional space is divided into two parts, it is a part of All samples all meet xi≤vi, all samples of another part all meet xi> vi, the value of property value for discrete variable There are two only, i.e., equal to the value or not equal to the value.Also need to first carry out sliding-model control for continuous variable, this motion it is different Common family internet behavior feature belongs to continuous variable.
(2) two parts obtained above are chosen an attribute by step (1) and continue to divide by Recursion process again, until Entire n-dimensional space has all been divided.
In partition process, for a variable's attribute, its division points are in a pair of of continuous variable property value Point.Assuming that the collection unification attribute of m sample has m continuous values, then there will be m-1 split point, each split point is The average of two neighboring successive value.The division of each attribute according to can the amount of impurity of reduction be ranked up, and impurity subtracts The impurity before division is defined as on a small quantity subtracts the sum of ratio shared by the impurity level division of each node after division.And impurity is measured For method often with Gini indexs, Gini values mainly metric data divides or the impurity level of training dataset K, enterprising in branch node The test of row Gini values, left subtree is divided into if certain purity is met, is otherwise divided into right subtree, ultimately generates one two Pitch decision tree.Gini values are smaller, show that " degree of purity " of sample is higher.Assuming that a sample shares Z classes, belong to the probability of i classes For pi, then the Gini impurity levels of a node K may be defined as equation below:
As Gini (K)=0, all samples belong to similar, when all classes occur in node with equiprobability, Gini (K) It maximizes,
In actual recurrence partition process, if all samples of present node are all not belonging to same class or only remaining one A sample, then this node is non-leaf nodes, it is therefore desirable to attempt each attribute of sample and corresponding point of each attribute Knick point is attempted to find a maximum division of impurity variable, and the subtree of the Attribute transposition is optimum branching.
Step (2) CART algorithms use rear beta pruning, this motion uses cost complexity beta pruning method in rear beta pruning:R (t) is section The error rate of point t, p (t) are the ratios that the data on node t account for all data, if the node, by beta pruning, R (t) is node t Error cost, then
R (t)=r (t) × p (t) (9)
If the node is not by beta pruning, R (Tt) it is subtree TtError cost, it be equal to subtree TtUpper all leaf nodes The sum of error cost;It is the leaf node number included in subtree, by formula (9), for every in post-class processing The surface error rate gain value alpha of one non-leaf nodes, has
Fig. 3 is the structure diagram of abnormal behaviour customer identification device of the embodiment of the present invention, as shown in figure 3, the present embodiment A kind of abnormal behaviour customer identification device is provided, is obtained including network information acquiring unit 1, judging unit 2, user information single Member 3 and recognition unit 4, wherein:
Network information acquiring unit 1 is used to obtain the status information of current network, and the status information includes:The whole network speed Rate, network element rate and Business Stream magnitude;Judging unit 2 for according to the current network status information, prefixed time interval t With observing time i, judge that the current network whether there is abnormal behaviour user;If user information acquiring unit 3 is for described Current network then obtains user conversation record information to be identified and the user terminal letter to be identified there are abnormal behaviour user Breath;Recognition unit 4 is used to, according to the conversation recording information and the user terminal information, carry out the abnormal behaviour user Identification.
Specifically, network information acquiring unit 1 is used to obtain the status information of current network, the status information includes: Status information is sent to judging unit 2 by the whole network rate, network element rate and Business Stream magnitude, network information acquiring unit 1, is judged Unit 2 is used for according to the status information of the current network, prefixed time interval t and observing time i, judges the current network With the presence or absence of abnormal behaviour user, the judging result of abnormal behaviour user is sent to user information acquiring unit by judging unit 2 3, if user information acquiring unit 3 is used for the current network there are abnormal behaviour user, obtain user conversation note to be identified Record information and the user terminal information to be identified, user information acquiring unit 3 is by conversation recording information and user terminal information Recognition unit 4 is sent to, recognition unit 4 is used for according to the conversation recording information and the user terminal information, to described different Chang Hangwei user is identified.
Abnormal behaviour customer identification device provided in an embodiment of the present invention, by judging that current network whether there is abnormal row It for user, and identifies abnormal behaviour user, ensure that the stability of current network rate.
On the basis of above-described embodiment, the judging unit 2 is used for:
According to the whole network rate of the current network, prefixed time interval t and observing time i, the current network is judged The whole network rate whether decline;If judging to know the whole network rate of the current network as decline state, judge described current Whether the network element rate of network declines;If judging to know the network element rate of the current network as decline state, according to The size of Business Stream magnitude selects in the Business Stream magnitude preceding m Business Stream magnitude as Business Stream magnitude to be selected;According to institute Prefixed time interval t and the Business Stream magnitude to be selected are stated, calculates the service rate to be selected corresponding to the business to be selected;Judge Whether the service rate to be selected of the current network declines;If judge to know the service rate to be selected of the current network to decline State, then judging the current network, there are abnormal behaviour users.
Specifically, the judging unit 2 is used for according to the whole network rate of the current network, prefixed time interval t and sight Time i is examined, judges whether the whole network rate of the current network declines;If the judging unit 2 knows described work as judgement The whole network rate of preceding network is decline state, then judges whether the network element rate of the current network declines;The judging unit 2 If for judging to know the network element rate of the current network as decline state, according to the size of the Business Stream magnitude, choosing Preceding m Business Stream magnitude is selected in the Business Stream magnitude as Business Stream magnitude to be selected;The judging unit 2 is used for according to Prefixed time interval t and the Business Stream magnitude to be selected calculate the service rate to be selected corresponding to the business to be selected;It is described to sentence Disconnected unit 2 is used to judge whether the service rate to be selected of the current network declines;If the judging unit 2 is known for judgement The service rate to be selected of the current network is decline state, then judging the current network, there are abnormal behaviour users.
Abnormal behaviour customer identification device provided in an embodiment of the present invention, by the whole network rate, the net that judge current network Whether first rate and service rate to be selected decline, and can accurately identify that current network whether there is abnormal behaviour user.
On the basis of above-described embodiment, the judging unit 2 is additionally operable to:
According to the service rate to be selected and service traffics number m to be selected, the average value of the calculating service rate to be selected; According to the average value of the service rate to be selectedThe service rate V to be selectedijWith the average value of the network element rate If pass through formulaThe result of calculating is 1, then judges the business to be selected of the current network Rate is decline state.
Specifically, judging unit 2 is additionally operable to, according to the service rate to be selected and service traffics number m to be selected, calculate institute State the average value of service rate to be selected;Judging unit 2 is additionally operable to the average value according to the service rate to be selectedIt is described to be selected Service rate VijWith the average value of the network element rateIf pass through formulaIt calculates As a result it is 1, then judges the service rate to be selected of the current network for decline state.
Abnormal behaviour customer identification device provided in an embodiment of the present invention, according to the service rate and network element to be selected calculated The average value of rate ensure that service rate to be selected to decline the accuracy of condition adjudgement.
On the basis of above-described embodiment, the recognition unit 4 is used for:
According to the certain domain name access times in the conversation recording information, the certain domain name access times are more than the The user identifier to be identified of one access times threshold value is abnormal user;The certain domain name access times are less than first to visit Ask the user to be identified of frequency threshold value as the first user to be identified;Extract the cell-phone number of the described first user to be identified Code if same phone number is more than the second access times threshold value to the certain domain name access times, described first is waited to know Other user identifier is abnormal user, wherein, the second access times threshold value is less than the first access times threshold value;It will be same Phone number is less than the certain domain name access times the described first user to be identified of the second access times threshold value as the Two users to be identified;The information of mobile phone terminal of the described second user to be identified is extracted, the information of mobile phone terminal includes:Mobile phone is whole Hold producer and model;If the mobile phone terminal of the identical mobile phone terminal producer and model is to the certain domain name access times Then it is abnormal user by the described second user identifier to be identified more than the 3rd access times threshold value, wherein, the 3rd access time Number threshold value is less than the second access times threshold value;By the mobile phone terminal of the identical mobile phone terminal producer and model to institute Described second to be identified user of the certain domain name access times less than the 3rd access times threshold value is stated as the 3rd user to be identified; The location information of the 3rd user mobile phone terminal to be identified is extracted, if the position of the mobile phone terminal is between the preset time It is less than pre-determined distance threshold value every the displacement variable generated in t, then is abnormal user by the 3rd user identifier to be identified.
Specifically, recognition unit 4 is used for the certain domain name access times in the conversation recording information, by the spy The user identifier to be identified that localization name access times are more than the first access times threshold value is abnormal user;Recognition unit 4 is used In using the to be identified user of the certain domain name access times less than the first access times threshold value as the first use to be identified Family;Recognition unit 4 is used to extract the phone number of the described first user to be identified, if same phone number is to the certain domain name Access times are more than the second access times threshold value, then are abnormal user by the described first user identifier to be identified, wherein, described the Two access times threshold values are less than the first access times threshold value;Recognition unit 4 is used for same phone number to described specific Domain name access number is less than the described first user to be identified of the second access times threshold value as the second user to be identified;Identification is single For extracting the information of mobile phone terminal of the described second user to be identified, the information of mobile phone terminal includes member 4:Mobile phone terminal producer And model;If recognition unit 4 is for the mobile phone terminal of the identical mobile phone terminal producer and model to the certain domain name Access times are more than the 3rd access times threshold value, then are abnormal user by the described second user identifier to be identified, wherein, described the Three access times threshold values are less than the second access times threshold value;Recognition unit 4 be used for will the identical mobile phone terminal producer with The mobile phone terminal of model is less than the described second to be identified of the 3rd access times threshold value to the certain domain name access times User is as the 3rd user to be identified;Recognition unit 4 is used to extract the location information of the 3rd user mobile phone terminal to be identified, If the displacement variable that the position of the mobile phone terminal generates in the prefixed time interval t is less than pre-determined distance threshold value, It is abnormal user by the 3rd user identifier to be identified.
Abnormal behaviour customer identification device provided in an embodiment of the present invention by gradually identifying abnormal behaviour user, is protected The accuracy of recognition effect is demonstrate,proved.
Abnormal behaviour customer identification device provided in this embodiment specifically can be used for performing above-mentioned each method embodiment Process flow, details are not described herein for function, is referred to the detailed description of above method embodiment.
Fig. 4 is device entity structure diagram provided in an embodiment of the present invention, as shown in figure 4, the Neighborhood Optimization is handled Device, including:Processor (processor) 401, memory (memory) 402 and bus 403;
Wherein, the processor 401, memory 402 complete mutual communication by bus 403;
The processor 401 is used to call the program instruction in the memory 402, to perform above-mentioned each method embodiment The method provided, such as including:The whole network rate, network element rate and Business Stream magnitude;Believed according to the state of the current network Breath, prefixed time interval t and observing time i judge that the current network whether there is abnormal behaviour user;If the current net Network then obtains user conversation record information to be identified and the user terminal information to be identified there are abnormal behaviour user;According to The abnormal behaviour user is identified in the conversation recording information and the user terminal information.
The present embodiment discloses a kind of computer program product, and the computer program product includes being stored in non-transient calculating Computer program on machine readable storage medium storing program for executing, the computer program include program instruction, when described program instruction is calculated When machine performs, computer is able to carry out the method that above-mentioned each method embodiment is provided, such as including:The whole network rate, network element speed Rate and Business Stream magnitude;According to the status information of the current network, prefixed time interval t and observing time i, described work as is judged Preceding network whether there is abnormal behaviour user;If the current network obtains user's meeting to be identified there are abnormal behaviour user Words record information and the user terminal information to be identified;It is right according to the conversation recording information and the user terminal information The abnormal behaviour user is identified.
The present embodiment provides a kind of non-transient computer readable storage medium storing program for executing, the non-transient computer readable storage medium storing program for executing Computer instruction is stored, the computer instruction makes the computer perform the method that above-mentioned each method embodiment is provided, example Such as include:The whole network rate, network element rate and Business Stream magnitude;According to the status information of the current network, prefixed time interval t With observing time i, judge that the current network whether there is abnormal behaviour user;If there are abnormal behaviour use for the current network Family then obtains user conversation record information to be identified and the user terminal information to be identified;According to the conversation recording information With the user terminal information, the abnormal behaviour user is identified.
One of ordinary skill in the art will appreciate that:Realizing all or part of step of above method embodiment can pass through The relevant hardware of program instruction is completed, and foregoing program can be stored in a computer read/write memory medium, the program Upon execution, the step of execution includes above method embodiment;And foregoing storage medium includes:ROM, RAM, magnetic disc or light The various media that can store program code such as disk.
The embodiments such as abnormal behaviour customer identification device described above are only schematical, wherein described be used as is divided Unit from part description may or may not be it is physically separate, the component shown as unit can be or It may not be physical location, you can be located at a place or can also be distributed in multiple network element.It can basis It is actual to need that some or all of module therein is selected to realize the purpose of this embodiment scheme.Ordinary skill people Member is not in the case where paying performing creative labour, you can to understand and implement.
Through the above description of the embodiments, those skilled in the art can be understood that each embodiment can It is realized by the mode of software plus required general hardware platform, naturally it is also possible to pass through hardware.Based on such understanding, on Technical solution is stated substantially in other words to embody the part that the prior art contributes in the form of software product, it should Computer software product can store in a computer-readable storage medium, such as ROM/RAM, magnetic disc, CD, including several fingers Order, which is used, so that computer equipment (can be personal computer, server or the network equipment etc.) performs each implementation Method described in some parts of example or embodiment.
Finally it should be noted that:Various embodiments above is only to illustrate the technical solution of the embodiment of the present invention rather than right It is limited;Although the embodiment of the present invention is described in detail with reference to foregoing embodiments, the ordinary skill of this field Personnel should be understood:It can still modify to the technical solution recorded in foregoing embodiments or to which part Or all technical characteristic carries out equivalent substitution;And these modifications or replacement, do not make the essence disengaging of appropriate technical solution The scope of each embodiment technical solution of the embodiment of the present invention.

Claims (10)

1. a kind of abnormal behaviour user identification method, which is characterized in that including:
The status information of current network is obtained, the status information includes:The whole network rate, network element rate and Business Stream magnitude;
According to the status information of the current network, prefixed time interval t and observing time i, whether the current network is judged There are abnormal behaviour users;
If the current network obtains user conversation record information to be identified and the use to be identified there are abnormal behaviour user Family end message;
According to the conversation recording information and the user terminal information, the abnormal behaviour user is identified.
It is 2. according to the method described in claim 1, it is characterized in that, the status information according to the current network, default Time interval t and observing time i judges that the current network whether there is abnormal behaviour user, including:
According to the whole network rate of the current network, prefixed time interval t and observing time i, the complete of the current network is judged Whether network speed rate declines;
If judging to know the whole network rate of the current network as decline state, judging the network element rate of the current network is No decline;
If judging to know the network element rate of the current network as decline state, according to the size of the Business Stream magnitude, choosing Preceding m Business Stream magnitude is selected in the Business Stream magnitude as Business Stream magnitude to be selected;
According to the prefixed time interval t and the Business Stream magnitude to be selected, the industry to be selected corresponding to the business to be selected is calculated Business rate;
Judge whether the service rate to be selected of the current network declines;
If judging to know the service rate to be selected of the current network as decline state, it is abnormal to judge that the current network exists Behavior user.
It is 3. according to the method described in claim 2, it is characterized in that, the whole network rate according to the current network, default Time interval t and observing time i, judges whether the whole network rate of the current network declines, including:
According to prefixed time interval t and observing time i, the number of observation n in the prefixed time interval t is obtained, wherein, institute Observing time i is stated to be located between the initial time corresponding to the prefixed time interval t and termination time;
According to the number of observation n and the whole network rate of the current network, the whole network speed in the prefixed time interval t is calculated The average value of rate;
According to the average value of the whole network rate and the whole network rate of the current network, the whole network for calculating the current network is fast Rate declines percentage;
If the whole network rate of the current network, which declines percentage, is more than or equal to default the whole network rate percentage, described work as is judged The whole network rate of preceding network is decline state.
4. according to the method described in claim 2, it is characterized in that, described, judge the current network network element rate whether Decline, including:
According to the number of observation n and the network element rate of the current network, the network element speed in the prefixed time interval t is calculated The average value of rate;
According to the average value of the network element rate and the network element rate of the current network, the network element for calculating the current network is fast Rate declines percentage;
If the network element rate of the current network, which declines percentage, is more than or equal to default network element rate percentage, described work as is judged The network element rate of preceding network is decline state.
5. according to the method described in claim 2, it is characterized in that, the service rate to be selected of the judgement current network is No decline, including:
According to the service rate to be selected and service traffics number m to be selected, the average value of the calculating service rate to be selected;
According to the average value of the service rate to be selectedThe service rate V to be selectedijWith the average value of the network element rateIf pass through formulaThe result of calculating is 1, then judges the to be selected of the current network Service rate is decline state.
It is 6. according to the method described in claim 1, it is characterized in that, described whole according to the conversation recording information and the user The abnormal behaviour user is identified in client information, including:
According to the certain domain name access times in the conversation recording information, the certain domain name access times are more than first and are visited The user identifier to be identified for asking frequency threshold value is abnormal user;
The user to be identified that the certain domain name access times are less than to the first access times threshold value is to be identified as first User;
The phone number of the described first user to be identified is extracted, if same phone number is more than the certain domain name access times Described first user identifier to be identified is then abnormal user by the second access times threshold value, wherein, the second access times threshold Value is less than the first access times threshold value;
Same phone number is less than the described first to be identified of the second access times threshold value to the certain domain name access times User is as the second user to be identified;
The information of mobile phone terminal of the described second user to be identified is extracted, the information of mobile phone terminal includes:Mobile phone terminal producer and Model;
If the mobile phone terminal of the identical mobile phone terminal producer and model is more than the 3rd to the certain domain name access times Described second user identifier to be identified is then abnormal user by access times threshold value, wherein, the 3rd access times threshold value is small In the second access times threshold value;
The mobile phone terminal of the identical mobile phone terminal producer and model is less than the 3rd to the certain domain name access times Described second user to be identified of access times threshold value is as the 3rd user to be identified;
The location information of the 3rd user mobile phone terminal to be identified is extracted, if the position of the mobile phone terminal is when described default Between be spaced the displacement variable generated in t and be less than pre-determined distance threshold value, then be abnormal use by the 3rd user identifier to be identified Family.
7. a kind of abnormal behaviour customer identification device, which is characterized in that including:
Network information acquiring unit, for obtaining the status information of current network, the status information includes:The whole network rate, net First rate and Business Stream magnitude;
Judging unit, for status information, prefixed time interval t and the observing time i according to the current network, described in judgement Current network whether there is abnormal behaviour user;
User information acquiring unit, if obtaining user conversation to be identified there are abnormal behaviour user for the current network Record information and the user terminal information to be identified;
Recognition unit, for according to the conversation recording information and the user terminal information, to the abnormal behaviour user into Row identification.
8. device according to claim 7, which is characterized in that the judging unit is used for:
According to the whole network rate of the current network, prefixed time interval t and observing time i, the complete of the current network is judged Whether network speed rate declines;
If judging to know the whole network rate of the current network as decline state, judging the network element rate of the current network is No decline;
If judging to know the network element rate of the current network as decline state, according to the size of the Business Stream magnitude, choosing Preceding m Business Stream magnitude is selected in the Business Stream magnitude as Business Stream magnitude to be selected;
According to the prefixed time interval t and the Business Stream magnitude to be selected, the industry to be selected corresponding to the business to be selected is calculated Business rate;
Judge whether the service rate to be selected of the current network declines;
If judging to know the service rate to be selected of the current network as decline state, it is abnormal to judge that the current network exists Behavior user.
9. device according to claim 8, which is characterized in that the judging unit is additionally operable to:
According to the service rate to be selected and service traffics number m to be selected, the average value of the calculating service rate to be selected;
According to the average value of the service rate to be selectedThe service rate V to be selectedijWith the average value of the network element rateIf pass through formulaThe result of calculating is 1, then judges the to be selected of the current network Service rate is decline state.
10. device according to claim 7, which is characterized in that the recognition unit is used for:
According to the certain domain name access times in the conversation recording information, the certain domain name access times are more than first and are visited The user identifier to be identified for asking frequency threshold value is abnormal user;
The user to be identified that the certain domain name access times are less than to the first access times threshold value is to be identified as first User;
The phone number of the described first user to be identified is extracted, if same phone number is more than the certain domain name access times Described first user identifier to be identified is then abnormal user by the second access times threshold value, wherein, the second access times threshold Value is less than the first access times threshold value;
Same phone number is less than the described first to be identified of the second access times threshold value to the certain domain name access times User is as the second user to be identified;
The information of mobile phone terminal of the described second user to be identified is extracted, the information of mobile phone terminal includes:Mobile phone terminal producer and Model;
If the mobile phone terminal of the identical mobile phone terminal producer and model is more than the 3rd to the certain domain name access times Described second user identifier to be identified is then abnormal user by access times threshold value, wherein, the 3rd access times threshold value is small In the second access times threshold value;
The mobile phone terminal of the identical mobile phone terminal producer and model is less than the 3rd to the certain domain name access times Described second user to be identified of access times threshold value is as the 3rd user to be identified;
The location information of the 3rd user mobile phone terminal to be identified is extracted, if the position of the mobile phone terminal is when described default Between be spaced the displacement variable generated in t and be less than pre-determined distance threshold value, then be abnormal use by the 3rd user identifier to be identified Family.
CN201611035558.9A 2016-11-15 2016-11-15 Abnormal behavior user identification method and device Active CN108076032B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611035558.9A CN108076032B (en) 2016-11-15 2016-11-15 Abnormal behavior user identification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611035558.9A CN108076032B (en) 2016-11-15 2016-11-15 Abnormal behavior user identification method and device

Publications (2)

Publication Number Publication Date
CN108076032A true CN108076032A (en) 2018-05-25
CN108076032B CN108076032B (en) 2020-11-06

Family

ID=62161671

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611035558.9A Active CN108076032B (en) 2016-11-15 2016-11-15 Abnormal behavior user identification method and device

Country Status (1)

Country Link
CN (1) CN108076032B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109409902A (en) * 2018-09-04 2019-03-01 平安普惠企业管理有限公司 Risk subscribers recognition methods, device, computer equipment and storage medium
CN111526381A (en) * 2020-04-20 2020-08-11 北京创世云科技有限公司 Method and device for optimizing live broadcast resources and electronic equipment
CN113127881A (en) * 2021-04-20 2021-07-16 重庆电子工程职业学院 Data security processing method based on big data

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014031A (en) * 2010-12-31 2011-04-13 湖南神州祥网科技有限公司 Method and system for network flow anomaly detection
CN102368842A (en) * 2011-10-12 2012-03-07 中国联合网络通信集团有限公司 Detection method of abnormal behavior of mobile terminal and detection system thereof
CN104320297A (en) * 2014-10-15 2015-01-28 中冶长天国际工程有限责任公司 Method and device for network anomaly detection and network communication control
US20150341380A1 (en) * 2014-05-20 2015-11-26 Electronics And Telecommunications Research Institute System and method for detecting abnormal behavior of control system
CN105451257A (en) * 2015-12-04 2016-03-30 中国联合网络通信集团有限公司 Data business problem locating method and device
CN106027577A (en) * 2016-08-04 2016-10-12 四川无声信息技术有限公司 Exception access behavior detection method and device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014031A (en) * 2010-12-31 2011-04-13 湖南神州祥网科技有限公司 Method and system for network flow anomaly detection
CN102368842A (en) * 2011-10-12 2012-03-07 中国联合网络通信集团有限公司 Detection method of abnormal behavior of mobile terminal and detection system thereof
US20150341380A1 (en) * 2014-05-20 2015-11-26 Electronics And Telecommunications Research Institute System and method for detecting abnormal behavior of control system
CN104320297A (en) * 2014-10-15 2015-01-28 中冶长天国际工程有限责任公司 Method and device for network anomaly detection and network communication control
CN105451257A (en) * 2015-12-04 2016-03-30 中国联合网络通信集团有限公司 Data business problem locating method and device
CN106027577A (en) * 2016-08-04 2016-10-12 四川无声信息技术有限公司 Exception access behavior detection method and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109409902A (en) * 2018-09-04 2019-03-01 平安普惠企业管理有限公司 Risk subscribers recognition methods, device, computer equipment and storage medium
CN111526381A (en) * 2020-04-20 2020-08-11 北京创世云科技有限公司 Method and device for optimizing live broadcast resources and electronic equipment
CN111526381B (en) * 2020-04-20 2021-07-09 北京创世云科技股份有限公司 Method and device for optimizing live broadcast resources and electronic equipment
CN113127881A (en) * 2021-04-20 2021-07-16 重庆电子工程职业学院 Data security processing method based on big data

Also Published As

Publication number Publication date
CN108076032B (en) 2020-11-06

Similar Documents

Publication Publication Date Title
Cortes et al. Communities of interest
CN110099059B (en) Domain name identification method and device and storage medium
US9223968B2 (en) Determining whether virtual network user is malicious user based on degree of association
US11361045B2 (en) Method, apparatus, and computer-readable storage medium for grouping social network nodes
CN107918905A (en) Abnormal transaction identification method, apparatus and server
CN111090807B (en) Knowledge graph-based user identification method and device
CN106815226A (en) Text matching technique and device
CN108985954B (en) Method for establishing association relation of each identifier and related equipment
CN110415107B (en) Data processing method, data processing device, storage medium and electronic equipment
CN109918498B (en) Problem warehousing method and device
CN106708841B (en) The polymerization and device of website visitation path
CN108647997A (en) A kind of method and device of detection abnormal data
CN108021651A (en) Network public opinion risk assessment method and device
CN109257617B (en) Method for determining suspected user in live broadcast platform and related equipment
CN108076032A (en) A kind of abnormal behaviour user identification method and device
CN107977678A (en) Method and apparatus for output information
CN110224859A (en) The method and system of clique for identification
US8700756B2 (en) Systems, methods and devices for extracting and visualizing user-centric communities from emails
CN109784403B (en) Method for identifying risk equipment and related equipment
CN109460930B (en) Method for determining risk account and related equipment
CN111586001A (en) Abnormal user identification method and device, electronic equipment and storage medium
CN110222790A (en) Method for identifying ID, device and server
US20160292258A1 (en) Method and apparatus for filtering out low-frequency click, computer program, and computer readable medium
WO2016106944A1 (en) Method for creating virtual human on mapreduce platform
CN113065748A (en) Business risk assessment method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: Guangdong global building, No.11 Zhujiang West Road, Zhujiang New Town, Tianhe District, Guangzhou, Guangdong 510630

Patentee after: China Mobile Group Guangdong Co.,Ltd.

Patentee after: CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd.

Address before: 510623 Guangdong global building, 11 Zhujiang West Road, Zhujiang New Town, Guangzhou City, Guangdong Province

Patentee before: China Mobile Group Guangdong Co.,Ltd.

Patentee before: China Mobile Communications Corp.