CN108076032B - Abnormal behavior user identification method and device - Google Patents

Publication number
CN108076032B
Authority
CN
China
Prior art keywords
user
rate
network
current network
identified
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611035558.9A
Other languages
Chinese (zh)
Other versions
CN108076032A (en)
Inventor
罗骁茜
吴栩欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Guangdong Co Ltd
Original Assignee
China Mobile Group Guangdong Co Ltd
China Mobile Communications Corp
Application filed by China Mobile Group Guangdong Co Ltd and China Mobile Communications Corp
Priority to CN201611035558.9A
Publication of CN108076032A
Application granted
Publication of CN108076032B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L43/067 Generation of reports using time frame reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0894 Packet rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a method and device for identifying users with abnormal behavior. The method includes: acquiring state information of the current network, where the state information includes a network-wide rate, a network element rate and service traffic values; determining, according to the state information of the current network, a preset time interval t and an observation time i, whether users with abnormal behavior exist in the current network; if users with abnormal behavior exist in the current network, acquiring the session record information of the users to be identified and the terminal information of the users to be identified; and identifying the users with abnormal behavior according to the session record information and the user terminal information. The device performs the above method. By determining whether users with abnormal behavior exist in the current network and identifying them, the method and device provided by the embodiments of the present invention ensure the stability of the current network rate.

Description

A method and device for identifying users with abnormal behavior

Technical field

Embodiments of the present invention relate to the field of mobile communication technologies, and in particular to a method and device for identifying users with abnormal behavior.

Background

With the development of mobile communication technology, people increasingly obtain information over the Internet to meet the needs of daily study and work.

At the same time, behaviors related to online information security have emerged, such as stealing accounts to send advertisements, publishing malicious links, and defrauding Internet users of money. These behaviors are collectively referred to as "abnormal user behavior". Such behavior occupies limited network resources in large quantities and over long periods, which greatly degrades the Internet experience of normal users and leaves them with slow Internet access or none at all. The existing way of handling the problem is mainly that, after a user complains, staff test on site and optimize the specific network environment according to the test results. This cannot identify the users with abnormal behavior, and so cannot solve the problem of slow Internet access for normal users at its source.

How to effectively identify users with abnormal behavior has therefore become an urgent problem.

Summary of the invention

In view of the problems in the prior art, embodiments of the present invention provide a method and device for identifying users with abnormal behavior.

In one aspect, an embodiment of the present invention provides a method for identifying users with abnormal behavior, including:

acquiring state information of the current network, where the state information includes a network-wide rate, a network element rate and service traffic values;

determining, according to the state information of the current network, a preset time interval t and an observation time i, whether users with abnormal behavior exist in the current network;

if users with abnormal behavior exist in the current network, acquiring the session record information of the users to be identified and the terminal information of the users to be identified;

identifying the users with abnormal behavior according to the session record information and the user terminal information.

In another aspect, an embodiment of the present invention provides a device for identifying users with abnormal behavior, including:

a network information acquisition unit, configured to acquire state information of the current network, where the state information includes a network-wide rate, a network element rate and service traffic values;

a judging unit, configured to determine, according to the state information of the current network, a preset time interval t and an observation time i, whether users with abnormal behavior exist in the current network;

a user information acquisition unit, configured to acquire the session record information of the users to be identified and the terminal information of the users to be identified if users with abnormal behavior exist in the current network;

an identification unit, configured to identify the users with abnormal behavior according to the session record information and the user terminal information.

By determining whether users with abnormal behavior exist in the current network and identifying them, the method and device provided by the embodiments of the present invention ensure the stability of the current network rate.

Description of drawings

To illustrate the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of a method for identifying users with abnormal behavior according to an embodiment of the present invention;

FIG. 2 is a schematic flowchart of a method for identifying users with abnormal behavior according to another embodiment of the present invention;

FIG. 3 is a schematic structural diagram of a device for identifying users with abnormal behavior according to an embodiment of the present invention;

FIG. 4 is a schematic diagram of the physical structure of a device according to an embodiment of the present invention.

Detailed description

To make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

FIG. 1 is a schematic flowchart of a method for identifying users with abnormal behavior according to an embodiment of the present invention. As shown in FIG. 1, the method provided by this embodiment includes the following steps:

S1: Acquire state information of the current network, where the state information includes a network-wide rate, a network element rate and service traffic values.

Specifically, the device acquires the state information of the current network, which includes the network-wide rate, the network element rate and the service traffic values. Note that the state information of the current network may include, but is not limited to, the network-wide rate, the network element rate and the service traffic values.

S2: Determine, according to the state information of the current network, a preset time interval t and an observation time i, whether users with abnormal behavior exist in the current network.

Specifically, the device determines whether users with abnormal behavior exist in the current network according to the state information of the current network, the preset time interval t and the observation time i. Note that the preset time interval t and the observation time i can be set as needed. For example, the preset time interval t can be set to 1 hour, meaning that the device executes the identification method once every hour and identifies the behavior of the candidate users. The smaller the value of t, the more frequently user behavior is identified; the larger the value of t, the less frequently it is identified. The observation time i can be set to one or more points between the start time and the end time of the preset time interval t. For example, when t is set to 1 hour and the method is executed at 17:00, the start time is 17:00 and the end time is 18:00, and the observation time i can be any one or more points between 17:00 and 18:00 at which the network-wide rate, the network element rate or the service traffic values are acquired.

S3: If users with abnormal behavior exist in the current network, acquire the session record information of the users to be identified and the terminal information of the users to be identified.

Specifically, if the device learns that users with abnormal behavior exist in the current network, it acquires the session record information of the users to be identified and the terminal information of the users to be identified. Note that the user session record information may include, but is not limited to, records of access to network domain names, session duration, source TCP/UDP port and destination TCP/UDP port; the user terminal information may include, but is not limited to, the brand and model of the mobile terminal the user is using.

S4: Identify the users with abnormal behavior according to the session record information and the user terminal information.

Specifically, the device identifies the users with abnormal behavior according to the session record information and the user terminal information. Note that users with abnormal behavior can be identified from the number of visits to specific domain names in the session record information, together with the brand and model of the mobile terminal in the user terminal information, the mobile phone number used, and the location of the mobile terminal.

By determining whether users with abnormal behavior exist in the current network and identifying them, the method provided by the embodiment of the present invention ensures the stability of the current network rate.

On the basis of the above embodiment, determining whether users with abnormal behavior exist in the current network according to the state information of the current network, the preset time interval t and the observation time i includes:

Determine whether the network-wide rate of the current network has dropped according to the network-wide rate of the current network, the preset time interval t and the observation time i.

Specifically, the device determines whether the network-wide rate of the current network has dropped according to the network-wide rate of the current network, the preset time interval t and the observation time i. Note that whether the network-wide rate has dropped can be judged from the percentage drop of the network-wide rate of the current network. Continuing the example above: when the preset time interval t is set to 1 hour and the method is executed at 17:00, the start time is 17:00 and the end time is 18:00. Assuming the observation times i are 17:10, 17:25 and 17:50, the number of observations n is 3. The formula

Figure GDA0002407844330000051

can be used to calculate the average network-wide rate within the 1-hour preset time interval,

Figure GDA0002407844330000052

where V_Ai is the network-wide rate in the state information of the current network. The formula

Figure GDA0002407844330000053

then gives the percentage drop P_A of the network-wide rate of the current network, and the formula

Figure GDA0002407844330000054

determines whether the network-wide rate of the current network is in a dropped state (that is, P_A ≥ 5% means the network-wide rate has dropped, and P_A < 5% means it has not). The 5% here is the preset network-wide rate percentage, which can be set as needed; 5% is one optional choice, and the embodiments of the present invention do not specifically limit it.

If the network-wide rate of the current network is determined to be in a dropped state, determine whether the network element rate of the current network has dropped.

Specifically, if the device determines that the network-wide rate of the current network is in a dropped state, it determines whether the network element rate of the current network has dropped. If the network-wide rate of the current network is determined not to have dropped, the current network can be considered to have no users with abnormal behavior. Note that whether the network element rate has dropped can be judged from the percentage drop of the network element rate of the current network. Continuing the example above, with the number of observations n equal to 3, the formula

Figure GDA0002407844330000055

can be used to calculate the average network element rate within the 1-hour preset time interval,

Figure GDA0002407844330000056

where V_Bi is the network element rate in the state information of the current network. The formula

Figure GDA0002407844330000057

then gives the percentage drop P_B of the network element rate of the current network, and the formula

Figure GDA0002407844330000058

determines whether the network element rate of the current network is in a dropped state. The 10% here is the preset network element rate percentage, which can be set as needed; 10% is one optional choice, and the embodiments of the present invention do not specifically limit it.

If the network element rate of the current network is determined to be in a dropped state, select the first m service traffic values, ranked by size, as the candidate service traffic values.

Specifically, if the device determines that the network element rate of the current network is in a dropped state, it selects the first m service traffic values, ranked by size, as the candidate service traffic values. If the device determines that the network element rate of the current network has not dropped, the current network can be considered to have no users with abnormal behavior. The value of m can be set as needed and is not specifically limited here. This embodiment takes m = 10; the candidate service traffic values obtained are shown in Table 1:

Table 1: The top 10 service traffic values that can serve as candidate service traffic values

Service                   Traffic (MB)   Share   Rate (kbps)
360 Security Guard        3687           14%     283
Fetion                    1090           4%      198
NetEase                   570            2%      108
ICBC                      553            2%      93
QQ space                  370            1%      479
Tencent.com               284            1%      591
UC Browse                 151            1%      480
Sina                      148            1%      503
Baidu                     110            0%      397
Apple official website    77             0%      470
RNC overall               25598          100%    278
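
The staged check described above (network-wide rate, then network element rate, then the top m services by traffic), as an added Python example that is not the patent's own code. The formula images are missing from this page, so the drop percentage is assumed to be (mean of the observations minus the latest observation) divided by the mean; the function names and the sample rates are constructed for illustration, while the traffic values come from Table 1.

```python
"""Staged screening for S2: network-wide rate, network element rate, top-m services.

Added illustration, not code from the patent. The formula images are missing
from the page, so the drop percentage below is an ASSUMPTION:
    drop = (mean of the n observations - latest observation) / mean
"""
from statistics import mean

NETWORK_WIDE_THRESHOLD = 0.05     # preset network-wide rate percentage (5% on the page)
NETWORK_ELEMENT_THRESHOLD = 0.10  # preset network element rate percentage (10% on the page)


def drop_percentage(observations):
    """Assumed P_A / P_B: how far the latest observation sits below the mean."""
    if not observations:
        raise ValueError("at least one observation is needed inside the interval t")
    avg = mean(observations)
    if avg <= 0:
        return 0.0  # nothing carried in the interval, so no meaningful drop
    return (avg - observations[-1]) / avg


def top_m_services(traffic_mb, m):
    """Return the m (service, traffic) pairs with the largest traffic values."""
    if m <= 0:
        raise ValueError("m must be positive")
    return sorted(traffic_mb.items(), key=lambda item: item[1], reverse=True)[:m]


def screen_interval(network_wide_rates, element_rates, traffic_mb, m=10):
    """Run the cascade for one interval t and report where it stopped.

    The later candidate-service-rate check is left out because its formula
    is not recoverable from the page.
    """
    result = {"P_A": drop_percentage(network_wide_rates), "P_B": None,
              "candidates": [], "verdict": "network-wide rate not dropped"}
    if result["P_A"] < NETWORK_WIDE_THRESHOLD:
        return result  # stage 1 not met: treated as no abnormal users

    result["P_B"] = drop_percentage(element_rates)
    if result["P_B"] < NETWORK_ELEMENT_THRESHOLD:
        result["verdict"] = "network element rate not dropped"
        return result  # stage 2 not met: treated as no abnormal users

    result["candidates"] = top_m_services(traffic_mb, m)
    result["verdict"] = "candidate services selected"
    return result


# Traffic values (MB) from Table 1; the "RNC overall" total row is excluded.
TABLE_1_TRAFFIC_MB = {
    "360 Security Guard": 3687, "Fetion": 1090, "NetEase": 570, "ICBC": 553,
    "QQ space": 370, "Tencent.com": 284, "UC Browse": 151, "Sina": 148,
    "Baidu": 110, "Apple official website": 77,
}

# Constructed rates (kbps) for observations at 17:10, 17:25 and 17:50.
SAMPLE_NETWORK_WIDE = [300.0, 290.0, 250.0]
SAMPLE_ELEMENT = [280.0, 270.0, 200.0]

if __name__ == "__main__":
    outcome = screen_interval(SAMPLE_NETWORK_WIDE, SAMPLE_ELEMENT, TABLE_1_TRAFFIC_MB, m=3)
    print(outcome["verdict"], outcome["candidates"])
```

Because each stage returns early, a drop that is not visible network-wide never reaches the per-service ranking, so the two thresholds directly set how sensitive the screening is.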

Calculate the candidate service rate corresponding to each candidate service according to the preset time interval t and the candidate service traffic values.

Specifically, the device calculates the candidate service rate corresponding to each candidate service according to the preset time interval t and the candidate service traffic values. For example, the formula

Figure GDA0002407844330000071

can be used to calculate the candidate service rate V_ij, where i is the observation time, j denotes the j-th service, and M_ij is the candidate service traffic value.

Determine whether the candidate service rate of the current network has dropped.

Specifically, the device determines whether the candidate service rate of the current network has dropped. The formula

Figure GDA0002407844330000072

can be used to calculate the average of the candidate service rates,

Figure GDA0002407844330000074

and the formula

Figure GDA0002407844330000073

can then be used to determine whether the candidate service rate of the current network is in a dropped state.

If the candidate service rate of the current network is determined to be in a dropped state, it is determined that users with abnormal behavior exist in the current network.

Specifically, if the device determines that the candidate service rate of the current network is in a dropped state, it determines that users with abnormal behavior exist in the current network. If the candidate service rate of the current network is determined not to have dropped, the current network can be considered to have no users with abnormal behavior.

By judging whether the network-wide rate, the network element rate and the candidate service rate of the current network have dropped, the method provided by the embodiment of the present invention can accurately determine whether users with abnormal behavior exist in the current network.

On the basis of the above embodiment, determining whether the network-wide rate of the current network has dropped according to the network-wide rate of the current network, the preset time interval t and the observation time i includes:

Obtain the number of observations n within the preset time interval t according to the preset time interval t and the observation time i, where the observation time i lies between the start time and the end time of the preset time interval t.

Specifically, the device obtains the number of observations n within the preset time interval t according to the preset time interval t and the observation time i, where the observation time i lies between the start time and the end time of the preset time interval t. This has been described in the above embodiment and is not repeated here.

Calculate the average network-wide rate within the preset time interval t according to the number of observations n and the network-wide rate of the current network.

Specifically, the device calculates the average network-wide rate within the preset time interval t according to the number of observations n and the network-wide rate of the current network. This has been described in the above embodiment and is not repeated here.

Calculate the percentage drop of the network-wide rate of the current network according to the average network-wide rate and the network-wide rate of the current network.

Specifically, the device calculates the percentage drop of the network-wide rate of the current network according to the average network-wide rate and the network-wide rate of the current network. This has been described in the above embodiment and is not repeated here.

If the percentage drop of the network-wide rate of the current network is greater than or equal to the preset network-wide rate percentage, determine that the network-wide rate of the current network is in a dropped state.

Specifically, if the device learns that the percentage drop of the network-wide rate of the current network is greater than or equal to the preset network-wide rate percentage, it determines that the network-wide rate of the current network is in a dropped state. This has been described in the above embodiment and is not repeated here.

By calculating the percentage drop of the network-wide rate of the current network, the method provided by the embodiment of the present invention ensures that the dropped state of the network-wide rate is judged accurately.

On the basis of the above embodiment, determining whether the network element rate of the current network has dropped includes:

Calculate the average network element rate within the preset time interval t according to the number of observations n and the network element rate of the current network.

Specifically, the device calculates the average network element rate within the preset time interval t according to the number of observations n and the network element rate of the current network. This has been described in the above embodiment and is not repeated here.

Calculate the percentage drop of the network element rate of the current network according to the average network element rate and the network element rate of the current network.

Specifically, the device calculates the percentage drop of the network element rate of the current network according to the average network element rate and the network element rate of the current network. This has been described in the above embodiment and is not repeated here.

If the percentage drop of the network element rate of the current network is greater than or equal to the preset network element rate percentage, determine that the network element rate of the current network is in a dropped state.

Specifically, if the device learns that the percentage drop of the network element rate of the current network is greater than or equal to the preset network element rate percentage, it determines that the network element rate of the current network is in a dropped state. This has been described in the above embodiment and is not repeated here.

By calculating the percentage drop of the network element rate of the current network, the method provided by the embodiment of the present invention ensures that the dropped state of the network element rate is judged accurately.

On the basis of the foregoing embodiment, determining whether the candidate service rate of the current network has decreased includes:

Calculating the average value of the candidate service rates according to the candidate service rates and the number m of candidate service traffic values.

Specifically, the apparatus calculates the average value of the candidate service rates according to the candidate service rates and the number m of candidate service traffic values. This has been described in the foregoing embodiment and is not repeated here.

According to the average value of the candidate service rates
Figure GDA0002407844330000091
the candidate service rate $V_{ij}$ and the average value of the network element rate
Figure GDA0002407844330000092
if the result calculated by the formula
Figure GDA0002407844330000093
is 1, determining that the candidate service rate of the current network is in a declining state.

Specifically, the apparatus uses the average value of the candidate service rates
Figure GDA0002407844330000094
the candidate service rate $V_{ij}$ and the average value of the network element rate
Figure GDA0002407844330000095
and, if the result calculated by the formula
Figure GDA0002407844330000096
is 1, determines that the candidate service rate of the current network is in a declining state. This has been described in the foregoing embodiment and is not repeated here.

The abnormal behavior user identification method provided by this embodiment of the present invention ensures the accuracy of determining that the candidate service rate is in a declining state, based on the calculated averages of the candidate service rate and the network element rate.

On the basis of the foregoing embodiment, identifying the user with abnormal behavior according to the session record information and the user terminal information includes:

According to the number of visits to a specific domain name in the session record information, identifying as an abnormal user each user to be identified whose number of visits to the specific domain name is greater than a first visit count threshold.

Specifically, FIG. 2 is a schematic flowchart of an abnormal behavior user identification method according to another embodiment of the present invention. As shown in FIG. 2, the apparatus, according to the number of visits to the specific domain name in the session record information, identifies as an abnormal user each user to be identified whose number of visits to the specific domain name is greater than the first visit count threshold. The first visit count threshold can be set freely according to the actual situation and is not limited here. For example: there are 1000 users to be identified and the first visit count threshold is 50; 40 of the users to be identified have a number of visits to the specific domain name greater than the first visit count threshold of 50, so these 40 users to be identified are identified as abnormal users.

Taking the users to be identified whose number of visits to the specific domain name is less than the first visit count threshold as first users to be identified.

Specifically, the apparatus takes the users to be identified whose number of visits to the specific domain name is less than the first visit count threshold as first users to be identified. Continuing the example above: the remaining 960 (1000-40=960) users to be identified are taken as first users to be identified.

Extracting the mobile phone number of each first user to be identified; if the number of visits to the specific domain name by the same mobile phone number is greater than a second visit count threshold, identifying the first user to be identified as an abnormal user, where the second visit count threshold is smaller than the first visit count threshold.

Specifically, the apparatus extracts the mobile phone number of each first user to be identified; if the number of visits to the specific domain name by the same mobile phone number is greater than the second visit count threshold, the first user to be identified is identified as an abnormal user, where the second visit count threshold is smaller than the first visit count threshold. The second visit count threshold can be set freely according to the actual situation and is not limited here. Continuing the example above: there are 960 first users to be identified and the second visit count threshold is 40; the 60 first users to be identified for whom the number of visits to the specific domain name by the same mobile phone number is greater than the second visit count threshold of 40 are identified as abnormal users.

Taking the first users to be identified for whom the number of visits to the specific domain name by the same mobile phone number is less than the second visit count threshold as second users to be identified.

Specifically, the apparatus takes the first users to be identified for whom the number of visits to the specific domain name by the same mobile phone number is less than the second visit count threshold as second users to be identified. For example: there are 960 first users to be identified, and 900 (960-60) of them are taken as second users to be identified.

Extracting the mobile phone terminal information of each second user to be identified, where the mobile phone terminal information includes the manufacturer and model of the mobile phone terminal.

Specifically, the apparatus extracts the mobile phone terminal information of each second user to be identified; the mobile phone terminal information may include, but is not limited to, the manufacturer and model of the mobile phone terminal.

If the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third visit count threshold, identifying the second user to be identified as an abnormal user, where the third visit count threshold is smaller than the second visit count threshold.

Specifically, if the apparatus learns that the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than the third visit count threshold, it identifies the second user to be identified as an abnormal user, where the third visit count threshold is smaller than the second visit count threshold. The third visit count threshold can be set freely according to the actual situation and is not limited here. Continuing the example above: there are 900 second users to be identified and the third visit count threshold is 30; the 20 second users to be identified for whom the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than the third visit count threshold of 30 are identified as abnormal users.

Taking the second users to be identified for whom the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is less than the third visit count threshold as third users to be identified.

Specifically, the apparatus takes the second users to be identified for whom the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is less than the third visit count threshold as third users to be identified. For example: there are 900 second users to be identified, and 880 (900-20) of them are taken as third users to be identified.

Extracting the location information of the mobile phone terminal of each third user to be identified; if the displacement of the mobile phone terminal's position within the preset time interval t is less than a preset distance threshold, identifying the third user to be identified as an abnormal user.

Specifically, the apparatus extracts the location information of the mobile phone terminal of each third user to be identified; if the displacement of the mobile phone terminal's position within the preset time interval t is less than the preset distance threshold, the third user to be identified is identified as an abnormal user. The preset distance threshold can be set freely according to the actual situation and is not limited here. Continuing the example above: there are 880 third users to be identified and the preset distance threshold is 200 meters; the 10 third users to be identified whose mobile phone terminal position was displaced by less than the preset distance threshold of 200 meters within the preset time interval t are identified as abnormal users. The 870 (880-10) third users to be identified whose mobile phone terminal position was displaced by 200 meters or more within the preset time interval t are identified as normal users.

The abnormal behavior user identification method provided by this embodiment of the present invention ensures the accuracy of the identification result by identifying abnormal behavior users stage by stage.
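The four-stage screening described above, written out as an added Python example (not code from the patent). The thresholds are those of the worked example; the `Candidate` field names, the sample records, passing a count that exactly equals its threshold on to the next stage, and the `undetermined` verdict for users with fewer than two position fixes are assumptions of this example.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Thresholds from the description's worked example; the patent leaves all four configurable.
FIRST_THRESHOLD, SECOND_THRESHOLD, THIRD_THRESHOLD = 50, 40, 30
DISTANCE_THRESHOLD_M = 200.0


@dataclass(frozen=True)
class Candidate:
    """One user to be identified. Field names are assumptions of this example."""
    user_id: str
    user_visits: int    # visits to the specific domain in the session records
    msisdn_visits: int  # visits to that domain counted for the same mobile number
    model_visits: int   # visits counted for terminals of the same manufacturer and model
    track: tuple        # ((lat, lon), ...) position fixes inside the interval t


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(h))


def displacement_m(track):
    """Largest distance from the first fix within t, or None when it cannot be measured."""
    if len(track) < 2:
        return None
    return max(haversine_m(track[0], p) for p in track[1:])


COUNT_STAGES = (
    ("domain-count", lambda c: c.user_visits, FIRST_THRESHOLD),
    ("msisdn-count", lambda c: c.msisdn_visits, SECOND_THRESHOLD),
    ("terminal-model-count", lambda c: c.model_visits, THIRD_THRESHOLD),
)


def classify(candidates):
    """Return ({user_id: verdict}, [(stage, examined, flagged), ...])."""
    verdicts, funnel = {}, []
    pending = list(candidates)
    for stage, count_of, threshold in COUNT_STAGES:
        flagged = [c for c in pending if count_of(c) > threshold]
        for c in flagged:
            verdicts[c.user_id] = stage
        funnel.append((stage, len(pending), len(flagged)))
        # Assumption: a count exactly equal to the threshold moves on to the next stage.
        pending = [c for c in pending if count_of(c) <= threshold]
    stationary = 0
    for c in pending:
        moved = displacement_m(c.track)
        if moved is None:
            # Assumption: missing location telemetry is reported, not treated as a verdict.
            verdicts[c.user_id] = "undetermined"
        elif moved < DISTANCE_THRESHOLD_M:
            verdicts[c.user_id] = "stationary"
            stationary += 1
        else:
            verdicts[c.user_id] = "normal"
    funnel.append(("stationary", len(pending), stationary))
    return verdicts, funnel


# Constructed sample records (not real subscriber data).
BASE = (23.1300, 113.2600)
SAMPLE = [
    Candidate("u1", 75, 75, 75, (BASE, BASE)),
    Candidate("u2", 50, 41, 41, (BASE, BASE)),                 # equals the first threshold
    Candidate("u3", 20, 35, 31, (BASE, BASE)),
    Candidate("u4", 10, 12, 15, (BASE, (23.1304, 113.2600))),  # moved about 44 m
    Candidate("u5", 10, 12, 15, (BASE, (23.1400, 113.2600))),  # moved about 1.1 km
    Candidate("u6", 5, 5, 5, (BASE,)),                         # single fix only
]

if __name__ == "__main__":
    verdicts, funnel = classify(SAMPLE)
    for stage, examined, flagged in funnel:
        print(f"{stage:22s} examined={examined} flagged={flagged}")
    for user_id, verdict in sorted(verdicts.items()):
        print(user_id, verdict)
```

The per-stage funnel mirrors the 1000, 960, 900, 880 accounting in the description and makes it easy to see which stage contributes most of the flags when the thresholds are tuned.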

The flowchart of the abnormal behavior user identification method shown in FIG. 2 can be obtained by the following steps:

R1: From the session record information of the users to be identified, key features are extracted as sample library factors. An independent feature that does not affect other features is used as one sample library factor; multiple features that influence each other and act jointly are merged into one sample library factor. A sample library containing the online behavior sessions of normal users and abnormal users is thereby established.

R2: Based on the sample library factors of step R1, a certain number of objects are randomly selected to construct a training data set, and the flowchart of the abnormal behavior user identification method shown in FIG. 2 is generated through training and pruning. The detailed structure and algorithm of the flowchart are as follows:

The decision tree algorithm is the CART (Classification and Regression Trees) algorithm.

The CART algorithm consists of two main steps: (1) recursively partitioning the samples to build the tree, and (2) pruning with validation data.

Step (1) recursively builds a binary tree. Let $x_1, x_2, \ldots, x_n$ denote the n attributes of a single sample and y the class it belongs to. The CART algorithm recursively partitions the n-dimensional space into non-overlapping rectangles. The partitioning steps are roughly as follows:

(1) Select an independent variable $x_i$ and then a value $v_i$ of $x_i$. $v_i$ divides the n-dimensional space into two parts: all samples in one part satisfy $x_i \le v_i$, and all samples in the other part satisfy $x_i > v_i$. For a discrete variable the attribute has only two cases, equal to the value or not equal to the value. Continuous variables must first be discretized; the abnormal user online behavior features in this proposal are continuous variables.

(2) Recursive processing: for each of the two parts obtained above, select an attribute again as in step (1) and continue partitioning until the entire n-dimensional space has been partitioned.

During partitioning, the split point for an attribute is the midpoint of a pair of consecutive attribute values. If an attribute takes m consecutive values over a set of m samples, there are m-1 split points, each the mean of two adjacent values. The splits of each attribute are ranked by the amount of impurity they remove, where the impurity reduction is defined as the impurity before the split minus the sum, over the nodes produced by the split, of each node's impurity weighted by its share of the samples. Impurity is commonly measured with the Gini index. The Gini value mainly measures the impurity of a data partition or training data set K. The Gini value is tested at each branch node: if a certain purity is met, the sample goes to the left subtree, otherwise to the right subtree, and a binary decision tree is finally generated. The smaller the Gini value, the higher the "purity" of the samples. Assuming the samples fall into Z classes and the probability of belonging to class i is $p_i$, the Gini impurity of a node K can be defined by the following formula:

Figure GDA0002407844330000131

When Gini(K)=0, all samples belong to the same class; when all classes appear in the node with equal probability, Gini(K) is maximized,
Figure GDA0002407844330000132

In the actual recursive partitioning, if the samples of the current node do not all belong to the same class, or only one sample remains, the node is a non-leaf node, so every attribute of the samples and every split point of each attribute must be tried in order to find the split with the largest change in impurity; the subtree produced by that attribute split is the optimal branch.
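Split selection at a single node as described above, as an added Python example (not the patent's code). It uses the standard Gini impurity, 1 minus the sum of the squared class probabilities; the feature names and the nine labelled training samples are constructed for illustration.

```python
from collections import Counter


def gini(labels):
    """Gini impurity of a node, standard definition: 1 - sum(p_i ** 2)."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((count / n) ** 2 for count in Counter(labels).values())


def candidate_splits(values):
    """Midpoints of adjacent distinct sorted values: m values give m - 1 split points."""
    distinct = sorted(set(values))
    return [(a + b) / 2 for a, b in zip(distinct, distinct[1:])]


def rank_splits(samples, labels):
    """Return [(attribute, split value, impurity reduction), ...], largest reduction first."""
    n = len(labels)
    before = gini(labels)
    ranked = []
    for attribute in samples[0]:
        for v in candidate_splits([s[attribute] for s in samples]):
            left = [y for s, y in zip(samples, labels) if s[attribute] <= v]
            right = [y for s, y in zip(samples, labels) if s[attribute] > v]
            # Child impurities are weighted by the share of samples each child receives.
            after = len(left) / n * gini(left) + len(right) / n * gini(right)
            ranked.append((attribute, v, before - after))
    ranked.sort(key=lambda item: item[2], reverse=True)
    return ranked


def best_split(samples, labels):
    """The split with the largest impurity reduction, or None if no split exists."""
    ranked = rank_splits(samples, labels)
    return ranked[0] if ranked else None


# Constructed training set: hypothetical features, labels assigned by hand.
TRAINING = [
    ({"domain_visits": 62, "displacement_m": 20}, "abnormal"),
    ({"domain_visits": 55, "displacement_m": 1600}, "abnormal"),
    ({"domain_visits": 48, "displacement_m": 35}, "abnormal"),
    ({"domain_visits": 52, "displacement_m": 10}, "abnormal"),
    ({"domain_visits": 45, "displacement_m": 1200}, "normal"),
    ({"domain_visits": 30, "displacement_m": 1500}, "normal"),
    ({"domain_visits": 12, "displacement_m": 60}, "normal"),
    ({"domain_visits": 8, "displacement_m": 2400}, "normal"),
    ({"domain_visits": 58, "displacement_m": 1800}, "normal"),  # heavy but legitimate user
]
SAMPLES = [features for features, _ in TRAINING]
LABELS = [label for _, label in TRAINING]

if __name__ == "__main__":
    for attribute, value, reduction in rank_splits(SAMPLES, LABELS)[:3]:
        print(f"{attribute} <= {value}: impurity reduction {reduction:.4f}")
```

On this data the root split is a visit-count threshold, with a displacement threshold ranked just behind it, which is the same ordering of tests as the cascade in FIG. 2.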

In step (2), the CART algorithm uses post-pruning; this proposal uses the cost-complexity pruning method for post-pruning. r(t) is the error rate of node t, and p(t) is the proportion of the data at node t relative to all data. If the node is pruned, R(t) is the error cost of node t, so that

$R(t) = r(t) \times p(t)$ (9)

If the node is not pruned, $R(T_t)$ is the error cost of the subtree $T_t$, which equals the sum of the error costs of all leaf nodes of the subtree $T_t$;
Figure GDA0002407844330000141
is the number of leaf nodes contained in the subtree. From formula (9), for the surface error rate gain value α of each non-leaf node in the classification and regression tree, we have

Figure GDA0002407844330000142

FIG. 3 is a schematic structural diagram of an abnormal behavior user identification apparatus according to an embodiment of the present invention. As shown in FIG. 3, this embodiment provides an abnormal behavior user identification apparatus comprising a network information acquisition unit 1, a judgment unit 2, a user information acquisition unit 3 and an identification unit 4, where:

The network information acquisition unit 1 is configured to acquire state information of the current network, the state information including the whole network rate, the network element rate and service traffic values; the judgment unit 2 is configured to determine, according to the state information of the current network, the preset time interval t and the observation time i, whether users with abnormal behavior exist in the current network; the user information acquisition unit 3 is configured to acquire, if users with abnormal behavior exist in the current network, the session record information of the users to be identified and the terminal information of the users to be identified; the identification unit 4 is configured to identify the users with abnormal behavior according to the session record information and the user terminal information.

Specifically, the network information acquisition unit 1 acquires the state information of the current network, which includes the whole network rate, the network element rate and service traffic values, and sends the state information to the judgment unit 2. The judgment unit 2 determines, according to the state information of the current network, the preset time interval t and the observation time i, whether users with abnormal behavior exist in the current network, and sends the result to the user information acquisition unit 3. If users with abnormal behavior exist in the current network, the user information acquisition unit 3 acquires the session record information of the users to be identified and the terminal information of the users to be identified, and sends the session record information and the user terminal information to the identification unit 4. The identification unit 4 identifies the users with abnormal behavior according to the session record information and the user terminal information.

The abnormal behavior user identification apparatus provided by this embodiment of the present invention ensures the stability of the current network rate by determining whether users with abnormal behavior exist in the current network and identifying them.

On the basis of the foregoing embodiment, the judgment unit 2 is configured to:

Determine, according to the whole network rate of the current network, the preset time interval t and the observation time i, whether the whole network rate of the current network has decreased; if the whole network rate of the current network is found to be in a declining state, determine whether the network element rate of the current network has decreased; if the network element rate of the current network is found to be in a declining state, select, according to the size of the service traffic values, the first m service traffic values as candidate service traffic values; calculate, according to the preset time interval t and the candidate service traffic values, the candidate service rate corresponding to each candidate service; determine whether the candidate service rate of the current network has decreased; and, if the candidate service rate of the current network is found to be in a declining state, determine that users with abnormal behavior exist in the current network.

Specifically, the judgment unit 2 is configured to determine, according to the whole network rate of the current network, the preset time interval t and the observation time i, whether the whole network rate of the current network has decreased; the judgment unit 2 is configured to determine, if the whole network rate of the current network is found to be in a declining state, whether the network element rate of the current network has decreased; the judgment unit 2 is configured to select, if the network element rate of the current network is found to be in a declining state, the first m service traffic values as candidate service traffic values according to the size of the service traffic values; the judgment unit 2 is configured to calculate, according to the preset time interval t and the candidate service traffic values, the candidate service rate corresponding to each candidate service; the judgment unit 2 is configured to determine whether the candidate service rate of the current network has decreased; the judgment unit 2 is configured to determine, if the candidate service rate of the current network is found to be in a declining state, that users with abnormal behavior exist in the current network.

The abnormal behavior user identification apparatus provided by this embodiment of the present invention can accurately identify whether users with abnormal behavior exist in the current network by determining whether the whole network rate, the network element rate and the candidate service rate of the current network have decreased.

On the basis of the foregoing embodiment, the judgment unit 2 is further configured to:

Calculate the average value of the candidate service rates according to the candidate service rates and the number m of candidate service traffic values; and, according to the average value of the candidate service rates
Figure GDA0002407844330000161
the candidate service rate $V_{ij}$ and the average value of the network element rate
Figure GDA0002407844330000162
if the result calculated by the formula
Figure GDA0002407844330000163
is 1, determine that the candidate service rate of the current network is in a declining state.

Specifically, the judgment unit 2 is further configured to calculate the average value of the candidate service rates according to the candidate service rates and the number m of candidate service traffic values; the judgment unit 2 is further configured to use the average value of the candidate service rates
Figure GDA0002407844330000164
the candidate service rate $V_{ij}$ and the average value of the network element rate
Figure GDA0002407844330000165
and, if the result calculated by the formula
Figure GDA0002407844330000166
is 1, to determine that the candidate service rate of the current network is in a declining state.

The abnormal behavior user identification apparatus provided by this embodiment of the present invention ensures the accuracy of determining that the candidate service rate is in a declining state, based on the calculated averages of the candidate service rate and the network element rate.

在上述实施例的基础上,所述识别单元4用于:On the basis of the above embodiment, the identification unit 4 is used for:

根据所述会话记录信息中的特定域名访问次数,将所述特定域名访问次数大于第一访问次数阈值的所述待识别用户标识为异常用户;将所述特定域名访问次数小于第一访问次数阈值的所述待识别用户作为第一待识别用户;提取所述第一待识别用户的手机号码,若同一手机号码对所述特定域名访问次数大于第二访问次数阈值,则将所述第一待识别用户标识为异常用户,其中,所述第二访问次数阈值小于所述第一访问次数阈值;将同一手机号码对所述特定域名访问次数小于第二访问次数阈值的所述第一待识别用户作为第二待识别用户;提取所述第二待识别用户的手机终端信息,所述手机终端信息包括:手机终端厂家和型号;若相同所述手机终端厂家和型号的所述手机终端对所述特定域名访问次数大于第三访问次数阈值,则将所述第二待识别用户标识为异常用户,其中,所述第三访问次数阈值小于所述第二访问次数阈值;将相同所述手机终端厂家和型号的所述手机终端对所述特定域名访问次数小于第三访问次数阈值的所述第二待识别用户作为第三待识别用户;提取所述第三待识别用户手机终端的位置信息,若所述手机终端的位置在所述预设时间间隔t内产生的位移变化量小于预设距离阈值,则将所述第三待识别用户标识为异常用户。According to the number of visits to the specific domain name in the session record information, the to-be-identified user whose number of visits to the specific domain name is greater than the first threshold of the number of visits is identified as an abnormal user; the number of visits to the specific domain name is less than the threshold of the first number of visits. The user to be identified is regarded as the first user to be identified; the mobile phone number of the first user to be identified is extracted, and if the number of visits to the specific domain name by the same mobile phone number is greater than the second threshold of the number of visits, the first user to be identified will be Identifying users as abnormal users, wherein the second access times threshold is less than the first access times threshold; the first user to be identified whose access times of the same mobile phone number to the specific domain name is less than the second access times threshold As the second to-be-identified user; extract the mobile terminal information of the second to-be-identified user, the mobile terminal information includes: mobile terminal manufacturer and model; if the mobile terminal of the same mobile terminal manufacturer and model If the number of visits to a specific domain name is greater than the third threshold of the number of visits, the second user to be identified is identified as an abnormal user, wherein the threshold of the third number of 
visits is less than the threshold of the second number of visits; the same as the mobile phone terminal manufacturer The second to-be-identified user whose number of visits to the specific domain name by the mobile phone terminal of the same model is less than the third threshold of the number of visits is taken as the third to-be-identified user; the location information of the mobile terminal of the third to-be-identified user is extracted, if If the displacement change of the position of the mobile phone terminal within the preset time interval t is smaller than the preset distance threshold, the third user to be identified is identified as an abnormal user.

Specifically, the identification unit 4 is configured to: identify as an abnormal user, according to the number of accesses to a specific domain name in the session record information, any user to be identified whose number of accesses to the specific domain name is greater than a first access-count threshold; take the users to be identified whose number of accesses to the specific domain name is less than the first access-count threshold as first users to be identified; extract the mobile phone number of each first user to be identified and, if the number of accesses to the specific domain name by the same mobile phone number is greater than a second access-count threshold, identify the first user to be identified as an abnormal user, wherein the second access-count threshold is less than the first access-count threshold; take the first users to be identified for whom the number of accesses to the specific domain name by the same mobile phone number is less than the second access-count threshold as second users to be identified; extract the mobile phone terminal information of each second user to be identified, the mobile phone terminal information including the manufacturer and model of the mobile phone terminal; if the number of accesses to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third access-count threshold, identify the second user to be identified as an abnormal user, wherein the third access-count threshold is less than the second access-count threshold; take the second users to be identified for whom the number of accesses to the specific domain name by mobile phone terminals of the same manufacturer and model is less than the third access-count threshold as third users to be identified; and extract the location information of the mobile phone terminal of each third user to be identified and, if the displacement of the location of the mobile phone terminal within the preset time interval t is less than a preset distance threshold, identify the third user to be identified as an abnormal user.
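The four-stage cascade performed by the identification unit, written out as an added Python example (not code from the patent). The record fields, the threshold values, the planar metre coordinates, the first-to-last-fix displacement metric and the handling of counts exactly equal to a threshold are all assumptions made for illustration; the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import hypot


@dataclass(frozen=True)
class Candidate:
    """One user to be identified (field names are assumptions)."""
    user_id: str
    phone_number: str
    vendor: str
    model: str
    domain_hits: int  # accesses to the specific domain in the session records
    track: tuple      # ((x_m, y_m), ...) terminal fixes during interval t


def _split(candidates, key, threshold):
    """Sum domain_hits per group; flag members of groups above the threshold."""
    totals = defaultdict(int)
    for c in candidates:
        totals[key(c)] += c.domain_hits
    flagged = [c for c in candidates if totals[key(c)] > threshold]
    # Assumption: a total exactly equal to the threshold is passed on.
    passed = [c for c in candidates if totals[key(c)] <= threshold]
    return flagged, passed


def displacement_m(track):
    """Straight-line distance between first and last fix (assumed metric)."""
    if len(track) < 2:
        return 0.0
    (x0, y0), (x1, y1) = track[0], track[-1]
    return hypot(x1 - x0, y1 - y0)


def identify_abnormal(candidates, t1, t2, t3, min_move_m):
    """Return {user_id: stage_name} for every user flagged as abnormal."""
    if not t3 < t2 < t1:
        raise ValueError("thresholds must satisfy t3 < t2 < t1")
    stages = (
        ("domain_count", lambda c: c.user_id, t1),               # per user
        ("phone_number", lambda c: c.phone_number, t2),          # per number
        ("terminal_model", lambda c: (c.vendor, c.model), t3),   # per model
    )
    verdicts, remaining = {}, list(candidates)
    for name, key, threshold in stages:
        flagged, remaining = _split(remaining, key, threshold)
        for c in flagged:
            verdicts[c.user_id] = name
    # Final stage: remaining users whose terminal barely moved during t.
    for c in remaining:
        if displacement_m(c.track) < min_move_m:
            verdicts[c.user_id] = "low_displacement"
    return verdicts


# Constructed sample records, not real subscriber data.
SAMPLE = [
    Candidate("u1", "number-A", "VendorX", "M1", 150, ((0, 0), (900, 0))),
    Candidate("u2", "number-B", "VendorX", "M2", 35, ((0, 0), (800, 0))),
    Candidate("u3", "number-B", "VendorY", "M3", 30, ((0, 0), (700, 0))),
    Candidate("u4", "number-C", "VendorZ", "Z9", 25, ((0, 0), (600, 0))),
    Candidate("u5", "number-D", "VendorZ", "Z9", 20, ((0, 0), (500, 0))),
    Candidate("u6", "number-E", "VendorW", "W1", 5, ((0, 0), (3, 4))),
    Candidate("u7", "number-F", "VendorV", "V1", 5, ((0, 0), (300, 400))),
]

if __name__ == "__main__":
    for uid, stage in identify_abnormal(SAMPLE, 100, 60, 40, 50.0).items():
        print(uid, stage)
```

As the text states the last stage, every remaining user whose terminal moved less than the distance threshold is flagged, so that threshold decides how many stationary users are swept in.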

The abnormal behavior user identification device provided by the embodiment of the present invention ensures the accuracy of the identification result by identifying abnormal behavior users stage by stage.

The abnormal behavior user identification device provided in this embodiment can be used to execute the processing flow of the above method embodiments; its functions are not repeated here, and reference may be made to the detailed description of the above method embodiments.

FIG. 4 is a schematic diagram of the physical structure of an apparatus provided by an embodiment of the present invention. As shown in FIG. 4, the neighbor-cell optimization processing apparatus includes: a processor 401, a memory 402 and a bus 403;

wherein the processor 401 and the memory 402 communicate with each other through the bus 403;

The processor 401 is configured to call the program instructions in the memory 402 to execute the methods provided by the above method embodiments, for example including: the whole network rate, the network element rate and the service flow value; judging, according to the state information of the current network, the preset time interval t and the observation time i, whether abnormal behavior users exist in the current network; if abnormal behavior users exist in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified; and identifying the abnormal behavior user according to the session record information and the user terminal information.

This embodiment discloses a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions. When the program instructions are executed by a computer, the computer can execute the methods provided by the above method embodiments, for example including: the whole network rate, the network element rate and the service flow value; judging, according to the state information of the current network, the preset time interval t and the observation time i, whether abnormal behavior users exist in the current network; if abnormal behavior users exist in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified; and identifying the abnormal behavior user according to the session record information and the user terminal information.

This embodiment provides a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the methods provided by the above method embodiments, for example including: the whole network rate, the network element rate and the service flow value; judging, according to the state information of the current network, the preset time interval t and the observation time i, whether abnormal behavior users exist in the current network; if abnormal behavior users exist in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified; and identifying the abnormal behavior user according to the session record information and the user terminal information.

Those of ordinary skill in the art can understand that all or part of the steps of the above method embodiments can be implemented by hardware controlled by program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical discs and other media that can store program code.

The embodiments described above, such as the abnormal behavior user identification device, are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solutions, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments or in some parts of the embodiments.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the embodiments of the present invention, not to limit them. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (2)

1. A method for identifying abnormal behavior users is characterized by comprising the following steps:
acquiring state information of a current network, wherein the state information comprises: the whole network rate, the network element rate and the service flow value;
judging whether the current network has abnormal behavior users or not according to the state information of the current network, a preset time interval t and an observation time i;
if the user with the abnormal behavior exists in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified;
according to the session record information and the user terminal information, identifying the abnormal behavior user;
the judging whether the current network has the user with the abnormal behavior according to the state information of the current network, the preset time interval t and the observation time i comprises the following steps:
judging whether the full-network rate of the current network is reduced or not according to the full-network rate of the current network, a preset time interval t and an observation time i;
if the whole network rate of the current network is judged to be in a descending state, judging whether the network element rate of the current network is descending;
if the network element rate of the current network is judged to be in a descending state, selecting the first m service flow values in the service flow values as service flow values to be selected according to the size of the service flow values;
calculating the rate of the service to be selected corresponding to the service to be selected according to the preset time interval t and the value of the traffic of the service to be selected;
judging whether the rate of the service to be selected of the current network is reduced or not;
if the rate of the service to be selected of the current network is judged to be in a descending state, judging that users with abnormal behaviors exist in the current network;
the judging whether the full-network rate of the current network is reduced or not according to the full-network rate of the current network, a preset time interval t and an observation time i comprises the following steps:
acquiring the observation times n in a preset time interval t according to the preset time interval t and observation time i, wherein the observation time i is positioned between the starting time and the ending time corresponding to the preset time interval t;
calculating the average value of the whole network rate within the preset time interval t according to the observation times n and the whole network rate of the current network;
calculating the whole network rate reduction percentage of the current network according to the average value of the whole network rate and the whole network rate of the current network;
if the whole network rate reduction percentage of the current network is greater than or equal to the preset whole network rate percentage, judging that the whole network rate of the current network is in a reduction state;
the determining whether the network element rate of the current network decreases includes:
calculating the average value of the network element rate in the preset time interval t according to the observation times n and the network element rate of the current network;
calculating the network element rate reduction percentage of the current network according to the average value of the network element rates and the network element rate of the current network;
if the network element rate reduction percentage of the current network is greater than or equal to the preset network element rate percentage, judging that the network element rate of the current network is in a reduction state;
the judging whether the rate of the service to be selected of the current network is reduced includes:
calculating the average value of the service rate to be selected according to the service rate to be selected and the number m of the service flow to be selected;
according to the average value of the service rate to be selected [symbol shown as image FDA0002541637310000021], the service rate to be selected V_ij and the average value of the network element rate [symbol shown as image FDA0002541637310000022], if the result calculated by the formula [formula shown as image FDA0002541637310000023] is 1, judging that the rate of the service to be selected of the current network is in a descending state, wherein j is the jth service;
the identifying the abnormal behavior user according to the session record information and the user terminal information comprises:
according to the number of times of specific domain name access in the session record information, identifying the user to be identified, of which the number of times of specific domain name access is greater than a first access number threshold value, as an abnormal user;
taking the user to be identified with the specific domain name access times smaller than a first access time threshold value as a first user to be identified;
extracting the mobile phone number of the first user to be identified, and identifying the first user to be identified as an abnormal user if the number of times of access to the specific domain name by the same mobile phone number is greater than a second access time threshold value, wherein the second access time threshold value is smaller than the first access time threshold value;
taking the first to-be-identified user with the same mobile phone number and the access frequency of the specific domain name smaller than a second access frequency threshold value as a second to-be-identified user;
extracting mobile phone terminal information of the second user to be identified, wherein the mobile phone terminal information comprises: the manufacturer and model of the mobile phone terminal;
if the access times of the mobile phone terminal with the same manufacturer and model of the mobile phone terminal to the specific domain name are larger than a third access time threshold, identifying the second user to be identified as an abnormal user, wherein the third access time threshold is smaller than the second access time threshold;
taking the second user to be identified, of which the access times of the mobile phone terminal with the same manufacturer and model of the mobile phone terminal to the specific domain name are smaller than a third access time threshold value, as a third user to be identified;
and extracting the position information of the mobile phone terminal of the third user to be identified, and identifying the third user to be identified as an abnormal user if the displacement variation generated by the position of the mobile phone terminal in the preset time interval t is smaller than a preset distance threshold.
2. An abnormal behavior user recognition apparatus, comprising:
a network information obtaining unit, configured to obtain status information of a current network, where the status information includes: the whole network rate, the network element rate and the service flow value;
the judging unit is used for judging whether the current network has abnormal behavior users or not according to the state information of the current network, a preset time interval t and an observation time i;
the user information acquisition unit is used for acquiring session record information of a user to be identified and information of the user terminal to be identified if the user with the abnormal behavior exists in the current network;
the identification unit is used for identifying the abnormal behavior user according to the session record information and the user terminal information;
the judgment unit is used for:
judging whether the full-network rate of the current network is reduced or not according to the full-network rate of the current network, a preset time interval t and an observation time i;
if the whole network rate of the current network is judged to be in a descending state, judging whether the network element rate of the current network is descending;
if the network element rate of the current network is judged to be in a descending state, selecting the first m service flow values in the service flow values as service flow values to be selected according to the size of the service flow values;
calculating the rate of the service to be selected corresponding to the service to be selected according to the preset time interval t and the value of the traffic of the service to be selected;
judging whether the rate of the service to be selected of the current network is reduced or not;
if the rate of the service to be selected of the current network is judged to be in a descending state, judging that users with abnormal behaviors exist in the current network;
the judging unit is further configured to:
acquiring the observation times n in a preset time interval t according to the preset time interval t and observation time i, wherein the observation time i is positioned between the starting time and the ending time corresponding to the preset time interval t;
calculating the average value of the whole network rate within the preset time interval t according to the observation times n and the whole network rate of the current network;
calculating the whole network rate reduction percentage of the current network according to the average value of the whole network rate and the whole network rate of the current network;
if the whole network rate reduction percentage of the current network is greater than or equal to the preset whole network rate percentage, judging that the whole network rate of the current network is in a reduction state;
the judging unit is further configured to:
calculating the average value of the network element rate in the preset time interval t according to the observation times n and the network element rate of the current network;
calculating the network element rate reduction percentage of the current network according to the average value of the network element rates and the network element rate of the current network;
if the network element rate reduction percentage of the current network is greater than or equal to the preset network element rate percentage, judging that the network element rate of the current network is in a reduction state;
the judging unit is further configured to:
calculating the average value of the service rate to be selected according to the service rate to be selected and the number m of the service flow to be selected;
according to the average value of the service rate to be selected [symbol shown as image FDA0002541637310000051], the service rate to be selected V_ij and the average value of the network element rate [symbol shown as image FDA0002541637310000052], if the result calculated by the formula [formula shown as image FDA0002541637310000053] is 1, judging that the rate of the service to be selected of the current network is in a descending state, wherein j is the jth service;
the identification unit is used for:
according to the number of times of specific domain name access in the session record information, identifying the user to be identified, of which the number of times of specific domain name access is greater than a first access number threshold value, as an abnormal user;
taking the user to be identified with the specific domain name access times smaller than a first access time threshold value as a first user to be identified;
extracting the mobile phone number of the first user to be identified, and identifying the first user to be identified as an abnormal user if the number of times of access to the specific domain name by the same mobile phone number is greater than a second access time threshold value, wherein the second access time threshold value is smaller than the first access time threshold value;
taking the first to-be-identified user with the same mobile phone number and the access frequency of the specific domain name smaller than a second access frequency threshold value as a second to-be-identified user;
extracting mobile phone terminal information of the second user to be identified, wherein the mobile phone terminal information comprises: the manufacturer and model of the mobile phone terminal;
if the access times of the mobile phone terminal with the same manufacturer and model of the mobile phone terminal to the specific domain name are larger than a third access time threshold, identifying the second user to be identified as an abnormal user, wherein the third access time threshold is smaller than the second access time threshold;
taking the second user to be identified, of which the access times of the mobile phone terminal with the same manufacturer and model of the mobile phone terminal to the specific domain name are smaller than a third access time threshold value, as a third user to be identified;
and extracting the position information of the mobile phone terminal of the third user to be identified, and identifying the third user to be identified as an abnormal user if the displacement variation generated by the position of the mobile phone terminal in the preset time interval t is smaller than a preset distance threshold.
CN201611035558.9A 2016-11-15 2016-11-15 Abnormal behavior user identification method and device Active CN108076032B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611035558.9A CN108076032B (en) 2016-11-15 2016-11-15 Abnormal behavior user identification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611035558.9A CN108076032B (en) 2016-11-15 2016-11-15 Abnormal behavior user identification method and device

Publications (2)

Publication Number Publication Date
CN108076032A CN108076032A (en) 2018-05-25
CN108076032B true CN108076032B (en) 2020-11-06

Family

ID=62161671

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611035558.9A Active CN108076032B (en) 2016-11-15 2016-11-15 Abnormal behavior user identification method and device

Country Status (1)

Country Link
CN (1) CN108076032B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109409902A (en) * 2018-09-04 2019-03-01 平安普惠企业管理有限公司 Risk subscribers recognition methods, device, computer equipment and storage medium
CN111526381B (en) * 2020-04-20 2021-07-09 北京创世云科技股份有限公司 Method and device for optimizing live broadcast resources and electronic equipment
CN113127881A (en) * 2021-04-20 2021-07-16 重庆电子工程职业学院 Data security processing method based on big data
CN113987206A (en) * 2021-10-29 2022-01-28 平安银行股份有限公司 Abnormal user identification method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014031A (en) * 2010-12-31 2011-04-13 湖南神州祥网科技有限公司 Method and system for network flow anomaly detection
CN102368842A (en) * 2011-10-12 2012-03-07 中国联合网络通信集团有限公司 Detection method of abnormal behavior of mobile terminal and detection system thereof
CN104320297A (en) * 2014-10-15 2015-01-28 中冶长天国际工程有限责任公司 Method and device for network anomaly detection and network communication control
CN105451257A (en) * 2015-12-04 2016-03-30 中国联合网络通信集团有限公司 Data business problem locating method and device
CN106027577A (en) * 2016-08-04 2016-10-12 四川无声信息技术有限公司 Exception access behavior detection method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101761737B1 (en) * 2014-05-20 2017-07-26 한국전자통신연구원 System and Method for Detecting Abnormal Behavior of Control System

Also Published As

Publication number Publication date
CN108076032A (en) 2018-05-25

Similar Documents

Publication Publication Date Title
CN104281882B (en) The method and system of prediction social network information stream row degree based on user characteristics
CN107404408B (en) Virtual identity association identification method and device
CN103605791B (en) Information transmission system and information-pushing method
CN105824813B (en) A kind of method and device for excavating core customer
CN111339436B (en) Data identification method, device, equipment and readable storage medium
CN109640312B (en) &#39;Black card&#39; identification method, electronic equipment and computer readable storage medium
CN107895038B (en) Link prediction relation recommendation method and device
CN108076032B (en) Abnormal behavior user identification method and device
CN107240029B (en) Data processing method and device
CN107896153B (en) A method and device for recommending a data package based on the online behavior of a mobile user
CN104408640B (en) Application software recommends method and device
CN113992340B (en) User abnormal behavior identification method, device, equipment and storage medium
KR102086936B1 (en) User data sharing method and device
CN111738785A (en) Product selection method, system and storage medium
CN113412607A (en) Content pushing method and device, mobile terminal and storage medium
CN110166344A (en) A kind of identity recognition methods, device and relevant device
CN106843941A (en) Information processing method, device and computer equipment
CN110781410A (en) Community detection method and device
US8700756B2 (en) Systems, methods and devices for extracting and visualizing user-centric communities from emails
WO2024244398A1 (en) Method and apparatus for detecting malicious dos traffic, and electronic device and storage medium
CN110222790A (en) Method for identifying ID, device and server
CN110677269B (en) Method and device for determining communication user relationship and computer readable storage medium
CN104902498A (en) Identification method and device for subscriber re-networking
CN111931035A (en) Business recommendation method, device and equipment
CN108711073B (en) User analysis method, device and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Guangdong global building, No.11 Zhujiang West Road, Zhujiang New Town, Tianhe District, Guangzhou, Guangdong 510630

Patentee after: China Mobile Group Guangdong Co.,Ltd.

Patentee after: CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd.

Address before: 510623 Guangdong global building, 11 Zhujiang West Road, Zhujiang New Town, Guangzhou City, Guangdong Province

Patentee before: China Mobile Group Guangdong Co.,Ltd.

Patentee before: China Mobile Communications Corp.