CN108076032B - Abnormal behavior user identification method and device - Google Patents


Info

Publication number: CN108076032B
Authority: CN (China)
Application number: CN201611035558.9A
Other languages: Chinese (zh)
Other versions: CN108076032A (en)
Inventors: 罗骁茜, 吴栩欣
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Group Guangdong Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Group Guangdong Co Ltd
Legal status: Active
Prior art keywords: user, rate, network, current network, identified

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L43/067 Generation of reports using time frame reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0894 Packet rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the invention provides a method and a device for identifying users with abnormal behavior. The method comprises the following steps: acquiring state information of a current network, wherein the state information comprises the whole network rate, the network element rate and the service flow value; judging whether an abnormal-behavior user exists in the current network according to the state information of the current network, a preset time interval t and an observation time i; if an abnormal-behavior user exists in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified; and identifying the abnormal-behavior user according to the session record information and the user terminal information. The device performs the above method. By judging whether abnormal-behavior users exist in the current network and identifying them, the method and device provided by the embodiment of the invention ensure the stability of the current network rate.

Description

Abnormal behavior user identification method and device
Technical Field
The embodiment of the invention relates to the technical field of mobile communication, in particular to a method and a device for identifying users with abnormal behaviors.
Background
With the development of mobile communication technology, people increasingly acquire information through internet access to meet the requirements of daily learning and working.
However, behaviors that threaten internet information security have also emerged, such as account theft and advertisement sending, publishing malicious links, and defrauding internet users of money. These behaviors are collectively called "user abnormal behaviors". They occupy limited network resources for long periods and in large quantities and greatly affect the internet experience of normal users, whose connections become slow or who cannot get online at all.
Therefore, how to effectively identify the users with abnormal behaviors becomes an urgent problem to be solved.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides a method and a device for identifying an abnormal behavior user.
In one aspect, an embodiment of the present invention provides a method for identifying an abnormal-behavior user, including:
acquiring state information of a current network, wherein the state information comprises: the whole network rate, the network element rate and the service flow value;
judging whether the current network has abnormal behavior users or not according to the state information of the current network, a preset time interval t and an observation time i;
if the user with the abnormal behavior exists in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified;
and identifying the abnormal behavior user according to the session record information and the user terminal information.
In another aspect, an embodiment of the present invention provides an abnormal behavior user identification apparatus, including:
a network information obtaining unit, configured to obtain status information of a current network, where the status information includes: the whole network rate, the network element rate and the service flow value;
the judging unit is used for judging whether the current network has abnormal behavior users or not according to the state information of the current network, a preset time interval t and an observation time i;
the user information acquisition unit is used for acquiring session record information of a user to be identified and information of the user terminal to be identified if the user with the abnormal behavior exists in the current network;
and the identification unit is used for identifying the abnormal behavior user according to the session record information and the user terminal information.
According to the method and the device for identifying the users with the abnormal behaviors, provided by the embodiment of the invention, the stability of the current network rate is ensured by judging whether the users with the abnormal behaviors exist in the current network or not and identifying the users with the abnormal behaviors.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a method for identifying a user with abnormal behavior according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating a method for identifying a user with abnormal behavior according to another embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an abnormal behavior user identification apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic physical structure diagram of an apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow diagram of a method for identifying a user with abnormal behavior according to an embodiment of the present invention, and as shown in fig. 1, the method for identifying a user with abnormal behavior according to the embodiment includes the following steps:
S1: acquiring state information of a current network, wherein the state information comprises: the whole network rate, the network element rate and the service flow value.
Specifically, the device acquires state information of the current network, where the state information includes: the whole network rate, the network element rate and the service flow value. It should be noted that the state information of the current network may include, but is not limited to, the whole network rate, the network element rate and the service flow value.
S2: and judging whether the current network has abnormal behavior users or not according to the state information of the current network, a preset time interval t and an observation time i.
Specifically, the device judges whether an abnormal-behavior user exists in the current network according to the state information of the current network, a preset time interval t and an observation time i. It should be noted that the preset time interval t and the observation time i can be set independently according to actual conditions. For example, the preset time interval t may be set to 1 hour, which means that the device executes the abnormal behavior user identification method once every 1 hour and identifies the behavior of the users to be selected. The smaller the preset time interval t, the more frequently user behavior is identified; the larger the preset time interval t, the less frequently user behavior is identified. The observation time i can be set to any one or more moments between the start time and the end time corresponding to the preset time interval t. For example, when the preset time interval t is set to 1 hour and the method is executed at 17:00, the start time is 17:00 and the end time is 18:00, and the observation time i can be the time at which the whole network rate, the network element rate or the service flow value is collected at any one or several moments between 17:00 and 18:00.
S3: and if the user with the abnormal behavior exists in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified.
Specifically, if the device knows that the user with the abnormal behavior exists in the current network, the device acquires session record information of the user to be identified and terminal information of the user to be identified. It should be noted that: the user session record information may include, but is not limited to: access record information for network domain name, session duration, source TCP/UDP port, target TCP/UDP port, etc., and the user terminal information may include but is not limited to: the brand and model of the mobile phone terminal used by the user, and the like.
S4: and identifying the abnormal behavior user according to the session record information and the user terminal information.
Specifically, the device identifies the abnormal behavior user according to the session record information and the user terminal information. It should be noted that: the identification of the abnormal behavior user can be realized according to the access times of the specific domain name in the session record information, the mobile phone terminal brand and model of the user terminal information, the used mobile phone number and the position of the mobile phone terminal.
The abnormal behavior user identification method provided by the embodiment of the invention ensures the stability of the current network rate by judging whether the abnormal behavior user exists in the current network or not and identifying the abnormal behavior user.
On the basis of the above embodiment, the determining whether the current network has the user with the abnormal behavior according to the state information of the current network, the preset time interval t, and the observation time i includes:
and judging whether the full-network rate of the current network is reduced or not according to the full-network rate of the current network, a preset time interval t and an observation time i.
Specifically, the device judges whether the full-network rate of the current network is reduced or not according to the full-network rate of the current network, a preset time interval t and an observation time i. It should be noted that: whether the overall network rate is decreased or not is determined according to the overall network rate decrease percentage of the current network, which is described as follows with reference to the above embodiment: when the preset time interval t is set to 1 hour, if the current time for performing the method is 17:00, the start time corresponds to 17:00, the end time corresponds to 18:00, and the number of observations n is 3 assuming observation times i are 17:10, 17:25, and 17:50, according to the formula:
Figure GDA0002407844330000051
calculating the average value of the whole network speed within 1 hour of the preset time interval
Figure GDA0002407844330000052
Where V_Ai is the full network rate in the state information of the current network, according to the formula:
Figure GDA0002407844330000053
calculating the whole network rate reduction percentage P_A of the current network, then according to the formula:
Figure GDA0002407844330000054
judging whether the whole network rate of the current network is in a descending state (that is, when P_A is greater than or equal to 5%, the whole network rate has decreased; when P_A is less than 5%, the whole network rate has not decreased). Here 5% is the preset whole network rate percentage; it may be set autonomously according to the actual situation, 5% being one optional value, and the embodiment of the present invention does not specifically limit it.
And if the whole network rate of the current network is judged to be in a descending state, judging whether the network element rate of the current network is descending.
Specifically, if the device determines that the overall network rate of the current network is in a decreasing state, it determines whether the network element rate of the current network decreases. If the whole network rate of the current network is judged to be in an unreduced state, the current network can be considered to have no abnormal behavior user. It should be noted that: the judgment of whether the network element rate is decreased is based on the network element rate decrease percentage of the current network, and the following description is continued with reference to the above embodiment: the number of observations n is 3, which can be according to the formula:
Figure GDA0002407844330000055
calculating the average value of the network element speed within 1 hour of the preset time interval
Figure GDA0002407844330000056
Where V_Bi is the network element rate in the state information of the current network, according to the formula:
Figure GDA0002407844330000057
calculating the network element rate reduction percentage P_B of the current network, then according to the formula:
Figure GDA0002407844330000058
judging whether the network element rate of the current network is in a decreasing state, wherein 10% is a preset network element rate percentage, and the network element rate can be set autonomously according to an actual situation, wherein 10% is an optional scheme, and the embodiment of the present invention is not specifically limited to this.
And if the network element speed of the current network is judged to be in a descending state, selecting the first m service flow values in the service flow values as the service flow values to be selected according to the size of the service flow values.
Specifically, if the device determines that the network element rate of the current network is in a decreasing state, the device selects the first m traffic values in the traffic values as the traffic values to be selected according to the size of the traffic values. If the device judges that the network element speed of the current network is in the non-reduction state, the device can consider that no abnormal behavior user exists in the current network. The value of m may be set autonomously according to an actual situation, and is not specifically limited here, and the candidate traffic flow value obtained by enumerating m as 10 in this embodiment is shown in table 1:
Table 1: the first 10 traffic flow values, which can be used as candidate traffic flow values

Service | Traffic (MB) | Share | Rate (kbps)
360 safety guard | 3687 | 14% | 283
Flying letter | 1090 | 4% | 198
Network book | 570 | 2% | 108
CHINA IND AND COMMERCIAL BANK | 553 | 2% | 93
QQ space | 370 | 1% | 479
Tencent network | 284 | 1% | 591
UC browsing | 151 | 1% | 480
Wave of new sea | 148 | 1% | 503
Hundredth degree | 110 | 0% | 397
Apple official website | 77 | 0% | 470
RNC entity | 25598 | 100% | 278
And calculating the rate of the service to be selected corresponding to the service to be selected according to the preset time interval t and the value of the traffic of the service to be selected.
Specifically, the device calculates the rate of the service to be selected corresponding to the service to be selected according to the preset time interval t and the value of the traffic of the service to be selected. Examples are as follows: can be determined according to the formula:
Figure GDA0002407844330000071
calculating the rate V_ij of the service to be selected, where i is the observation time, j is the j-th service, and M_ij is the traffic flow value to be selected.
And judging whether the rate of the service to be selected of the current network is reduced or not.
Specifically, the device determines whether the rate of the service to be selected of the current network decreases. Can be determined according to the formula:
Figure GDA0002407844330000072
calculating the average value of the service rate to be selected
Figure GDA0002407844330000074
Can be further according to the formula:
Figure GDA0002407844330000073
and judging whether the rate of the service to be selected of the current network is in a descending state.
And if the rate of the service to be selected of the current network is judged to be in a descending state, judging that the user with abnormal behavior exists in the current network.
Specifically, if the device determines that the rate of the service to be selected of the current network is in a decreasing state, it determines that the user with abnormal behavior exists in the current network. If the rate of the service to be selected of the current network is judged and known to be in a non-descending state, the current network can be considered to have no abnormal behavior user.
The method for identifying the users with the abnormal behaviors, provided by the embodiment of the invention, can accurately identify whether the users with the abnormal behaviors exist in the current network or not by judging whether the whole network rate, the network element rate and the to-be-selected service rate of the current network are reduced or not.
On the basis of the above embodiment, the determining whether the full network rate of the current network decreases according to the full network rate of the current network, a preset time interval t, and an observation time i includes:
acquiring the observation times n in a preset time interval t according to the preset time interval t and observation time i, wherein the observation time i is positioned between the starting time and the ending time corresponding to the preset time interval t.
Specifically, the device acquires the observation times n in a preset time interval t according to the preset time interval t and observation time i, wherein the observation time i is located between the starting time and the ending time corresponding to the preset time interval t. The description of the above embodiments is omitted here for brevity.
And calculating the average value of the full network speed within the preset time interval t according to the observation times n and the full network speed of the current network.
Specifically, the device calculates the average value of the total network rate within the preset time interval t according to the observation times n and the total network rate of the current network. The description of the above embodiments is omitted here for brevity.
And calculating the whole network rate reduction percentage of the current network according to the average value of the whole network rate and the whole network rate of the current network.
Specifically, the device calculates the percentage of decrease in the total network rate of the current network according to the average value of the total network rate and the total network rate of the current network. The description of the above embodiments is omitted here for brevity.
And if the whole network rate reduction percentage of the current network is greater than or equal to the preset whole network rate percentage, judging that the whole network rate of the current network is in a reduction state.
Specifically, if the device knows that the rate reduction percentage of the current network is greater than or equal to the preset rate reduction percentage of the current network, the device determines that the rate of the current network is in a reduction state. The description of the above embodiments is omitted here for brevity.
According to the method for identifying the abnormal behavior user, the accuracy of judging the rate reduction state of the whole network is ensured by calculating the rate reduction percentage of the whole network of the current network.
On the basis of the foregoing embodiment, the determining whether the network element rate of the current network decreases includes:
and calculating the average value of the network element speed in the preset time interval t according to the observation times n and the network element speed of the current network.
Specifically, the device calculates the average value of the network element rate within the preset time interval t according to the observation times n and the network element rate of the current network. The description of the above embodiments is omitted here for brevity.
And calculating the network element rate reduction percentage of the current network according to the average value of the network element rates and the network element rate of the current network.
Specifically, the device calculates the percentage of decrease in the network element rate of the current network according to the average value of the network element rate and the network element rate of the current network. The description of the above embodiments is omitted here for brevity.
And if the network element rate reduction percentage of the current network is greater than or equal to the preset network element rate percentage, judging that the network element rate of the current network is in a reduction state.
Specifically, if the device knows that the network element rate reduction percentage of the current network is greater than or equal to the preset network element rate percentage, the device determines that the network element rate of the current network is in a reduction state. The description of the above embodiments is omitted here for brevity.
The method for identifying the abnormal behavior user, provided by the embodiment of the invention, can ensure the accuracy of judging the rate reduction state of the network element by calculating the rate reduction percentage of the network element of the current network.
On the basis of the foregoing embodiment, the determining whether the candidate service rate of the current network decreases includes:
and calculating the average value of the service rate to be selected according to the service rate to be selected and the number m of the service flow to be selected.
Specifically, the device calculates the average value of the service rate to be selected according to the service rate to be selected and the number m of the service flow to be selected. The description of the above embodiments is omitted here for brevity.
According to the average value of the service rate to be selected
Figure GDA0002407844330000091
the service rate V_ij to be selected and the average value of the network element rate
Figure GDA0002407844330000092
if the result calculated by the formula
Figure GDA0002407844330000093
is 1, judging that the rate of the service to be selected of the current network is in a descending state.
Specifically, according to the average value of the service rate to be selected
Figure GDA0002407844330000094
the service rate V_ij to be selected and the average value of the network element rate
Figure GDA0002407844330000095
if the result calculated by the formula
Figure GDA0002407844330000096
is 1, the device judges that the rate of the service to be selected of the current network is in a descending state. The description of the above embodiments is omitted here for brevity.
The method for identifying the abnormal behavior user, provided by the embodiment of the invention, ensures the accuracy of judging whether the rate of the service to be selected is a descending state according to the calculated average value of the rate of the service to be selected and the network element rate.
On the basis of the above embodiment, the identifying the abnormal behavior user according to the session record information and the user terminal information includes:
and according to the access times of the specific domain name in the session record information, identifying the user to be identified, of which the access times of the specific domain name are greater than a first access time threshold value, as an abnormal user.
Specifically, Fig. 2 is a schematic flowchart of a method for identifying a user with abnormal behavior according to another embodiment of the present invention. As shown in Fig. 2, the device identifies as abnormal users those users to be identified whose number of accesses to the specific domain name, according to the session record information, is greater than a first access count threshold. The first access count threshold may be set autonomously according to the actual situation and is not limited herein. For example: if there are 1000 users to be identified, the first access count threshold is 50, and 40 of the users to be identified have accessed the specific domain name more than 50 times, those 40 users to be identified are identified as abnormal users.
And taking the user to be identified with the specific domain name access times smaller than a first access time threshold value as a first user to be identified.
Specifically, the device takes the users to be identified whose number of accesses to the specific domain name is smaller than the first access count threshold as the first users to be identified. Continuing the above example: the remaining 960 (1000 − 40 = 960) users to be identified are taken as the first users to be identified.
And extracting the mobile phone number of the first user to be identified, and identifying the first user to be identified as an abnormal user if the access times of the same mobile phone number to the specific domain name are greater than a second access time threshold, wherein the second access time threshold is less than the first access time threshold.
Specifically, the device extracts the mobile phone number of the first user to be identified, and if the number of accesses to the specific domain name by the same mobile phone number is greater than a second access count threshold, identifies the first user to be identified as an abnormal user, where the second access count threshold is smaller than the first access count threshold. The second access count threshold may be set autonomously according to the actual situation and is not limited herein. Continuing the above example: there are 960 first users to be identified and the second access count threshold is 40; if, for 60 of the first users to be identified, the number of accesses to the specific domain name by the same mobile phone number is greater than the second access count threshold of 40, those 60 first users to be identified are identified as abnormal users.
And taking the first to-be-identified user with the same mobile phone number and the specific domain name with the access frequency smaller than a second access frequency threshold value as a second to-be-identified user.
Specifically, the device takes the first users to be identified for which the number of accesses to the specific domain name by the same mobile phone number is smaller than the second access count threshold as the second users to be identified. For example: of the 960 first users to be identified, 900 (960 − 60 = 900) are taken as the second users to be identified.
Extract the mobile phone terminal information of the second user to be identified, where the mobile phone terminal information includes: the manufacturer and the model of the mobile phone terminal.
Specifically, the device extracts the mobile phone terminal information of the second user to be identified, where the mobile phone terminal information may include, but is not limited to: the manufacturer and the model of the mobile phone terminal.
If the access count of the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third access count threshold, identify the second user to be identified as an abnormal user, where the third access count threshold is smaller than the second access count threshold.
Specifically, if the device learns that the access count of the specific domain name by mobile phone terminals of the same manufacturer and model is greater than the third access count threshold, the device identifies the second user to be identified as an abnormal user, where the third access count threshold is smaller than the second access count threshold. The third access count threshold may be set according to the actual situation and is not limited herein. Continuing the example from the above embodiment: there are 900 second users to be identified and the third access count threshold is 30; the 20 second users to be identified for whom the access count of the specific domain name by mobile phone terminals of the same manufacturer and model is greater than the third access count threshold of 30 are identified as abnormal users.
Take the second users to be identified for whom the access count of the specific domain name by mobile phone terminals of the same manufacturer and model is smaller than the third access count threshold as the third users to be identified.
Specifically, the device takes the second users to be identified for whom the access count of the specific domain name by mobile phone terminals of the same manufacturer and model is smaller than the third access count threshold as the third users to be identified. For example: there are 900 second users to be identified, and 880 (900 - 20) of them are taken as third users to be identified.
Extract the position information of the mobile phone terminal of the third user to be identified, and identify the third user to be identified as an abnormal user if the displacement of the mobile phone terminal's position within the preset time interval t is smaller than a preset distance threshold.
Specifically, the device extracts the position information of the mobile phone terminal of the third user to be identified, and if the displacement of the mobile phone terminal's position within the preset time interval t is smaller than the preset distance threshold, identifies the third user to be identified as an abnormal user. The preset distance threshold may be set according to actual conditions and is not limited herein. Continuing the example from the above embodiment: there are 880 third users to be identified and the preset distance threshold is 200 meters; the 10 third users to be identified whose mobile phone terminal's displacement within the preset time interval t is smaller than the preset distance threshold of 200 meters are identified as abnormal users. The 870 (880 - 10) third users to be identified whose mobile phone terminal's displacement within the preset time interval t is greater than or equal to the preset distance threshold of 200 meters are identified as normal users.
According to the abnormal behavior user identification method provided by the embodiment of the invention, the accuracy of the identification effect is ensured by successively identifying the abnormal behavior users.
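The four-stage screening described above, written out as an added Python example (it is not code from the patent). The record fields, the value of the first threshold and the sample data are constructed; "access count by the same mobile phone number" and "by the same manufacturer and model" are read here as the sum over the users still under examination that share that key, which is an assumption, as is measuring displacement between the first and last position fix.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# T2, T3 and the distance threshold are the values from the page's worked
# example; T1 is an assumed value (the page only requires T1 > T2 > T3).
T1, T2, T3, MIN_DISPLACEMENT_M = 50, 40, 30, 200.0


@dataclass(frozen=True)
class Record:
    """One user to be identified (field names are hypothetical)."""
    user: str
    msisdn: str      # mobile phone number
    vendor: str
    model: str
    hits: int        # accesses to the monitored domain within interval t
    track: tuple     # ((lat, lon), ...) position fixes within t, oldest first


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) fixes."""
    lat1, lat2 = math.radians(a[0]), math.radians(b[0])
    dlat, dlon = lat2 - lat1, math.radians(b[1] - a[1])
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def split_by_group_total(records, key, threshold):
    """Sum hits per key over the records still in play. A record is flagged
    when its group's total is strictly greater than the threshold; a total
    equal to the threshold is passed on (the page leaves that case open)."""
    totals = defaultdict(int)
    for rec in records:
        totals[key(rec)] += rec.hits
    flagged = [r for r in records if totals[key(r)] > threshold]
    passed = [r for r in records if totals[key(r)] <= threshold]
    return flagged, passed


def classify(records):
    """Return {user: verdict}, applying the stages in the page's order."""
    stages = (
        ("abnormal:domain-count", lambda r: r.user, T1),
        ("abnormal:same-msisdn", lambda r: r.msisdn, T2),
        ("abnormal:same-device-model", lambda r: (r.vendor, r.model), T3),
    )
    verdict, remaining = {}, list(records)
    for label, key, threshold in stages:
        flagged, remaining = split_by_group_total(remaining, key, threshold)
        for rec in flagged:
            verdict[rec.user] = label
    for rec in remaining:
        if len(rec.track) < 2:
            # No displacement can be computed from fewer than two fixes.
            verdict[rec.user] = "undetermined:no-track"
            continue
        moved = haversine_m(rec.track[0], rec.track[-1])
        verdict[rec.user] = ("abnormal:stationary"
                             if moved < MIN_DISPLACEMENT_M else "normal")
    return verdict


# Constructed sample data (not taken from the page).
HOME = (23.1291, 113.2644)
NEAR = (23.12928, 113.2644)   # about 20 m north of HOME
FAR = (23.1426, 113.2644)     # about 1.5 km north of HOME
SAMPLE = [
    Record("u1", "M1", "VendorX", "m1", 80, (HOME, FAR)),
    Record("u2", "M2", "VendorY", "m2", 25, (HOME, FAR)),
    Record("u3", "M2", "VendorY", "m2", 25, (HOME, FAR)),
    Record("u4", "M3", "VendorZ", "m9", 18, (HOME, FAR)),
    Record("u5", "M4", "VendorZ", "m9", 18, (HOME, FAR)),
    Record("u6", "M5", "VendorX", "m1", 10, (HOME, NEAR)),
    Record("u7", "M6", "VendorY", "m2", 12, (HOME, FAR)),
    Record("u8", "M7", "VendorW", "m3", 5, (HOME,)),
]

if __name__ == "__main__":
    for user, result in classify(SAMPLE).items():
        print(user, result)
```

Under this reading, u6 shares a device model with u1 but is not pulled in by it, because u1 was already removed at the first stage; the order of the stages therefore affects who is flagged and why.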
The flowchart of the abnormal behavior user identification method shown in fig. 2 may be obtained according to the following steps:
R1: Record the session information of the users to be identified and extract key features as sample library factors. An independent feature that has no influence on other features serves as one sample library factor, and several features that influence each other and act together are combined into one sample library factor. In this way, a sample library containing the online behavior sessions of normal users and abnormal users is established.
R2: Based on the sample library factors of step R1, a certain number of objects are randomly extracted, a training data set is constructed, and the flowchart of the abnormal behavior user identification method shown in fig. 2 is generated through training and pruning. The detailed structure and algorithm of this flowchart are as follows:
The decision tree algorithm adopts the CART (Classification and Regression Trees) algorithm, namely the classification and regression tree algorithm.
The CART algorithm mainly comprises two steps: (1) building the tree by recursively partitioning the samples, and (2) pruning by using the verification data.
In step (1), a binary tree is built recursively. Let $x_1, x_2, \ldots, x_n$ represent the n attributes of a single sample, and let y represent the category to which it belongs. The CART algorithm partitions the n-dimensional space into non-overlapping rectangles in a recursive manner. The dividing steps are roughly as follows:
(1) Select an independent variable $x_i$, then select a value $v_i$ of $x_i$. $v_i$ divides the n-dimensional space into two parts: all samples of one part satisfy $x_i \le v_i$, and all samples of the other part satisfy $x_i > v_i$. For discrete variables, the attribute values take only two values, i.e., equal to or not equal to the value. Continuous variables also need to be discretized, and the abnormal user internet behavior characteristics of this proposal are continuous variables.
(2) Recursive processing: reselect an attribute within each of the two parts obtained in step (1) and continue dividing until the whole n-dimensional space is divided.
In the dividing process, for a continuous attribute, each dividing point is the midpoint of a pair of consecutive attribute values. Assuming that a set of m samples has m consecutive values for an attribute, there will be m-1 split points, each split point being the mean of two consecutive values. The divisions of each attribute are sorted by the amount of impurity they can reduce, where the reduction of impurity is defined as the impurity before division minus the sum of the impurity of each node after division weighted by that node's share of the samples. The impurity measure commonly used is the Gini index. The Gini value mainly measures the impurity of a data partition or training data set K. The Gini value is tested at branch nodes: if a certain purity is met, the samples are divided into the left subtree, otherwise into the right subtree, and finally a binary decision tree is generated. The smaller the Gini value, the higher the "purity" of the sample. Assuming that the samples have Z classes and the probability of belonging to class i is $p_i$, the Gini impurity of a node K can be defined by the following equation:
Figure GDA0002407844330000131
When Gini(K) is 0, all samples belong to the same class; when all classes appear with equal probability in a node, Gini(K) is maximized,
Figure GDA0002407844330000132
In an actual recursive partitioning process, if all samples of a current node belong to the same class or only one sample is left, the node is a non-leaf node, and therefore each attribute of the sample and each split point corresponding to that attribute need to be tried in order to find the partition with the largest reduction in impurity; the subtree produced by that attribute partition is the optimal branch.
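The split search described above, as an added Python example (not code from the patent). Because the page's Gini equation survives only as an image reference, the code uses the standard CART definition, one minus the sum of squared class probabilities; the two features (domain access count and displacement in metres) and all sample rows are constructed.

```python
from collections import Counter


def gini(labels):
    """Standard Gini impurity: 1 - sum(p_i^2); 0.0 for a pure node."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def candidate_splits(values):
    """Midpoints of consecutive distinct values. m distinct values give
    m-1 split points; repeated values produce no extra candidates."""
    distinct = sorted(set(values))
    return [(a + b) / 2 for a, b in zip(distinct, distinct[1:])]


def best_split(rows, labels):
    """Try every attribute and every split point; return the tuple
    (attribute_index, threshold, impurity_reduction) with the largest
    reduction, or None when no attribute has two distinct values."""
    n, parent, best = len(labels), gini(labels), None
    for f in range(len(rows[0])):
        for v in candidate_splits([r[f] for r in rows]):
            left = [y for r, y in zip(rows, labels) if r[f] <= v]
            right = [y for r, y in zip(rows, labels) if r[f] > v]
            weighted = len(left) / n * gini(left) + len(right) / n * gini(right)
            gain = parent - weighted
            if best is None or gain > best[2]:
                best = (f, v, gain)
    return best


def build(rows, labels):
    """Recursive partitioning. A leaf is a class label; an internal node is
    (attribute_index, threshold, left_subtree, right_subtree)."""
    split = best_split(rows, labels) if len(set(labels)) > 1 else None
    if split is None or split[2] <= 0.0:
        return Counter(labels).most_common(1)[0][0]
    f, v, _ = split
    left = [(r, y) for r, y in zip(rows, labels) if r[f] <= v]
    right = [(r, y) for r, y in zip(rows, labels) if r[f] > v]
    return (f, v,
            build([r for r, _ in left], [y for _, y in left]),
            build([r for r, _ in right], [y for _, y in right]))


def predict(tree, row):
    """Walk the tree: x_i <= v goes left, x_i > v goes right."""
    while isinstance(tree, tuple):
        f, v, left, right = tree
        tree = left if row[f] <= v else right
    return tree


# Constructed training rows: (domain access count, displacement in metres).
ROWS = [(80, 15), (65, 900), (55, 40), (12, 20), (10, 50),
        (14, 1500), (9, 800), (20, 2300), (7, 400), (18, 650)]
LABELS = ["abnormal"] * 5 + ["normal"] * 5

TREE = build(ROWS, LABELS)

if __name__ == "__main__":
    print(TREE)
    print(predict(TREE, (11, 30)), predict(TREE, (11, 1200)))
```

On this sample the root splits on displacement at 225 m and the right branch then splits on access count at 42.5, so the learned tree reproduces the "stationary" and "high access count" criteria of the screening flow.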
In step (2), the CART algorithm adopts post-pruning, and this proposal adopts the cost-complexity pruning method of post-pruning. Let r(t) be the error rate of node t and p(t) the proportion of the data on node t to all data. If the node is pruned and R(t) is the error cost of node t, then
R(t)=r(t)×p(t) (9)
If the node is not pruned, $R(T_t)$ is the error cost of the subtree $T_t$, which is equal to the sum of the error costs of all the leaf nodes of the subtree $T_t$;
Figure GDA0002407844330000141
is the number of leaf nodes contained in the sub-tree, and for each non-leaf node in the classification regression tree, the gain value of surface error rate, α, is given by equation (9)
Figure GDA0002407844330000142
Fig. 3 is a schematic structural diagram of an abnormal behavior user identification apparatus according to an embodiment of the present invention, and as shown in fig. 3, the embodiment provides an abnormal behavior user identification apparatus, which includes a network information obtaining unit 1, a determining unit 2, a user information obtaining unit 3, and an identifying unit 4, where:
The network information obtaining unit 1 is configured to obtain state information of a current network, where the state information includes: the whole network rate, the network element rate and the service flow value; the judging unit 2 is configured to judge whether the current network has a user with abnormal behavior according to the state information of the current network, a preset time interval t and an observation time i; the user information obtaining unit 3 is configured to obtain session record information of a user to be identified and terminal information of the user to be identified if the current network has a user with abnormal behavior; the identification unit 4 is configured to identify the abnormal behavior user according to the session record information and the user terminal information.
Specifically, the network information obtaining unit 1 obtains the state information of the current network, which includes the whole network rate, the network element rate and the service flow value, and sends the state information to the judging unit 2. The judging unit 2 judges whether a user with abnormal behavior exists in the current network according to the state information of the current network, the preset time interval t and the observation time i, and sends the judgment result to the user information obtaining unit 3. If a user with abnormal behavior exists in the current network, the user information obtaining unit 3 obtains the session record information and the user terminal information of the user to be identified and sends them to the identification unit 4. The identification unit 4 identifies the abnormal behavior user according to the session record information and the user terminal information.
The abnormal behavior user identification device provided by the embodiment of the invention ensures the stability of the current network rate by judging whether the abnormal behavior user exists in the current network or not and identifying the abnormal behavior user.
On the basis of the above embodiment, the judging unit 2 is configured to:
Judge whether the whole network rate of the current network is decreasing according to the whole network rate of the current network, a preset time interval t and an observation time i; if the whole network rate of the current network is judged to be in a descending state, judge whether the network element rate of the current network is decreasing; if the network element rate of the current network is judged to be in a descending state, select the first m service flow values, ordered by size, as the service flow values to be selected; calculate the service rate to be selected corresponding to each service to be selected according to the preset time interval t and the service flow value to be selected; judge whether the service rate to be selected of the current network is decreasing; and if the service rate to be selected of the current network is judged to be in a descending state, judge that a user with abnormal behavior exists in the current network.
Specifically, the judging unit 2 is configured to judge whether the full network rate of the current network decreases according to the full network rate of the current network, a preset time interval t, and an observation time i; the judging unit 2 is configured to judge whether the network element rate of the current network is decreased if it is judged that the total network rate of the current network is in a decreased state; the judging unit 2 is configured to select, according to the size of the traffic flow value, the first m traffic flow values in the traffic flow values as traffic flow values to be selected if it is judged that the network element rate of the current network is in a decreasing state; the judging unit 2 is configured to calculate a service rate to be selected corresponding to the service to be selected according to the preset time interval t and the traffic value of the service to be selected; the judging unit 2 is configured to judge whether the rate of the service to be selected of the current network decreases; the judging unit 2 is configured to judge that the user with the abnormal behavior exists in the current network if it is judged and known that the rate of the service to be selected of the current network is in a decreasing state.
The abnormal behavior user identification device provided by the embodiment of the invention can accurately identify whether the abnormal behavior user exists in the current network or not by judging whether the whole network rate, the network element rate and the to-be-selected service rate of the current network are reduced or not.
On the basis of the above embodiment, the judging unit 2 is further configured to:
calculating the average value of the service rate to be selected according to the service rate to be selected and the number m of the service flow to be selected; according to the average value of the service rate to be selected
Figure GDA0002407844330000161
the service rate to be selected $V_{ij}$, and the average value of the network element rate
Figure GDA0002407844330000162
if the formula
Figure GDA0002407844330000163
yields a calculation result of 1, it is judged that the rate of the service to be selected of the current network is in a descending state.
Specifically, the judging unit 2 is further configured to calculate an average value of the service rates to be selected according to the service rate to be selected and the number m of the service flows to be selected; the judging unit 2 is further configured to determine an average value of the to-be-selected service rates according to the average value
Figure GDA0002407844330000164
the service rate to be selected $V_{ij}$, and the average value of the network element rate
Figure GDA0002407844330000165
if the formula
Figure GDA0002407844330000166
yields a calculation result of 1, it is judged that the rate of the service to be selected of the current network is in a descending state.
The abnormal behavior user identification device provided by the embodiment of the invention ensures the accuracy of judging whether the rate of the service to be selected is a descending state according to the calculated average value of the rate of the service to be selected and the network element rate.
On the basis of the above embodiment, the identification unit 4 is configured to:
according to the access count of the specific domain name in the session record information, identifying the user to be identified whose access count of the specific domain name is greater than a first access count threshold as an abnormal user;
taking the user to be identified whose access count of the specific domain name is smaller than the first access count threshold as a first user to be identified;
extracting the mobile phone number of the first user to be identified, and identifying the first user to be identified as an abnormal user if the access count of the specific domain name by the same mobile phone number is greater than a second access count threshold, where the second access count threshold is smaller than the first access count threshold;
taking the first user to be identified for whom the access count of the specific domain name by the same mobile phone number is smaller than the second access count threshold as a second user to be identified;
extracting mobile phone terminal information of the second user to be identified, where the mobile phone terminal information includes: the manufacturer and model of the mobile phone terminal;
if the access count of the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third access count threshold, identifying the second user to be identified as an abnormal user, where the third access count threshold is smaller than the second access count threshold;
taking the second user to be identified for whom the access count of the specific domain name by mobile phone terminals of the same manufacturer and model is smaller than the third access count threshold as a third user to be identified;
and extracting the position information of the mobile phone terminal of the third user to be identified, and identifying the third user to be identified as an abnormal user if the displacement of the mobile phone terminal's position within the preset time interval t is smaller than a preset distance threshold.
Specifically, the identification unit 4 is configured to identify, according to the access count of the specific domain name in the session record information, the user to be identified whose access count of the specific domain name is greater than a first access count threshold as an abnormal user; the identification unit 4 is configured to take the user to be identified whose access count of the specific domain name is smaller than the first access count threshold as a first user to be identified; the identification unit 4 is configured to extract the mobile phone number of the first user to be identified, and identify the first user to be identified as an abnormal user if the access count of the specific domain name by the same mobile phone number is greater than a second access count threshold, where the second access count threshold is smaller than the first access count threshold; the identification unit 4 is configured to take the first user to be identified for whom the access count of the specific domain name by the same mobile phone number is smaller than the second access count threshold as a second user to be identified; the identification unit 4 is configured to extract mobile phone terminal information of the second user to be identified, where the mobile phone terminal information includes: the manufacturer and model of the mobile phone terminal; the identification unit 4 is configured to identify the second user to be identified as an abnormal user if the access count of the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third access count threshold, where the third access count threshold is smaller than the second access count threshold; the identification unit 4 is configured to take the second user to be identified for whom the access count of the specific domain name by mobile phone terminals of the same manufacturer and model is smaller than the third access count threshold as a third user to be identified; the identification unit 4 is configured to extract the position information of the mobile phone terminal of the third user to be identified, and identify the third user to be identified as an abnormal user if the displacement of the mobile phone terminal's position within the preset time interval t is smaller than a preset distance threshold.
The abnormal behavior user identification device provided by the embodiment of the invention ensures the accuracy of the identification effect by successively identifying the abnormal behavior users.
The abnormal behavior user identification apparatus provided in this embodiment may be specifically configured to execute the processing flows of the above method embodiments, and the functions of the apparatus are not described herein again, and refer to the detailed description of the above method embodiments.
Fig. 4 is a schematic entity structure diagram of an apparatus provided in an embodiment of the present invention, and as shown in fig. 4, the neighboring cell optimization processing apparatus includes: a processor (processor)401, a memory (memory)402, and a bus 403;
the processor 401 and the memory 402 complete communication with each other through a bus 403;
The processor 401 is configured to call the program instructions in the memory 402 to execute the methods provided by the above method embodiments, for example including: acquiring state information of a current network, where the state information includes the whole network rate, the network element rate and the service flow value; judging whether the current network has abnormal behavior users according to the state information of the current network, a preset time interval t and an observation time i; if a user with abnormal behavior exists in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified; and identifying the abnormal behavior user according to the session record information and the user terminal information.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above method embodiments, for example including: acquiring state information of a current network, where the state information includes the whole network rate, the network element rate and the service flow value; judging whether the current network has abnormal behavior users according to the state information of the current network, a preset time interval t and an observation time i; if a user with abnormal behavior exists in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified; and identifying the abnormal behavior user according to the session record information and the user terminal information.
The present embodiment provides a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the methods provided by the above method embodiments, for example including: acquiring state information of a current network, where the state information includes the whole network rate, the network element rate and the service flow value; judging whether the current network has abnormal behavior users according to the state information of the current network, a preset time interval t and an observation time i; if a user with abnormal behavior exists in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified; and identifying the abnormal behavior user according to the session record information and the user terminal information.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
The above-described embodiments of the abnormal behavior user recognition apparatus and the like are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the embodiments of the present invention, and are not limited thereto; although embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (2)

1. A method for identifying abnormal behavior users is characterized by comprising the following steps:
acquiring state information of a current network, wherein the state information comprises: the whole network rate, the network element rate and the service flow value;
judging whether the current network has abnormal behavior users or not according to the state information of the current network, a preset time interval t and an observation time i;
if the user with the abnormal behavior exists in the current network, acquiring session record information of the user to be identified and terminal information of the user to be identified;
according to the session record information and the user terminal information, identifying the abnormal behavior user;
the judging whether the current network has the user with the abnormal behavior according to the state information of the current network, the preset time interval t and the observation time i comprises the following steps:
judging whether the full-network rate of the current network is reduced or not according to the full-network rate of the current network, a preset time interval t and an observation time i;
if the whole network rate of the current network is judged to be in a descending state, judging whether the network element rate of the current network is descending;
if the network element speed of the current network is judged to be in a descending state, selecting the first m service flow values in the service flow values as service flow values to be selected according to the size of the service flow values;
calculating the rate of the service to be selected corresponding to the service to be selected according to the preset time interval t and the value of the traffic of the service to be selected;
judging whether the rate of the service to be selected of the current network is reduced or not;
if the rate of the service to be selected of the current network is judged to be in a descending state, judging that users with abnormal behaviors exist in the current network;
the judging whether the full-network rate of the current network is reduced or not according to the full-network rate of the current network, a preset time interval t and an observation time i comprises the following steps:
acquiring the observation times n in a preset time interval t according to the preset time interval t and observation time i, wherein the observation time i is positioned between the starting time and the ending time corresponding to the preset time interval t;
calculating the average value of the full network speed within the preset time interval t according to the observation times n and the full network speed of the current network;
calculating the whole network rate reduction percentage of the current network according to the average value of the whole network rate and the whole network rate of the current network;
if the whole network rate reduction percentage of the current network is greater than or equal to the preset whole network rate percentage, judging that the whole network rate of the current network is in a reduction state;
the determining whether the network element rate of the current network decreases includes:
calculating the average value of the network element speed in the preset time interval t according to the observation times n and the network element speed of the current network;
calculating the network element rate reduction percentage of the current network according to the average value of the network element rates and the network element rate of the current network;
if the network element rate reduction percentage of the current network is greater than or equal to the preset network element rate percentage, judging that the network element rate of the current network is in a reduction state;
the judging whether the rate of the service to be selected of the current network is reduced includes:
calculating the average value of the service rate to be selected according to the service rate to be selected and the number m of the service flow to be selected;
according to the average value of the service rate to be selected
Figure FDA0002541637310000021
the service rate to be selected $V_{ij}$, and the average value of the network element rate
Figure FDA0002541637310000022
if the formula
Figure FDA0002541637310000023
yields a calculation result of 1, judging that the rate of the service to be selected of the current network is in a descending state, wherein j is the jth service;
the identifying the abnormal behavior user according to the session record information and the user terminal information comprises:
identifying, according to the number of accesses to a specific domain name in the session record information, each user to be identified whose number of accesses to the specific domain name is greater than a first access count threshold as an abnormal user;
taking each user to be identified whose number of accesses to the specific domain name is smaller than the first access count threshold as a first user to be identified;
extracting the mobile phone number of the first user to be identified, and identifying the first user to be identified as an abnormal user if the number of accesses to the specific domain name by the same mobile phone number is greater than a second access count threshold, wherein the second access count threshold is smaller than the first access count threshold;
taking each first user to be identified for whom the number of accesses to the specific domain name by the same mobile phone number is smaller than the second access count threshold as a second user to be identified;
extracting mobile phone terminal information of the second user to be identified, wherein the mobile phone terminal information comprises the manufacturer and model of the mobile phone terminal;
if the number of accesses to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third access count threshold, identifying the second user to be identified as an abnormal user, wherein the third access count threshold is smaller than the second access count threshold;
taking each second user to be identified for whom the number of accesses to the specific domain name by mobile phone terminals of the same manufacturer and model is smaller than the third access count threshold as a third user to be identified;
and extracting the position information of the mobile phone terminal of the third user to be identified, and identifying the third user to be identified as an abnormal user if the displacement of the mobile phone terminal's position within the preset time interval t is smaller than a preset distance threshold.
2. An abnormal behavior user recognition apparatus, comprising:
a network information obtaining unit, configured to obtain status information of a current network, where the status information includes: the whole network rate, the network element rate and the service flow value;
the judging unit is used for judging whether the current network has abnormal behavior users or not according to the state information of the current network, a preset time interval t and an observation time i;
the user information acquisition unit is used for acquiring session record information of a user to be identified and information of the user terminal to be identified if the user with the abnormal behavior exists in the current network;
the identification unit is used for identifying the abnormal behavior user according to the session record information and the user terminal information;
the judgment unit is used for:
judging whether the full-network rate of the current network is reduced or not according to the full-network rate of the current network, a preset time interval t and an observation time i;
if the whole network rate of the current network is judged to be in a descending state, judging whether the network element rate of the current network is descending;
if the network element rate of the current network is judged to be in a descending state, selecting the first m service flow values in the service flow values as service flow values to be selected according to the size of the service flow values;
calculating the rate of the service to be selected corresponding to the service to be selected according to the preset time interval t and the value of the traffic of the service to be selected;
judging whether the rate of the service to be selected of the current network is reduced or not;
if the rate of the service to be selected of the current network is judged to be in a descending state, judging that users with abnormal behaviors exist in the current network;
the judging unit is further configured to:
acquiring the observation times n in a preset time interval t according to the preset time interval t and observation time i, wherein the observation time i is positioned between the starting time and the ending time corresponding to the preset time interval t;
calculating the average value of the full network rate within the preset time interval t according to the observation times n and the full network rate of the current network;
calculating the whole network rate reduction percentage of the current network according to the average value of the whole network rate and the whole network rate of the current network;
if the whole network rate reduction percentage of the current network is greater than or equal to the preset whole network rate percentage, judging that the whole network rate of the current network is in a reduction state;
the judging unit is further configured to:
calculating the average value of the network element rate in the preset time interval t according to the observation times n and the network element rate of the current network;
calculating the network element rate reduction percentage of the current network according to the average value of the network element rates and the network element rate of the current network;
if the network element rate reduction percentage of the current network is greater than or equal to the preset network element rate percentage, judging that the network element rate of the current network is in a reduction state;
the judging unit is further configured to:
calculating the average value of the service rate to be selected according to the service rate to be selected and the number m of the service flow to be selected;
according to the average value of the service rate to be selected (Figure FDA0002541637310000051), the service rate to be selected V_ij, and the average value of the network element rate (Figure FDA0002541637310000052), if the result calculated by the formula (Figure FDA0002541637310000053) is 1, judging that the rate of the service to be selected of the current network is in a descending state, wherein j is the jth service;
the identification unit is used for:
identifying, according to the number of accesses to a specific domain name in the session record information, each user to be identified whose number of accesses to the specific domain name is greater than a first access count threshold as an abnormal user;
taking each user to be identified whose number of accesses to the specific domain name is smaller than the first access count threshold as a first user to be identified;
extracting the mobile phone number of the first user to be identified, and identifying the first user to be identified as an abnormal user if the number of accesses to the specific domain name by the same mobile phone number is greater than a second access count threshold, wherein the second access count threshold is smaller than the first access count threshold;
taking each first user to be identified for whom the number of accesses to the specific domain name by the same mobile phone number is smaller than the second access count threshold as a second user to be identified;
extracting mobile phone terminal information of the second user to be identified, wherein the mobile phone terminal information comprises the manufacturer and model of the mobile phone terminal;
if the number of accesses to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third access count threshold, identifying the second user to be identified as an abnormal user, wherein the third access count threshold is smaller than the second access count threshold;
taking each second user to be identified for whom the number of accesses to the specific domain name by mobile phone terminals of the same manufacturer and model is smaller than the third access count threshold as a third user to be identified;
and extracting the position information of the mobile phone terminal of the third user to be identified, and identifying the third user to be identified as an abnormal user if the displacement of the mobile phone terminal's position within the preset time interval t is smaller than a preset distance threshold.
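The four-stage identification recited in claim 1 and repeated for the identification unit of claim 2, as an added Python sketch that is not code from the patent. The record layout, function name, stage labels and sample values are assumptions; a count equal to a threshold is passed to the next stage because the claims leave that case open.

```python
from collections import Counter
from math import hypot

def identify_abnormal(records, positions, t1, t2, t3, min_move_m):
    """records: one (user_id, msisdn, vendor, model) tuple per access to the
    specific domain name; positions: user_id -> [(x_m, y_m), ...] within t.
    Returns {user_id: stage that flagged the user}."""
    if not t3 < t2 < t1:
        raise ValueError("the claims require T3 < T2 < T1")
    flagged, pending = {}, {r[0] for r in records}
    def live():  # accesses by users that no earlier stage has flagged
        return [r for r in records if r[0] in pending]
    def flag(users, stage):
        flagged.update((u, stage) for u in users)
        pending.difference_update(users)
    # Stage 1: access count per user to be identified.
    per_user = Counter(r[0] for r in live())
    flag({u for u, n in per_user.items() if n > t1}, "user")
    # Stage 2: access count per mobile phone number, lower threshold.
    per_msisdn = Counter(r[1] for r in live())
    flag({r[0] for r in live() if per_msisdn[r[1]] > t2}, "msisdn")
    # Stage 3: access count per terminal manufacturer and model.
    per_device = Counter(r[2:] for r in live())
    flag({r[0] for r in live() if per_device[r[2:]] > t3}, "device")
    # Stage 4: terminal barely moved during the interval (assumption:
    # displacement = straight-line distance between first and last fix;
    # users with fewer than two fixes are left unflagged).
    still = set()
    for u in pending:
        fixes = positions.get(u, [])
        if len(fixes) >= 2 and hypot(fixes[-1][0] - fixes[0][0],
                                     fixes[-1][1] - fixes[0][1]) < min_move_m:
            still.add(u)
    flag(still, "stationary")
    return flagged

# Constructed sample: (user, msisdn, vendor, model, accesses); placeholders only.
SPEC = [("A", "msisdn-1", "VendorW", "W1", 150),
        ("B1", "msisdn-2", "VendorV", "V1", 40), ("B2", "msisdn-2", "VendorU", "U1", 40),
        ("C1", "msisdn-3", "VendorX", "X1", 15), ("C2", "msisdn-4", "VendorX", "X1", 15),
        ("C3", "msisdn-5", "VendorX", "X1", 15),
        ("D", "msisdn-6", "VendorY", "Y1", 10), ("E", "msisdn-7", "VendorZ", "Z1", 10)]
SAMPLE = [row[:4] for row in SPEC for _ in range(row[4])]
FIXES = {"D": [(0, 0), (12, 5)], "E": [(0, 0), (3000, 4000)]}
RESULT = identify_abnormal(SAMPLE, FIXES, t1=100, t2=60, t3=30, min_move_m=200)
```

Because each stage aggregates on a coarser key with a lower threshold, stage 3 in particular can flag every remaining user of a popular handset model, so the third threshold needs tuning against the normal device mix of the network.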
CN201611035558.9A 2016-11-15 2016-11-15 Abnormal behavior user identification method and device Active CN108076032B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611035558.9A CN108076032B (en) 2016-11-15 2016-11-15 Abnormal behavior user identification method and device

Publications (2)

Publication Number Publication Date
CN108076032A (en) 2018-05-25
CN108076032B (en) 2020-11-06

Family

ID=62161671

Country Status (1)

Country Link
CN (1) CN108076032B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Guangdong global building, No.11 Zhujiang West Road, Zhujiang New Town, Tianhe District, Guangzhou, Guangdong 510630

Patentee after: China Mobile Group Guangdong Co.,Ltd.

Patentee after: CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd.

Address before: 510623 Guangdong global building, 11 Zhujiang West Road, Zhujiang New Town, Guangzhou City, Guangdong Province

Patentee before: China Mobile Group Guangdong Co.,Ltd.

Patentee before: China Mobile Communications Corp.