CN108156146A - A method and apparatus for identifying abnormal user operations

Info

Publication number: CN108156146A
Authority: CN (China)
Prior art keywords: data, user, flows, abnormal, packet
Legal status: Granted; active
Application number: CN201711377442.8A
Priority application: CN201711377442.8A
Other languages: Chinese (zh)
Other versions: CN108156146B (en)
Inventors: 杨磊, 焦洋
Current assignee: Beijing Gaia Mutual Entertainment Network Polytron Technologies Inc
Original assignee: Beijing Gaia Mutual Entertainment Network Polytron Technologies Inc

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS, involving identification of individual flows
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L67/131 Protocols for games, networked simulations or virtual reality
    • H04L67/14 Session management

Abstract

The object of the present invention is to provide a method and apparatus for identifying abnormal user operations. The present invention parses the inbound and outbound traffic data of an application server to reconstruct one or more user operation sequences, then compares the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations, and thereby judges whether a user is abnormal. Compared with the prior art, the present invention uses complete user data, without requiring heavy logging or heavy development work, to analyse detailed and highly complex user behaviour efficiently, accurately and in a timely manner, so as to identify abnormal user operations and abnormal users in the application.

Description

A method and apparatus for identifying abnormal user operations
Technical field
The present invention relates to the field of network technology, and in particular to a technique for identifying abnormal user operations.
Background art
Currently, whether for applications on PCs or applications on mobile terminals, abnormal users have always been a problem that troubles application service providers of every kind. Abnormal users control user operations by improper means such as bot scripts (literally "on-hook scripts"), thereby obtaining unjustified gains from the application service provider and degrading the experience of other users.
Taking the game industry as an example, a bot script uses a program to control the player's avatar in the game so that it acts along a designed route or a set pattern. Bots serve many purposes: obtaining the most experience points in the shortest time to reach a very high level, obtaining a specific item reward by participating in certain activities without pause, or automatically completing newcomer tasks by program and then, after reaching a certain level, posting scam messages in chat channels.
When certain users routinely use bot scripts on a large scale, gold-farming studios (打金工作室) are formed. Typically, a gold-farming studio operates as a group: it runs specific programs on a large number of terminals or emulators, simulating tens or even hundreds of fake players. Through these fake players it continually obtains high-value items and high-level game accounts, and finally seeks economic income by trading these virtual goods.
On the one hand, these behaviours disrupt the normal game environment: the presence of fake players and their participation in activities hinder the game experience of normal players. On the other hand, the studios trade virtual items in-game at abnormal prices and trade virtual currency offline at unreasonable exchange rates, both of which seriously affect the normal revenue of game companies.
In the prior art, combating bot scripts has essentially relied on manual identification by the operation staff of the application service provider. Taking games as an example, staff judge whether the prices at which items are auctioned in-game are reasonable, and combine character names, online duration, activity participation and similar information for manual review. This approach is time-consuming and laborious, and it is difficult to keep pace with the continual presence of bot scripts.
With the arrival of the big-data era, many application service providers have also begun to identify these abnormal users through machine learning and data mining. A typical approach is to collect a set of basic information about each user, such as name, online hours, login count, number of IP addresses used, number of devices used, how many characters exist on the same device, and so on, and then apply various machine learning algorithms so that a program automatically identifies abnormal users. This saves the work of operation staff to a certain extent, but since it is based on macroscopic statistics (such as the user's basic information) it still has many shortcomings:
First, identification by these macroscopic statistics carries some risk: there are always cases that slip through the net, and cases that are misjudged.
Second, since each judgement indicator (such as the different items of a user's basic information) is independent, no single indicator is very convincing. Once bot operators have broadly understood which macroscopic indicators the application service provider monitors, they can make bot-controlled users indistinguishable from real users on those indicators, for example by giving virtual users names, online hours and login counts similar to those of real users.
Third, machine learning has an inherent lag: the bot-identification model of each application requires fine tuning by experts, and as the application runs for longer, more and more bot scripts appear on the market, so the model needs constant retraining. Because discovering a new bot script already takes a certain amount of time, and training the model takes longer still, the timely location of abnormal users is seriously affected.
Fourth, if a bot script behaves too much like a real person, the operation staff of the application service provider may be unable to discover it by manual means alone, so they cannot guide the learning of the machine model either, and this class of bot users cannot be located.
Summary of the invention
The object of the present invention is to provide a method and apparatus for identifying abnormal user operations.
According to one embodiment of the present invention, a method for identifying abnormal user operations is provided, the method comprising the following steps:
obtaining the inbound and outbound traffic data of an application server;
parsing the inbound and outbound traffic data to generate one or more user operation sequences;
comparing the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
Optionally, the step of generating one or more user operation sequences comprises:
parsing the inbound and outbound traffic data to generate one or more items of user operation information;
generating one or more user operation sequences according to the user operation information and the order corresponding to the user operation information.
Optionally, the step of parsing the inbound and outbound traffic data to generate one or more items of user operation information comprises:
based on the data transport protocol, parsing the transport-related information of each traffic data packet in the inbound and outbound traffic data;
based on the transport-related information, grouping the traffic data packets and ordering the traffic data packets within each group, to generate one or more sessions;
parsing the sessions according to the application protocol corresponding to the application, to generate one or more items of user operation information, wherein the application corresponds to the application server.
Optionally, the step of grouping the traffic data packets comprises:
grouping the traffic data packets based on the sending/receiving IP addresses and port information corresponding to the traffic data packets.
Optionally, the step of ordering the traffic data packets within each group to generate one or more sessions comprises:
determining the sequential relationship between the traffic data packets according to the data transport protocol corresponding to them, with reference to the transport-related information;
ordering the traffic data packets within each group based on the sequential relationship, to generate one or more sessions.
Optionally, the method further comprises:
decrypting the traffic data packets in a session according to the key corresponding to that session;
wherein the step of parsing the sessions to generate one or more items of user operation information comprises:
parsing the decrypted sessions according to the application protocol corresponding to the application, to generate one or more items of user operation information.
Optionally, the step of identifying abnormal user operations comprises:
determining, according to a predetermined exception model, one or more user operation sequences to be analysed from among the user operation sequences, wherein at least one parameter contained in each user operation sequence to be analysed matches at least one item of abnormal operation data in the exception model;
identifying abnormal user operations according to the matching relationship between the user operation sequences to be analysed and the exception model.
Optionally, the method further comprises:
determining a plurality of abnormal users;
determining one or more historical operation sequences corresponding to the abnormal users according to the historical operation data corresponding to the abnormal users;
determining one or more items of abnormal operation data from the historical operation sequences according to a statistical result over the historical operation sequences;
generating the predetermined exception model according to the abnormal operation data.
Optionally, the method further comprises:
updating the set of abnormal users according to the users corresponding to the identified abnormal user operations.
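As an added illustration, not code from the patent, the model-generation and identification steps above in Python: windows of n consecutive operations taken from the historical operation sequences of known abnormal users, filtered against the sequences of normal users, serve as the abnormal operation data; the operation names, user names, window length and thresholds are constructed assumptions.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

OpSeq = Tuple[str, ...]      # one user operation sequence (operation names in order)
Pattern = Tuple[str, ...]    # one item of abnormal operation data (an n-gram of operations)


def ngrams(seq: OpSeq, n: int) -> List[Pattern]:
    """All windows of n consecutive operations in a sequence (empty if too short)."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def build_exception_model(abnormal_history: Dict[str, List[OpSeq]],
                          normal_history: Dict[str, List[OpSeq]],
                          n: int = 3, min_users: int = 2) -> Set[Pattern]:
    """Statistical result over the historical sequences of known abnormal users.

    An n-gram becomes abnormal operation data when at least `min_users` distinct
    abnormal users exhibit it and no normal user does; the comparison with
    normal operation data keeps ordinary play patterns out of the model.
    """
    support: Counter = Counter()
    for seqs in abnormal_history.values():
        user_grams: Set[Pattern] = set()
        for seq in seqs:
            user_grams.update(ngrams(seq, n))
        support.update(user_grams)            # count each pattern once per user
    normal_grams: Set[Pattern] = set()
    for seqs in normal_history.values():
        for seq in seqs:
            normal_grams.update(ngrams(seq, n))
    return {g for g, users in support.items()
            if users >= min_users and g not in normal_grams}


def matching_grams(seq: OpSeq, model: Set[Pattern], n: int) -> List[Pattern]:
    """Windows of `seq` that match an item of abnormal operation data."""
    return [g for g in ngrams(seq, n) if g in model]


def sequences_to_analyze(sequences: Dict[str, OpSeq], model: Set[Pattern],
                         n: int = 3) -> Dict[str, OpSeq]:
    """Keep only sequences in which at least one parameter matches the model."""
    return {u: s for u, s in sequences.items() if matching_grams(s, model, n)}


def identify_abnormal_operations(sequences: Dict[str, OpSeq], model: Set[Pattern],
                                 n: int = 3, min_ratio: float = 0.5) -> Dict[str, float]:
    """Flag a sequence when the share of its windows matching the model reaches min_ratio."""
    flagged = {}
    for user, seq in sequences_to_analyze(sequences, model, n).items():
        ratio = len(matching_grams(seq, model, n)) / len(ngrams(seq, n))
        if ratio >= min_ratio:
            flagged[user] = ratio
    return flagged


def update_abnormal_users(known: Set[str], identified: Dict[str, float]) -> Set[str]:
    """Add the users behind the identified abnormal operations to the abnormal-user set."""
    return known | set(identified)


# Constructed histories: the bots run a tight kill loop, the normal player
# chats and trades between kills.
ABNORMAL_HISTORY = {
    "bot_a": [("login", "accept_task", "move", "attack", "loot",
               "move", "attack", "loot", "submit_task")],
    "bot_b": [("login", "move", "attack", "loot", "move", "attack", "loot",
               "move", "attack", "loot", "logout")],
}
NORMAL_HISTORY = {
    "player_x": [("login", "chat", "move", "attack", "loot", "trade", "chat", "logout")],
}
# Constructed sequences to screen, as they would come out of the traffic parser.
CURRENT_SEQUENCES = {
    "player_1": ("login", "chat", "move", "attack", "loot", "chat", "move", "trade", "logout"),
    "player_2": ("login", "move", "attack", "loot", "move", "attack", "loot",
                 "move", "attack", "loot", "move", "attack", "loot", "logout"),
    "player_3": ("login", "trade", "logout"),
}

if __name__ == "__main__":
    model = build_exception_model(ABNORMAL_HISTORY, NORMAL_HISTORY)
    found = identify_abnormal_operations(CURRENT_SEQUENCES, model)
    print("abnormal operation data:", model)
    print("identified:", found)
    print("abnormal users:", update_abnormal_users({"bot_a", "bot_b"}, found))
```

With these inputs the model keeps only the uninterrupted loot-move-attack loop, since "move, attack, loot" also occurs in normal play; player_2 matches on half of its windows and is added to the abnormal-user set.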
Optionally, the step of obtaining the inbound and outbound traffic data of the application server comprises:
mirroring the inbound and outbound traffic data of the application server and storing it in a mirror storage device;
reading the inbound and outbound traffic data from the mirror storage device.
According to another embodiment of the present invention, an identification device for identifying abnormal user operations is also provided, the identification device comprising:
a first device for obtaining the inbound and outbound traffic data of an application server;
a second device for parsing the inbound and outbound traffic data to generate one or more user operation sequences;
a third device for comparing the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
Optionally, the second device comprises:
a unit 21 for parsing the inbound and outbound traffic data to generate one or more items of user operation information;
a unit 22 for generating one or more user operation sequences according to the user operation information and the order corresponding to the user operation information.
Optionally, unit 21 is configured to:
based on the data transport protocol, parse the transport-related information of each traffic data packet in the inbound and outbound traffic data;
based on the transport-related information, group the traffic data packets and order the traffic data packets within each group, to generate one or more sessions;
parse the sessions according to the application protocol corresponding to the application, to generate one or more items of user operation information, wherein the application corresponds to the application server.
Optionally, when grouping the traffic data packets, unit 21 is configured to:
group the traffic data packets based on the sending/receiving IP addresses and port information corresponding to the traffic data packets.
Optionally, when ordering the traffic data packets within each group to generate one or more sessions, unit 21 is configured to:
determine the sequential relationship between the traffic data packets according to the data transport protocol corresponding to them, with reference to the transport-related information;
order the traffic data packets within each group based on the sequential relationship, to generate one or more sessions.
Optionally, the third device is configured to:
determine, according to a predetermined exception model, one or more user operation sequences to be analysed from among the user operation sequences, wherein at least one parameter contained in each user operation sequence to be analysed matches at least one item of abnormal operation data in the exception model;
identify abnormal user operations according to the matching relationship between the user operation sequences to be analysed and the exception model.
Optionally, the identification device further comprises:
a fourth device for determining a plurality of abnormal users;
a fifth device for determining one or more historical operation sequences corresponding to the abnormal users according to the historical operation data corresponding to the abnormal users;
a sixth device for determining one or more items of abnormal operation data from the historical operation sequences according to a statistical result over the historical operation sequences;
a seventh device for generating the predetermined exception model according to the abnormal operation data.
Optionally, the identification device further comprises:
an eighth device for updating the set of abnormal users according to the users corresponding to the identified abnormal user operations.
According to another embodiment of the present invention, a computer-readable storage medium is also provided, characterised in that the computer storage medium stores computer-readable instructions which, when executed by one or more devices, cause the devices to perform the method described in any of the above embodiments.
According to another embodiment of the present invention, a computer device is also provided, the computer device comprising:
one or more processors;
a memory for storing one or more computer programs;
wherein, when the one or more computer programs are executed by the one or more processors, the one or more processors implement the method described in any of the above embodiments.
Compared with the prior art, the present invention parses the inbound and outbound traffic data of an application server to reconstruct one or more user operation sequences, then compares the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations, and thereby judges whether a user is abnormal. Thus, without requiring heavy logging or heavy development work, the present invention uses complete user data to analyse detailed and highly complex user behaviour efficiently, accurately and in a timely manner, so as to identify abnormal user operations and abnormal users in the application.
Description of the drawings
Other features, objects and advantages of the present invention will become more apparent from the detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 shows a system architecture diagram for identifying abnormal user operations according to a preferred embodiment of the present invention;
Fig. 2 shows a schematic diagram of an identification device for identifying abnormal user operations according to one aspect of the present invention;
Fig. 3 shows a schematic diagram of an identification device for identifying abnormal user operations according to a preferred embodiment of the present invention;
Fig. 4 shows a flowchart of a method for identifying abnormal user operations according to another aspect of the present invention;
Fig. 5 shows a flowchart of a method for identifying abnormal user operations according to a preferred embodiment of the present invention.
The same or similar reference numerals in the drawings represent the same or similar components.
Detailed description of embodiments
Before the exemplary embodiments are discussed in more detail, it should be mentioned that some of them are described as processes or methods depicted as flowcharts. Although a flowchart describes the operations as a sequential process, many of the operations may be performed in parallel, concurrently or simultaneously, and the order of the operations may be rearranged. A process may be terminated when its operations are completed, but it may also have additional steps not included in the drawings. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, and so on.
In this context, an "identification device", like a "computer device" (also called a "computer"), refers to an intelligent electronic device that carries out predetermined processes such as numerical computation and/or logical computation by running preset programs or instructions. It may comprise a processor and a memory, with the processor executing instructions pre-stored in the memory to carry out the predetermined process; alternatively, the predetermined process may be carried out by hardware such as an ASIC, FPGA or DSP, or by a combination of the two.
The computer device includes user equipment and/or network equipment. User equipment includes, but is not limited to, computers, smartphones, PDAs and the like; network equipment includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud composed of a large number of computers or network servers based on cloud computing, where cloud computing is a form of distributed computing: a super virtual computer composed of a group of loosely coupled computers. The computer device may operate alone to implement the present invention, or may access a network and implement the present invention by interacting with other computer devices in the network. The network in which the computer device resides includes, but is not limited to, the Internet, wide area networks, metropolitan area networks, local area networks, VPN networks and the like.
Those skilled in the art will understand that, under normal circumstances, the "identification device" described herein may be network equipment only, i.e., the corresponding operations are performed by the network equipment; in special cases it may be formed by integrating user equipment with network equipment or a server, i.e., the user equipment cooperates with the network equipment to perform the corresponding operations, for example by sending an instruction to the network equipment directing it to begin the operation of "identifying abnormal user operations".
It should be noted that the user equipment, network equipment and networks above are only examples; other existing or future computer devices or networks, where applicable to the present invention, should also be included within the scope of the present invention and are incorporated herein by reference.
Those skilled in the art will understand that the present invention can be used to identify abnormal user operations in any application; preferably, it applies to applications in which a large number of different operations are performed in a short time, for example identifying abnormal user operations in a game application. A game application involves a large number of different behaviours, and a user (player) can perform many different operations in a short time, forming complex user operation sequences; in other application scenarios the user operation behaviour involved is simpler, and the relatively simple behaviour types may not provide an obvious basis for discrimination.
Applications include mobile applications and non-mobile applications.
The specific structural and functional details disclosed herein are merely representative and serve the purpose of describing exemplary embodiments of the present invention. The present invention may, however, be embodied in many alternative forms and should not be construed as limited to the embodiments set forth herein.
It should be understood that although the terms "first", "second", etc. may be used herein to describe various units, these units should not be limited by these terms. These terms are used only to distinguish one unit from another. For example, without departing from the scope of the exemplary embodiments, a first unit could be termed a second unit, and similarly a second unit could be termed a first unit. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the exemplary embodiments. Unless the context clearly indicates otherwise, the singular forms "a" and "an" as used herein are intended to include the plural as well. It should also be understood that the terms "comprising" and/or "including" as used herein specify the presence of the stated features, integers, steps, operations, units and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, units, components and/or combinations thereof.
It should also be mentioned that in some alternative implementations the functions/actions noted may occur in an order different from that indicated in the drawings. For example, depending on the functions/actions involved, two figures shown in succession may in fact be executed substantially concurrently, or may sometimes be executed in the reverse order.
The present invention is described in further detail below with reference to the accompanying drawings.
Fig. 1 shows a kind of system architecture for being used to identify abnormal user operation according to a preferred embodiment of the present invention Figure.
User is interacted with application server by network, and the application provided with obtaining the application server takes Business.In above-mentioned interactive process, a large amount of data on flows that comes in and goes out is produced between the client of user and the application server, Mirror storage device to the discrepancy data on flows by any point in a network, carrying out mirror image, to obtain the discrepancy Data on flows.Preferably, the mirror storage device can be according to instruction, with specific one or the multiple applications for needing to obtain Server interacts, to obtain the discrepancy data on flows between the application server and user.
Identification equipment with the mirror storage device by interacting, to obtain the discrepancy data on flows and be solved Analysis, to identify that abnormal user operates.So as to which, the identification equipment with the application server without interact, entire parsing with Generating process is transparent for the application server, any influence will not be generated to the application server, thus also Normal application service is not interfered with.
Fig. 2 shows a kind of identification equipment schematic diagrames for being used to identify that abnormal user operates according to one aspect of the invention; Wherein, the identification equipment includes first device 1, second device 2 and 3rd device 3.
Specifically, the first device 1 obtains the discrepancy data on flows of application server;The second device 2 parses institute Discrepancy data on flows is stated, to generate one or more user's operation sequence;The 3rd device 3 by the user's operation sequence with Abnormal operation data and/or normal operational data are compared, to identify that abnormal user operates.
The first device 1 obtains the discrepancy data on flows of application server.
Specifically, the first device 1 is interacted by direct with the application server, is taken with obtaining the application The discrepancy data on flows being engaged between device and user, alternatively, the first device 1 with other by being capable of providing the discrepancy flow number According to equipment interact, to obtain the discrepancy data on flows of application server that the other equipment is provided, described.
Preferably, the first device 1 sets the discrepancy data on flows mirror image of application server and storing to mirrored storage In standby, then, the discrepancy data on flows is read from the mirror storage device.
Specifically, on any point of the first device 1 in a network, to the discrepancy data on flows of the application server Mirror image is carried out, to obtain in the discrepancy data on flows and the mirror storage device that is stored;Then, the first device 1 The discrepancy data on flows is read from the mirror storage device.
Preferably, the first device 1 can be the set of multiple devices, with perform respectively mirror image come in and go out data on flows with And read the discrepancy data on flows;Wherein, for perform the device of mirror image can be light-dividing device or other can be with Perform the device of mirror image operation.Preferably, the storage mode of the mirror storage device includes but not limited to distributed field system System or message queue, the first device 1 can have spy based on the process demand to the data on flows that comes in and goes out with selection The mirror storage device of storage mode is determined, to perform the storage to the data on flows that comes in and goes out.
The second device 2 parses the traffic data to generate one or more user operation sequences.
Specifically, the second device 2 groups the traffic data, parses the traffic data within each group, and takes the user operation information parsed from each group as one user operation sequence.
Alternatively, based on the data transmission protocol and the application protocol of the application, the second device 2 parses each traffic packet of the traffic data to determine the application protocol to which each packet corresponds; it then parses the packets of the same protocol to obtain the user operation information of the application; and then, based on the temporal order of the packets and the association between each packet and its user operation information, it determines one or more user operation sequences corresponding to the traffic data.
Alternatively, the second device 2 parses, according to the data transmission protocol, the transmission-related information of each traffic packet in the traffic data; based on that information it groups the packets and sorts the packets within each group to generate one or more sessions; finally it parses the sessions according to the application protocol corresponding to the application to generate one or more user operation information items of the application; and then, based on the temporal order of the packets and the association between each packet and its user operation information, it determines one or more user operation sequences corresponding to the traffic data.
Here, the application protocol is a protocol specific to the application, such as the game protocol of a game application or the shopping protocol of a shopping application. One application may correspond to one or more application protocols; taking a game application as an example, it may include an application protocol for "a player sends flowers to another player", one for "performing an interactive task", one for "purchasing an item", and so on.
Those skilled in the art will understand that the second device 2 may correspond to multiple devices forming a distributed cluster that parses the traffic data in a distributed manner.
The third device 3 compares the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
Specifically, the third device 3 compares a generated user operation sequence with the abnormal operation data in an abnormal model to judge whether the user operation sequence matches the abnormal operation data; if it matches, the user operation sequence is classified as an abnormal user operation.
Alternatively, the third device 3 compares the generated user operation sequence with the normal operation data in a normal model; if the user operation sequence matches the features of the normal operation data it is considered a normal user operation, otherwise it is considered an abnormal user operation. Comparison against a normal model flags every sequence the model has not seen, so it misses fewer novel abuses than the abnormal-model comparison but produces more false positives and needs a more complete model.
Here, the normal model and the abnormal model may be obtained by manual labeling, machine learning, or similar means; the normal model may contain one or more normal operation data items, and the abnormal model may contain one or more abnormal operation data items.
The abnormal operation data and/or the normal operation data include but are not limited to a single user operation or an operation sequence formed from a series of individual user operations. If some operation in the user operation sequence matches such a single user operation, or all or part of the user operations in the sequence match such an operation sequence, the user operation sequence is considered to belong to the abnormal operation data or to the normal operation data.
Preferably, the abnormal operation data and/or the normal operation data include only operation sequences composed of multiple user operations.
Here, the manual labeling means, for example: according to manual analysis of a large amount of user behavior data by the application's operations staff, a suspicious operation behavior sequence is recorded as one abnormal operation information item in the abnormal model.
The machine learning means, for example:
1. Analyze all user behaviors and filter out the batch of network protocols that appear frequently but have little discriminative power, for example the series of movement-related network protocols;
2. Split the remaining behaviors into blocks with an N-gram algorithm, cutting every N consecutive behaviors (N is variable, for example N=4) into one behavior block;
3. Count the occurrences of all behavior blocks of all users;
4. Combine this with machine-learning identification of the users' basic information (also called macro indicators) to automatically label a batch of users as abnormal users;
5. Among all the behavior blocks counted above, count the occurrences of each N-gram behavior block of the labeled abnormal users and take the most frequent blocks as high-suspicion behavior blocks;
6. Generate abnormal user operations from the high-suspicion behavior blocks.
Thereby, the present invention can generate an abnormal model containing abnormal user operations.
Preferably, the third device 3 determines, according to a predetermined abnormal model, one or more user operation sequences to be analyzed from among the user operation sequences, where at least one parameter of each sequence to be analyzed matches at least one abnormal operation data item contained in the abnormal model; it then identifies abnormal user operations according to the matching relationship between the sequence to be analyzed and the abnormal model.
Specifically, the third device 3 analyzes and extracts the parameters of the user operation sequences according to the predetermined abnormal model, so as to determine those user operation sequences one or more of whose parameters match the parameters of the abnormal operation data, and takes them as the user operation sequences to be analyzed.
The parameters include but are not limited to: a time parameter (for example, if the abnormal operation data corresponds to a certain time, the user operation sequence of the corresponding time is extracted for analysis); a preceding-operation parameter (for example, a login operation is taken as the preceding operation and the one or more operations that follow it form one sequence to be analyzed); a subsequent-operation parameter (for example, a logout operation is taken as the subsequent operation and the one or more operations before the logout form one sequence to be analyzed); a specific-operation parameter (for example, both the abnormal operation data in the abnormal model and the sequence to be analyzed contain a specific call to a certain API); a location parameter (for example coordinates, i.e. an abnormal operation triggered in a certain area, where the coordinates include coordinates of the map inside the user's application (such as map coordinates) or the user's actual geographic coordinates (such as coordinates corresponding to a GPS position)); and so on.
After the user operation sequences to be analyzed are determined, they are matched against the abnormal model; if a sequence to be analyzed matches a user operation in the abnormal model, that sequence is identified as an abnormal user operation.
Preferably, the identification equipment further includes a fourth device (not shown), a fifth device (not shown), a sixth device (not shown) and a seventh device (not shown); the fourth device determines multiple abnormal users; the fifth device determines, according to the historical operation data of the abnormal users, one or more historical operation sequences corresponding to the abnormal users; the sixth device determines one or more abnormal operation data items from the historical operation sequences according to statistics over those sequences; and the seventh device generates the predetermined abnormal model from the abnormal operation data.
Specifically, the fourth device determines the multiple abnormal users by obtaining manually labeled data or by machine learning. Here, abnormal users include but are not limited to users who exploit system vulnerabilities, users who use scripts or cheat programs, and other users who use improper means and have a negative impact on the application system or on other users.
The process of generating the abnormal model is described below for the manual-labeling approach and the machine-learning approach in turn.
The manual labeling means, for example:
Through manual analysis of a large amount of user behavior data, the application's operations staff label the users that show suspicious operation behavior sequences as abnormal users, and the fourth device obtains the abnormal users so determined.
The fifth device splits the multiple historical operations in the historical operation data of each abnormal user into blocks, for example every N historical operations into one operation block, and determines each operation block as one historical operation sequence corresponding to that abnormal user.
The sixth device determines one or more abnormal operation data items from the historical operation sequences according to statistics over them; for example, if a certain historical operation sequence occurs frequently and is an abnormal operation sequence, it can be taken as abnormal operation data. The seventh device then generates the predetermined abnormal model from the abnormal operation data.
The machine learning means, for example:
1. Analyze all user behaviors and filter out the batch of network protocols that appear frequently but have little discriminative power, for example the series of movement-related network protocols;
2. Split the remaining behaviors into blocks with an N-gram algorithm, cutting every N consecutive behaviors (N is variable, for example N=4) into one behavior block;
3. Count the occurrences of all behavior blocks of all users;
4. Combine this with machine-learning identification of the users' basic information (also called macro indicators) to automatically label a batch of users as abnormal users.
The fifth device determines, from the historical operation data of the abnormal users, the one or more historical operation sequences corresponding to them, i.e. it takes the behavior blocks belonging to the abnormal users as the historical operation sequences.
The sixth device computes statistics over the historical operation sequences, for example counting the occurrences of each N-gram behavior block and taking the most frequent historical operation sequences as high-suspicion behavior blocks; it then generates abnormal operation data from the high-suspicion behavior blocks.
Then, the seventh device generates the predetermined abnormal model from the abnormal operation data. Thereby, the present invention can generate an abnormal behavior database (i.e. the abnormal model) of abnormal operation data.
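The machine-learning procedure above (both the six-step version and the fourth-to-seventh-device version, which describe the same pipeline) is shown below as an added worked example. It is not code from the patent: the behavior logs, the macro indicators, and the threshold rule that stands in for the machine-learning labeller are all constructed here for illustration, and the protocol names are hypothetical.

```python
from collections import Counter

# Constructed sample data (not from the patent): per-user ordered behavior logs,
# each entry naming the application-protocol message the user sent.
SCRIPT_RUN = ["login", "open_config", "set_display", "move", "move",
              "add_friend_api", "add_friend_api", "accept_task", "team_up",
              "teleport", "portrait", "logout"]
HUMAN_RUN_A = ["login", "move", "open_mail", "delete_mail", "move", "move",
               "open_bag", "upgrade_pet", "move", "fight", "use_skill", "logout"]
HUMAN_RUN_B = ["login", "open_config", "set_display", "move", "open_bag",
               "move", "fight", "use_skill", "move", "logout"]
BEHAVIOR_LOG = {
    "u1": HUMAN_RUN_A * 2,
    "u2": HUMAN_RUN_B + HUMAN_RUN_A,
    "s1": SCRIPT_RUN * 2,
    "s2": SCRIPT_RUN * 2,
    "s3": SCRIPT_RUN * 2,
}
# Constructed "macro indicators" (basic per-user information), used by the
# threshold rule that stands in for the patent's machine-learning labeller.
MACRO_INDICATORS = {
    "u1": {"logins_per_day": 2, "friends_added_per_day": 1},
    "u2": {"logins_per_day": 3, "friends_added_per_day": 2},
    "s1": {"logins_per_day": 40, "friends_added_per_day": 150},
    "s2": {"logins_per_day": 35, "friends_added_per_day": 120},
    "s3": {"logins_per_day": 28, "friends_added_per_day": 90},
}


def filter_low_discrimination(ops, drop=frozenset({"move"})):
    """Step 1: drop protocols that are frequent but carry little signal."""
    return [op for op in ops if op not in drop]


def ngram_blocks(ops, n=4):
    """Step 2: cut the behavior list into blocks of N consecutive behaviors."""
    return [tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)]


def count_blocks(log, n=4):
    """Step 3: per-user block counts plus the global count over all users."""
    per_user = {user: Counter(ngram_blocks(filter_low_discrimination(ops), n))
                for user, ops in log.items()}
    total = Counter()
    for counts in per_user.values():
        total.update(counts)
    return per_user, total


def label_abnormal_users(macro, login_limit=20, friend_limit=50):
    """Step 4: threshold rule on macro indicators (assumed limits, stand-in for ML)."""
    return {user for user, m in macro.items()
            if m["logins_per_day"] >= login_limit
            or m["friends_added_per_day"] >= friend_limit}


def high_suspicion_blocks(per_user, abnormal_users, top_k=3):
    """Step 5: the most frequent blocks pooled over the labelled abnormal users."""
    pooled = Counter()
    for user in abnormal_users:
        pooled.update(per_user[user])
    return pooled.most_common(top_k)


def build_exception_model(log, macro, n=4, top_k=3):
    """Step 6: high-suspicion blocks become the abnormal operation data."""
    per_user, _ = count_blocks(log, n)
    abnormal = label_abnormal_users(macro)
    blocks = high_suspicion_blocks(per_user, abnormal, top_k)
    return {"abnormal_users": abnormal,
            "abnormal_operations": [block for block, _ in blocks]}


if __name__ == "__main__":
    model = build_exception_model(BEHAVIOR_LOG, MACRO_INDICATORS)
    for block in model["abnormal_operations"]:
        print(" -> ".join(block))
```

With N=4 and the movement protocol filtered out, the script users' repeated login ritual ("login", "open_config", "set_display", "add_friend_api") is the most frequent block among the labelled abnormal users and therefore the first abnormal operation data item; raising `top_k` yields the rest of the scripted run, and blocks that span a logout/login boundary occur only once per user and fall below the repeated ones.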
Preferably, the identification equipment further includes an eighth device (not shown), which updates the set of abnormal users according to the users corresponding to the identified abnormal user operations.
Specifically, the eighth device may count the users corresponding to the abnormal user operations and add those users to the abnormal users.
For example, if many behavior blocks of a certain user match suspicious behavior blocks, that user is considered an abnormal user; by then following this abnormal user, the user's subsequent behavior is also used as training data for the machine-learning model, so as to analyze whether the user's other behaviors belong to high-suspicion behaviors. A cycle in which abnormal users and abnormal operation data determine each other is thus realized.
Taking a game application as an example, the detailed process of identifying abnormal user operations and abnormal users is described below:
In the game, a user operation sequence is, for example, the following string of information:
"the player clicks the login button, the player enters the main game scene, the player checks mail, deletes mail, opens the system settings, changes the volume, changes the number of characters displayed in the scene, the player opens the backpack, the player upgrades his pet, the player moves along a path to point A and point B on the road and enters the battle interface, the player uses skill A", and so on.
During one run from logging in to closing the game, a user may generate hundreds or thousands of game behaviors that are sent to the game server. The identification equipment parses the inbound and outbound traffic data to generate one or more user operation sequences and then analyzes those sequences.
Here, the user operation sequences may be divided by time, for example the user operations of every five minutes form one user operation sequence; by the number of user operations, for example every 10 user operations form one sequence; or by a specific operation such as switching map, where the operations before and after the specific operation respectively form user operation sequences.
Then, the identification equipment detects whether the one or more user operation sequences contain a specific behavior string, for example whether the user performs "open game settings, change display effect" after logging in. If a user performs "open game settings, change display effect" every time the game is logged in, that user may be an abnormal user, because a user controlled by a script has a fixed operation pattern and repeats exactly the same operations, which a normal user does not. Normal users do not reconfigure the settings every time they open the game; usually they adjust them only once or twice, and only a script user performs the identical operations on every run.
In addition, certain abnormal operations are operations that normal users never perform. For example, to add a friend, a normal user clicks another user's character on the map and selects "add friend" in the pop-up action window; but certain scripts directly call the "add friend" network protocol API and pass the other user's character ID to that API. Therefore, the operation "call the add-friend network protocol API" is itself an abnormal operation, and a user who performs it is a suspected abnormal user.
Building on the example above, suppose the game launches a "portrait task" activity requiring the player to "find a user meeting a specific condition on the large map, click that user's avatar and choose to give the user a portrait". Since most scripts lack image recognition, a script user cannot identify the users that meet the task requirement on the large map; such scripts therefore first add a large number of friends, each friend meeting one of the special conditions of the portrait task. After the script accepts a portrait task it teams up with the corresponding friend according to the task requirement; teaming up teleports both to the same position on the large map, and the script then gives that friend a portrait to complete the task.
Such script operation is hard to detect from macro indicators or from simple in-game logs. By analyzing the user operation sequences, however, if a user shows "add a large number of friends" together with the sequence "accept portrait task, team up with friend, teleport on the large map, give portrait", this suspicious operation combination can be identified and the abnormal user identified from it.
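The three ways of dividing a user operation sequence (by time, by count, by a specific operation), the preceding-operation parameter from the parameter list earlier (login as the preceding operation), and the three detections in the game example (the repeated login ritual, the direct add-friend API call, the portrait-task combination) are exercised below in one added example. This is not the patent's code: the operation log, the exception model contents, the operation names and the "three logins" threshold are all constructed here for illustration.

```python
from collections import Counter

# Constructed operation log (not from the patent): (t_seconds, user, operation),
# as reconstructed from parsed traffic; each user's entries are in time order.
def _session(user, start, ops):
    return [(start + i, user, op) for i, op in enumerate(ops)]

LOG = (
    _session("u1", 0, ["login", "open_config", "set_display", "move", "open_mail",
                       "delete_mail", "switch_map", "fight", "use_skill", "logout"])
    + _session("u1", 1000, ["login", "move", "open_bag", "logout"])
    + _session("u1", 2000, ["login", "move", "fight", "use_skill", "logout"])
    + _session("s1", 0, ["login", "open_config", "set_display", "add_friend_api",
                         "add_friend_api", "add_friend_api", "accept_task", "team_up",
                         "teleport", "portrait", "logout"])
    + _session("s1", 600, ["login", "open_config", "set_display", "accept_task",
                           "team_up", "teleport", "portrait", "logout"])
    + _session("s1", 1200, ["login", "open_config", "set_display", "accept_task",
                            "team_up", "teleport", "portrait", "logout"])
)

# Constructed exception model: one single abnormal operation and one abnormal sequence.
EXCEPTION_MODEL = {
    "single_ops": {"add_friend_api"},
    "sequences": [("accept_task", "team_up", "teleport", "portrait")],
}


def ops_for(user, log):
    return [(t, op) for t, u, op in log if u == user]


def split_by_time(ops, window=300):
    """Division by time: one sequence per fixed window (default five minutes)."""
    buckets = {}
    for t, op in ops:
        buckets.setdefault(t // window, []).append(op)
    return [buckets[k] for k in sorted(buckets)]


def split_by_count(ops, n=10):
    """Division by count: one sequence per n operations."""
    names = [op for _, op in ops]
    return [names[i:i + n] for i in range(0, len(names), n)]


def split_on_operation(ops, marker):
    """Division by a specific operation: the marker starts a new sequence."""
    seqs, cur = [], []
    for _, op in ops:
        if op == marker and cur:
            seqs.append(cur)
            cur = []
        cur.append(op)
    if cur:
        seqs.append(cur)
    return seqs


def is_subsequence(pattern, seq):
    """True if the pattern's operations occur in seq in order (gaps allowed)."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)


def match_model(seq, model):
    hits = [op for op in seq if op in model["single_ops"]]
    hits += [pat for pat in model["sequences"] if is_subsequence(pat, seq)]
    return hits


def login_ritual_ratio(ops, ritual=("open_config", "set_display")):
    """Share of login sessions that begin with the fixed ritual right after login."""
    sessions = [s for s in split_on_operation(ops, "login") if s[0] == "login"]
    if not sessions:
        return 0.0
    hit = sum(1 for s in sessions if tuple(s[1:1 + len(ritual)]) == ritual)
    return hit / len(sessions)


def assess_user(user, log, model=EXCEPTION_MODEL, min_logins=3):
    ops = ops_for(user, log)
    sessions = split_on_operation(ops, "login")  # login as the preceding operation
    hits = Counter()
    for s in sessions:
        hits.update(match_model(s, model))
    ratio = login_ritual_ratio(ops)
    scripted = len(sessions) >= min_logins and ratio == 1.0
    return {"user": user, "sessions": len(sessions), "ritual_ratio": ratio,
            "scripted_login": scripted, "model_hits": dict(hits),
            "abnormal": scripted or bool(hits)}


if __name__ == "__main__":
    for user in ("u1", "s1"):
        print(assess_user(user, LOG))
```

The ritual check deliberately requires every login session to match, not merely most of them, since the page's argument is that a human adjusts settings once or twice while a script repeats the identical steps on every run; `min_logins` keeps a user with a single session from being flagged on one data point.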
Fig. 3 shows a schematic diagram of an identification equipment for identifying abnormal user operations according to a preferred embodiment of the present invention; the identification equipment includes a first device 1, a second device 2 and a third device 3, where the second device 2 includes a unit 21 and a unit 22.
Specifically, the first device 1 obtains the inbound and outbound traffic data of the application server; the unit 21 of the second device 2 parses the traffic data to generate one or more user operation information items; the unit 22 of the second device 2 generates one or more user operation sequences according to the user operation information and the order corresponding to it; and the third device 3 compares the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
The first device 1 and the third device 3 are the same as or similar to the corresponding devices described with respect to Fig. 2, so they are not described again here and are incorporated herein by reference.
The unit 21 of the second device 2 parses the traffic data to generate one or more user operation information items.
Specifically, based on the data transmission protocol and the application protocol of the application, the unit 21 parses each traffic packet of the traffic data to determine the application protocol corresponding to each packet, and then parses the packets of the same protocol to obtain the user operation information of the application.
Alternatively, the unit 21 parses, according to the data transmission protocol, the transmission-related information of each traffic packet in the traffic data; based on that information it groups the packets and sorts the packets within each group to generate one or more sessions; finally it parses the sessions according to the application protocol corresponding to the application to generate one or more user operation information items of the application.
The unit 22 of the second device 2 generates one or more user operation sequences according to the user operation information and the order corresponding to it.
Specifically, the unit 22 determines the one or more user operation sequences corresponding to the traffic data based on the temporal order among the traffic packets and the association between each packet and its corresponding user operation information.
Preferably, the unit 21 is configured to parse, according to the data transmission protocol, the transmission-related information of each traffic packet in the traffic data; to group the packets based on that information and sort the packets within each group to generate one or more sessions; and to parse the sessions according to the application protocol corresponding to the application, where the application is the one served by the application server, to generate one or more user operation information items.
Specifically, the unit 21 interacts with the first device 1, or directly with the mirror storage device, to read the traffic data held by the first device 1 or by the mirror storage device; the unit 21 then parses each traffic packet in the traffic data according to the data transmission protocol used by the application server to obtain the transmission-related information.
Each traffic record read by the unit 21 is a binary byte array; the unit 21 parses these arrays according to the data transmission protocol, first restoring the Ethernet, IP and TCP/UDP headers and then the transmitted data portion that follows those headers, and further analyzes this information to obtain the transmission-related information.
The transmission-related information includes but is not limited to the sending IP and port, the receiving IP and port, SEQ, ACK, the packet size, the flags and fragment offset, and the transmitted data portion (the application content that is analyzed later) of each traffic packet. Those skilled in the art will understand that the transmission-related information differs with the type of packet, for example TCP packets versus UDP packets. For example, the transmission-related information of a TCP packet may include the sending IP and port, the receiving IP and port, SEQ, ACK, the packet size and the transmitted data portion; the transmission-related information of a UDP packet may include the sending IP and port, the receiving IP and port, the flags and fragment offset (the fragmentation fields carried in the IP header, since UDP itself has no sequence numbers) and the transmitted data portion.
Then, the unit 21 groups the traffic packets based on one or more items of the transmission-related information; the grouping methods include but are not limited to:
Method 1: grouping by the sending IP and receiving IP of the packets. For example, if two packets have the same sending IP and the same receiving IP, they are placed in one group; or, if the sending IP of a first packet equals the receiving IP of a second packet and the sending IP of the second packet equals the receiving IP of the first packet, the first and second packets are placed in one group. This can be applied iteratively: for example, if the sending IP of the second packet equals the receiving IP of a third packet and the sending IP of the third packet equals the receiving IP of the second packet, the third packet is placed in the group of the first and second packets, until all packets with corresponding IPs have been assigned.
Method 2: preferably, grouping by the sending/receiving IP and port information of the packets, i.e. two packets whose sending/receiving IPs and ports correspond are placed in one group. For example, if two packets have the same sending IP/port and receiving IP/port, they are placed in one group; or, if the sending IP/port of a first packet equals the receiving IP/port of a second packet and the sending IP/port of the second packet equals the receiving IP/port of the first packet, the two packets are placed in one group. As above, this can be applied iteratively. Grouping by port as well as by IP separates multiple connections between the same pair of hosts, which Method 1 would merge.
Method 3: grouping by the continuity of the packets. For example, two TCP packets can be grouped by the continuity of their SEQ, ACK and packet size: if the sender's SEQ plus its packet size equals the receiver's ACK and the sender's ACK equals the receiver's SEQ, the two packets are continuous and can be placed in one group (the size to add is the TCP payload length, since sequence numbers count payload bytes, with SYN and FIN each consuming one sequence number). Similarly, two UDP packets can be grouped in a default order or by the flags and fragment offset in the packet header.
Those skilled in the art will understand that the grouping methods above may be applied individually or in combination to further improve the efficiency and effect of grouping. For example, only Method 1, Method 2 or Method 3 may be applied to perform grouping alone; or Method 1 may be combined with Method 3, or Method 1 with Method 2, to improve grouping efficiency and at the same time complete the grouping together with the continuity determination, so that the sorting is also completed.
After the grouping of the traffic packets is completed, the unit 21 sorts all the packets in each group in time order and generates one or more sessions from the sorted packets. A session may be a short session or a long session: for a game application the sessions are mostly long sessions, i.e. one message stream contains a large number of messages back and forth and may last more than ten minutes or even tens of minutes; for an ordinary application such as a shopping application the sessions are mostly short sessions, i.e. a message stream contains few messages back and forth.
Here, if the traffic packets contain time information, they are sorted according to that time information.
If the traffic packets contain no time information, the serial relationship between the packets can be judged from the data transmission protocol of the packets together with the transmission-related information, and the packets in each group are sorted according to that serial relationship to generate one or more sessions.
For example, if the packets are TCP packets, the serial relationship can be judged from the SEQ, ACK and packet size of the packets, i.e. if the sender's SEQ plus its packet size equals the receiver's ACK and the sender's ACK equals the receiver's SEQ, the two packets are continuous; if the packets are UDP packets, the relationship can be parsed directly from the flags and fragment offset in the packet header.
Those skilled in the art will understand that even if the traffic packets contain time information, the packets can still be sorted by the method above without using that time information. Sorting by SEQ/ACK continuity is also the only option when a capture timestamp is coarse or when packets arrive out of order at the mirror point.
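The grouping and sorting procedure of the unit 21 (grouping by IP and port, then ordering each group by SEQ/ACK continuity to form a session) is shown below as an added example; it covers both the session-generation alternative described for the second device 2 earlier and the detailed grouping methods here. It is not the patent's code: the packets are constructed here, with a second connection from the same client host to show why Method 2 separates what Method 1 merges, and the capture order is shuffled to show that continuity alone recovers the session.

```python
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    """Transmission-related fields recovered from the IP/TCP headers of one mirrored packet."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    seq: int
    ack: int
    payload: bytes

    @property
    def size(self):
        # Sequence numbers advance by payload bytes, so this is the size the continuity rule adds.
        return len(self.payload)


C_IP, S_IP, S_PORT = "10.0.0.5", "203.0.113.10", 7000  # constructed addresses


def tcp(src, sport, dst, dport, seq, ack, payload):
    return Packet(src, sport, dst, dport, "tcp", seq, ack, payload)


# Constructed sample capture (not real traffic), in arrival order: two connections from
# the same client host to the game server, interleaved, plus one pure ACK without payload.
SAMPLE_PACKETS = [
    tcp(C_IP, 5123, S_IP, S_PORT, 1000, 5000, b"LOGIN:alice"),
    tcp(S_IP, S_PORT, C_IP, 5123, 5000, 1011, b"OK"),
    tcp(C_IP, 5123, S_IP, S_PORT, 1011, 5002, b""),            # pure ACK
    tcp(C_IP, 6001, S_IP, S_PORT, 7000, 9000, b"LOGIN:bob"),
    tcp(C_IP, 5123, S_IP, S_PORT, 1011, 5002, b"OPEN_CONFIG"),
    tcp(S_IP, S_PORT, C_IP, 6001, 9000, 7009, b"OK"),
    tcp(S_IP, S_PORT, C_IP, 5123, 5002, 1022, b"OK"),
    tcp(C_IP, 5123, S_IP, S_PORT, 1022, 5004, b"SET_DISPLAY"),
    tcp(S_IP, S_PORT, C_IP, 5123, 5004, 1033, b"OK"),
]


def flow_key(p, with_ports=True):
    """Bidirectional group key: Method 2 (IP+port) by default, Method 1 (IP only) otherwise."""
    a = (p.src, p.sport) if with_ports else (p.src,)
    b = (p.dst, p.dport) if with_ports else (p.dst,)
    return (p.proto, frozenset([a, b]))


def group_packets(packets, with_ports=True):
    groups = defaultdict(list)
    for p in packets:
        groups[flow_key(p, with_ports)].append(p)
    return dict(groups)


def follows(a, b):
    """Continuity rule: True if TCP packet b is the direct successor of packet a."""
    same_direction = (a.src, a.sport) == (b.src, b.sport)
    if same_direction:  # next segment from the same side: SEQ advanced by a's payload
        return b.seq == a.seq + a.size and b.ack == a.ack
    # reply from the other side: its ACK covers a's payload and its SEQ is what a acknowledged
    return b.ack == a.seq + a.size and b.seq == a.ack


def order_by_continuity(group):
    """Order one group's packets by SEQ/ACK continuity without using timestamps."""
    remaining = [p for p in group if p.size > 0]  # pure ACKs carry no application data
    ordered = []
    while remaining:
        # start from a packet that no other packet precedes; fall back if none (loss, mid-capture)
        cur = next((p for p in remaining
                    if not any(follows(q, p) for q in remaining if q is not p)), remaining[0])
        while cur is not None:
            ordered.append(cur)
            remaining.remove(cur)
            cur = next((p for p in remaining if follows(cur, p)), None)
    return ordered


def build_sessions(packets, with_ports=True, shuffle_seed=None):
    """Group, then order each group; returns {flow_key: [payload, ...]} in session order."""
    pkts = list(packets)
    if shuffle_seed is not None:
        random.Random(shuffle_seed).shuffle(pkts)  # simulate out-of-order arrival at the mirror
    return {key: [p.payload for p in order_by_continuity(group)]
            for key, group in group_packets(pkts, with_ports).items()}


if __name__ == "__main__":
    for key, payloads in build_sessions(SAMPLE_PACKETS, shuffle_seed=7).items():
        print(sorted(key[1]), payloads)
```

The fallback in `order_by_continuity` matters in practice: with a dropped packet at the mirror port no packet follows the one before the gap, so the walk restarts from the next packet that has no predecessor instead of silently discarding the rest of the session.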
A section of consecutive traffic packets is exemplified below:
Table 1: Transmission-related information of consecutive traffic packets
Note: Size denotes the packet size.
Next, the unit 21 parses the generated sessions according to the application protocol corresponding to the application, where the application protocol is a protocol specific to the application, such as the game protocol of a game application or the shopping protocol of a shopping application.
According to the application protocol, the session content is parsed and restored to generate the application content corresponding to the session as the application data of the application, from which the user operation information is extracted. Here, the application data is the data that is meaningful at the application level, for example game operation data in a game or purchase data in shopping.
Those skilled in the art will understand that if the traffic packets are not encrypted, the session can be parsed directly to generate the application data; if the traffic packets are encrypted, the packets in the session are first decrypted and the ordinary parsing is then performed to generate the application data.
Preferably, the identification equipment further includes a ninth device (not shown), which decrypts the traffic packets in the session according to the key corresponding to that session; the unit 21 then parses the decrypted session according to the application protocol corresponding to the application to generate one or more user operation information items.
Specifically, the ninth device determines the key and the decryption method according to the encryption mode of the application. Here, the key may be a fixed key or a dynamic key, and the ways of obtaining the key include but are not limited to directly acquiring the key corresponding to the application, or analyzing the first few frames of the session or of the application server's traffic data to determine the key and/or the encryption mode.
Those skilled in the art will understand that any method capable of decrypting the traffic packets is applicable to the present invention.
After the ninth device has decrypted the traffic packets with the key, the unit 21 obtains the decrypted session and parses it according to the application protocol corresponding to the application to generate the application data, from which it extracts the user operation information. Here, the parsing method differs with the serialization format used by the application.
For example, if the application protocol (or game protocol) of a game application is Protobuf and the encryption mode is encryption with a single fixed key, the ninth device first decrypts the traffic packets with the corresponding key, and the session is then parsed in the Protobuf format.
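The decrypt-then-parse step for a Protobuf game protocol is shown below as an added example, not the patent's code. It implements the Protobuf wire format directly (varint tags, varint and length-delimited and fixed-width fields) rather than depending on a generated schema, so it can be pointed at any session payload; the message layout (field 1 = op code, field 2 = target, field 3 = timestamp), the op-code table, and the sample message are constructed here and are not from any real game. The cipher is left as a `decrypt` callable because the page does not name one; the example runs on already-decrypted bytes.

```python
# Hypothetical op-code table for the game protocol (assumed, not from the patent).
OP_NAMES = {1: "login", 2: "open_config", 3: "set_display", 7: "add_friend_api", 9: "portrait"}


def encode_varint(n):
    """Protobuf base-128 varint (used here only to construct sample messages)."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf, pos):
    """Return (value, next_pos); rejects truncated or over-long varints."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_fields(buf):
    """Generic wire-format walk: {field_number: [values...]} with bounds checks."""
    fields, pos = {}, 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 7
        if number == 0:
            raise ValueError("illegal field number 0")
        if wire_type == 0:                      # varint
            value, pos = decode_varint(buf, pos)
        elif wire_type == 2:                    # length-delimited (bytes/string/sub-message)
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type in (1, 5):               # fixed64 / fixed32
            width = 8 if wire_type == 1 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value, pos = int.from_bytes(buf[pos:pos + width], "little"), pos + width
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.setdefault(number, []).append(value)
    return fields


def build_user_op(op_code, target, timestamp):
    """Construct a sample UserOp message: field 1 varint, field 2 bytes, field 3 varint."""
    target_bytes = target.encode("utf-8")
    return (bytes([0x08]) + encode_varint(op_code)
            + bytes([0x12]) + encode_varint(len(target_bytes)) + target_bytes
            + bytes([0x18]) + encode_varint(timestamp))


def parse_user_op(raw, decrypt=lambda b: b):
    """Decrypt (caller-supplied cipher; identity by default) and map to a user operation."""
    fields = decode_fields(decrypt(raw))
    code = fields.get(1, [0])[0]
    return {"op": OP_NAMES.get(code, f"unknown_{code}"),
            "target": fields.get(2, [b""])[0].decode("utf-8", "replace"),
            "timestamp": fields.get(3, [0])[0]}


def operations_from_session(messages, decrypt=lambda b: b):
    """Turn the ordered payloads of one session into user operation information."""
    return [parse_user_op(m, decrypt) for m in messages]


def rejects_truncated(raw):
    """True if the parser refuses a cut-off message instead of returning partial data."""
    try:
        parse_user_op(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    session = [build_user_op(1, "", 1513000000), build_user_op(7, "role#4412", 1513000005)]
    print(operations_from_session(session))
```

Because a mirrored session can end mid-message (capture started late, packet dropped at the tap), every length and varint read is bounds-checked and a truncated message raises rather than yielding a half-parsed operation that would pollute the operation sequence.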
Fig. 4 shows a flowchart of a method for identifying abnormal user operations according to another aspect of the present invention.
Specifically, in step S1, the identification device obtains the inbound and outbound traffic data of the application server; in step S2, the identification device parses the inbound and outbound traffic data to generate one or more user operation sequences; in step S3, the identification device compares the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
In step S1, the identification device obtains the inbound and outbound traffic data of the application server.
Specifically, in step S1, the identification device interacts directly with the application server to obtain the inbound and outbound traffic data between the application server and the users; alternatively, in step S1, the identification device interacts with another device capable of providing the inbound and outbound traffic data, to obtain the inbound and outbound traffic data of the application server provided by that device.
Preferably, in step S1, the identification device mirrors the inbound and outbound traffic data of the application server, stores the mirror in a mirror storage device, and then reads the inbound and outbound traffic data from the mirror storage device.
Specifically, in step S1, the identification device mirrors the inbound and outbound traffic data of the application server at any point in the network, obtains the inbound and outbound traffic data and stores it in the mirror storage device; the identification device then reads the inbound and outbound traffic data from the mirror storage device.
Preferably, the storage mode of the mirror storage device includes, but is not limited to, a distributed file system or a message queue; the identification device may select a mirror storage device with a particular storage mode according to the processing requirements for the inbound and outbound traffic data, and store the inbound and outbound traffic data there.
In step S2, the identification device parses the inbound and outbound traffic data to generate one or more user operation sequences.
Specifically, in step S2, the identification device groups the inbound and outbound traffic data, then parses the inbound and outbound traffic data within each group, and takes the user operation information parsed from each group as one user operation sequence.
Alternatively, in step S2, the identification device parses each traffic data packet of the inbound and outbound traffic data on the basis of the data transmission protocol and the application protocol of the application, to determine the application protocol corresponding to each traffic data packet; it then parses the traffic data packets of the same protocol to obtain the user operation information of the application; then, based on the temporal relationship between the traffic data packets and the association between each packet and its corresponding user operation information, it determines one or more user operation sequences corresponding to the inbound and outbound traffic data.
Alternatively, in step S2, the identification device parses the data transmission related information of each traffic data packet in the inbound and outbound traffic data on the basis of the data transmission protocol; then, based on the data transmission related information, it groups the traffic data packets and sorts the traffic data packets within each group to generate one or more sessions; finally, it parses the sessions according to the application protocol corresponding to the application to generate one or more pieces of user operation information of the application; then, based on the temporal relationship between the traffic data packets and the association between each packet and its corresponding user operation information, it determines one or more user operation sequences corresponding to the inbound and outbound traffic data.
Here, the application protocol is the protocol specific to the application, such as the game protocol of a game application or the shopping protocol of a shopping application. One application may correspond to one or more application protocols; taking a game application as an example, it may include the application protocol for "a player sends flowers to another player", the application protocol for "performing an interactive task", the application protocol for "purchasing an item", and so on.
In step S3, the identification device compares the user operation sequences with the abnormal operation data and/or the normal operation data to identify abnormal user operations.
Specifically, in step S3, the identification device compares the generated user operation sequence with the abnormal operation data in the abnormal model, to judge whether the user operation sequence matches the abnormal operation data; if it matches, the user operation sequence is an abnormal user operation.
Alternatively, in step S3, the identification device compares the generated user operation sequence with the normal operation data in the normal model; if the user operation sequence matches the features of the normal operation data, the user operation sequence is regarded as a normal user operation, otherwise it is regarded as an abnormal user operation.
Here, the normal model and the abnormal model may be obtained by manual labelling, machine learning or similar means; the normal model may contain one or more pieces of normal operation data, and the abnormal model may contain one or more pieces of abnormal operation data.
The abnormal operation data and/or the normal operation data include, but are not limited to, an individual user operation or an operation sequence composed of a series of individual user operations. If some operation in the user operation sequence matches the individual user operation, or all or part of the user operations in the user operation sequence match the operation sequence, the user operation sequence is considered to belong to the abnormal operation data or to the normal operation data.
Preferably, the abnormal operation data and/or the normal operation data consist only of operation sequences composed of multiple user operations.
Here, manual labelling is, for example: an operation behaviour sequence that the operations personnel of the application have found suspicious through manual analysis of the behaviour data of a large number of users is taken as one piece of abnormal operation information in the abnormal model.
Machine learning is, for example:
1. Analyse all user behaviours to filter out a batch of network protocols that appear frequently and have little discriminating power, for example the series of network protocols related to movement;
2. Split the behaviours into blocks with an N-gram algorithm, cutting every N consecutive behaviours (N is variable, for example N=4) into one behaviour block;
3. Count the number of all behaviour blocks of all users;
4. Combine this with machine-learning identification based on the basic information of users (also called macro indicators) to automatically label a batch of users as abnormal users;
5. Among all the behaviour blocks counted above, count the occurrences of each N-gram behaviour block and take the behaviour blocks with the most occurrences as high-suspicion behaviour blocks;
6. Generate the abnormal user operations from the high-suspicion behaviour blocks.
In this way, the present invention can generate an abnormal model containing abnormal user operations.
Preferably, in step S3, the identification device determines, according to a predetermined abnormal model, one or more user operation sequences to be analysed from the user operation sequences, wherein at least one parameter of each user operation sequence to be analysed matches at least one piece of abnormal operation data contained in the abnormal model; it then identifies abnormal user operations according to the matching relationship between the user operation sequence to be analysed and the abnormal model.
Specifically, in step S3, the identification device analyses and extracts the parameters corresponding to the user operation sequences according to the predetermined abnormal model, to determine from the user operation sequences those whose one or more parameters match the parameters of the abnormal operation data, and takes them as the user operation sequences to be analysed.
The parameters include, but are not limited to: a time parameter (for example, the abnormal operation data corresponds to a certain time, so the user operation sequences of the corresponding time are extracted for analysis); a preamble operation parameter (for example, the login operation is taken as the preamble, and the one or more operations following it are taken as one user operation sequence to be analysed); a subsequent operation parameter (for example, the logout operation is taken as the subsequent operation, and the one or more operations preceding the logout are taken as one user operation sequence to be analysed); a specific operation parameter (for example, the abnormal operation data in the abnormal model and the user operation sequence to be analysed both contain a specific call to a certain API); a location parameter (for example coordinates, i.e. the abnormal operation is triggered in a certain area, where the coordinates include the coordinates of the map inside the application (such as map coordinates) or the coordinates of the user's actual geographic position (such as the coordinates corresponding to a GPS location)); and so on.
After the user operation sequence to be analysed has been determined, it is matched against the abnormal model; if the user operation sequence to be analysed matches a user operation in the abnormal model, it is identified as an abnormal user operation.
Preferably, the method further includes step S4 (not shown), step S5 (not shown), step S6 (not shown) and step S7 (not shown); wherein, in step S4, the identification device determines multiple abnormal users; in step S5, the identification device determines one or more historical operation sequences corresponding to the abnormal users according to the historical operation data corresponding to the abnormal users; in step S6, the identification device determines one or more pieces of abnormal operation data from the historical operation sequences according to the statistical results for the historical operation sequences; in step S7, the identification device generates the predetermined abnormal model according to the abnormal operation data.
Specifically, in step S4, the identification device determines multiple abnormal users by obtaining manually labelled data or by machine learning. Here, the abnormal users include, but are not limited to, users exploiting system vulnerabilities, users using scripts or cheating plug-ins, and other users who use improper means and have a negative impact on the application system or on other users.
The process of generating the abnormal model is explained below separately for manual labelling and for machine learning.
Manual labelling, for example:
The operations personnel of the application label users with suspicious operation behaviour sequences as abnormal users through manual analysis of the behaviour data of a large number of users, and the identification device obtains the abnormal users so determined.
In step S5, the identification device divides the multiple historical operations in the historical operation data corresponding to the abnormal users into blocks, for example every N historical operations form one operation block, and determines each operation block as one of the one or more historical operation sequences corresponding to the abnormal users.
In step S6, the identification device determines one or more pieces of abnormal operation data from the historical operation sequences according to the statistical results for the historical operation sequences; for example, if a certain historical operation sequence has a high count in the statistics and is an abnormal operation sequence, it may be taken as abnormal operation data. In step S7, the identification device generates the predetermined abnormal model according to the abnormal operation data.
Machine learning, for example:
1. Analyse all user behaviours to filter out a batch of network protocols that appear frequently and have little discriminating power, for example the series of network protocols related to movement;
2. Split the behaviours into blocks with an N-gram algorithm, cutting every N consecutive behaviours (N is variable, for example N=4) into one behaviour block;
3. Count the number of all behaviour blocks of all users;
4. Combine this with machine-learning identification based on the basic information of users (also called macro indicators) to automatically label a batch of users as abnormal users.
In step S5, the identification device determines one or more historical operation sequences corresponding to the abnormal users according to the historical operation data corresponding to the abnormal users, that is, it takes the behaviour blocks corresponding to the abnormal users as the historical operation sequences.
In step S6, the identification device computes statistics over the historical operation sequences, for example the number of occurrences of each N-gram behaviour block, takes the historical operation sequences with the most occurrences as high-suspicion behaviour blocks, and then generates abnormal operation data from the high-suspicion behaviour blocks.
Then, in step S7, the identification device generates the predetermined abnormal model according to the abnormal operation data. In this way, the present invention can generate an abnormal behaviour database (i.e. the abnormal model) of abnormal operation data.
Preferably, the method further includes step S8 (not shown), wherein, in step S8, the identification device updates the abnormal users according to the users corresponding to the identified abnormal user operations.
Specifically, in step S8, the identification device may compute statistics on the users corresponding to the abnormal user operations, take those users as abnormal users, and update the abnormal users.
For example, if many behaviour blocks of a user can be matched as suspicious behaviour blocks, the user is considered an abnormal user; by continuing to track the abnormal user, the subsequent behaviour of this abnormal user is also used as training data for the machine-learning model, so as to analyse whether other behaviours of the abnormal user belong to the high-suspicion behaviours. A feedback cycle between the determination of abnormal users and the determination of abnormal operation data is thereby achieved.
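The machine-learning procedure listed above (steps 1 to 4, which also appear in the earlier machine-learning list, followed by the statistics of step S6 and the feedback update of step S8), worked in Python as an added example that is not part of the patent and not the applicant's code. The per-user operation streams, the "move" protocol treated as low-discrimination, the labelled abnormal user and the parameter min_abnormal_share are all assumptions; the share filter in particular is an added refinement not in the patent, keeping only blocks that are not equally common among the users that were never labelled.

```python
from collections import Counter

# Constructed sample: per-user streams of application-protocol names (not real game data).
STREAMS = {
    "bot_1": ["login", "move", "open_config", "set_display", "move", "accept_task",
              "move", "call_add_friend_api", "move", "logout",
              "login", "open_config", "set_display", "accept_task", "call_add_friend_api", "logout"],
    "bot_2": ["login", "open_config", "set_display", "move", "accept_task",
              "call_add_friend_api", "logout",
              "login", "move", "open_config", "set_display", "accept_task", "call_add_friend_api", "logout"],
    "user_1": ["login", "move", "open_mail", "delete_mail", "move", "open_bag", "move", "fight", "logout"],
    "user_2": ["login", "move", "open_config", "set_volume", "move", "open_bag", "upgrade_pet", "logout"],
    "user_3": ["login", "open_mail", "move", "move", "accept_task", "fight", "move", "logout"],
}
LOW_DISCRIMINATION = {"move"}   # step 1: frequent protocols with little discriminating power (assumed)
ABNORMAL_USERS = {"bot_1"}      # step 4: users labelled via macro indicators / manual marking (assumed)


def ngram_blocks(ops, n=4, drop=LOW_DISCRIMINATION):
    """Step 2: drop low-discrimination protocols, then cut the stream into contiguous N-grams."""
    kept = [op for op in ops if op not in drop]
    return [tuple(kept[i:i + n]) for i in range(len(kept) - n + 1)]


def build_exception_model(streams, abnormal_users, n=4, top_k=3, min_abnormal_share=0.5):
    """Steps 3, 5 and 6: count blocks over all users and over the labelled abnormal users; the
    blocks most frequent among abnormal users become the high-suspicion blocks (abnormal model).
    min_abnormal_share is an added filter (not in the patent): a block that the labelled users
    account for less than this share of is common among everybody and not discriminative."""
    total, abnormal = Counter(), Counter()
    for user, ops in streams.items():
        blocks = ngram_blocks(ops, n)
        total.update(blocks)
        if user in abnormal_users:
            abnormal.update(blocks)
    ranked = sorted(abnormal.items(), key=lambda kv: (-kv[1], kv[0]))
    return [blk for blk, count in ranked if count / total[blk] >= min_abnormal_share][:top_k]


def suspicious_share(ops, model, n=4):
    """Step S8 criterion: fraction of a user's behaviour blocks that match a high-suspicion block."""
    blocks = ngram_blocks(ops, n)
    if not blocks:
        return 0.0
    model_set = set(model)
    return sum(1 for blk in blocks if blk in model_set) / len(blocks)


def update_abnormal_users(streams, abnormal_users, model, n=4, threshold=0.5):
    """Step S8: users whose blocks largely match the model join the abnormal set; feeding the
    enlarged set back into build_exception_model closes the user/operation-data cycle."""
    matched = {user for user, ops in streams.items() if suspicious_share(ops, model, n) >= threshold}
    return set(abnormal_users) | matched
```

Running build_exception_model on the sample yields the three blocks that both scripted streams repeat on every login; bot_2, never labelled, then matches six of its nine blocks and is added by update_abnormal_users, while the three normal streams match none.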
The detailed process of identifying abnormal user operations and abnormal users is illustrated below using a game application as an example:
In a game, a user operation sequence is, for example, the following string of information:
"the player clicks the login-game button, the player enters the main game scene, the player checks the mail, deletes the mail, opens the system configuration, changes the volume, changes the number of characters that can be shown in the scene, the player opens the backpack, the player upgrades their pet, the player moves along a path to point A and point B of the road and enters the fight interface, the player uses skill A", and so on.
During one run from logging into the game to closing the game, a user may generate hundreds or thousands of game behaviours that are sent to the game server. The identification device parses the inbound and outbound traffic data to generate one or more user operation sequences and then analyses those user operation sequences.
Here, the user operation sequences may be divided by time, for example the user operations in every five minutes form one user operation sequence; they may also be divided by the number of user operations, for example every 10 user operations form one user operation sequence; alternatively, the user operations are split on a specific operation, such as switching maps, so that the operations before the specific operation and the operations after it each form a user operation sequence.
Then, the identification device checks whether the one or more user operation sequences contain a specific behaviour string, for example whether the user performs the operations "open game configuration, change display effect" after logging in. If a user includes "open game configuration, change display effect" on every login to the game, that user may be an abnormal user. This is because a user controlled by a script has a fixed operation pattern and performs exactly the same operations every time, unlike a normal user. A normal user does not adjust the configuration first after every start of the game; usually the settings are adjusted only once or twice, and only a script user performs the identical operations every time.
In addition, certain abnormal operations are operations that a normal user will not perform. For example, when adding a friend, a normal user clicks the character of another user on the map and selects "add friend" in the pop-up action window to complete the addition; certain scripts, however, directly invoke the "add friend" network protocol API, entering the role ID of the other user into the API to add the friend. Therefore, the operation "call the add-friend network protocol API" belongs to the abnormal operations, and a user who performs this operation is a suspected abnormal user.
Taking the "portrait task" proposed in the game activity of the example above, the task is completed by "finding a user on the large map who meets a specific condition, clicking that user's avatar and choosing to give the user a portrait". Since most scripts lack image recognition capability, a script user cannot identify the users on the large map who meet the task requirements; in this case, the script uses the following approach: it first adds a large number of friend users to itself, each of whom meets one specific condition in the portrait task; after the script accepts a portrait task, it can, according to the requirements of the task, form a team with the corresponding friend; by forming a team they are teleported to the same position on the large map, and the script then gives the portrait to this friend to complete the task.
For such script operations, it is difficult to identify them by macro indicators or by simple in-game logs. But by analysing the user operation sequences of the user, if a user has the user operation sequences "add a large number of friends" and "accept portrait task, form a team with a friend, teleport on the large map, give portrait", such a suspicious combination of operations can be identified, and the abnormal user can be identified further.
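The game example above, worked in Python as an added example that is not part of the patent and not the applicant's code. Constructed operation records for three users (a script that repeats the same configuration steps on every login, a normal player who adjusts the display once, and a script that calls the add-friend API and then runs the portrait-task combination) are split into user operation sequences using login as the preamble operation, with the time-window split from above included as an alternative, and are then matched against a constructed abnormal model that holds one individual abnormal operation and one abnormal operation sequence. The operation names, timestamps, model contents and the prefix length of the "same operations on every login" check are assumptions.

```python
from collections import defaultdict

# Constructed sample of parsed user operations: (user, timestamp in seconds, operation).
OPS = [
    # script_a: identical configuration steps on every login
    ("script_a", 0, "login"), ("script_a", 2, "open_config"), ("script_a", 3, "set_display"),
    ("script_a", 40, "move"), ("script_a", 90, "logout"),
    ("script_a", 3600, "login"), ("script_a", 3602, "open_config"), ("script_a", 3603, "set_display"),
    ("script_a", 3700, "fight"), ("script_a", 3800, "logout"),
    ("script_a", 7200, "login"), ("script_a", 7202, "open_config"), ("script_a", 7203, "set_display"),
    ("script_a", 7300, "logout"),
    # player_b: adjusts the display once, then never again
    ("player_b", 0, "login"), ("player_b", 5, "open_config"), ("player_b", 9, "set_display"),
    ("player_b", 60, "open_mail"), ("player_b", 200, "logout"),
    ("player_b", 5000, "login"), ("player_b", 5010, "open_bag"), ("player_b", 5100, "fight"),
    ("player_b", 5300, "logout"),
    ("player_b", 9000, "login"), ("player_b", 9010, "move"), ("player_b", 9100, "logout"),
    # script_c: direct API call, then the portrait-task combination
    ("script_c", 0, "login"),
    *[("script_c", 10 + i, "call_add_friend_api") for i in range(6)],
    ("script_c", 100, "accept_portrait_task"), ("script_c", 101, "team_up"),
    ("script_c", 102, "teleport"), ("script_c", 103, "give_portrait"),
    ("script_c", 200, "logout"),
]

# Constructed abnormal model: one individual operation and one operation sequence (assumed names).
EXCEPTION_MODEL = {
    "single": {"call_add_friend_api"},
    "sequences": [("accept_portrait_task", "team_up", "teleport", "give_portrait")],
}


def sessions_by_login(records):
    """Split one user's time-ordered operations into sequences with "login" as the preamble."""
    sessions, current = [], []
    for _, _, op in sorted(records, key=lambda r: r[1]):
        if op == "login" and current:
            sessions.append(current)
            current = []
        current.append(op)
    if current:
        sessions.append(current)
    return sessions


def sessions_by_time(records, window=300):
    """Alternative split: one sequence per fixed time window (300 s = the five-minute example)."""
    buckets = defaultdict(list)
    for _, t, op in sorted(records, key=lambda r: r[1]):
        buckets[t // window].append(op)
    return [buckets[k] for k in sorted(buckets)]


def contains_sequence(seq, pattern):
    """True if pattern occurs as a contiguous run inside seq."""
    k = len(pattern)
    return any(tuple(seq[i:i + k]) == pattern for i in range(len(seq) - k + 1))


def match_model(seq, model):
    """Model entries the sequence satisfies: individual abnormal operations or abnormal sub-sequences."""
    hits = [op for op in sorted(model["single"]) if op in seq]
    hits += [" > ".join(p) for p in model["sequences"] if contains_sequence(seq, p)]
    return hits


def scripted_prefix(sessions, k=3):
    """The "same operations after every login" heuristic: returns the shared k-operation prefix
    when every login session starts identically; needs at least two sessions so that one visit
    (a normal player configuring the game once) is never flagged."""
    if len(sessions) < 2 or any(len(s) < k for s in sessions):
        return None
    prefixes = {tuple(s[:k]) for s in sessions}
    return prefixes.pop() if len(prefixes) == 1 else None


def identify_abnormal(records, model=EXCEPTION_MODEL):
    """Map each user to the reasons their operation sequences were judged abnormal."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec[0]].append(rec)
    findings = {}
    for user, recs in by_user.items():
        sessions = sessions_by_login(recs)
        reasons = [hit for s in sessions for hit in match_model(s, model)]
        prefix = scripted_prefix(sessions)
        if prefix:
            reasons.append("same prefix on every login: " + " > ".join(prefix))
        if reasons:
            findings[user] = sorted(set(reasons))
    return findings
```

On the sample, script_a is flagged only by the repeated login prefix, script_c by both model entries, and player_b by nothing, because its first session's configuration steps never recur.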
Fig. 5 shows a flowchart of a method for identifying abnormal user operations according to a preferred embodiment of the present invention.
Specifically, in step S1, the identification device obtains the inbound and outbound traffic data of the application server; in step S21, the identification device parses the inbound and outbound traffic data to generate one or more pieces of user operation information; in step S22, the identification device generates one or more user operation sequences according to the user operation information and the order corresponding to the user operation information; in step S3, the identification device compares the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
Here, step S1 and step S3 are the same as or similar to the corresponding steps described for Fig. 4, so they are not repeated here and are incorporated by reference.
In step S21, the identification device parses the inbound and outbound traffic data to generate one or more pieces of user operation information.
Specifically, in step S21, the identification device parses each traffic data packet of the inbound and outbound traffic data on the basis of the data transmission protocol and the application protocol of the application, to determine the application protocol corresponding to each traffic data packet; it then parses the traffic data packets of the same protocol to obtain the user operation information of the application.
Alternatively, in step S21, the identification device parses the data transmission related information of each traffic data packet in the inbound and outbound traffic data on the basis of the data transmission protocol; then, based on the data transmission related information, it groups the traffic data packets and sorts the traffic data packets within each group to generate one or more sessions; finally, it parses the sessions according to the application protocol corresponding to the application to generate one or more pieces of user operation information of the application.
In step S22, the identification device generates one or more user operation sequences according to the user operation information and the order corresponding to the user operation information.
Specifically, in step S22, the identification device determines the one or more user operation sequences corresponding to the inbound and outbound traffic data based on the temporal relationship between the traffic data packets and the association between each packet and its corresponding user operation information.
Preferably, in step S21, the identification device parses, on the basis of the data transmission protocol, the data transmission related information of each traffic data packet in the inbound and outbound traffic data; groups the traffic data packets based on the data transmission related information and sorts the traffic data packets within each group to generate one or more sessions; and parses the sessions according to the application protocol corresponding to the application to generate one or more pieces of user operation information, where the application corresponds to the application server.
Specifically, in step S21, the identification device either uses directly the inbound and outbound traffic data obtained in step S1 or interacts with the mirror storage device to read the inbound and outbound traffic data from it; then, according to the data transmission protocol used by the application server, the identification device parses each traffic data packet in the inbound and outbound traffic data to obtain the data transmission related information.
When the identification device reads each piece of inbound and outbound traffic data, each piece is a binary data array; the identification device parses these binary arrays, first restoring, according to the data transmission protocol, the Ethernet, IP and TCP/UDP headers and the data portion transmitted after those headers. The identification device then further analyses this information to obtain the data transmission related information.
The data transmission related information includes, but is not limited to, the sending IP and port, the receiving IP and port, SEQ, ACK, packet size, flags, fragment offset and the transmitted data portion (the concrete application content that needs subsequent analysis) corresponding to each traffic data packet. Here, those skilled in the art will understand that the data transmission related information differs according to the type of the traffic data packet, such as a TCP packet or a UDP packet. For example, the data transmission related information of a TCP traffic data packet may include the sending IP and port, the receiving IP and port, SEQ, ACK, the packet size and the transmitted data portion; the data transmission related information of a UDP traffic data packet may include the sending IP and port, the receiving IP and port, flags, fragment offset and the transmitted data portion (the flags and fragment offset being fields of the IP header that carries the UDP datagram).
Then, the identification device groups the traffic data packets based on one or more items of the data transmission related information; the grouping methods include, but are not limited to:
Mode 1. Group based on the sending IP and receiving IP corresponding to the traffic data packets. For example, if the sending IP and receiving IP of two traffic data packets are the same, the two packets are placed in one group; or, if the sending IP of a first packet is the same as the receiving IP of a second packet and the sending IP of the second packet is the same as the receiving IP of the first packet, the first and second packets are placed in one group. This operation can be repeated: for example, if the sending IP of the second packet is the same as the receiving IP of a third packet and the sending IP of the third packet is the same as the receiving IP of the second packet, the third packet is placed in the group of the first and second packets, and so on until all the packets with corresponding IPs have been assigned. Note that grouping on IP addresses alone merges every connection between the same pair of hosts, for instance many players behind one NAT address, which is why mode 2 is preferred.
Mode 2. Preferably, group the traffic data packets based on the sending/receiving IP and port information corresponding to the packets, i.e. if the sending/receiving IPs and ports of two packets correspond, the two packets are placed in one group. For example, if the sending IP/port and the receiving IP/port of two packets are the same, the two packets are placed in one group; or, if the sending IP/port of a first packet is the same as the receiving IP/port of a second packet and the sending IP/port of the second packet is the same as the receiving IP/port of the first packet, the first and second packets are placed in one group. Likewise, this operation can be repeated.
Mode 3. Group based on the continuity of the traffic data packets. For example, two TCP traffic data packets can be grouped based on the continuity of their SEQ, ACK and packet size: if SEQ plus packet size of the sender equals the ACK of the receiver and the ACK of the sender equals the SEQ of the receiver, the two packets are proven to be continuous and can be placed in one group; similarly, two UDP traffic data packets can be grouped by a default order or based on the flags and fragment offset in the packet header of the traffic data packets.
Those skilled in the art will understand that the above grouping methods can be performed individually, or the three modes can be combined to further optimise the efficiency and effect of the grouping. For example, only mode 1, mode 2 or mode 3 can be performed in isolation, performing only the grouping; alternatively, mode 1 can be combined with mode 3, or mode 1 with mode 2, to optimise the grouping efficiency while completing the grouping together with the continuity determination, so that the sorting is completed as well.
After the grouping of the traffic data packets is complete, the identification device sorts all the traffic data packets in each group in chronological order, so as to generate one or more sessions from the sorted packets. The sessions may be short sessions or long sessions: for a game application, for example, the sessions are mostly long sessions, i.e. one message session stream contains a large number of messages back and forth and may last more than ten minutes or even tens of minutes; for an ordinary application such as a shopping application, the sessions are mostly short sessions, i.e. a message session stream contains fewer messages back and forth.
Here, if the traffic data packets contain time information, they are sorted in turn according to the time information.
If the traffic data packets contain no time information, the serial relationship between the packets can be judged according to the data transmission protocol corresponding to the packets with reference to the data transmission related information; based on the serial relationship, the packets within each group are sorted to generate one or more sessions.
For example, if the traffic data packets are TCP packets, the serial relationship can be judged according to the SEQ, ACK and packet size of the packets, i.e. if SEQ plus packet size of the sender equals the ACK of the receiver and the ACK of the sender equals the SEQ of the receiver, the two packets are proven to be continuous; if the traffic data packets are UDP packets, the relationship can be parsed directly from the flags and fragment offset in the packet header.
Those skilled in the art will understand that even if the traffic data packets contain time information, they can still be sorted by the above method without using the time information.
An example of a section of continuous traffic data packets is described below:
Sender IP:Port            Recipient IP:Port         SEQ           ACK           Size
116.62.173.112:23         210.12.118.194:2648       -1401430175   -660031943    28
210.12.118.194:2648       116.62.173.112:23         -660031943    -1401430147   11
116.62.173.112:23         210.12.118.194:2648       -1401430147   -660031943    13
116.62.173.112:23         210.12.118.194:2648       -1401430134   -660031932     8
Table 1: The data transmission related information of continuous traffic data packets
Note: Size denotes the packet size, i.e. the length of the transmitted data portion used in the SEQ/ACK arithmetic; SEQ and ACK are printed as signed 32-bit integers, so the negative values are the unsigned sequence numbers interpreted as signed.
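The header restoration, grouping (mode 2) and continuity ordering (mode 3) described above, worked in Python over the four rows of Table 1 as an added example that is not part of the patent and not the applicant's code. The frames are constructed from the table's values with filler payload bytes (checksums left at zero), the frame parser handles IPv4/TCP only, and the timestamp-free ordering assumes sequence numbers do not wrap within one capture.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF


def build_tcp_frame(src_ip, sport, dst_ip, dport, seq, ack, payload):
    """Constructed test input: one Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & MASK32, ack & MASK32,
                      5 << 4, 0x18, 65535, 0, 0)           # data offset 5 words, flags PSH|ACK
    return eth + ip + tcp + payload


def parse_tcp_frame(frame):
    """Restore the Ethernet, IPv4 and TCP headers and return the data transmission related
    information of one TCP frame (None for anything that is not IPv4 over Ethernet carrying TCP)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    ip_payload = frame[14 + ihl:14 + total_len]
    sport, dport, seq, ack, doff, flags = struct.unpack_from("!HHIIBB", ip_payload, 0)
    data = ip_payload[(doff >> 4) * 4:]
    return {"src": str(IPv4Address(frame[26:30])), "sport": sport,
            "dst": str(IPv4Address(frame[30:34])), "dport": dport,
            "seq": seq, "ack": ack, "flags": flags, "size": len(data), "data": data}


def group_by_endpoints(packets):
    """Mode 2: one group per unordered pair of (IP, port) endpoints, so both directions of a
    connection share a group. Mode 1 would key on the IPs alone and merge every connection
    between the same two hosts."""
    groups = defaultdict(list)
    for p in packets:
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        groups[key].append(p)
    return groups


def is_continuous(a, b):
    """Continuity test from the text, modulo 2^32: for a reply, SEQ_a + size_a == ACK_b and
    ACK_a == SEQ_b; for the next packet in the same direction, SEQ_a + size_a == SEQ_b."""
    end_a = (a["seq"] + a["size"]) & MASK32
    if (a["src"], a["sport"]) == (b["src"], b["sport"]):
        return end_a == b["seq"]
    return end_a == b["ack"] and a["ack"] == b["seq"]


def order_session(packets):
    """Sort one group into a session without timestamps: each direction is ordered by SEQ, and
    the two directions are merged so that a packet is placed after an opposite-direction packet
    only once its ACK covers that packet's data (assumes no 32-bit wrap inside the capture)."""
    by_dir = defaultdict(list)
    for p in packets:
        by_dir[(p["src"], p["sport"])].append(p)
    for d in by_dir.values():
        d.sort(key=lambda p: p["seq"])
    dirs = list(by_dir.values())
    a = dirs[0]
    b = dirs[1] if len(dirs) > 1 else []
    session = []
    while a and b:
        end_b = (b[0]["seq"] + b[0]["size"]) & MASK32
        acked = ((a[0]["ack"] - end_b) & MASK32) < 0x80000000   # ACK_a >= end_b in modular terms
        session.append(b.pop(0) if acked else a.pop(0))
    return session + a + b


def sessions_from_frames(frames):
    """Parse, group and order raw frames into sessions (lists of packets carrying their payload)."""
    packets = [p for p in map(parse_tcp_frame, frames) if p]
    return [order_session(group) for group in group_by_endpoints(packets).values()]


# Constructed frames reproducing the four rows of Table 1 (payload bytes are arbitrary filler).
TABLE1_FRAMES = [
    build_tcp_frame("116.62.173.112", 23, "210.12.118.194", 2648, -1401430175, -660031943, b"A" * 28),
    build_tcp_frame("210.12.118.194", 2648, "116.62.173.112", 23, -660031943, -1401430147, b"B" * 11),
    build_tcp_frame("116.62.173.112", 23, "210.12.118.194", 2648, -1401430147, -660031943, b"C" * 13),
    build_tcp_frame("116.62.173.112", 23, "210.12.118.194", 2648, -1401430134, -660031932, b"D" * 8),
]
```

Rows 1 and 2 satisfy the reply test and rows 3 and 4 the same-direction test, but rows 2 and 3 do not: row 3 still acknowledges only the SEQ of row 2, so it was sent before row 2 arrived and the two crossed in flight. Without timestamps the ACK-based merge therefore places row 3 before row 2 (sizes 28, 13, 11, 8), and a session built from the sorted packets carries each direction's payload in SEQ order, which is what the application-protocol parser needs.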
Next, the identification device parses the generated session according to the application protocol corresponding to the application. The application protocol is the protocol specific to that application, for example the game protocol of a game application or the shopping protocol of a shopping application.
According to the application protocol, the content of the session is parsed and restored to produce the application content corresponding to the session, which serves as the application data of the application, and the user operation information is extracted from it. The application data is the data restored at the application level, for example the game operation data of a game, or the purchase data of a shopping application.
Those skilled in the art will understand that if the flow data packets are unencrypted, the session can be parsed directly to generate the application data; if the flow data packets are encrypted, the flow data packets in the session are first decrypted and the ordinary parsing operation is then performed to generate the application data.
Preferably, the method further includes step S9 (not shown), in which the identification device decrypts the flow data packets in the session according to the key corresponding to the session; in step S21, the identification device then parses the decrypted session according to the application protocol corresponding to the application to generate one or more items of user operation information.
Specifically, in step S9 the identification device determines the key and the decryption method according to the encryption scheme of the application. The key may be a fixed key or a dynamic key. Ways of obtaining the key include, but are not limited to, directly obtaining the key corresponding to the application, or analysing the first few frames of the session or of the application server's inbound and outbound flow data to determine the key and/or the encryption scheme.
Those skilled in the art will understand that any method capable of decrypting the flow data packets is applicable to the present invention.
After the identification device has decrypted the flow data packets with the key, in step S21 it takes the decrypted session and parses it according to the application protocol corresponding to the application to generate the application data, from which the user operation information is extracted. The parsing method differs according to the encoding format used by the application.
For example, if the application protocol (the game protocol) of a game application is Protobuf and the encryption scheme uses a single fixed key, the identification device first decrypts the flow data packets with the corresponding key and then parses the session according to the Protobuf format.
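The fixed-key-then-Protobuf path of steps S9 and S21, as an added Python example rather than the patent's own implementation. The input is the concatenated payload of an ordered session. Everything about the game protocol is assumed for the example: messages are framed as a varint length prefix followed by a Protobuf message with the hypothetical schema UserOp { uint32 op_code = 1; uint64 target_id = 2; string param = 3; }, and the application's fixed-key cipher is stood in for by repeating-key XOR (the page does not say which cipher is used; replace decrypt() with the real one and nothing else changes). The Protobuf wire-format decoder itself is generic: base-128 varints, fixed64, length-delimited and fixed32 fields keyed by field number.

```python
FIXED_KEY = b"k3y-example"   # hypothetical fixed key, assumed for the example


def decrypt(data: bytes, key: bytes = FIXED_KEY) -> bytes:
    """Stand-in for the application's real fixed-key cipher (repeating XOR)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


encrypt = decrypt  # XOR is symmetric; used only to build the sample below


def read_varint(buf: bytes, pos: int):
    """Decode a base-128 varint at pos; return (value, new_pos)."""
    shift, value = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def write_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | (0x80 if n else 0))
        if not n:
            return bytes(out)


def parse_message(buf: bytes) -> dict:
    """Generic Protobuf wire-format decode: field_number -> raw value.
    Wire types: 0 varint, 1 fixed64, 2 length-delimited, 5 fixed32."""
    fields, pos = {}, 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        fnum, wtype = tag >> 3, tag & 7
        if wtype == 0:
            val, pos = read_varint(buf, pos)
        elif wtype == 1:
            val, pos = int.from_bytes(buf[pos:pos + 8], "little"), pos + 8
        elif wtype == 2:
            ln, pos = read_varint(buf, pos)
            val, pos = buf[pos:pos + ln], pos + ln
            if len(val) != ln:
                raise ValueError("truncated length-delimited field")
        elif wtype == 5:
            val, pos = int.from_bytes(buf[pos:pos + 4], "little"), pos + 4
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        fields[fnum] = val
    return fields


def encode_user_op(op_code: int, target_id: int, param: str) -> bytes:
    """Encoder for the hypothetical UserOp schema, used to build sample data."""
    p = param.encode()
    body = (write_varint((1 << 3) | 0) + write_varint(op_code)
            + write_varint((2 << 3) | 0) + write_varint(target_id)
            + write_varint((3 << 3) | 2) + write_varint(len(p)) + p)
    return write_varint(len(body)) + body


def extract_user_ops(session_plaintext: bytes):
    """Split the decrypted session into framed messages and map each one to
    a user operation tuple (op_code, target_id, param)."""
    ops, pos = [], 0
    while pos < len(session_plaintext):
        ln, pos = read_varint(session_plaintext, pos)
        msg = session_plaintext[pos:pos + ln]
        if len(msg) != ln:
            raise ValueError("truncated frame")
        pos += ln
        f = parse_message(msg)
        ops.append((f.get(1), f.get(2), f.get(3, b"").decode()))
    return ops


def user_ops_from_session(ciphertext: bytes, key: bytes = FIXED_KEY):
    """Step S9 (decrypt with the fixed key) followed by step S21 (parse)."""
    return extract_user_ops(decrypt(ciphertext, key))


# Constructed sample session of three operations, encrypted with the fixed key.
SAMPLE_CIPHERTEXT = encrypt(encode_user_op(7, 1001, "buy_item")
                            + encode_user_op(3, 42, "attack")
                            + encode_user_op(7, 1001, "buy_item"))

if __name__ == "__main__":
    for op in user_ops_from_session(SAMPLE_CIPHERTEXT):
        print(op)
```

The decoder deliberately does not trust lengths from the wire: a frame or length-delimited field that runs past the buffer raises rather than returning a short slice, so a truncated or wrongly decrypted session fails loudly instead of yielding plausible-looking operations.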
It should be noted that the present invention may be implemented in software and/or a combination of software and hardware, for example using an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In one embodiment, the software program of the present invention may be executed by a processor to implement the steps or functions described above. Likewise, the software program of the present invention (including related data structures) may be stored in a computer-readable recording medium, for example RAM, a magnetic or optical drive, a floppy disk or a similar device. In addition, some steps or functions of the present invention may be implemented in hardware, for example as circuitry that cooperates with the processor to perform each step or function.
Furthermore, part of the present invention may be applied as a computer program product, for example computer program instructions which, when executed by a computer, invoke or provide the method and/or technical solution according to the present invention through the operation of that computer. The program instructions that invoke the method of the present invention may be stored in a fixed or removable recording medium, and/or transmitted as a data stream over a broadcast or other signal-bearing medium, and/or stored in the working memory of a computer device that runs according to the program instructions. Here, one embodiment of the present invention includes a device comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein when the computer program instructions are executed by the processor, the device is triggered to run the method and/or technical solution based on the multiple embodiments described above.
It will be apparent to those skilled in the art that the present invention is not limited to the details of the exemplary embodiments above, and that the invention can be realised in other specific forms without departing from its spirit or essential attributes. The embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being defined by the appended claims rather than by the foregoing description, and all changes that fall within the meaning and range of equivalency of the claims are intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned. Moreover, the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Several units or devices recited in a device claim may also be implemented by a single unit or device in software or hardware. Words such as "first" and "second" denote names and do not indicate any particular order.

Claims (20)

1. A method for identifying abnormal user operations, the method comprising the following steps:
obtaining the inbound and outbound flow data of an application server;
parsing the inbound and outbound flow data to generate one or more user operation sequences;
comparing the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
2. The method according to claim 1, wherein the step of generating one or more user operation sequences comprises:
parsing the inbound and outbound flow data to generate one or more items of user operation information;
generating one or more user operation sequences according to the user operation information and the order corresponding to the user operation information.
3. The method according to claim 2, wherein the step of parsing the inbound and outbound flow data to generate one or more items of user operation information comprises:
parsing, based on the data transport protocol, the transmission-related information of each flow data packet in the inbound and outbound flow data;
grouping the flow data packets based on the transmission-related information, and sorting the flow data packets within each group, to generate one or more sessions;
parsing the sessions according to the application protocol corresponding to the application to generate one or more items of user operation information, wherein the application corresponds to the application server.
4. The method according to claim 3, wherein the step of grouping the flow data packets comprises:
grouping the flow data packets based on the sending/receiving IP addresses and port information corresponding to the flow data packets.
5. The method according to claim 3 or 4, wherein the step of sorting the flow data packets within each group to generate one or more sessions comprises:
determining the sequential relationship between the flow data packets according to the data transport protocol corresponding to the flow data packets, in combination with the transmission-related information;
sorting the flow data packets within each group based on the sequential relationship to generate one or more sessions.
6. The method according to any one of claims 3 to 5, wherein the method further comprises:
decrypting the flow data packets in the session according to the key corresponding to the session;
wherein the step of parsing the session to generate one or more items of user operation information comprises:
parsing the decrypted session according to the application protocol corresponding to the application to generate one or more items of user operation information.
7. The method according to any one of claims 1 to 6, wherein the step of identifying abnormal user operations comprises:
determining, according to a predetermined exception model, one or more user operation sequences to be analysed from among the user operation sequences, wherein at least one parameter included in a user operation sequence to be analysed matches at least one item of abnormal operation data in the exception model;
identifying abnormal user operations according to the matching relationship between the user operation sequences to be analysed and the exception model.
8. The method according to claim 7, wherein the method further comprises:
determining a plurality of abnormal users;
determining one or more historical operation sequences corresponding to the abnormal users according to the historical operation data corresponding to the abnormal users;
determining one or more items of abnormal operation data from the historical operation sequences according to statistical results on the historical operation sequences;
generating the predetermined exception model according to the abnormal operation data.
9. The method according to claim 8, wherein the method further comprises:
updating the abnormal users according to the users corresponding to the identified abnormal user operations.
10. The method according to any one of claims 1 to 9, wherein the step of obtaining the inbound and outbound flow data of the application server comprises:
mirroring the inbound and outbound flow data of the application server and storing it in a mirror storage device;
reading the inbound and outbound flow data from the mirror storage device.
11. An identification device for identifying abnormal user operations, the identification device comprising:
a first device for obtaining the inbound and outbound flow data of an application server;
a second device for parsing the inbound and outbound flow data to generate one or more user operation sequences;
a third device for comparing the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
12. The identification device according to claim 11, wherein the second device comprises:
Unit 2-1 for parsing the inbound and outbound flow data to generate one or more items of user operation information;
Unit 2-2 for generating one or more user operation sequences according to the user operation information and the order corresponding to the user operation information.
13. The identification device according to claim 12, wherein Unit 2-1 is configured to:
parse, based on the data transport protocol, the transmission-related information of each flow data packet in the inbound and outbound flow data;
group the flow data packets based on the transmission-related information, and sort the flow data packets within each group, to generate one or more sessions;
parse the sessions according to the application protocol corresponding to the application to generate one or more items of user operation information, wherein the application corresponds to the application server.
14. The identification device according to claim 13, wherein, when grouping the flow data packets, Unit 2-1 is configured to:
group the flow data packets based on the sending/receiving IP addresses and port information corresponding to the flow data packets.
15. The identification device according to claim 13 or 14, wherein, when sorting the flow data packets within each group to generate one or more sessions, Unit 2-1 is configured to:
determine the sequential relationship between the flow data packets according to the data transport protocol corresponding to the flow data packets, in combination with the transmission-related information;
sort the flow data packets within each group based on the sequential relationship to generate one or more sessions.
16. The identification device according to any one of claims 11 to 15, wherein the third device is configured to:
determine, according to a predetermined exception model, one or more user operation sequences to be analysed from among the user operation sequences, wherein at least one parameter included in a user operation sequence to be analysed matches at least one item of abnormal operation data in the exception model;
identify abnormal user operations according to the matching relationship between the user operation sequences to be analysed and the exception model.
17. The identification device according to claim 16, wherein the identification device further comprises:
a fourth device for determining a plurality of abnormal users;
a fifth device for determining one or more historical operation sequences corresponding to the abnormal users according to the historical operation data corresponding to the abnormal users;
a sixth device for determining one or more items of abnormal operation data from the historical operation sequences according to statistical results on the historical operation sequences;
a seventh device for generating the predetermined exception model according to the abnormal operation data.
18. The identification device according to claim 17, wherein the identification device further comprises:
an eighth device for updating the abnormal users according to the users corresponding to the identified abnormal user operations.
19. A computer-readable storage medium, characterised in that the computer storage medium stores computer-readable instructions which, when executed by one or more devices, cause the devices to perform the method according to any one of claims 1 to 10.
20. A computer device, the computer device comprising:
one or more processors;
a memory for storing one or more computer programs;
wherein, when the one or more computer programs are executed by the one or more processors, the one or more processors implement the method according to any one of claims 1 to 10.
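The procedure of claims 7 to 9, as an added Python example rather than the patent's own implementation: build the exception model from the historical operation sequences of known abnormal users (claim 8), select the sequences that share at least one parameter with the model and identify abnormal operations by the degree of match (claim 7), then add the users behind them to the abnormal-user set (claim 9). The choice of operation bigrams as the "parameters", the lift statistic used to pick over-represented patterns, the support and score thresholds, and the user histories are all assumptions constructed for this example; the patent does not fix any of them.

```python
from collections import Counter


def ngrams(seq, n=2):
    """Consecutive n-tuples of operations; the 'parameters' compared here."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def build_exception_model(histories, abnormal_users, n=2,
                          min_support=2, min_lift=2.0):
    """Claim 8: from the historical sequences of known abnormal users, keep
    the n-grams that are frequent among them and over-represented against
    the whole population. lift = P(pattern | abnormal) / P(pattern | all).
    Returns {pattern: lift}, the model's abnormal operation data."""
    abn_counts, all_counts = Counter(), Counter()
    n_abn = n_all = 0
    for user, seqs in histories.items():
        for seq in seqs:
            grams = set(ngrams(seq, n))     # presence per sequence, not count
            all_counts.update(grams)
            n_all += 1
            if user in abnormal_users:
                abn_counts.update(grams)
                n_abn += 1
    if not n_abn:
        return {}
    model = {}
    for g, c in abn_counts.items():
        if c < min_support:
            continue
        lift = (c / n_abn) / (all_counts[g] / n_all)
        if lift >= min_lift:
            model[g] = lift
    return model


def select_candidates(sequences, model, n=2):
    """Claim 7, first step: sequences to analyse are those containing at
    least one parameter that matches the model."""
    return {u: s for u, s in sequences.items() if set(ngrams(s, n)) & model.keys()}


def classify(sequences, model, n=2, threshold=0.6):
    """Claim 7, second step: the matching relationship is the fraction of
    a sequence's n-grams present in the model; at or above threshold the
    sequence is identified as abnormal user operation."""
    flagged = {}
    for u, s in select_candidates(sequences, model, n).items():
        grams = ngrams(s, n)
        if not grams:
            continue
        score = sum(g in model for g in grams) / len(grams)
        if score >= threshold:
            flagged[u] = score
    return flagged


def update_abnormal_users(abnormal_users, flagged):
    """Claim 9: users behind identified abnormal operations join the set."""
    return set(abnormal_users) | set(flagged)


# Constructed sample data (not from the patent): u1 and u2 are known
# abnormal users whose histories show a collect/sell loop.
HISTORIES = {
    "u1": [["login", "collect", "sell", "collect", "sell", "collect", "sell", "logout"]],
    "u2": [["login", "collect", "sell", "collect", "sell", "logout"]],
    "u3": [["login", "chat", "attack", "collect", "chat", "logout"]],
    "u4": [["login", "attack", "attack", "sell", "chat", "logout"]],
    "u5": [["login", "collect", "attack", "chat", "logout"]],
}
ABNORMAL_USERS = {"u1", "u2"}

# New sequences parsed from live traffic, to be screened against the model.
NEW_SEQUENCES = {
    "u6": ["login", "collect", "sell", "collect", "sell", "collect", "sell",
           "collect", "sell", "logout"],
    "u7": ["login", "chat", "collect", "sell", "logout"],   # one ordinary sale
    "u8": ["login", "attack", "chat", "logout"],
}

if __name__ == "__main__":
    model = build_exception_model(HISTORIES, ABNORMAL_USERS)
    print("model:", model)
    print("candidates:", sorted(select_candidates(NEW_SEQUENCES, model)))
    flagged = classify(NEW_SEQUENCES, model)
    print("flagged:", flagged)
    print("abnormal users now:", sorted(update_abnormal_users(ABNORMAL_USERS, flagged)))
```

With this data the model keeps (collect, sell), (sell, collect) and (sell, logout) but drops (login, collect), which normal users also produce; u7 becomes a candidate because it contains one modelled bigram yet falls below the score threshold, while u6 is flagged and joins the abnormal-user set for the next model build.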

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711377442.8A CN108156146B (en) 2017-12-19 2017-12-19 Method and device for identifying abnormal user operation

Publications (2)

Publication Number Publication Date
CN108156146A true CN108156146A (en) 2018-06-12
CN108156146B CN108156146B (en) 2021-07-30

Family

ID=62463945

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711377442.8A Active CN108156146B (en) 2017-12-19 2017-12-19 Method and device for identifying abnormal user operation

Country Status (1)

Country Link
CN (1) CN108156146B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108932434A (en) * 2018-06-20 2018-12-04 中国农业银行股份有限公司 A kind of data ciphering method and device based on machine learning techniques
CN109657148A (en) * 2018-12-24 2019-04-19 北京百度网讯科技有限公司 For abnormal operation recognition methods, device, server and the medium for reporting POI
CN110020687A (en) * 2019-04-10 2019-07-16 北京神州泰岳软件股份有限公司 Abnormal behaviour analysis method and device based on operator's Situation Awareness portrait
CN110071930A (en) * 2019-04-29 2019-07-30 珠海豹好玩科技有限公司 A kind of information processing method and device
CN110189165A (en) * 2019-05-14 2019-08-30 微梦创科网络科技(中国)有限公司 Channel abnormal user and abnormal channel recognition methods and device
CN111382266A (en) * 2018-12-28 2020-07-07 沈阳美行科技有限公司 User portrait generation method, device and equipment
CN112087452A (en) * 2020-09-09 2020-12-15 北京元心科技有限公司 Abnormal behavior detection method and device, electronic equipment and computer storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1389818A (en) * 2002-07-19 2003-01-08 叶昇武 User identity identifying anti-theft system and its identifying method
CN1405718A (en) * 2002-07-19 2003-03-26 叶昇武 User's identity identifying anti-theft system and identifying method
CN1551589A (en) * 2003-04-28 2004-12-01 松下电器产业株式会社 (Matsushita Electric Industrial Co., Ltd.) Service management system, and method, communications unit and integrated circuit for use in such system
CN1649311A (en) * 2005-03-23 2005-08-03 北京首信科技有限公司 Detecting system and method for user behaviour abnormal based on machine study
CN105187242A (en) * 2015-08-20 2015-12-23 中国人民解放军国防科学技术大学 Method for detecting abnormal user behaviours mined on the basis of variable-length sequence mode
CN107454109A (en) * 2017-09-22 2017-12-08 杭州安恒信息技术有限公司 A kind of network based on HTTP flow analyses is stolen secret information behavioral value method

Also Published As

Publication number Publication date
CN108156146B (en) 2021-07-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant