CN108156146B - Method and device for identifying abnormal user operation - Google Patents


Info

Publication number
CN108156146B
Authority
CN
China
Prior art keywords
data
abnormal
user
user operation
application
Prior art date
Legal status
Active
Application number
CN201711377442.8A
Other languages
Chinese (zh)
Other versions
CN108156146A (en)
Inventor
杨磊
焦洋
Current Assignee
Gaeamobile Co ltd
Original Assignee
Gaeamobile Co ltd
Priority date
Filing date
Publication date
Application filed by Gaeamobile Co ltd
Priority to CN201711377442.8A
Publication of CN108156146A
Application granted
Publication of CN108156146B
Legal status: Active
Anticipated expiration

Classifications

    • All classifications fall under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication:
    • H04L63/1425 Network security: detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L41/145 Maintenance, administration or management of data switching networks; network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L47/2441 Traffic control in data switching networks; flow control, congestion control; traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]
    • H04L47/2483 Traffic control in data switching networks; flow control, congestion control; traffic characterised by specific attributes, involving identification of individual flows
    • H04L63/1416 Network security: detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
    • H04L67/1095 Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network; replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L67/131 Network arrangements or protocols for supporting network services or applications; protocols for games, networked simulations or virtual reality
    • H04L67/14 Network arrangements or protocols for supporting network services or applications; session management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention aims to provide a method and a device for identifying abnormal user operation. The ingress and egress traffic data of an application server is parsed to reconstruct one or more user operation sequences, and the user operation sequences are then compared with abnormal operation data and/or normal operation data to identify abnormal user operations and thereby judge whether a user is abnormal. Compared with the prior art, the method and the device use complete user data, without requiring a large volume of application-side logging or data exposure, to analyze detailed and highly complex user behavior efficiently, promptly and accurately, so as to identify abnormal user operations and abnormal users in an application.

Description

Method and device for identifying abnormal user operation
Technical Field
The invention relates to the technical field of networks, in particular to a technology for identifying abnormal user operation.
Background
Currently, whether for applications on the PC or on mobile devices, abnormal users are a constant trouble for application service providers. Abnormal users drive their accounts by abnormal means such as on-hook (auto-play) scripts, so that application service providers lose revenue and the experience of other users suffers.
Taking the game industry as an example, an on-hook script is a program that drives the player's character in the game along a designed route or set of routes. The purposes vary: gaining the most experience in the shortest time so as to reach a very high level, obtaining specific item rewards by participating in certain activities continuously, completing novice tasks automatically, or sending fraudulent messages in chat channels once a certain level is reached.
When some users run on-hook scripts continuously and at scale, a gold-farming studio is formed. Such a studio typically operates as a group, simulating tens or even hundreds of fake players with a large number of terminals or emulators on which specific programs run. The fake players continuously acquire high-value items and high-level game accounts, and economic gain is finally obtained by trading the virtual items.
These behaviors disturb the normal game environment: on the one hand, the presence and participation of fake players interferes with the game experience of normal players; on the other hand, trading virtual items online at abnormal prices and virtual currency at unreasonable rates seriously affects the normal revenue of the game operator.
In the prior art, on-hook scripts are identified manually by the operators of application service providers. For example, a game may be checked by hand by judging whether the price of an item on the online auction house is reasonable, combined with the character name, online duration, activity participation and so on. This method is time-consuming and labor-intensive, and it is difficult to keep on-hook scripts under continuous control.
With the advent of the big data era, many application operators have also begun to identify these undesirable users through machine learning and data mining. A typical method counts a series of basic attributes of each user, such as name, online duration, number of logins, number of IP addresses used, number of devices used and how many characters exist on the same device, and lets a machine learning model identify abnormal users automatically. This relieves operators to some extent, but because it is statistics over macroscopic data (such as the basic attributes of users), it has many disadvantages:
First: identification from macroscopic statistics still carries risk; missed detections and misjudgments always occur.
Second: because each judgment index (such as a different basic attribute of the user) is independent, no single index is very persuasive, and once cheat operators learn which macroscopic indices the application service provider monitors, they can make the users controlled by their scripts show indices that differ little from those of real users; for example, the name, online duration and login count of a fake user and a real user are similar.
Third: machine learning itself lags behind: the on-hook recognition model of each application needs a specialist to fine-tune it, and as the application runs longer, more and more on-hook scripts appear on the market, so the model has to be retrained continuously. Since a certain time is needed to discover a new on-hook script and a longer time to teach the model, timely location of abnormal users is greatly affected.
Fourth: if an on-hook script behaves too much like a real person, the operator of the application service provider may find it hard to discover by manual means, so the operator can neither guide the learning of the machine model nor locate the cheating user.
Disclosure of Invention
The invention aims to provide a method and equipment for identifying abnormal user operation.
According to an embodiment of the present invention, a method for identifying an abnormal user operation is provided, wherein the method comprises the steps of:
acquiring ingress and egress traffic data of an application server;
parsing the ingress and egress traffic data to generate one or more user operation sequences;
comparing the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
Optionally, the step of generating one or more user operation sequences comprises:
parsing the ingress and egress traffic data to generate one or more pieces of user operation information;
and generating one or more user operation sequences according to the user operation information and the order corresponding to the user operation information.
Optionally, the step of parsing the ingress and egress traffic data to generate one or more pieces of user operation information includes:
parsing data transmission related information of each traffic data packet in the ingress and egress traffic data based on a data transmission protocol;
grouping the traffic data packets based on the data transmission related information and ordering the traffic data packets in each group to generate one or more sessions;
and parsing the session according to an application protocol corresponding to an application to generate one or more pieces of user operation information, wherein the application corresponds to the application server.
Optionally, the step of grouping the traffic data packets includes:
grouping the traffic data packets based on the source/destination IP address and port information corresponding to each traffic data packet.
Optionally, the step of ordering the traffic data packets in each group to generate one or more sessions comprises:
determining a continuity relation between the traffic data packets according to the data transmission protocol corresponding to the traffic data packets, in combination with the data transmission related information;
ordering the traffic data packets in each group based on the continuity relation to generate one or more sessions.
Optionally, the method further comprises:
decrypting the traffic data packets in the session according to the key corresponding to the session;
wherein the step of parsing the session to generate one or more pieces of user operation information comprises:
parsing the decrypted session according to the application protocol corresponding to the application to generate one or more pieces of user operation information.
Optionally, the step of identifying abnormal user operation comprises:
determining one or more user operation sequences to be analyzed from the user operation sequences according to a preset abnormal model, wherein at least one parameter in the user operation sequences to be analyzed is matched with at least one piece of abnormal operation data contained in the abnormal model;
and identifying abnormal user operation according to the matching relation between the user operation sequence to be analyzed and the abnormal model.
Optionally, the method further comprises:
determining a plurality of abnormal users;
determining one or more historical operation sequences corresponding to the abnormal user according to the historical operation data corresponding to the abnormal user;
determining one or more abnormal operation data from the historical operation sequence according to the statistical result of the historical operation sequence;
and generating a preset abnormal model according to the abnormal operation data.
Optionally, the method further comprises:
and updating the abnormal user according to the user corresponding to the identified abnormal user operation.
Optionally, the step of acquiring the ingress and egress traffic data of the application server includes:
mirroring the ingress and egress traffic data of the application server and storing the mirrored data in a mirror storage device;
and reading the ingress and egress traffic data from the mirror storage device.
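The following is an added example (not code from the patent or from the assignee) of the claimed pipeline up to the generation of user operation sequences: packets read from a mirror are grouped by client IP and port, each group is ordered by transport sequence number (the continuity relation), and the ordered session is decoded with a toy application protocol into user operation information, one sequence per client. The packet records, the server address 10.0.0.5:7000, the opcode table and all function names are constructed for illustration; the optional decryption step is omitted, since the toy protocol is plaintext.

```python
"""Added example, not code from the patent: reconstruct user operation
sequences from mirrored traffic. Packet records, server address and the toy
application protocol are all constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int        # transport-layer sequence number (the "data transmission related information")
    ts: float       # capture time recorded by the mirror
    payload: bytes


SERVER = ("10.0.0.5", 7000)   # constructed application server endpoint

# Toy application protocol (constructed): newline-terminated "<OPCODE>:<arg>" messages.
OPCODES = {"MOV": "move", "ATK": "attack", "LOOT": "pick_up", "CHAT": "chat", "TRD": "trade"}


def build_sessions(packets):
    """Group client->server packets by (client IP, client port) and order each
    group by sequence number, so packets the mirror delivered out of order are
    put back into transmission order (the 'continuity relation')."""
    groups = defaultdict(list)
    for p in packets:
        if (p.dst_ip, p.dst_port) != SERVER:
            continue                      # server->client replies carry no user operation here
        groups[(p.src_ip, p.src_port)].append(p)
    return {client: sorted(pkts, key=lambda p: p.seq) for client, pkts in groups.items()}


def parse_session(pkts):
    """Decode one ordered session with the application protocol into user
    operation information: (timestamp, operation, argument). A message split
    across two packets is completed by the later packet and takes its time;
    a trailing partial message without newline is left in the buffer."""
    ops, buf = [], b""
    for p in pkts:
        buf += p.payload
        while b"\n" in buf:
            line, _, buf = buf.partition(b"\n")
            code, _, arg = line.decode("ascii").partition(":")
            ops.append((p.ts, OPCODES.get(code, "unknown"), arg))
    return ops


def generate_operation_sequences(packets):
    """Claimed steps end to end: traffic -> sessions -> operation information
    -> one operation sequence per client, in operation order."""
    return {client: parse_session(pkts) for client, pkts in build_sessions(packets).items()}


# Constructed capture: client A's packets arrive out of order, and one message
# ("LOOT:item3") is split across the packets with seq 119 and 121.
PACKETS = [
    Packet("192.0.2.10", 50000, *SERVER, seq=100, ts=1.0, payload=b"MOV:north\nATK:mob7\n"),
    Packet(*SERVER, "192.0.2.10", 50000, seq=9000, ts=1.1, payload=b"OK\n"),
    Packet("192.0.2.10", 50000, *SERVER, seq=121, ts=1.4, payload=b"OT:item3\nMOV:east\n"),
    Packet("192.0.2.10", 50000, *SERVER, seq=119, ts=1.3, payload=b"LO"),
    Packet("192.0.2.20", 50001, *SERVER, seq=500, ts=2.0, payload=b"CHAT:hello\n"),
]

if __name__ == "__main__":
    for client, ops in generate_operation_sequences(PACKETS).items():
        print(client, [op for _, op, _ in ops])
```

Ordering by sequence number rather than by capture time matters for a mirror: a span port or optical tap can deliver packets out of order, and the application-protocol decoder only produces correct operation information once the byte stream is in transmission order. The per-session buffer in `parse_session` is what makes a message split across packets decode as one operation instead of two unknown ones.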
According to another embodiment of the present invention, there is also provided an identification apparatus for identifying an abnormal user operation, wherein the apparatus includes:
a first device for acquiring the ingress and egress traffic data of the application server;
a second device for parsing the ingress and egress traffic data to generate one or more user operation sequences;
third means for comparing the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
Optionally, the second apparatus comprises:
a first unit for parsing the ingress and egress traffic data to generate one or more pieces of user operation information;
and a second unit for generating one or more user operation sequences according to the user operation information and the order corresponding to the user operation information.
Optionally, the first unit is configured to:
analyzing data transmission related information of each flow data packet in the input and output flow data based on a data transmission protocol;
grouping the traffic data packets based on the data transmission related information and ordering the traffic data packets in each group to generate one or more sessions;
and analyzing the session according to an application protocol corresponding to an application to generate one or more pieces of user operation information, wherein the application corresponds to the application server.
Optionally, when grouping the traffic data packets, the first unit is configured to:
group the traffic data packets based on the source/destination IP address and port information corresponding to each traffic data packet.
Optionally, when ordering the traffic data packets in each group to generate one or more sessions, the first unit is configured to:
determine a continuity relation between the traffic data packets according to the data transmission protocol corresponding to the traffic data packets, in combination with the data transmission related information;
order the traffic data packets in each group based on the continuity relation to generate one or more sessions.
Optionally, the third means is for:
determining one or more user operation sequences to be analyzed from the user operation sequences according to a preset abnormal model, wherein at least one parameter in the user operation sequences to be analyzed is matched with at least one piece of abnormal operation data contained in the abnormal model;
and identifying abnormal user operation according to the matching relation between the user operation sequence to be analyzed and the abnormal model.
Optionally, the apparatus further comprises:
fourth means for determining a plurality of anomalous users;
the fifth device is used for determining one or more historical operation sequences corresponding to the abnormal user according to the historical operation data corresponding to the abnormal user;
sixth means for determining one or more abnormal operation data from the historical sequence of operations based on the statistical result for the historical sequence of operations;
seventh means for generating a predetermined abnormal model based on the abnormal operation data.
Optionally, the apparatus further comprises:
and the eighth device is used for updating the abnormal user according to the user corresponding to the identified abnormal user operation.
According to another embodiment of the present invention, there is also provided a computer-readable storage medium, characterized in that the computer-readable storage medium stores computer-readable instructions which, when executed by one or more devices, cause the devices to perform the method as described in any one of the above.
There is also provided, in accordance with another embodiment of the present invention, computer apparatus including:
one or more processors;
a memory for storing one or more computer programs;
the one or more computer programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of the above.
Compared with the prior art, the method and the device parse the ingress and egress traffic data of the application server to reconstruct one or more user operation sequences, and then compare the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations and thereby judge whether a user is abnormal. The invention therefore uses complete user data, without requiring a large volume of application-side logging or data exposure, to analyze detailed and highly complex user behavior efficiently, promptly and accurately, so as to identify abnormal user operations and abnormal users in the application.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments made with reference to the following drawings:
FIG. 1 illustrates a system architecture diagram for identifying abnormal user operation in accordance with a preferred embodiment of the present invention;
FIG. 2 illustrates a schematic diagram of an identification device for identifying abnormal user operation in accordance with an aspect of the present invention;
FIG. 3 is a schematic diagram of an identification device for identifying abnormal user operation in accordance with a preferred embodiment of the present invention;
FIG. 4 illustrates a flow diagram of a method for identifying abnormal user operation in accordance with another aspect of the present invention;
FIG. 5 illustrates a flow diagram of a method for identifying abnormal user operation in accordance with a preferred embodiment of the present invention.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel, concurrently, or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
The "identification device" referred to in the present context as "computer device", also referred to as "computer", refers to an intelligent electronic device capable of executing predetermined processing procedures such as numerical calculation and/or logic calculation by running a predetermined program or instruction, and may include a processor and a memory, wherein the processor executes a pre-stored instruction stored in the memory to execute the predetermined processing procedure, or the processor executes the predetermined processing procedure by hardware such as ASIC, FPGA, DSP, or a combination thereof.
The computer device comprises user equipment and/or network equipment. The user equipment includes, but is not limited to, computers, smart phones, PDAs and the like; the network equipment includes, but is not limited to, a single network server, a server group consisting of a plurality of network servers, or a cloud based on cloud computing and consisting of a large number of computers or network servers, where cloud computing is a form of distributed computing, a super virtual computer made up of a collection of loosely coupled computers. The computer device can operate alone to implement the invention, or can be connected to a network and implement the invention through interoperation with other computer devices in the network. The network in which the computer device is located includes, but is not limited to, the internet, a wide area network, a metropolitan area network, a local area network, a VPN and the like.
Those skilled in the art should understand that, in general, the "identification device" described in the present invention may be only a network device, that is, the network device performs corresponding operations; in a special case, it may also be formed by integrating the user equipment with the network device or the server, that is, the user equipment and the network device cooperate to perform the corresponding operation, for example, the user equipment sends an instruction to the network device to instruct the network device to start to perform the corresponding operation of "identify abnormal user operation".
It should be noted that the user equipment, the network device, the network, etc. are only examples, and other existing or future computer devices or networks may also be included in the scope of the present invention, and are included by reference.
Those skilled in the art will appreciate that the present invention may be used for abnormal user operation identification for any application; preferably, the present invention is applicable to an application capable of performing a large number of different operations in a short time, for example, abnormal user operation recognition of a game application. In game application, a large number of different behaviors are involved, and a user (player) can perform a large number of different operations in a short time to form a complex user operation sequence; in other application scenarios, because the included user operation behavior is simple, it is likely that an obvious distinction degree cannot be formed due to a single behavior type.
The applications include mobile applications as well as non-mobile applications.
Specific structural and functional details disclosed herein are merely representative and are provided for purposes of describing example embodiments of the present invention. The present invention may, however, be embodied in many alternate forms and should not be construed as limited to only the embodiments set forth herein.
It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element may be termed a second element, and, similarly, a second element may be termed a first element, without departing from the scope of example embodiments. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be noted that, in some alternative implementations, the functions/acts noted may occur out of the order noted in the figures. For example, two figures shown in succession may, in fact, be executed substantially concurrently, or the figures may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
The present invention is described in further detail below with reference to the attached drawing figures.
Fig. 1 illustrates a system architecture diagram for identifying abnormal user operation in accordance with a preferred embodiment of the present invention.
The user interacts with the application server through the network to obtain the application service provided by the application server. During this interaction a large amount of access traffic is generated between the user's client and the application server, and the mirror storage device mirrors that access traffic at any point in the network to acquire it. Preferably, the mirror storage device can, according to instructions, interact with one or more specific application servers whose traffic is to be acquired, so as to acquire the traffic data between those application servers and users.
The identification device acquires and parses the traffic data by interacting with the mirror storage device, so as to identify abnormal user operations. The identification device therefore does not need to interact with the application server at all: the whole parsing and generation process is transparent to the application server and does not affect it, so the normal application service is not affected.
FIG. 2 illustrates a schematic diagram of an identification device for identifying abnormal user operation in accordance with an aspect of the present invention; wherein the identification device comprises a first apparatus 1, a second apparatus 2 and a third apparatus 3.
Specifically, the first device 1 obtains the ingress and egress traffic data of the application server; the second device 2 parses the ingress and egress traffic data to generate one or more user operation sequences; the third means 3 compares the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
The first device 1 obtains the ingress and egress traffic data of the application server.
Specifically, the first apparatus 1 directly interacts with the application server to obtain the ingress and egress traffic data between the application server and the user, or the first apparatus 1 interacts with other devices capable of providing the ingress and egress traffic data to obtain the ingress and egress traffic data of the application server provided by the other devices.
Preferably, the first apparatus 1 mirrors and stores the ingress and egress traffic data of the application server into a mirror storage device, and then reads the ingress and egress traffic data from the mirror storage device.
Specifically, the first device 1 mirrors the ingress and egress traffic data of the application server at any point in the network to obtain it and stores it in a mirror storage device; the first apparatus 1 then reads the ingress and egress traffic data from the mirror storage device.
Preferably, the first device 1 may be a set of several devices that separately perform the mirroring of the ingress and egress traffic data and the reading of it; the device performing the mirroring may be an optical splitter (tap) or any other device capable of mirroring. Preferably, the storage mode of the mirror storage device includes, but is not limited to, a distributed file system or a message queue, and the first apparatus 1 may select a mirror storage device with a particular storage mode according to the processing requirements for the ingress and egress traffic data, and store the traffic data there.
The second device 2 parses the incoming and outgoing flow data to generate one or more user operation sequences.
Specifically, the second device 2 groups the ingress and egress traffic data and then parses the traffic data in each group, taking the user operation information parsed from each group as one user operation sequence.
Alternatively, the second device 2 determines the application protocol corresponding to each traffic data packet by parsing each packet of the ingress and egress traffic data according to the data transmission protocol and the application protocol of the application, then parses the traffic data packets of the same protocol to obtain the user operation information of the application, and finally determines one or more user operation sequences corresponding to the ingress and egress traffic data based on the temporal order of the traffic data packets and the association between the corresponding pieces of user operation information.
Alternatively, the second device 2 parses the data transmission related information of each traffic data packet in the ingress and egress traffic data based on a data transmission protocol; then groups the traffic data packets based on the data transmission related information and orders the traffic data packets in each group to generate one or more sessions; then parses each session according to the application protocol corresponding to the application to generate one or more pieces of user operation information of the application; and finally determines one or more user operation sequences corresponding to the ingress and egress traffic data based on the temporal order of the traffic data packets and the association between the corresponding pieces of user operation information.
Here, the application protocol is a protocol specific to the application, such as a game protocol of a game application, a shopping application protocol of a shopping application, and the like. An application may correspond to one or more application protocols, and for example, a game application may include an application protocol "a player sends a flower to another", an application protocol "performs an interactive task", an application protocol "purchases props", and the like.
It will be appreciated by those skilled in the art that the second device 2 may correspond to a plurality of devices forming a distributed cluster for parsing the incoming and outgoing traffic data in a distributed manner.
The third means 3 compares the sequence of user operations with abnormal operation data and/or normal operation data to identify abnormal user operations.
Specifically, the third device 3 compares the generated user operation sequence with abnormal operation data in an abnormal model to determine whether the user operation sequence conforms to the abnormal operation data; if yes, the user operation sequence is judged to be abnormal user operation.
Or, the third device 3 compares the generated user operation sequence with normal operation data in a normal model, and if the user operation sequence conforms to the characteristics of the normal operation data, the user operation sequence is considered to be normal user operation, otherwise, the user operation sequence is considered to be abnormal user operation.
Here, the normal model and the abnormal model may be obtained based on manual labeling, machine learning, and the like, the normal model may include one or more pieces of normal operation data, and the abnormal model may include one or more pieces of abnormal operation data.
The abnormal operation data and/or the normal operation data include, but are not limited to, a single user operation or an operation sequence consisting of a series of single user operations. If a certain operation in the user operation sequence conforms to the single user operation, or all or part of the user operations in the user operation sequence conform to the operation sequence, the user operation sequence is determined to belong to abnormal operation data or normal operation data, respectively.
Preferably, the abnormal operation data and/or the normal operation data only include an operation sequence composed of a plurality of user operations.
Here, the manual labeling is, for example: application operators manually analyze a large amount of user behavior data, and an operation behavior sequence found to be suspicious is used as abnormal operation information in the abnormal model.
The machine learning manner is, for example:
1. analyzing all user behaviors to filter out a batch of frequently occurring network protocols with no obvious distinguishing value, such as a series of mobile-related network protocols;
2. partitioning by using an N-gram algorithm, namely, cutting N continuous behaviors (N is variable, for example, N is 4) into one behavior block;
3. counting all behavior blocks of all users;
4. automatically marking a batch of users as abnormal users by combining machine learning identification based on the basic information (also called macroscopic indexes) of the users;
5. counting the occurrence frequency of each N-gram behavior block among all the behavior blocks, and taking the behavior block with the maximum occurrence frequency as a highly suspicious behavior block;
6. generating abnormal user operation data according to the highly suspicious behavior block.
Therefore, the invention can generate the abnormal model containing the abnormal user operation.
Preferably, the third device 3 determines one or more user operation sequences to be analyzed from the user operation sequences according to a predetermined abnormal model, wherein at least one parameter in the user operation sequences to be analyzed is matched with at least one abnormal operation data contained in the abnormal model; and identifying abnormal user operation according to the matching relation between the user operation sequence to be analyzed and the abnormal model.
Specifically, the third device 3 analyzes and extracts parameters corresponding to the user operation sequence according to a predetermined abnormal model, so as to determine, from the user operation sequence, a user operation sequence in which one or more parameters conform to parameters of abnormal operation data, as the user operation sequence to be analyzed.
Wherein the parameters include, but are not limited to, time parameters (for example, if the abnormal operation data corresponds to a certain time, a user operation sequence of the corresponding time is extracted for analysis), pre-order operation parameters (for example, a login operation is used as a pre-order operation, and one or more operations followed by the login operation are used as a user operation sequence to be analyzed), subsequent operation parameters (for example, if a logout operation is used as a subsequent operation, one or more operations before the logout operation are used as a user operation sequence to be analyzed), specific operation parameters (for example, both the abnormal operation data in the abnormal model and the user operation sequence to be analyzed include a specific call to an API), location parameters (e.g., coordinates that trigger abnormal operation in a certain area, wherein the coordinates include coordinates of a user's map within an application (e.g., game map coordinates) or coordinates of the user's actual geographic location (e.g., coordinates corresponding to a GPS location)), etc.
After the user operation sequence to be analyzed is determined, the user operation sequence to be analyzed is matched against the abnormal model, and if the user operation sequence to be analyzed matches a user operation in the abnormal model, the user operation sequence to be analyzed is identified as abnormal user operation.
Preferably, the identification apparatus further comprises a fourth means (not shown), a fifth means (not shown), a sixth means (not shown), a seventh means (not shown); wherein the fourth means determines a plurality of anomalous users; the fifth device determines one or more historical operation sequences corresponding to the abnormal user according to the historical operation data corresponding to the abnormal user; the sixth device determines one or more abnormal operation data from the historical operation sequence according to the statistical result of the historical operation sequence; the seventh means generates a predetermined abnormal model based on the abnormal operation data.
Specifically, the fourth device determines a plurality of abnormal users by acquiring manual labeling data or according to a machine learning manner. Here, the abnormal user includes, but is not limited to, a user who utilizes a system bug, a user who utilizes a script or a plug-in, and other users who utilize abnormal means, and the like, which negatively affect the application system or other users.
The process of generating the anomaly model will be described below based on the manual labeling and machine learning methods.
The manual labeling method is, for example:
the application operator marks users with suspicious operation behavior sequences as abnormal users through manual analysis of a large amount of user behavior data, and the fourth device acquires the abnormal users thus determined.
The fifth device partitions a plurality of historical operations in the historical operation data according to the historical operation data corresponding to the abnormal user, for example, partitions N historical operations into one operation block, and determines each operation block as one or more historical operation sequences corresponding to the abnormal user.
The sixth device determines one or more abnormal operation data from the historical operation sequences according to the statistical result of the historical operation sequences; for example, if a certain historical operation sequence has a high count in the statistical result and is an abnormal operation sequence, it can be used as abnormal operation data. The seventh means generates a predetermined abnormal model based on the abnormal operation data.
The machine learning manner is, for example:
1. analyzing all user behaviors to filter out a batch of frequently occurring network protocols with no obvious distinguishing value, such as a series of mobile-related network protocols;
2. partitioning by using an N-gram algorithm, namely, cutting N continuous behaviors (N is variable, for example, N is 4) into one behavior block;
3. counting all behavior blocks of all users;
4. automatically labeling a batch of users as abnormal users by combining machine learning identification based on the basic information (also called macro indexes) of the users.
The fifth device then determines one or more historical operation sequences corresponding to the abnormal user according to the historical operation data corresponding to the abnormal user, namely, the behavior blocks corresponding to the abnormal user are used as the historical operation sequences.
The sixth device performs statistics on the historical operation sequences, for example, counting the occurrence frequency of each N-gram behavior block, and takes the historical operation sequence with the largest occurrence frequency as a highly suspicious behavior block; abnormal operation data is then generated according to the highly suspicious behavior block.
Then, the seventh means generates a predetermined abnormal model based on the abnormal operation data. Thus, the present invention is able to generate an abnormal behavior database (i.e., an abnormal model) of abnormal operation data.
Preferably, the identification device further includes an eighth device (not shown), where the eighth device updates the abnormal user according to the user corresponding to the identified abnormal user operation.
Specifically, the eighth device may count a user corresponding to the abnormal user operation, so as to use the user as an abnormal user, and update the abnormal user.
For example, if many behavior blocks of a certain user can be matched as suspicious behavior blocks, the user is considered to be an abnormal user; furthermore, by paying attention to the abnormal user and taking the subsequent behavior of the abnormal user as the training data of the machine learning model, whether other behaviors of the abnormal user belong to highly suspicious behaviors or not can be analyzed. Thus, the loop determination of the abnormal user with abnormal operation data can be realized.
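The machine learning manner described above (steps 1 to 4 plus the frequency statistics of the sixth device) and the eighth device's loop that adds users matching the model back into the abnormal users, as an added example that is not the patent's code: the operation names, the filtered protocols, the user histories and the lift threshold are all constructed assumptions, and the lift check is an addition the patent's steps do not contain.

```python
"""Added example (not the patent's code): the machine-learning manner of building
an abnormal model from N-gram behaviour blocks, plus the eighth device's loop that
adds users matching the model to the abnormal users. All data is constructed."""
from collections import Counter
from typing import Dict, List, Sequence, Set, Tuple

NGram = Tuple[str, ...]

# Step 1: frequent, non-distinguishing protocols to filter out (constructed
# stand-ins for the "mobile-related network protocols" the text mentions).
FILTERED_PROTOCOLS: Set[str] = {"heartbeat", "sync_time"}


def filter_behaviours(ops: Sequence[str], filtered: Set[str] = FILTERED_PROTOCOLS) -> List[str]:
    return [op for op in ops if op not in filtered]


def ngram_blocks(ops: Sequence[str], n: int = 4) -> List[NGram]:
    """Step 2: cut N consecutive behaviours into one behaviour block (sliding window)."""
    cleaned = filter_behaviours(ops)
    return [tuple(cleaned[i:i + n]) for i in range(len(cleaned) - n + 1)]


def count_blocks(histories: Dict[str, Sequence[str]], n: int = 4) -> Dict[str, Counter]:
    """Step 3: count every behaviour block of every user."""
    return {user: Counter(ngram_blocks(ops, n)) for user, ops in histories.items()}


def build_abnormal_model(histories: Dict[str, Sequence[str]], abnormal_users: Set[str],
                         n: int = 4, top_k: int = 1, min_lift: float = 2.0) -> List[NGram]:
    """Steps 5-6: rank the blocks of the labelled abnormal users (step 4 is taken as
    input here: manual labels or the macro-indicator classifier) by occurrence and
    emit the top_k blocks as abnormal operation data. min_lift is an addition not in
    the patent's steps: it drops blocks that are about as common among other users."""
    abnormal_total: Counter = Counter()
    other_total: Counter = Counter()
    for user, counts in count_blocks(histories, n).items():
        (abnormal_total if user in abnormal_users else other_total).update(counts)
    n_abn = sum(abnormal_total.values()) or 1
    n_oth = sum(other_total.values())
    ranked: List[NGram] = []
    for block, cnt in abnormal_total.most_common():
        if other_total:
            # smoothed ratio of the block's share among abnormal vs. other users
            lift = (cnt / n_abn) / ((other_total[block] + 1) / (n_oth + 1))
            if lift < min_lift:
                continue
        ranked.append(block)
        if len(ranked) == top_k:
            break
    return ranked


def update_abnormal_users(histories: Dict[str, Sequence[str]], model: Sequence[NGram],
                          abnormal_users: Set[str], n: int = 4, min_matches: int = 2) -> Set[str]:
    """Eighth device: a user whose history contains the model's blocks at least
    min_matches times is added to the abnormal users, closing the loop."""
    suspicious = set(model)
    updated = set(abnormal_users)
    for user, counts in count_blocks(histories, n).items():
        if sum(c for block, c in counts.items() if block in suspicious) >= min_matches:
            updated.add(user)
    return updated


# Constructed histories: scripted users repeat one fixed login routine,
# normal users vary; "u3" is an unlabelled user running the same script.
SCRIPT_ROUTINE = ["login", "open game configuration", "change display effect",
                  "enter main scene", "heartbeat", "open backpack", "logout"]
HISTORIES: Dict[str, List[str]] = {
    "s1": SCRIPT_ROUTINE * 3,
    "s2": SCRIPT_ROUTINE * 3,
    "n1": ["login", "enter main scene", "heartbeat", "view mail",
           "delete mail", "open backpack", "logout"] * 3,
    "n2": ["login", "enter main scene", "open backpack", "upgrade pet", "logout"] * 3,
    "u3": SCRIPT_ROUTINE * 2,
}
ABNORMAL_USERS = {"s1", "s2"}

if __name__ == "__main__":
    model = build_abnormal_model(HISTORIES, ABNORMAL_USERS)
    print(model)
    print(sorted(update_abnormal_users(HISTORIES, model, ABNORMAL_USERS)))
```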
The following describes a specific process for identifying abnormal user operation and abnormal users by taking a game application as an example:
in the game, the user operation sequence is, for example, a string of information as follows:
"player clicks login game button, player enters main scene of game, player views mail, deletes mail, opens system configuration, changes volume, changes number of characters that can be displayed in scene, player opens backpack, player upgrades his pet, player moves to point a and point B on the road along a path, player enters fighting interface, player uses skill a", etc.
In one process from the login of the game to the closing of the game, hundreds of game behaviors can be generated and sent to the game server. The identification device analyzes the flow data to generate one or more user operation sequences, and then analyzes the user operation sequences.
Here, the division of the user operation sequence may be based on time division, such as every five minutes of user operation as one user operation sequence; the division may also be performed based on the number of user operations, for example, taking every 10 user operations as a user operation sequence; alternatively, the user operation is divided based on a specific operation, such as switching a map, so that an operation before the specific operation and an operation after the specific operation form a user operation sequence, respectively.
Then, the identification device detects whether a behavior string of a specific behavior exists in the one or more user operation sequences, for example, whether the user opens the game configuration and changes the display effect after logging in. If every login of a user is followed by "open game configuration, change display effect", the user may be an abnormal user. This is because a scripted user's operation pattern contains fixed operations that a normal user does not perform in exactly the same way: a normal user does not adjust the settings first thing after opening the game every time, and generally performs such an adjustment only twice or so; only a script user performs the identical operation every time.
Further, some abnormal operations are operations that a normal user never performs. For example, when adding a friend, a normal user clicks the character of another user on the map and selects "add friend" in the pop-up operation window, which completes the process; some scripts instead directly call the network protocol API for adding friends, entering the other user's character ID to add it. Therefore, calling the add-friend network protocol API belongs to abnormal operation, and the user executing that operation is a suspected abnormal user.
Continuing with the above example, the game has launched a "portrait task" activity that requires "finding a user who meets a particular condition on the large map, clicking on his avatar, and taking a portrait of that user" to complete the task. Because most scripts have no image recognition capability, script users cannot recognize the users meeting the task requirements on the large map; in this case, the script works as follows: a large number of friend users are added to the user, each friend meeting one of the special conditions of the portrait task; when the script receives a portrait task, it forms a friend group matching the task's requirement, teleports the friend group to the same position on the map via the group, and then takes the portrait of the friend to complete the task.
For such script operations, it is difficult to recognize them by macro indicators or simple logs in the game. However, by analyzing the user operation sequence, if a certain user has a user operation sequence of "add a large number of friends", "receive a portrait task", "group friends", "teleport on the large map" and "take a portrait", such a suspicious operation combination can be identified, and further, an abnormal user can be identified.
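The matching performed by the third device (selecting sequences to analyze by a pre-order operation parameter, then matching them against abnormal operation data) applied to the game examples just given, as an added example that is not the patent's code: the operation names, the abnormal model, the "login" pre-order operation, the add-friend API operation, the sessions and the 0.8 threshold are all constructed assumptions.

```python
"""Added example (not the patent's code): selecting user operation sequences to
analyse and matching them against abnormal operation data, as the third device
of the patent does. Operation names and the abnormal model are constructed."""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed abnormal model: each entry is an operation sequence that must
# occur in this order (other operations may lie in between) in a sequence under
# analysis. The two entries follow the game examples in the text.
ABNORMAL_MODEL: Dict[str, Tuple[str, ...]] = {
    "scripted_config_after_login": (
        "open game configuration", "change display effect"),
    "portrait_task_group_abuse": (
        "add friend", "receive portrait task", "group friends",
        "teleport on large map", "take portrait"),
}
PRE_ORDER_OPERATION = "login"               # pre-order operation parameter
SPECIFIC_OPERATION = "call add-friend API"  # single operation normal users never perform


def split_by_specific_operation(ops: Sequence[str], boundary: str) -> List[List[str]]:
    """Divide an operation stream into sequences at each boundary operation
    (e.g. switching a map): the boundary starts a new sequence."""
    sequences: List[List[str]] = []
    current: List[str] = []
    for op in ops:
        if op == boundary and current:
            sequences.append(current)
            current = []
        current.append(op)
    if current:
        sequences.append(current)
    return sequences


def is_subsequence(pattern: Sequence[str], ops: Sequence[str]) -> bool:
    """True when every operation in pattern occurs in ops in the same relative order."""
    it = iter(ops)
    return all(any(op == p for op in it) for p in pattern)


def sequences_to_analyse(sequences: Sequence[Sequence[str]],
                         pre_order: str = PRE_ORDER_OPERATION) -> List[List[str]]:
    """Keep only sequences containing the pre-order operation and analyse the
    operations that follow it (time and location parameters are omitted here)."""
    selected: List[List[str]] = []
    for seq in sequences:
        if pre_order in seq:
            selected.append(list(seq[seq.index(pre_order) + 1:]))
    return selected


def match_abnormal(seq: Sequence[str], model: Dict[str, Tuple[str, ...]] = ABNORMAL_MODEL,
                   specific: str = SPECIFIC_OPERATION) -> List[str]:
    """Names of the abnormal operation data the sequence matches (empty = none).
    A match is either a whole operation sequence or a single abnormal operation."""
    hits = [name for name, pattern in model.items() if is_subsequence(pattern, seq)]
    if specific in seq:
        hits.append("specific_api_call")
    return hits


def classify_user(sessions: Sequence[Sequence[str]],
                  threshold: float = 0.8) -> Tuple[bool, Counter]:
    """Flag a user when a share of at least `threshold` of the analysed sequences
    matches the same abnormal operation data: a normal user adjusts settings
    now and then, a script performs the identical operations after every login."""
    analysed = sequences_to_analyse(sessions)
    hits: Counter = Counter()
    for seq in analysed:
        hits.update(match_abnormal(seq))
    abnormal = bool(analysed) and any(
        count / len(analysed) >= threshold for count in hits.values())
    return abnormal, hits


# Constructed login sessions: a scripted user repeats the same configuration
# steps after every login; a normal user does so only once.
SCRIPT_SESSIONS = [["login", "enter main scene", "open game configuration",
                    "change display effect", "open backpack"]] * 5
NORMAL_SESSIONS = [
    ["login", "enter main scene", "view mail", "delete mail"],
    ["login", "open game configuration", "change display effect", "open backpack"],
    ["login", "enter main scene", "open backpack", "upgrade pet"],
    ["login", "enter main scene", "enter fighting interface", "use skill A"],
]

if __name__ == "__main__":
    print(classify_user(SCRIPT_SESSIONS))   # (True, Counter({'scripted_config_after_login': 5}))
    print(classify_user(NORMAL_SESSIONS))   # (False, Counter({'scripted_config_after_login': 1}))
```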
FIG. 3 is a schematic diagram of an identification device for identifying abnormal user operation in accordance with a preferred embodiment of the present invention; wherein the identification device comprises a first apparatus 1, a second apparatus 2 and a third apparatus 3, wherein the second apparatus 2 comprises a two-in-one unit 21 and a two-in-two unit 22.
Specifically, the first device 1 obtains the ingress and egress traffic data of the application server; the two-in-one unit 21 of the second device 2 analyzes the incoming and outgoing flow data to generate one or more pieces of user operation information; the two-in-two unit 22 of the second device 2 generates one or more user operation sequences according to the user operation information and the sequence corresponding to the user operation information; the third means 3 compares the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
The first device 1 and the third device 3 are the same as or similar to the corresponding devices described in fig. 2, and therefore are not described herein again and are included herein by reference.
The two-in-one unit 21 of the second device 2 parses the incoming and outgoing traffic data to generate one or more pieces of user operation information.
Specifically, the two-in-one unit 21 analyzes each traffic data packet of the ingress and egress traffic data based on a data transmission related protocol and the application protocol of the application to determine the application protocol corresponding to each traffic data packet; then, the traffic data packets of the same protocol are analyzed to obtain the user operation information of the application.
Or, the two-in-one unit 21 analyzes the data transmission related information of each traffic data packet in the ingress and egress traffic data based on a data transmission protocol; then groups the traffic data packets based on the data transmission related information and sequences the traffic data packets in each group to generate one or more sessions; and finally analyzes the sessions according to the application protocol corresponding to the application to generate one or more pieces of user operation information of the application.
The two-in-two unit 22 of the second device 2 generates one or more user operation sequences according to the user operation information and the sequence corresponding to the user operation information.
Specifically, in either of the parsing alternatives above, the two-in-two unit 22 determines one or more user operation sequences corresponding to the ingress and egress traffic data based on the time sequence relationship between the traffic data packets and the association relationship between the user operation information corresponding to each traffic data packet.
Preferably, the two-in-one unit 21 is configured to parse out data transmission related information of each traffic data packet in the ingress and egress traffic data based on a data transmission protocol; grouping the traffic data packets based on the data transmission related information and ordering the traffic data packets in each group to generate one or more sessions; and analyzing the session according to an application protocol corresponding to an application to generate one or more pieces of user operation information, wherein the application corresponds to the application server.
Specifically, the two-in-one unit 21 reads the ingress and egress traffic data from the first apparatus 1 or from the mirror storage device, by interacting with the first apparatus 1 or directly with the mirror storage device; then, the two-in-one unit 21 analyzes each traffic data packet in the ingress and egress traffic data according to the data transmission protocol adopted by the application server to obtain the data transmission related information.
When the two-in-one unit 21 reads each piece of ingress and egress traffic data, each piece is a binary data array; the two-in-one unit 21 then parses the binary data array, first of all according to the data transmission protocol, to recover, for example, the Ethernet header, the IP header, the TCP/UDP header and the transmitted data portion following the headers. Then, the two-in-one unit 21 further analyzes this information to obtain the data transmission related information.
The data transmission related information includes, but is not limited to, a sending IP and a port corresponding to each traffic packet, a receiving IP and a port, SEQ, ACK, packet size, flags, offset, a transmitted data portion (i.e., specific application content that needs to be analyzed later), and the like. Here, as will be understood by those skilled in the art, the data transmission related information is different according to different types of traffic packets, such as TCP packets or UDP packets. For example, data transmission related information of a TCP traffic packet may include a sending IP and port, a receiving IP and port, SEQ, ACK, packet size, transmitted data portion, etc.; the data transmission related information of the UDP traffic packet may include a sending IP and port, a receiving IP and port, flags, a segment offset, a transmitted data portion, and the like.
Then, the two-in-one unit 21 groups the traffic data packets based on one or more of the data transmission related information; here, the grouping method includes, but is not limited to:
mode 1. grouping is performed based on the sending IP and the receiving IP corresponding to the traffic data packet. For example, if the sending IP and the receiving IP of two traffic data packets are consistent, the two traffic data packets are divided into a group; or, if the sending IP of the first traffic data packet is consistent with the receiving IP of the second traffic data packet and the sending IP of the second traffic data packet is consistent with the receiving IP of the first traffic data packet, dividing the first traffic data packet and the second traffic data packet into a group. The above operations may be performed in a looping manner, for example, if the transmission IP of the second traffic packet is consistent with the reception IP of the third traffic packet and the transmission IP of the third traffic packet is consistent with the reception IP of the second traffic packet, the third traffic packet is divided into the packets corresponding to the first and second packets, so that the division of the multiple traffic packets having the corresponding IPs is completed.
Mode 2. preferably, the traffic data packets are grouped based on the transmitted/received IP and port information corresponding to the traffic data packets, that is, if the transmitted/received IP and port information of two traffic data packets correspond to each other, the two traffic data packets are divided into one group. For example, if the sending IP/sending port and the receiving IP/receiving port of two traffic data packets are consistent, the two traffic data packets are divided into a group; or, if the transmitting IP/transmitting port of the first traffic data packet is consistent with the receiving IP/receiving port of the second traffic data packet and the transmitting IP/transmitting port of the second traffic data packet is consistent with the receiving IP/receiving port of the first traffic data packet, dividing the first traffic data packet and the second traffic data packet into a group. Likewise, the above operations may be performed in a loop.
Mode 3. grouping based on the continuity of the traffic data packets. For example, two TCP traffic packets may be grouped based on their SEQ, ACK and packet sizes: if the sender's SEQ + packet size equals the receiver's ACK and the sender's ACK equals the receiver's SEQ, the two traffic packets satisfy continuity and may be divided into a group; similarly, two UDP traffic packets may be grouped based on a default ordering or based on the flags and fragment offsets in the packet header, etc.
Those skilled in the art will appreciate that the above grouping method can be performed alone or in combination to further optimize the efficiency and effect of grouping. For example, only mode 1, mode 2, or mode 3 may be performed alone, thereby performing only grouping; alternatively, mode 1 may be combined with mode 3, or mode 1 may be combined with mode 2, to optimize the efficiency of the grouping while completing the grouping + continuity determination, thereby further completing the ordering.
After the grouping of the traffic data packets is completed, the two-in-one unit 21 sorts all the traffic data packets in each group in time order, so as to generate one or more sessions from the sorted traffic data packets. A session may be a short session or a long back-and-forth session; for example, in a game application the sessions are mostly long back-and-forth sessions, that is, one message session stream contains a large number of back-and-forth messages and can last for tens of minutes or even longer; in a general application such as a shopping application, the sessions are mostly short sessions, that is, a message session flow contains only a small number of back-and-forth messages.
Here, if the traffic data packet includes time information, the traffic data packet may be sequentially sorted according to the time information.
If the traffic data packet does not contain time information, the continuous relationship between the traffic data packets can be judged according to a data transmission protocol corresponding to the traffic data packet and by combining the data transmission related information; ordering the traffic packets in each packet based on the continuity relation to generate one or more sessions.
For example, if the traffic data packet is a TCP packet, the continuity relationship may be determined according to the SEQ, ACK, and the size of the traffic data packet, that is, the size of the SEQ + data packet of the sender is equal to the ACK of the receiver and the ACK of the sender is equal to the SEQ of the receiver, which proves that the two traffic data packets satisfy continuity; if the traffic data packet is a UDP packet, the analysis may be directly performed according to a relationship between a flag and a segment offset (fragment offset) in a header (header) of the traffic data packet.
It will be appreciated by those skilled in the art that the ordering may be based on the above method even if the traffic packets contain time information, so that the time information in the traffic packets need not be used.
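Mode 2 grouping and the TCP continuity ordering of mode 3 (used when packets carry no time information), as an added example that is not the patent's code: the addresses, ports, sequence numbers and payloads are constructed, the Packet record stands in for the data transmission related information, and the same-direction continuity case is an addition beyond the rule stated in the text.

```python
"""Added example (not the patent's code): grouping captured TCP packets into
bidirectional flows (mode 2) and ordering each group by SEQ/ACK continuity
(mode 3) when no timestamps are available. Addresses and payloads are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


@dataclass(frozen=True)
class Packet:
    """Data transmission related information of one TCP traffic packet."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    payload: bytes

    @property
    def size(self) -> int:          # transmitted data portion in bytes
        return len(self.payload)


def flow_key(p: Packet) -> FlowKey:
    """Mode 2: one key for both directions of a conversation (sorted endpoints)."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return (a, b) if a <= b else (b, a)


def group_packets(packets: Sequence[Packet]) -> Dict[FlowKey, List[Packet]]:
    groups: Dict[FlowKey, List[Packet]] = {}
    for p in packets:
        groups.setdefault(flow_key(p), []).append(p)
    return groups


def is_continuous(first: Packet, second: Packet) -> bool:
    """Mode 3 continuity: for a reply in the opposite direction the text's rule is
    sender.SEQ + size == receiver.ACK and sender.ACK == receiver.SEQ. The same-
    direction case (one side sending twice in a row) is an addition."""
    if (first.src_ip, first.src_port) == (second.src_ip, second.src_port):
        return second.seq == first.seq + first.size and second.ack == first.ack
    return first.seq + first.size == second.ack and first.ack == second.seq


def order_by_continuity(group: Sequence[Packet]) -> List[Packet]:
    """Rebuild the session order: start from the one packet nothing precedes, then
    follow the unique continuous successor. Packet loss, a retransmitted duplicate
    or a missing start leave no unique chain and raise ValueError."""
    remaining = list(group)
    starts = [p for p in remaining
              if not any(is_continuous(q, p) for q in remaining if q is not p)]
    if len(starts) != 1:
        raise ValueError("no unique session start: %d candidates" % len(starts))
    ordered = [starts[0]]
    remaining = [p for p in remaining if p is not starts[0]]
    while remaining:
        nxt = [p for p in remaining if is_continuous(ordered[-1], p)]
        if len(nxt) != 1:
            raise ValueError("broken or ambiguous continuity after seq=%d" % ordered[-1].seq)
        ordered.append(nxt[0])
        remaining = [p for p in remaining if p is not nxt[0]]
    return ordered


def build_sessions(packets: Sequence[Packet]) -> Dict[FlowKey, List[Packet]]:
    """Group, then order each group: one ordered packet list per session."""
    return {key: order_by_continuity(grp) for key, grp in group_packets(packets).items()}


def reassemble(session: Sequence[Packet]) -> Dict[str, bytes]:
    """Concatenate the transmitted data portion per direction, ready for
    application-protocol parsing."""
    streams: Dict[str, bytes] = {}
    for p in session:
        direction = "%s:%d->%s:%d" % (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        streams[direction] = streams.get(direction, b"") + p.payload
    return streams


# Constructed capture, deliberately out of order: a request/reply session between
# client 10.0.0.2:5000 and server 10.0.0.1:8000 plus one packet of another flow.
P1 = Packet("10.0.0.2", 5000, "10.0.0.1", 8000, seq=100, ack=500, payload=b"LOGIN alic")
P2 = Packet("10.0.0.1", 8000, "10.0.0.2", 5000, seq=500, ack=110, payload=b"OK")
P3 = Packet("10.0.0.2", 5000, "10.0.0.1", 8000, seq=110, ack=502, payload=b"MAIL")
P4 = Packet("10.0.0.1", 8000, "10.0.0.2", 5000, seq=502, ack=114, payload=b"MAIL-LIST")
Q1 = Packet("10.0.0.3", 6000, "10.0.0.1", 8000, seq=1, ack=1, payload=b"HB")
PACKETS = [P3, Q1, P1, P4, P2]

if __name__ == "__main__":
    for key, session in build_sessions(PACKETS).items():
        print(key, reassemble(session))
```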
An example of a segment of consecutive traffic packets is given in Table 1 (data transmission related information of consecutive flow data packets; Size means packet size), which is shown as an image in the original.
Next, the two-in-one unit 21 analyzes the generated session according to the application protocol corresponding to the application, where the application protocol is a protocol specific to the application, such as a game protocol of a game application, a shopping application protocol of a shopping application, and the like.
The session content is parsed and restored according to the application protocol so as to generate the application content corresponding to the session; the application content serves as the application data of the application, and the user operation information is extracted from it. The application data is the data restored in the sense of the application, for example, game operation data in a game, shopping data in a shopping application, and the like.
Those skilled in the art will appreciate that if the traffic packet is not encrypted, the session may be parsed directly to generate the application data; if the traffic data packet is encrypted, the traffic data packet in the session can be decrypted and then a common analysis operation is performed to generate the application data.
Preferably, the identification device further includes a ninth device (not shown), where the ninth device decrypts the traffic data packet in the session according to the key corresponding to the session; the two-in-one unit 21 analyzes the decrypted session according to the application protocol corresponding to the application to generate one or more pieces of user operation information.
Specifically, the ninth apparatus determines the key and the decryption method according to the applied encryption mode; here, the key may be a fixed key or a dynamic key, and the key may be obtained by, but not limited to, directly obtaining a key corresponding to the application, or determining the key and/or encryption manner by analyzing the first several frames of data of the session or the traffic data of the application server.
It will be appreciated by those skilled in the art that any method capable of decrypting the traffic packets is suitable for use with the present invention.
After the ninth device decrypts the traffic data packets based on the key, the two-in-one unit 21 obtains the decrypted session, analyzes the decrypted session based on the application protocol corresponding to the application to generate the application data, and extracts the user operation information from the application data. Here, the parsing method differs according to the encoding information of the application (for example, its serialization format).
For example, if the application protocol (or game protocol) of the game application is Protobuf and the encryption is performed by using a fixed key, the ninth device decrypts the traffic packet based on the corresponding key, and then parses the session based on the format of Protobuf.
FIG. 4 illustrates a flow diagram of a method for identifying abnormal user operation in accordance with another aspect of the subject invention.
Specifically, in step S1, the identification device obtains the ingress and egress traffic data of the application server; in step S2, the identification device parses the ingress and egress traffic data to generate one or more user operation sequences; in step S3, the identification device compares the sequence of user operations with abnormal operation data and/or normal operation data to identify abnormal user operations.
In step S1, the identification device obtains the ingress and egress traffic data of the application server.
Specifically, in step S1, the identification device obtains the ingress and egress traffic data between the application server and the user by directly interacting with the application server, or in step S1, the identification device obtains the ingress and egress traffic data of the application server provided by other devices by interacting with the other devices capable of providing the ingress and egress traffic data.
Preferably, in step S1, the identification device mirrors and stores the ingress and egress traffic data of the application server into a mirror storage device, and then reads the ingress and egress traffic data from the mirror storage device.
Specifically, in step S1, the identifying device mirrors the incoming and outgoing traffic data of the application server at any point in the network to obtain the incoming and outgoing traffic data and store the incoming and outgoing traffic data in a mirrored storage device; then, the identification device reads the ingress and egress traffic data from the mirror storage device.
Preferably, the storage mode of the mirror storage device includes, but is not limited to, a distributed file system or a message queue, and the identification device may select a mirror storage device with a specific storage mode to perform storage of the incoming and outgoing traffic data based on a processing requirement of the incoming and outgoing traffic data.
In step S2, the identification device parses the incoming and outgoing flow data to generate one or more sequences of user operations.
Specifically, in step S2, the identification device groups the ingress and egress traffic data, and then parses the ingress and egress traffic data in each group, thereby treating each group of parsed user operation information as a user operation sequence.
Or, in step S2, the identification device determines the application protocol corresponding to each traffic data packet by parsing each traffic data packet of the ingress and egress traffic data based on a data transmission related protocol and the application protocol of the application, and then parses the traffic data packets of the same protocol to obtain the user operation information of the application; then, one or more user operation sequences corresponding to the ingress and egress traffic data are determined based on the time sequence relation between the traffic data packets and the association relation between the corresponding user operation information.
Alternatively, in step S2, the identification device analyzes the data transmission related information of each traffic data packet in the ingress and egress traffic data based on a data transmission protocol; then groups the traffic data packets based on the data transmission related information and sequences the traffic data packets in each group to generate one or more sessions; finally analyzes the sessions according to the application protocol corresponding to the application to generate one or more pieces of user operation information of the application; and then determines one or more user operation sequences corresponding to the ingress and egress traffic data based on the time sequence relation between the traffic data packets and the association relation between the corresponding user operation information.
Here, the application protocol is a protocol specific to the application, such as a game protocol of a game application, a shopping application protocol of a shopping application, and the like. An application may correspond to one or more application protocols, and for example, a game application may include an application protocol "a player sends a flower to another", an application protocol "performs an interactive task", an application protocol "purchases props", and the like.
In step S3, the identification device compares the sequence of user operations with abnormal operation data and/or normal operation data to identify abnormal user operations.
Specifically, in step S3, the identification device compares the generated user operation sequence with abnormal operation data in an abnormal model to determine whether the user operation sequence conforms to the abnormal operation data; if yes, the user operation sequence is judged to be abnormal user operation.
Or, in step S3, the identification device compares the generated user operation sequence with normal operation data in a normal model, and if the user operation sequence conforms to the characteristics of the normal operation data, the user operation sequence is considered to be a normal user operation, otherwise, the user operation sequence is considered to be an abnormal user operation.
Here, the normal model and the abnormal model may be obtained based on manual labeling, machine learning, and the like, the normal model may include one or more pieces of normal operation data, and the abnormal model may include one or more pieces of abnormal operation data.
The abnormal operation data and/or the normal operation data include, but are not limited to, a single user operation or an operation sequence consisting of a series of single user operations. If some operation in the user operation sequence conforms to such a single user operation, or all or part of the user operation sequence conforms to such an operation sequence, the user operation sequence is determined to conform to the abnormal operation data or the normal operation data, respectively.
Preferably, the abnormal operation data and/or the normal operation data only include an operation sequence composed of a plurality of user operations.
Here, manual labeling means, for example, that application operators manually analyze a large amount of user behavior data and record the suspicious operation behavior sequences they find as abnormal operation data in the abnormal model.
The machine learning manner is, for example:
1. analyze all user behaviors and filter out the batch of frequently occurring network protocol messages that carry little distinguishing information, such as a series of mobile-related network protocols;
2. partition the remaining behaviors with an N-gram algorithm, that is, cut every N consecutive behaviors (N is variable, for example N = 4) into one behavior block;
3. count the occurrences of all behavior blocks of all users;
4. automatically label a batch of users as abnormal users by combining machine-learning classification of the users' basic information (also called macro indicators);
5. count how often each N-gram behavior block occurs among the behavior blocks of those abnormal users, and take the behavior block with the highest frequency as a highly suspicious behavior block;
6. generate abnormal user operation data from the highly suspicious behavior block.
In this way, the invention can generate the abnormal model containing the abnormal user operations.
Preferably, in step S3, the identification device determines one or more user operation sequences to be analyzed from the user operation sequences according to a predetermined abnormal model, wherein at least one parameter in the user operation sequences to be analyzed matches with at least one abnormal operation data included in the abnormal model; and identifying abnormal user operation according to the matching relation between the user operation sequence to be analyzed and the abnormal model.
Specifically, in step S3, the identification device extracts, according to the predetermined abnormal model, the parameters of each user operation sequence, and selects from the user operation sequences those in which one or more parameters conform to the parameters of some abnormal operation data, as the user operation sequences to be analyzed.
The parameters include, but are not limited to, the following. Time parameters: for example, if the abnormal operation data corresponds to a certain time, the user operation sequences of that time are extracted for analysis. Pre-order operation parameters: for example, a login operation is the pre-order operation, and the one or more operations that follow the login are taken as the user operation sequence to be analyzed. Subsequent operation parameters: for example, a logout operation is the subsequent operation, and the one or more operations before the logout are taken as the user operation sequence to be analyzed. Specific operation parameters: for example, both the abnormal operation data in the abnormal model and the user operation sequence to be analyzed include a specific API call. Location parameters: for example, coordinates at which abnormal operations are triggered in a certain area, where the coordinates may be coordinates on a map within the application (for example, game map coordinates) or the user's actual geographic location (for example, GPS coordinates).
After the user operation sequences to be analyzed are determined, they are matched against the abnormal model; if a user operation sequence to be analyzed matches user operations in the abnormal model, it is identified as an abnormal user operation.
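The parameter-driven selection and matching described above, as an added example in Python; this is an illustration written for this page, not the patent's own code. The model entries, their window sizes, the operation names and the two sample sequences are constructed, and the "ordered subsequence" matching rule (other operations may sit between the matched ones) is an assumption about how "conforms to" is evaluated.

```python
"""Select the user operation sequences to analyse by the parameters of the
abnormal model and match them against it (step S3 as described above).

Added illustration, not the patent's own code. The model entries, operation
names, window sizes and the sample sequences are constructed.
"""
from typing import Dict, List, Sequence, Tuple

Ops = Sequence[str]

# One abnormal operation data entry = an operation sequence plus the parameter
# that selects which part of a user operation sequence it is compared with.
ABNORMAL_MODEL: List[Dict] = [
    # pre-order operation parameter: the operations right after each login
    {"name": "reconfigure_after_login", "pre_op": "login", "window": 3,
     "ops": ("open_config", "change_display")},
    # specific operation parameter: a direct protocol API call no normal client sends
    {"name": "direct_add_friend_api", "specific_op": "call_add_friend_api",
     "ops": ("call_add_friend_api",)},
    # subsequent operation parameter: what happened just before a task was completed
    {"name": "scripted_portrait_task", "post_op": "complete_task", "window": 6,
     "ops": ("receive_portrait_task", "group_friends", "teleport", "portrait")},
]


def candidates(seq: Ops, entry: Dict) -> List[Tuple[int, Ops]]:
    """Return (offset, sub-sequence) pairs of seq selected by the entry's parameter."""
    window = entry.get("window", len(seq))
    found: List[Tuple[int, Ops]] = []
    if "pre_op" in entry:                       # operations following the pre-order op
        for i, op in enumerate(seq):
            if op == entry["pre_op"]:
                found.append((i + 1, seq[i + 1:i + 1 + window]))
    elif "post_op" in entry:                    # operations preceding the subsequent op
        for i, op in enumerate(seq):
            if op == entry["post_op"]:
                start = max(0, i - window)
                found.append((start, seq[start:i]))
    elif "specific_op" in entry:                # whole sequence, if it contains the op
        if entry["specific_op"] in seq:
            found.append((0, seq))
    return found


def is_ordered_subsequence(pattern: Ops, ops: Ops) -> bool:
    """True when every operation of pattern appears in ops in that order;
    other operations may sit in between (the friend-group case interleaves)."""
    it = iter(ops)
    return all(any(p == o for o in it) for p in pattern)


def identify_abnormal(seq: Ops, model: List[Dict] = ABNORMAL_MODEL) -> List[Dict]:
    """One hit per matched model entry, with where in seq the match starts."""
    hits = []
    for entry in model:
        for offset, part in candidates(seq, entry):
            if is_ordered_subsequence(entry["ops"], part):
                hits.append({"name": entry["name"], "offset": offset})
                break
    return hits


# Constructed sequences: one from a scripted client, one from an ordinary player.
SCRIPT_SEQUENCE = ["login", "open_config", "change_display", "main_scene",
                   "add_friend", "add_friend", "receive_portrait_task", "group_friends",
                   "teleport", "portrait", "complete_task", "call_add_friend_api", "logout"]
NORMAL_SEQUENCE = ["login", "main_scene", "view_mail", "delete_mail",
                   "open_config", "change_volume", "logout"]

if __name__ == "__main__":
    print(identify_abnormal(SCRIPT_SEQUENCE))   # three hits
    print(identify_abnormal(NORMAL_SEQUENCE))   # []
```

A single "open_config, change_display" right after one login is weak evidence on its own (a normal player adjusts settings occasionally); the pre-order entry becomes convincing only when the same prefix follows every login of the user, which is a cross-session check rather than a single-sequence match.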
Preferably, the method further includes step S4 (not shown), step S5 (not shown), step S6 (not shown), step S7 (not shown); wherein, in step S4, the identification device determines a plurality of abnormal users; in step S5, the identification device determines one or more historical operation sequences corresponding to the abnormal user according to the historical operation data corresponding to the abnormal user; in step S6, the identification device determines one or more abnormal operation data from the historical operation sequence according to the statistical result of the historical operation sequence; in step S7, the identification device generates a predetermined abnormal model from the abnormal operation data.
Specifically, in step S4, the identification device determines a plurality of abnormal users by acquiring manual labeling data or according to a machine learning manner. Here, the abnormal user includes, but is not limited to, a user who utilizes a system bug, a user who utilizes a script or a plug-in, and other users who utilize abnormal means, and the like, which negatively affect the application system or other users.
The process of generating the anomaly model will be described below based on the manual labeling and machine learning methods.
The manual labeling method includes, for example:
The application operator marks users with suspicious operation behavior sequences as abnormal users after manual analysis of a large amount of user behavior data, and the identification device acquires the abnormal users so determined.
In step S5, the identification device divides the historical operations in the historical operation data corresponding to the abnormal user into blocks, for example every N historical operations form one operation block, and each operation block is taken as a historical operation sequence corresponding to the abnormal user.
In step S6, the identification device determines one or more abnormal operation data from the historical operation sequences according to statistics on them; for example, if a certain historical operation sequence occurs frequently among the abnormal users and is an abnormal operation sequence, it may be taken as abnormal operation data. In step S7, the identification device generates the predetermined abnormal model from the abnormal operation data.
The machine learning manner is, for example:
1. analyze all user behaviors and filter out the batch of frequently occurring network protocol messages that carry little distinguishing information, such as a series of mobile-related network protocols;
2. partition the remaining behaviors with an N-gram algorithm, that is, cut every N consecutive behaviors (N is variable, for example N = 4) into one behavior block;
3. count the occurrences of all behavior blocks of all users;
4. automatically label a batch of users as abnormal users by combining machine-learning classification of the users' basic information (also called macro indicators).
In step S5, the identification device determines one or more historical operation sequences corresponding to each abnormal user according to that user's historical operation data; that is, the behavior blocks of the abnormal user are taken as its historical operation sequences.
In step S6, the identification device computes statistics on the historical operation sequences, for example the number of occurrences of each N-gram behavior block, takes the historical operation sequence with the largest number of occurrences as a highly suspicious behavior block, and generates abnormal operation data from it.
Then, in step S7, the identification device generates the predetermined abnormal model from the abnormal operation data. Thus the invention is able to generate an abnormal behavior database (that is, the abnormal model) of abnormal operation data.
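The N-gram procedure above (the numbered machine-learning steps, listed twice in this description, and steps S5 to S7) as one added example in Python; it is an illustration written for this page, not the patent's own code. The operation histories, the list of indistinct protocol messages and the abnormal-user labels are constructed. Two checks are my additions rather than the patent's: a block must come from at least `min_users` labelled abnormal users, and it must occur more often among abnormal users than among everyone else, so a block every player produces cannot top the model. The `suspicious_ratio` helper sketches the step S8 loop in which users whose blocks match the model become the next round's abnormal users.

```python
"""Build an abnormal model from N-gram behaviour blocks of labelled abnormal users.

Added illustration of the machine-learning steps and S5 to S7 above; it is not
the patent's own code. The operation histories, the filter list and the labels
are constructed sample data; the min_users and lift checks are my additions.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Block = Tuple[str, ...]

# Step 1 (constructed list): protocol messages that occur constantly and carry
# little distinguishing information, dropped before blocking.
INDISTINCT_PROTOCOLS = {"move", "heartbeat"}


def filter_behaviors(ops: Iterable[str]) -> List[str]:
    """Step 1: remove frequently occurring, non-distinguishing protocol messages."""
    return [op for op in ops if op not in INDISTINCT_PROTOCOLS]


def ngram_blocks(ops: List[str], n: int = 4) -> List[Block]:
    """Step 2: cut every N consecutive behaviours into one behaviour block
    (sliding window, so a block starts at each operation)."""
    return [tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)]


def count_blocks(histories: Dict[str, List[str]], n: int = 4) -> Dict[str, Counter]:
    """Step 3 / S5: per-user counts of every behaviour block in the user's history."""
    return {user: Counter(ngram_blocks(filter_behaviors(ops), n))
            for user, ops in histories.items()}


def build_abnormal_model(histories: Dict[str, List[str]], abnormal_users: Set[str],
                         n: int = 4, top: int = 3, min_users: int = 2) -> List[Block]:
    """Steps 5-6 / S6-S7: rank behaviour blocks by how often they occur in the
    histories of the labelled abnormal users (step 4 / S4 supplies the labels).

    Assumed extra checks: a block must come from at least min_users abnormal
    users, and it must occur more often among abnormal users than among the
    other users (a plain lift test), otherwise a routine block such as
    login -> main scene would dominate the model.
    """
    per_user = count_blocks(histories, n)
    abnormal_total: Counter = Counter()
    other_total: Counter = Counter()
    users_with: Counter = Counter()
    for user, counts in per_user.items():
        if user in abnormal_users:
            abnormal_total.update(counts)
            users_with.update(counts.keys())   # each block counted once per user
        else:
            other_total.update(counts)
    ranked = [block for block, c in abnormal_total.most_common()
              if users_with[block] >= min_users and c > other_total[block]]
    return ranked[:top]


def suspicious_ratio(ops: List[str], model: List[Block], n: int = 4) -> float:
    """Step S8: share of a user's behaviour blocks that match the model. A user
    whose blocks mostly match can be added to the abnormal users for the next
    round of model building (the loop described above)."""
    blocks = ngram_blocks(filter_behaviors(ops), n)
    if not blocks:
        return 0.0
    model_set = set(model)
    return sum(1 for b in blocks if b in model_set) / len(blocks)


# Constructed histories: two script users repeat a fixed routine, two normal users do not.
HISTORIES = {
    "script_1": ["login", "open_config", "change_display", "open_backpack", "logout",
                 "login", "open_config", "change_display", "move", "open_backpack",
                 "call_add_friend_api", "logout"],
    "script_2": ["login", "open_config", "change_display", "heartbeat", "open_backpack",
                 "call_add_friend_api", "logout"],
    "normal_1": ["login", "main_scene", "view_mail", "delete_mail", "move",
                 "open_backpack", "logout"],
    "normal_2": ["login", "main_scene", "open_backpack", "move", "upgrade_pet", "logout"],
}
LABELLED_ABNORMAL = {"script_1", "script_2"}

if __name__ == "__main__":
    for block in build_abnormal_model(HISTORIES, LABELLED_ABNORMAL):
        print(" -> ".join(block))
```

Note that the blocks are taken over a user's whole history, so a block can span a logout and the next login; if that is unwanted, apply `ngram_blocks` per session instead.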
Preferably, the method further includes step S8 (not shown), wherein in step S8, the identification device updates the abnormal user according to the user corresponding to the identified abnormal user operation.
Specifically, in step S8, the identification device may count the users corresponding to the identified abnormal user operations, regard those users as abnormal users, and update the set of abnormal users accordingly.
For example, if many behavior blocks of a certain user match suspicious behavior blocks, the user is regarded as an abnormal user; further, by monitoring the abnormal user and using that user's subsequent behavior as training data for the machine learning model, it can be analyzed whether other behaviors of the abnormal user are also highly suspicious. In this way, a closed loop between abnormal users and abnormal operation data is realized.
The following describes a specific process for identifying abnormal user operation and abnormal users by taking a game application as an example:
In the game, a user operation sequence is, for example, a string of information such as:
"player clicks the login button, player enters the main scene of the game, player views mail, deletes mail, opens the system configuration, changes the volume, changes the number of characters displayed in the scene, player opens the backpack, player upgrades a pet, player moves along a path to point A and point B, player enters the fighting interface, player uses skill A", and so on.
In one process from the login of the game to the closing of the game, hundreds of game behaviors can be generated and sent to the game server. The identification device analyzes the flow data to generate one or more user operation sequences, and then analyzes the user operation sequences.
Here, the division of the user operation sequence may be based on time division, such as every five minutes of user operation as one user operation sequence; the division may also be performed based on the number of user operations, for example, taking every 10 user operations as a user operation sequence; alternatively, the user operation is divided based on a specific operation, such as switching a map, so that an operation before the specific operation and an operation after the specific operation form a user operation sequence, respectively.
Then, the identification device detects whether a behavior string of specific behaviors exists in the one or more user operation sequences, for example whether the user opens the game configuration and changes the display effect after logging in. If every login of a user is followed by "open game configuration, change display effect", the user may be an abnormal user. A scripted user performs certain fixed operations that differ from a normal user's pattern: a normal user does not adjust the configuration every time the game is opened and generally does so only once or twice, whereas only a script performs exactly the same operations every time.
Further, some abnormal operations are ones that a normal user never performs. For example, to add a friend, a normal user clicks the role of another user on the map and selects "add friend" in the pop-up window; some scripts instead call the "add friend" network protocol API directly, entering the other user's role ID. Calling the add-friend network protocol API directly is therefore an abnormal operation, and a user who performs it is a suspicious abnormal user.
Continuing with the above example, the game has launched a "portrait task" activity that requires "finding a user meeting a particular condition on the large map, clicking on his avatar and taking a portrait of him" to complete the task. Because most scripts lack image recognition, a scripted user cannot find users meeting the task requirements on the large map; instead, the script adds a large number of friends to the user, each meeting one of the special conditions of the portrait task. When the script receives a portrait task, it forms a friend group matching the task, teleports the group to the same position on the map through the group function, and then takes the portraits to complete the task.
For such script operations, it is difficult to recognize them by macro indicators or simple in-game logs. By analyzing the user's operation sequence, however, a combination such as "add a large number of friends", "receive portrait task", "group friends", "teleport on the large map", "portrait" can be identified as a suspicious operation combination, and the abnormal user identified from it.
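The three ways of dividing a user's operations into sequences (by time, by count, at a specific operation) and the "same fixed operations after every login" script signature from the game example above, as an added example in Python; this is an illustration written for this page, not the patent's own code. The `(timestamp, operation)` log format, the window and count sizes, the `switch_map` boundary and the two sample logs are constructed.

```python
"""Divide a stream of timestamped game operations into user operation sequences
(by time, by count, or at a specific operation) and test for the script
signature described above: the same fixed operations after every login.

Added illustration, not the patent's own code. The (timestamp, operation) log
format and the two logs below are constructed sample data.
"""
from collections import Counter
from typing import List, Tuple

Op = Tuple[int, str]          # (seconds since capture start, operation name)


def split_by_time(ops: List[Op], window_s: int = 300) -> List[List[str]]:
    """Every window_s seconds of operations form one user operation sequence."""
    seqs: List[List[str]] = []
    current: List[str] = []
    start = None
    for t, name in ops:
        if start is None or t - start >= window_s:
            if current:
                seqs.append(current)
            current, start = [], t
        current.append(name)
    if current:
        seqs.append(current)
    return seqs


def split_by_count(ops: List[Op], n: int = 10) -> List[List[str]]:
    """Every n operations form one user operation sequence."""
    names = [name for _, name in ops]
    return [names[i:i + n] for i in range(0, len(names), n)]


def split_at(ops: List[Op], boundary: str = "switch_map") -> List[List[str]]:
    """Operations before and after a specific operation form separate
    sequences; the boundary operation opens the next sequence."""
    seqs: List[List[str]] = []
    current: List[str] = []
    for _, name in ops:
        if name == boundary and current:
            seqs.append(current)
            current = []
        current.append(name)
    if current:
        seqs.append(current)
    return seqs


def post_login_prefixes(ops: List[Op], k: int = 2) -> List[Tuple[str, ...]]:
    """The k operations that follow each login."""
    names = [name for _, name in ops]
    return [tuple(names[i + 1:i + 1 + k])
            for i, name in enumerate(names) if name == "login"]


def fixed_routine_ratio(ops: List[Op], k: int = 2) -> float:
    """Share of logins followed by the single most common k-operation prefix.
    A scripted client repeats its routine, so the ratio approaches 1.0 over
    several logins; a normal user varies. With fewer than two logins there
    is nothing to compare, so 0.0 is returned (one login proves nothing)."""
    prefixes = post_login_prefixes(ops, k)
    if len(prefixes) < 2:
        return 0.0
    return Counter(prefixes).most_common(1)[0][1] / len(prefixes)


# Constructed logs: a scripted client that reconfigures after every login,
# and an ordinary player whose first operations after login differ each time.
SCRIPT_LOG: List[Op] = [
    (0, "login"), (1, "open_config"), (2, "change_display"), (3, "main_scene"),
    (30, "move"), (900, "logout"),
    (1000, "login"), (1001, "open_config"), (1002, "change_display"),
    (1100, "switch_map"), (1101, "move"), (1300, "logout"),
    (2000, "login"), (2001, "open_config"), (2002, "change_display"),
    (2003, "open_backpack"),
]
NORMAL_LOG: List[Op] = [
    (0, "login"), (1, "main_scene"), (2, "view_mail"), (500, "logout"),
    (1000, "login"), (1001, "main_scene"), (1002, "open_backpack"), (1500, "logout"),
    (2000, "login"), (2001, "open_config"), (2002, "change_volume"),
]

if __name__ == "__main__":
    print(split_by_time(SCRIPT_LOG))
    print(split_at(SCRIPT_LOG))
    print(fixed_routine_ratio(SCRIPT_LOG), fixed_routine_ratio(NORMAL_LOG))
```

The ratio only says how consistent the post-login routine is; what threshold counts as "script-like", and over how many logins, has to be tuned against the game's own players, since a few legitimate users also have habits.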
FIG. 5 illustrates a flow diagram of a method for identifying abnormal user operation in accordance with a preferred embodiment of the present invention.
Specifically, in step S1, the identification device obtains the ingress and egress traffic data of the application server; in step S21, the identification device parses the ingress and egress traffic data to generate one or more user operation information; in step S22, the identification device generates one or more user operation sequences according to the user operation information and the sequence corresponding to the user operation information; in step S3, the identification device compares the sequence of user operations with abnormal operation data and/or normal operation data to identify abnormal user operations.
The steps S1 and S3 are the same as or similar to the corresponding steps described in fig. 4, and therefore are not repeated herein and are included herein by reference.
In step S21, the identification device parses the incoming and outgoing flow data to generate one or more user operation information.
Specifically, in step S21, the identification device determines an application protocol corresponding to each traffic data packet by parsing each traffic data packet of the ingress and egress traffic data based on a data transmission related protocol and the application protocol of the application; then, the traffic data packet of the same protocol is analyzed to obtain the user operation information of the application.
Alternatively, in step S21, the identification device analyzes data transmission related information of each traffic data packet in the ingress and egress traffic data based on a data transmission protocol; then, grouping the traffic data packets based on the data transmission related information, and sequencing the traffic data packets in each group to generate one or more sessions; and finally, analyzing the session according to an application protocol corresponding to the application to generate one or more pieces of user operation information of the application.
In step S22, the identification device generates one or more user operation sequences according to the user operation information and the sequence corresponding to the user operation information.
Specifically, in step S22, the identification device determines one or more user operation sequences corresponding to the ingress and egress traffic data based on the time-sequence relationship between the traffic data packets and the association relationship between the pieces of user operation information corresponding to those packets.
Preferably, in step S21, the identification device is configured to parse out data transmission related information of each traffic data packet in the ingress and egress traffic data based on a data transmission protocol; grouping the traffic data packets based on the data transmission related information and ordering the traffic data packets in each group to generate one or more sessions; and analyzing the session according to an application protocol corresponding to an application to generate one or more pieces of user operation information, wherein the application corresponds to the application server.
Specifically, in step S21, the identification device obtains the ingress and egress traffic data either directly from the data acquired in step S1 or by reading it from the mirror storage device; it then parses each traffic data packet according to the data transmission protocol adopted by the application server to obtain the data transmission related information.
Each piece of ingress and egress traffic data read by the identification device is a binary data array. The identification device parses these binary arrays, first recovering, according to the data transmission protocol, the Ethernet header, the IP header, the TCP/UDP header and the transmitted data portion (payload) that follows these headers, and then parses that information further to obtain the data transmission related information.
The data transmission related information includes, but is not limited to, the sending IP and port of each traffic packet, the receiving IP and port, SEQ, ACK, packet size, flags, offset, the transmitted data portion (that is, the application content to be parsed later), and the like. As will be understood by those skilled in the art, the data transmission related information differs with the type of traffic packet, such as TCP or UDP. For example, the data transmission related information of a TCP packet may include the sending IP and port, receiving IP and port, SEQ, ACK, packet size and transmitted data portion; that of a UDP packet may include the sending IP and port, receiving IP and port, the flags and fragment offset (carried in the IP header, since UDP itself has no sequence numbers) and the transmitted data portion.
The identification device then groups the traffic data packets based on one or more of the data transmission related information; the grouping methods include, but are not limited to:
Mode 1: grouping by the sending IP and receiving IP of the traffic data packets. For example, if two packets have the same sending IP and the same receiving IP, they are placed in one group; or, if the sending IP of the first packet equals the receiving IP of the second and the sending IP of the second equals the receiving IP of the first, the two packets are placed in one group. This can be applied iteratively: if the sending IP of the second packet equals the receiving IP of a third and the sending IP of the third equals the receiving IP of the second, the third packet joins the group of the first two, until all packets with corresponding IPs are grouped.
Mode 2 (preferred): grouping by the sending/receiving IP and port of the traffic data packets, that is, two packets are placed in one group if their sending/receiving IP and port information corresponds. For example, if two packets have the same sending IP/port and the same receiving IP/port they are placed in one group; or, if the sending IP/port of the first packet equals the receiving IP/port of the second and the sending IP/port of the second equals the receiving IP/port of the first, the two packets are placed in one group. Likewise, this can be applied iteratively.
Mode 3: grouping by the continuity of the traffic data packets. For example, two TCP packets can be grouped by the continuity of their SEQ, ACK and packet size: if the sender's SEQ plus its packet size equals the receiver's ACK and the sender's ACK equals the receiver's SEQ, the two packets are continuous and may be placed in one group. Similarly, two UDP packets may be grouped by the default order, or by the flags and fragment offset in the packet header, and so on.
Those skilled in the art will appreciate that the grouping modes can be used alone or in combination to improve the efficiency and effect of grouping. For example, mode 1, mode 2 or mode 3 may be used alone, performing grouping only; or mode 1 may be combined with mode 2, or with mode 3, the latter completing the grouping and the continuity determination together, which also supports the ordering described next.
After grouping, the identification device sorts all traffic data packets in each group in time order and generates one or more sessions from the sorted packets. A session may be a short session or a long back-and-forth session. In a game application, for example, sessions are mostly long back-and-forth sessions: one message session stream contains a large number of back-and-forth messages and can last tens of minutes or longer. In a general application such as a shopping application, sessions are mostly short, that is, a message session stream contains few back-and-forth messages.
Here, if the traffic data packet includes time information, the traffic data packet may be sequentially sorted according to the time information.
If the traffic data packets do not contain time information, the continuity relationship between packets can be determined from the data transmission protocol of the packets combined with the data transmission related information, and the packets in each group are ordered by that continuity relationship to generate one or more sessions.
For example, for TCP packets the continuity relationship can be determined from SEQ, ACK and packet size: if the sender's SEQ plus its data size equals the receiver's ACK and the sender's ACK equals the receiver's SEQ, the two packets are continuous. This strict equality holds for a request and the reply that acknowledges it; packets sent back-to-back in one direction instead chain by the SEQ plus size of one packet equalling the SEQ of the next, and the ACK of a packet may lag behind data already received, as the third packet of Table 1 shows. For UDP packets, the analysis can be performed directly on the flags and fragment offset in the packet header.
Those skilled in the art will appreciate that the ordering can be based on the above method even when the traffic packets do contain time information, so the time information need not be used.
An example of a segment of consecutive traffic packets is shown below:

Sender IP:port         Receiver IP:port        SEQ           ACK           Size
116.62.173.112:23      210.12.118.194:2648     -1401430175   -660031943    28
210.12.118.194:2648    116.62.173.112:23       -660031943    -1401430147   11
116.62.173.112:23      210.12.118.194:2648     -1401430147   -660031943    13
116.62.173.112:23      210.12.118.194:2648     -1401430134   -660031932    8

Table 1: Data transmission related information of consecutive traffic data packets
Note: Size is the size of the transmitted data portion of the packet, which is what advances SEQ (for example -1401430175 + 28 = -1401430147, the ACK of the second packet and the SEQ of the third); SEQ and ACK are shown as signed 32-bit values.
Next, the identification device parses the generated session according to an application protocol corresponding to the application, where the application protocol is a protocol specific to the application, such as a game protocol of a game application, a shopping application protocol of a shopping application, and the like.
The session content is parsed and restored according to the application protocol to generate the application content corresponding to the session; this application content serves as the application data of the application, and user operation information is extracted from it. The application data is the data restored in the sense of the application, for example game operation data for a game or shopping data for a shopping application.
Those skilled in the art will appreciate that if the traffic packets are not encrypted, the session can be parsed directly to generate the application data; if they are encrypted, the packets in the session are decrypted first and then parsed in the ordinary way to generate the application data.
Preferably, the method further includes step S9 (not shown), wherein in step S9, the identification device decrypts the traffic data packets in the session according to the key corresponding to the session; in step S21, the identification device parses the decrypted session according to the application protocol corresponding to the application, so as to generate one or more pieces of user operation information.
Specifically, in step S9, the identification device determines the key and the decryption method according to the encryption mode of the application. The key may be fixed or dynamic, and may be obtained by, but not limited to, directly obtaining the key corresponding to the application, or determining the key and/or encryption mode by analyzing the first few frames of the session or the traffic data of the application server.
It will be appreciated by those skilled in the art that any method capable of decrypting the traffic packets is suitable for use with the present invention.
After decrypting the traffic data packets with the key, the identification device obtains the decrypted session in step S21, parses it based on the application protocol of the application to generate the application data, and extracts user operation information from the application data. The parsing method depends on the protocol definitions and serialization format the application was built with.
For example, if the application protocol (or game protocol) of a game application is serialized with Protobuf and encrypted with a fixed key, the identification device decrypts the traffic packets with that key and then parses the session according to the Protobuf format using the application's message definitions.
It should be noted that the present invention may be implemented in software and/or in a combination of software and hardware, for example, as an Application Specific Integrated Circuit (ASIC), a general purpose computer or any other similar hardware device. In one embodiment, the software program of the present invention may be executed by a processor to implement the steps or functions described above. Also, the software programs (including associated data structures) of the present invention can be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Further, some of the steps or functions of the present invention may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
In addition, some of the present invention can be applied as a computer program product, such as computer program instructions, which when executed by a computer, can invoke or provide the method and/or technical solution according to the present invention through the operation of the computer. Program instructions which invoke the methods of the present invention may be stored on a fixed or removable recording medium and/or transmitted via a data stream on a broadcast or other signal-bearing medium and/or stored within a working memory of a computer device operating in accordance with the program instructions. An embodiment according to the invention herein comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or solution according to embodiments of the invention as described above.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (16)

1. A method for identifying abnormal user operation, wherein the method comprises the steps of:
acquiring ingress and egress traffic data of an application server;
parsing data-transmission-related information of each traffic data packet in the ingress and egress traffic data based on a data transmission protocol, wherein the data-transmission-related information comprises a sending IP and port, a receiving IP and port, SEQ, ACK, a data packet size or a transmitted data part; grouping the traffic data packets based on the data-transmission-related information and ordering the traffic data packets in each group to generate one or more sessions; parsing the session according to an application protocol corresponding to the application, generating application content corresponding to the session to serve as application data of the application, and extracting one or more pieces of user operation information from the application data, wherein the application corresponds to the application server, and the application data is a recovery of the transmitted data in the application-layer sense; generating one or more user operation sequences according to the user operation information and the order corresponding to the user operation information;
comparing the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
2. The method of claim 1, wherein grouping the traffic packets comprises:
grouping the traffic data packets based on the sending/receiving IP and port information corresponding to the traffic data packets.
3. The method of claim 1 or 2, wherein the step of ordering the traffic data packets in each group to generate one or more sessions comprises:
determining a continuity relation between the traffic data packets according to the data transmission protocol corresponding to the traffic data packets, in combination with the data-transmission-related information;
ordering the traffic data packets in each group based on the continuity relation to generate one or more sessions.
4. The method of any of claims 1 to 3, wherein the method further comprises:
decrypting the traffic data packets in the session with the key corresponding to the session;
wherein the step of parsing the session to generate one or more pieces of user operation information comprises:
parsing the decrypted session according to the application protocol corresponding to the application to generate one or more pieces of user operation information.
5. The method of any of claims 1 to 4, wherein identifying abnormal user operation comprises:
determining one or more user operation sequences to be analyzed from the user operation sequences according to a preset abnormal model, wherein at least one parameter in each user operation sequence to be analyzed matches at least one piece of abnormal operation data contained in the abnormal model;
identifying abnormal user operations according to the matching relation between the user operation sequences to be analyzed and the abnormal model.
6. The method of claim 5, wherein the method further comprises:
determining a plurality of abnormal users;
determining one or more historical operation sequences corresponding to the abnormal user according to the historical operation data corresponding to the abnormal user;
determining one or more abnormal operation data from the historical operation sequence according to the statistical result of the historical operation sequence;
generating the preset abnormal model according to the abnormal operation data.
7. The method of claim 6, wherein the method further comprises:
updating the abnormal users according to the users corresponding to the identified abnormal user operations.
8. The method of any one of claims 1 to 7, wherein the step of obtaining ingress and egress traffic data for the application server comprises:
mirroring the incoming and outgoing flow data of the application server and storing the mirrored data in a mirrored storage device;
reading the ingress and egress traffic data from the mirror storage device.
9. An identification device for identifying abnormal user operation, wherein the device comprises:
first means for acquiring ingress and egress traffic data of an application server;
second means comprising a first unit and a second unit, wherein the first unit is configured to parse data-transmission-related information of each traffic data packet in the ingress and egress traffic data based on a data transmission protocol, the data-transmission-related information comprising a sending IP and port, a receiving IP and port, SEQ, ACK, a data packet size or a transmitted data part; group the traffic data packets based on the data-transmission-related information and order the traffic data packets in each group to generate one or more sessions; parse the session according to an application protocol corresponding to the application, generate application content corresponding to the session to serve as application data of the application, and extract one or more pieces of user operation information from the application data, wherein the application corresponds to the application server, and the application data is a recovery of the transmitted data in the application-layer sense; and the second unit is configured to generate one or more user operation sequences according to the user operation information and the order corresponding to the user operation information;
third means for comparing the user operation sequences with abnormal operation data and/or normal operation data to identify abnormal user operations.
10. The identification device of claim 9, wherein, when grouping the traffic data packets, the first unit of the second means is configured to:
group the traffic data packets based on the sending/receiving IP and port information corresponding to the traffic data packets.
11. The identification device of claim 9 or 10, wherein, when ordering the traffic data packets in each group to generate one or more sessions, the first unit of the second means is configured to:
determine a continuity relation between the traffic data packets according to the data transmission protocol corresponding to the traffic data packets, in combination with the data-transmission-related information;
order the traffic data packets in each group based on the continuity relation to generate one or more sessions.
12. An identification device as claimed in any of claims 9 to 11 wherein the third means is for:
determining one or more user operation sequences to be analyzed from the user operation sequences according to a preset abnormal model, wherein at least one parameter in the user operation sequences to be analyzed is matched with at least one piece of abnormal operation data contained in the abnormal model;
identifying abnormal user operations according to the matching relation between the user operation sequences to be analyzed and the abnormal model.
13. The identification device of claim 12, wherein the device further comprises:
fourth means for determining a plurality of anomalous users;
fifth means for determining one or more historical operation sequences corresponding to the abnormal users according to the historical operation data corresponding to the abnormal users;
sixth means for determining one or more abnormal operation data from the historical sequence of operations based on the statistical result for the historical sequence of operations;
seventh means for generating a predetermined abnormal model based on the abnormal operation data.
14. The identification device of claim 13, wherein the device further comprises:
eighth means for updating the abnormal users according to the users corresponding to the identified abnormal user operations.
15. A computer-readable storage medium having computer-readable instructions stored thereon, which, when executed by one or more devices, cause the devices to perform the method of any one of claims 1-8.
16. A computer device, the computer device comprising:
one or more processors;
a memory for storing one or more computer programs;
the one or more computer programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-8.
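Worked example of the pipeline claimed above (claims 1 to 6) together with the fixed-key decryption step from the description, added here as illustration; it is not code from the patent or its assignee. Everything below is an assumption made for the example: the client-to-server framing ([u16 length][u8 opcode][u32 user_id]) stands in for the game's Protobuf protocol, repeating-key XOR stands in for the game's fixed-key cipher, and the opcode table, packet capture and bot histories are constructed.

```python
# Added example, not code from the patent or its assignee: the claimed pipeline
# from mirrored packets to flagged users. The framing, the XOR "cipher", the
# opcode table and every sample value below are constructed for illustration.
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Set, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)
NGram = Tuple[str, ...]
FIXED_KEY = b"\x5a\xc3\x1e\x77"      # assumed fixed client key (stand-in)
OPCODES = {0x01: "login", 0x02: "move", 0x03: "attack", 0x04: "collect",
           0x05: "sell", 0x06: "trade", 0x0F: "logout"}  # assumed opcode table

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    payload: bytes

def reassemble_sessions(packets: Iterable[Packet]) -> Dict[FlowKey, bytes]:
    """Group by sending/receiving IP and port (claim 2), sort each group by SEQ and
    keep the bytes that continue the previous segment (claim 3). Retransmitted
    prefixes are trimmed; a gap ends the session. Payload-less segments (SYN/FIN)
    are assumed to have been filtered out before this point."""
    groups: Dict[FlowKey, List[Packet]] = defaultdict(list)
    for p in packets:
        groups[(p.src_ip, p.src_port, p.dst_ip, p.dst_port)].append(p)
    sessions: Dict[FlowKey, bytes] = {}
    for key, pkts in groups.items():
        pkts.sort(key=lambda p: p.seq)
        stream, expected = bytearray(), pkts[0].seq
        for p in pkts:
            if p.seq > expected:                 # missing segment: stop here
                break
            data = p.payload[expected - p.seq:]  # drop retransmitted bytes
            stream += data
            expected += len(data)
        sessions[key] = bytes(stream)
    return sessions

def decrypt(stream: bytes, key: bytes = FIXED_KEY) -> bytes:
    """Stand-in for the game's fixed-key cipher: repeating-key XOR (symmetric, so it
    also encrypts). Only the fact that the detector holds the fixed key matters."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(stream))

def parse_operations(plain: bytes) -> List[Tuple[int, str]]:
    """Decode the assumed framing [u16 len][u8 opcode][u32 user_id][params...].
    Unknown opcodes become 'op_xx' so the sequence stays aligned; a truncated
    trailing frame is ignored."""
    ops, off = [], 0
    while off + 2 <= len(plain):
        (length,) = struct.unpack_from(">H", plain, off)
        off += 2
        if length < 5 or off + length > len(plain):
            break
        opcode, user_id = struct.unpack_from(">BI", plain, off)
        ops.append((user_id, OPCODES.get(opcode, f"op_{opcode:02x}")))
        off += length
    return ops

def operation_sequences(sessions: Dict[FlowKey, bytes]) -> Dict[int, List[str]]:
    """Decrypt and parse each session; one ordered operation list per user id."""
    seqs: Dict[int, List[str]] = defaultdict(list)
    for stream in sessions.values():
        for user_id, op in parse_operations(decrypt(stream)):
            seqs[user_id].append(op)
    return dict(seqs)

def ngrams(seq: Sequence[str], n: int) -> List[NGram]:
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def build_abnormal_model(histories: Dict[int, Sequence[str]], n: int = 3,
                         min_users: int = 2) -> Set[NGram]:
    """Claim 6: an n-gram becomes abnormal operation data when at least `min_users`
    distinct known-abnormal users show it in their historical sequences."""
    support: Counter = Counter()
    for seq in histories.values():
        support.update(set(ngrams(seq, n)))
    return {g for g, c in support.items() if c >= min_users}

def identify_abnormal(seqs: Dict[int, Sequence[str]],
                      model: Set[NGram]) -> Dict[int, List[NGram]]:
    """Claim 5: select the sequences containing at least one model n-gram and
    report the matched n-grams as the evidence for each flagged user."""
    if not model:
        return {}
    n = len(next(iter(model)))
    hits: Dict[int, List[NGram]] = {}
    for user, seq in seqs.items():
        matched = [g for g in ngrams(seq, n) if g in model]
        if matched:
            hits[user] = matched
    return hits

def _client_flow(ip: str, port: int, user_id: int, opcodes: List[int],
                 seq0: int = 1000, mss: int = 6) -> List[Packet]:
    """Constructed client->server flow: frames encrypted, cut into 6-byte segments
    (not aligned to frames), delivered in reverse order, lowest segment repeated."""
    cipher = decrypt(b"".join(struct.pack(">HBI", 5, op, user_id) for op in opcodes))
    pkts = [Packet(ip, port, "203.0.113.5", 9000, seq0 + i, 1, cipher[i:i + mss])
            for i in range(0, len(cipher), mss)]
    pkts.reverse()
    return pkts + [pkts[-1]]  # retransmission of the lowest-SEQ segment

SAMPLE_PACKETS = (_client_flow("10.0.0.1", 50001, 1001, [0x01, 0x02, 0x03, 0x02, 0x0F])
                  + _client_flow("10.0.0.2", 50002, 2002, [0x01, 0x04, 0x05, 0x04, 0x05, 0x04, 0x05]))
ABNORMAL_HISTORIES = {  # constructed histories of previously confirmed bots
    3001: ["login", "collect", "sell", "collect", "sell", "logout"],
    3002: ["collect", "sell", "collect", "sell", "collect"],
    3003: ["login", "trade", "trade", "logout"],
}

if __name__ == "__main__":
    model = build_abnormal_model(ABNORMAL_HISTORIES)
    seqs = operation_sequences(reassemble_sessions(SAMPLE_PACKETS))
    for user, evidence in identify_abnormal(seqs, model).items():
        print(user, evidence)
```

Two design points worth noting. Grouping on the directional 4-tuple means the server-to-client direction forms its own session, which is what the claims describe (the user operations live in the client-to-server stream); a bidirectional reassembler would key on the unordered pair. The model is a plain set of n-grams mined from confirmed bots, so a normal user who happens to repeat the same three-step cycle twice is flagged too; the claims leave the matching relation open, and in practice a count threshold or the normal-operation data of claim 1 would be used to cut that false-positive rate.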
CN201711377442.8A 2017-12-19 2017-12-19 Method and device for identifying abnormal user operation Active CN108156146B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711377442.8A CN108156146B (en) 2017-12-19 2017-12-19 Method and device for identifying abnormal user operation

Publications (2)

Publication Number Publication Date
CN108156146A CN108156146A (en) 2018-06-12
CN108156146B true CN108156146B (en) 2021-07-30

Family

ID=62463945

Country Status (1)

Country Link
CN (1) CN108156146B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108932434B (en) * 2018-06-20 2021-06-25 中国农业银行股份有限公司 Data encryption method and device based on machine learning technology
CN109657148B (en) * 2018-12-24 2020-10-13 北京百度网讯科技有限公司 Abnormal operation identification method, device, server and medium for reported POI
CN111382266A (en) * 2018-12-28 2020-07-07 沈阳美行科技有限公司 User portrait generation method, device and equipment
CN110020687B (en) * 2019-04-10 2021-11-05 北京神州泰岳软件股份有限公司 Abnormal behavior analysis method and device based on operator situation perception portrait
CN110071930B (en) * 2019-04-29 2022-07-22 珠海豹好玩科技有限公司 Information processing method and device
CN110189165B (en) * 2019-05-14 2021-07-23 微梦创科网络科技(中国)有限公司 Channel abnormal user and abnormal channel identification method and device
CN112087452B (en) * 2020-09-09 2022-11-15 北京元心科技有限公司 Abnormal behavior detection method and device, electronic equipment and computer storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1389818A (en) * 2002-07-19 2003-01-08 叶昇武 User identity identifying anti-theft system and its identifying method
CN1405718A (en) * 2002-07-19 2003-03-26 叶昇武 User's identity identifying anti-theft system and identifying method
CN1551589A (en) * 2003-04-28 2004-12-01 Matsushita Electric Industrial Co., Ltd. Service management system, and method, communications unit and integrated circuit for use in such system
CN1649311A (en) * 2005-03-23 2005-08-03 北京首信科技有限公司 System and method for detecting abnormal user behaviour based on machine learning
CN105187242A (en) * 2015-08-20 2015-12-23 中国人民解放军国防科学技术大学 Method for detecting abnormal user behaviours based on variable-length sequence pattern mining
CN107454109A (en) * 2017-09-22 2017-12-08 杭州安恒信息技术有限公司 Network data-theft behaviour detection method based on HTTP traffic analysis

Similar Documents

Publication Publication Date Title
CN108156146B (en) Method and device for identifying abnormal user operation
CN111865815B (en) Flow classification method and system based on federal learning
EP3407562B1 (en) Coflow recognition method and system, and server using method
CN109300028A (en) Real-time anti-fraud method and system and storage medium based on network data
US20200374306A1 (en) Network traffic anomaly detection method, apparatus, computer device and storage medium
CN109936512B (en) Flow analysis method, public service flow attribution method and corresponding computer system
CN109003137A Advertisement anti-fraud method and device
CN105808700A Game information recommendation method and server
CN107040816A Client application operation anomaly analysis method and device
CN105681389B Method and device for identifying Skype communication streams of different functions
CN110798440B Abnormal user detection method, device and system and computer storage medium
CN110213124A Passive operating system identification method and device based on multiple TCP sessions
US20160308745A1 (en) Presenting application performance monitoring data in distributed computer systems
CN109962789A Method and apparatus for constructing a working-application label system based on network data
CN112346936A Application fault root cause localisation method and system
CN110267272A Fraud text message recognition method and recognition system
CN106656629A (en) Prediction method for stream media playing quality
CN108121637B (en) Method and device for recording application logs
CN106559498A Risk-control data collection platform and collection method
CN106302162A Client-based intelligent application type identification method and device
CN108093048B (en) Method and device for acquiring application interaction data
CN109478219A User interface for displaying network analysis
CN114283349A (en) Data processing method and device, computer equipment and storage medium
CN108804501A Method and device for detecting valid information
CN115426299B (en) Method and device for identifying characteristic-free data, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant