CN108268886A - Method and system for identifying plug-in operations - Google Patents

Publication number
CN108268886A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710004491.0A
Other languages
Chinese (zh)
Other versions
CN108268886B (en)
Inventor
周晓伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Sichuan Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Sichuan Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Sichuan Co Ltd
Priority to CN201710004491.0A
Publication of CN108268886A
Application granted
Publication of CN108268886B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques

Abstract

The invention discloses a method and system for identifying plug-in operations. The method includes: collecting raw operation information from a business system; extracting, from the raw operation information, operating characteristics associated with plug-in operations; establishing a plug-in operating characteristics model based on those operating characteristics; and analyzing the operation information of real-time operations with the plug-in operating characteristics model to identify plug-in operations. This addresses the shortcomings of traditional means in detecting known plug-in behavior and their inability to identify unknown plug-in behavior, and so improves the accuracy of plug-in identification and broadens its applicability.

Description

Method and system for identifying plug-in operations
Technical field
The present invention relates generally to computer systems, and more particularly to a method and system for identifying plug-in operations.
Background
At present, in business operation support systems such as CRM (Customer Relationship Management) and BOSS (Business Operation Support System), it is common for external scripts and programs ("plug-ins") to batch-query user information and detailed bills or to handle business transactions. Such operations have short intervals between occurrences, run in large batches, and are well concealed and hard to discover. They bring the risk of user sensitive information leakage and non-compliant business handling, and reduce the security of the business.
In the prior art, plug-in operations are discovered mainly through manual statistical analysis. This requires substantial human resources, has a long analysis cycle and poor timeliness, and the accuracy of manual review is also poor. It cannot effectively identify plug-in operations in business operation support systems, so an improved technical means is needed to solve these problems.
Summary of the invention
The main object of the present invention is to provide a method and system for identifying plug-in operations, to solve the low efficiency and poor results of identifying plug-in operations by manual means in the prior art.
According to an embodiment of the present invention, a method for identifying plug-in operations is provided, including: collecting raw operation information from a business system; extracting, from the raw operation information, operating characteristics associated with plug-in operations; establishing a plug-in operating characteristics model based on the operating characteristics associated with plug-in operations; and analyzing the operation information of real-time operations with the plug-in operating characteristics model to identify plug-in operations.
According to an embodiment of the present invention, a system for identifying plug-in operations is also provided, including: a data acquisition module for collecting raw operation information from a business system; a feature extraction module for extracting, from the raw operation information, operating characteristics associated with plug-in operations; a model building module for establishing a plug-in operating characteristics model based on the operating characteristics associated with plug-in operations; and an identification module for analyzing the operation information of real-time operations with the plug-in operating characteristics model to identify plug-in operations.
According to the technical solution of the present invention, plug-in operations are effectively identified by judging whether a behavior matches the basic elements of a pre-established or self-learned operating characteristics (that is, information fingerprint) model. The entire identification process requires no manual intervention. It addresses the shortcomings of traditional means in detecting known plug-ins and their inability to identify unknown plug-in behavior, improves the accuracy of plug-in identification, and broadens its applicability, so that users need no professional knowledge and need not set or maintain detection rules in order to monitor plug-in programs easily. This further improves the security of the business system and reduces the risk of user sensitive information leakage and non-compliant business handling caused by plug-in programs.
Brief description of the drawings
The drawings described here provide a further understanding of the present invention and form a part of it. The illustrative embodiments of the invention and their descriptions are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of a method for identifying plug-in operations according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a plug-in operating characteristics (for example, plug-in fingerprint) model according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of operating characteristics (for example, information fingerprint) clustering according to an embodiment of the present invention;
Fig. 4 is a structural block diagram of a system for identifying plug-in operations according to an embodiment of the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the technical solutions are described clearly and completely below with reference to specific embodiments and the corresponding drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative work fall within the protection scope of the present invention.
The technical solutions provided by the embodiments of the present invention are described in detail below with reference to the drawings.
Fig. 1 is a flow chart of a method for identifying plug-in operations according to an embodiment of the present invention. As shown in Fig. 1, the method includes:
In step S102, raw operation information of a business system is collected, where the business system may be, for example, a business operation support system. As used herein, the term "business operation support system" refers to a business system, mainly used in the communications industry, that performs the corresponding business operations for users. For example, the business operation support system may be CRM, BOSS, BASS (Business Analysis Support System), a 4A (Authentication, Account, Authorization, Audit) platform, and so on. Embodiments of the present invention are not limited in this respect.
In some embodiments, the raw operation information may include one or more of: operation log data collected from the business operation support system, such as login, query and transaction-handling logs, and the operation information of predetermined plug-in operations.
In step S104, operating characteristics associated with plug-in operations are extracted from the raw operation information.
Then, in step S106, a plug-in operating characteristics model is established based on the operating characteristics associated with plug-in operations.
In embodiments of the present invention, event fingerprints (that is, operating characteristics) can be extracted from raw operation information such as business log data to build a model of illegal events (for example, plug-in operating characteristics). Various methods are used to pinpoint the key log fields or multi-field combinations, each of which is designated as a fingerprint of a plug-in operation event. As used herein, the terms "event fingerprint" and "information fingerprint" refer to a feature that can be used to distinguish or identify an event or a piece of information, respectively.
Methods for determining the key fields or field combinations that make up the fingerprint of a plug-in operation event are given below.
(1) Extracting plug-in event fingerprints by learning from event samples
Fingerprint 1: the time at which a behavior occurs in the log. For example, normal operations generally occur during daytime working hours, while plug-in operations generally occur at midnight.
Fingerprint 2: the frequency of a behavior in the log. For example, a normal QueryTicket operation usually occurs once per minute, while plug-in operations occur at many times that rate.
Fingerprint 3: the content of the follow-up operation in the log. For example, in normal operation a detailed-bill query is usually followed by a related business-handling record, whereas a plug-in operation often only queries the detailed bill, with no follow-up.
Fingerprint 4: the temporal correlation between account login and operation logs. For example, in normal CRM use the corresponding CRM operation occurs some 5 to 30 minutes after the 4A login, whereas a plug-in program often shows no such interval, or in extreme cases has no 4A login record at all (bypassing 4A directly) or logs in many times within a unit of time.
The 4 fingerprints above are key fields or multi-field combinations found from samples, including existing business logs, and are defined as the fingerprint set of plug-in operations. That is, if the system operation logs of a later actor show a high degree of similarity to this fingerprint set, the system judges that its operations are plug-in operations. Among them:
Fingerprint 1 is a single field in the CRM log;
Fingerprint 2 is a multi-field combination made up of two fields, operation time and operation content;
Fingerprint 3 is a multi-field combination made up of a specific operation time + operation content and the subsequent operation time + (different) operation content;
Fingerprint 4 is a cross-system multi-field combination made up of the time field of the 4A log and the time field of the CRM log.
Event fingerprints extracted from the key features of event samples have higher precision and are reasonably designed.
(2) Extracting event fingerprints by discrete analysis
In some embodiments, the existing mass of raw system logs is classified, dividing the behavior logs into two categories, high probability and low probability. Samples are then used to refine the labels a second time and assign an event type to each.
For example, about 33 CRM system logs are generated per second, so the log volume for one day is around 2,000,000 (the volume drops sharply outside working hours). In some embodiments, the machine aggregates over multiple fields in the CRM logs, such as "sub-account + operation event + operation content + account role", and can draw the following conclusions:
the time period in which different accounts with the same authorized role perform the same operation (such as working hours 9:00 to 17:00);
the frequency with which different accounts with the same authorized role perform the same operation (such as QueryTicket, with a frequency of 5 times per hour);
whether different accounts with the same authorized role perform a follow-up operation after a given operation (for example, the next operation after QueryTicket is a certain business transaction).
These 3 conclusions distinguish the high-probability operating time period, operating frequency, follow-up associated operation, and so on. After the high-probability and low-probability logs are separated on these 3 dimensions, comparison against samples yields the first to third event fingerprints described above; the three conclusions correspond one-to-one to event fingerprints 1, 2 and 3.
In some embodiments, extracting event fingerprints by discrete classification analysis does not rely entirely on event samples or human experience; the difference between high-probability and low-probability logs can be separated out automatically.
As the description above shows, each field of the raw system log is a prototype of an event fingerprint, and an event fingerprint designates particular log fields or field combinations as the characteristic fingerprint that explains a certain event. The relationship between raw system logs and fingerprints is illustrated below using CRM system logs as an example.
In some embodiments, the CRM system log contains multiple fields. The fields that are highly correlated with a particular type of event need to be found and used as event fingerprints, forming an event fingerprint library for association and aggregation after behavior logs are collected in the future.
(1) Core fingerprint generation
Core fingerprints can be extracted from the basic fields in the log; they are the key factors in generating the event model. In the CRM log, for example, certain fields play a vital role in characterizing a particular type of event, and all of these fields are included in the fingerprint system as core fingerprints for the qualitative profile of the event. The core fingerprints in the CRM log include at least one or more of the following: OPERATE_CONTENT (operation content), OPERATE_TIME (operation time), PERSON_DUTY_NAME (user role/position) and CLIENT_NETWORK_ADDRESS (client address).
These fields, together with the user's basic attribute fields, can reconstruct the key elements of an event, that is, its 5W1H content, and they are included in the event fingerprint library as the core fingerprints of that event.
In some embodiments, the device analyzes all accounts in the log whose identity is "shop assistant" and extracts the "operating frequency" fingerprint for analysis, which separates high probability from low probability. For example, if a certain shop assistant's operating frequency or operation time does not match that of most shop assistants, it is low-probability; the content of that shop assistant's relevant fields may be close to the plug-in operation event fingerprint, and the system then finally judges that the shop assistant's behavior is plug-in behavior. "Operating frequency" is used as the example here; the extraction and clustering methods for the other fingerprints are similar and are not repeated.
After the temporal correlation between 4A logins and CRM operation logs has been analyzed for all accounts of the same identity in the massive logs, high-probability and low-probability fingerprint values can be separated; when the event is profiled, this fingerprint is also one of the core fingerprints of the plug-in event. Similarly, fingerprints formed from different field combinations, after similar aggregation and analysis, characterize the event the behavior belongs to, and whether it is a plug-in is finally judged by its similarity to the plug-in event fingerprint set.
(2) Fingerprint model generation
For the same business system, this method is used to form the fingerprint sets of different events in turn, and these fingerprint sets together form the event fingerprint model of the system. Within the same fingerprint library, the fingerprints of different events may overlap in fields, or may be generated from entirely different fields. For example, the IP address field may not be a fingerprint, or may be a low-weight fingerprint, for one plug-in program, yet be a core fingerprint for another plug-in event. This difference also means that the fingerprints in this scheme's fingerprint system are graded: a fingerprint has a different severity level for a given event type according to its weight.
Fig. 2 shows a plug-in operating characteristics (for example, plug-in event fingerprint) model according to an embodiment of the present invention. The model consists mainly of the 4 kinds of core fingerprints above and basic fingerprints.
After a feature set is built from the fingerprint sequences related to a plug-in event, the fingerprints are clustered and the corresponding fingerprint model algorithm is applied to generate the plug-in fingerprint model. The steps are as follows:
Step 1: Store a group of fingerprint feature vectors in a list and select two distance thresholds, T1 and T2, where T1 > T2. Referring to Fig. 3, the dark circle is T1 and the light circle is T2; the values of T1 and T2 can be determined by cross-validation;
Step 2: Take any feature vector P from the feature vector list and compute the distance between P and every feature set (if no feature set exists yet, P becomes a feature set). If the distance between P and some feature set is within T1, add point P to that feature set;
The present invention uses a similarity distance algorithm, measuring how distinct two feature sets are by the proportion of elements that differ between the two sets among all elements. The calculation is as follows:
The proportion of the elements in the intersection of two sets A and B among the elements of their union is called the distance similarity coefficient of the two sets, denoted J(A, B). The distance similarity coefficient is an index of the similarity of two sets, as shown in the following formula:
In some embodiments, the concept opposite to the distance similarity coefficient can be expressed by the following formula (2):
Assume Q'_i and Q'_j are two n-dimensional vectors whose value in each fingerprint dimension is 0 or 1, for example (0,1,1,0) and (1,0,1,1), where 1 means the set contains the corresponding fingerprint and 0 means it does not.
In some embodiments, J(Q'_i, Q'_j) can be calculated with the following formula (3):
where p is the number of dimensions in which Q'_i and Q'_j are both 1, q is the number of dimensions in which Q'_i is 1 and Q'_j is 0, and r is the number of dimensions in which Q'_i is 0 and Q'_j is 1.
Step 3: If the distance between P and some feature set is within T2, delete point P from the feature vector list. P is now close enough to that feature set that it can no longer serve as the center of another feature set;
Step 4: Repeat steps 2 and 3 until the list is empty.
Step 5: From the whole fingerprint set, build another feature set of related fingerprint sequences and repeat steps 1 to 4 to cluster all fingerprint sequence vectors.
Step 6: Judge the degree of overlap among the fingerprint sets after all clustering, and merge the fingerprint sets with high overlap to form the final clustering result, which forms the plug-in fingerprint model.
The result after clustering is as follows:
Q′11 = {P11, ..., P1n}
...
Q′1i = {Pi1, ..., Pin}
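The clustering in Steps 1 to 4 and the merge in Step 6, as an added Python example (not code from the patent). It assumes that the distance from P to a feature set is the distance to that set's first vector, that P opens a new set when it is not within T2 of any existing one, and that "high overlap" means shared members divided by all members at or above a hypothetical `min_overlap` value; the distance is one minus the J defined by p, q and r in the text (the standard Jaccard coefficient), and the sample vectors and thresholds are constructed.

```python
from typing import List, Set, Tuple

Vector = Tuple[int, ...]  # one 0/1 entry per fingerprint dimension


def jaccard_distance(a: Vector, b: Vector) -> float:
    """1 - p / (p + q + r), with p, q, r counted as the text defines them."""
    p = sum(1 for x, y in zip(a, b) if x == 1 and y == 1)
    q = sum(1 for x, y in zip(a, b) if x == 1 and y == 0)
    r = sum(1 for x, y in zip(a, b) if x == 0 and y == 1)
    if p + q + r == 0:
        return 0.0  # neither vector contains any fingerprint: treat as identical
    return 1.0 - p / (p + q + r)


def cluster(vectors: List[Vector], t1: float, t2: float) -> List[List[Vector]]:
    """Steps 1-4: one pass over the list with thresholds T1 > T2."""
    if not t1 > t2:
        raise ValueError("T1 must be greater than T2")
    sets: List[List[Vector]] = []  # sets[k][0] acts as the center (assumption)
    for p in vectors:
        bound = False
        for members in sets:
            d = jaccard_distance(p, members[0])
            if d <= t1:          # Step 2: within T1, P joins this feature set
                members.append(p)
            if d <= t2:          # Step 3: within T2, P can no longer be a center
                bound = True
        if not bound:            # P is still a candidate center: open a new set
            sets.append([p])
    return sets


def merge_overlapping(sets: List[List[Vector]], min_overlap: float) -> List[Set[Vector]]:
    """Step 6: merge sets whose member overlap is at least min_overlap."""
    merged = [set(s) for s in sets]
    changed = True
    while changed:
        changed = False
        for i in range(len(merged)):
            for j in range(i + 1, len(merged)):
                a, b = merged[i], merged[j]
                if len(a & b) / len(a | b) >= min_overlap:
                    merged[i] = a | b
                    del merged[j]
                    changed = True
                    break
            if changed:
                break
    return merged


def build_model(vectors: List[Vector], t1: float, t2: float,
                min_overlap: float) -> List[Set[Vector]]:
    return merge_overlapping(cluster(vectors, t1, t2), min_overlap)


# Constructed sample. Dimensions (assumed order): off-hours operation,
# high frequency, no follow-up operation, no preceding 4A login.
SAMPLE_VECTORS: List[Vector] = [
    (1, 1, 1, 1),
    (1, 1, 0, 0),
    (1, 1, 1, 0),
    (1, 1, 0, 1),
    (0, 0, 0, 1),
]

if __name__ == "__main__":
    for s in build_model(SAMPLE_VECTORS, t1=0.6, t2=0.3, min_overlap=0.5):
        print(sorted(s))
```

Because a vector inside T1 but outside T2 both joins an existing set and opens its own, the intermediate sets overlap; the Step 6 merge is what collapses them into the final model.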
In step S108, the operation information of real-time operations is analyzed with the plug-in operating characteristics model to identify plug-in operations.
Specifically, users are classified according to the user keywords contained in the operation log, including account, name, IP address and so on. All operation behaviors of each classified user are associated to form an event, such as: "The user performed a 4A login at minute XX on day XX of month XX, logged in to the CRM system via 4A at minute XX on day XX of month XX, and at minute XX on day XX of month XX operated on module 8142 and queried a user's detailed-bill information".
In some embodiments, the key operation fingerprints or time series in a user behavior event are extracted and approximately matched against the fingerprint sequences in the plug-in fingerprint model. If the match succeeds, the behavior is output as a plug-in operation; if the match fails, the corresponding event feature data is discarded. In one embodiment, the user's actual operating frequency is 5 times per second, which exceeds the upper-limit frequency of 2 times per second given by the time series in the fingerprint model, so the match succeeds and the system identifies a plug-in operation. This is matching on a single fingerprint sequence. In practice there are often matches on multiple fingerprint sequences. For example, a user's event operation fingerprints show that the user did not log in to the CRM system through 4A, yet CRM operation logs exist, and 100 logs were generated within 5 minutes. In this case the user's login fingerprint, CRM operation fingerprint and operation time-frequency fingerprint must each be matched against the corresponding fingerprint sequences in the fingerprint model. If all of the fingerprints match, or more than 80% of the key fingerprints match, the behavior is determined to be a plug-in operation.
In addition, during plug-in fingerprint matching, not every fingerprint sequence matches the model fingerprints exactly one by one. The partial plug-in fingerprints that did not match can be aggregated and redefined to form new plug-in fingerprint data and generate a new plug-in model, achieving model self-learning.
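The four fingerprints and the multi-fingerprint matching rule of step S108, as an added Python example over constructed log lines (not code from the patent). The log line layout, the operation name `HandleBusiness`, the per-fingerprint weights and the per-minute query limit are assumptions; the 9:00 to 17:00 window, the 5-minute login gap and the "more than 80%" rule come from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical weights: the text says fingerprints are weighted per event
# type but gives no values.
MODEL_WEIGHTS = {"off_hours": 1, "high_frequency": 3,
                 "no_followup": 2, "login_anomaly": 3}
MATCH_RATIO = 0.8                      # "more than 80%" of key fingerprints
WORK_START, WORK_END = 9, 17           # working hours 9:00 to 17:00
QUERY_PER_MINUTE_LIMIT = 5             # assumed upper limit for QueryTicket
MIN_LOGIN_GAP = timedelta(minutes=5)   # normal use: 5 to 30 min after 4A login

# Constructed log lines: OPERATE_TIME|system|account|OPERATE_CONTENT
SAMPLE_LOG = [
    "2017-01-03 09:00:00|4A|acct_a|Login",
    "2017-01-03 09:10:00|CRM|acct_a|QueryTicket",
    "2017-01-03 09:12:00|CRM|acct_a|HandleBusiness",
    "2017-01-03 10:00:00|CRM|acct_a|QueryTicket",
    "2017-01-03 10:03:00|CRM|acct_a|HandleBusiness",
    "2017-01-03 08:58:00|4A|acct_c|Login",
    "2017-01-03 09:00:00|CRM|acct_c|QueryTicket",
    "2017-01-03 09:02:00|CRM|acct_c|HandleBusiness",
]
# acct_b: night-time burst, no 4A login; acct_d: the same burst in working hours
SAMPLE_LOG += [f"2017-01-03 02:00:{s:02d}|CRM|acct_b|QueryTicket" for s in range(0, 40, 5)]
SAMPLE_LOG += [f"2017-01-03 14:30:{s:02d}|CRM|acct_d|QueryTicket" for s in range(0, 40, 5)]


def parse(lines):
    """Group events per account as (time, system, content), sorted by time."""
    events = defaultdict(list)
    for line in lines:
        ts, system, account, content = line.split("|")
        events[account].append(
            (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), system, content))
    for evs in events.values():
        evs.sort()
    return events


def fingerprints(evs):
    """Return the names of the plug-in fingerprints one account's events show."""
    crm = [(t, c) for t, s, c in evs if s == "CRM"]
    logins = [t for t, s, _ in evs if s == "4A"]
    found = set()
    if not crm:
        return found
    # Fingerprint 1: most operations fall outside working hours.
    off = sum(1 for t, _ in crm if not WORK_START <= t.hour < WORK_END)
    if off > len(crm) / 2:
        found.add("off_hours")
    # Fingerprint 2: peak number of QueryTicket operations in any 60 s window.
    q = [t for t, c in crm if c == "QueryTicket"]
    window = timedelta(seconds=60)
    peak = max((sum(1 for u in q if t <= u < t + window) for t in q), default=0)
    if peak > QUERY_PER_MINUTE_LIMIT:
        found.add("high_frequency")
    # Fingerprint 3: no query is ever followed by a different operation.
    followed = sum(1 for (_, c), (_, nxt) in zip(crm, crm[1:])
                   if c == "QueryTicket" and nxt != "QueryTicket")
    if q and followed == 0:
        found.add("no_followup")
    # Fingerprint 4: no 4A login before the first CRM operation, or too short a gap.
    prior = [t for t in logins if t <= crm[0][0]]
    if not prior or crm[0][0] - max(prior) < MIN_LOGIN_GAP:
        found.add("login_anomaly")
    return found


def match_ratio(found):
    """Weighted share of the model's key fingerprints that matched."""
    return sum(MODEL_WEIGHTS[f] for f in found) / sum(MODEL_WEIGHTS.values())


def detect(lines):
    """Map account -> (is_plug_in, matched fingerprints, match ratio)."""
    result = {}
    for account, evs in parse(lines).items():
        found = fingerprints(evs)
        ratio = match_ratio(found)
        result[account] = (ratio > MATCH_RATIO, sorted(found), round(ratio, 3))
    return result


if __name__ == "__main__":
    for account, verdict in sorted(detect(SAMPLE_LOG).items()):
        print(account, verdict)
```

Accounts such as `acct_c`, which match some fingerprints but stay under the ratio, are the partial matches the text says can be aggregated again for model self-learning.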
According to embodiments of the present invention, plug-in operations are effectively identified by judging whether access behavior matches the basic elements of a pre-established or self-learned fingerprint model. The entire identification process requires no manual intervention. It addresses the shortcomings of traditional means in detecting known plug-ins and their inability to identify unknown plug-in behavior, improves the accuracy of plug-in identification, and broadens its applicability, so that users need no professional knowledge and need not set or maintain detection rules in order to monitor business plug-ins easily. This further improves the security of the business system and reduces the risk of user sensitive information leakage and non-compliant business handling caused by plug-in programs.
Fig. 4 is a structural block diagram of a system for identifying plug-in operations according to an embodiment of the present invention. As shown in Fig. 4, the system includes a data acquisition module 41, a feature extraction module 42, a model building module 43 and an identification module 44.
In some embodiments, the data acquisition module 41 can collect raw operation information (for example, business log data) from the business system.
In some embodiments, the feature extraction module 42 can extract operating characteristics associated with plug-in operations from the raw operation information. Specifically, the feature extraction module 42 extracts operating characteristics, that is, event fingerprints, from the business log data according to preset key fields or multi-field combinations. In some embodiments, the feature extraction module 42 classifies users according to the user keywords contained in the business log data, where the user keywords may include account, name and IP address, and then associates all operation behaviors of each classified user to form user behavior events.
In some embodiments, the model building module 43 establishes the plug-in operating characteristics model based on the operating characteristics associated with plug-in operations extracted by the feature extraction module 42. Specifically, the model building module 43 performs discrete data analysis on the business log data according to preset key fields or multi-field combinations, classifying the business log data into high-probability events and low-probability events. The model building module 43 then establishes the plug-in operation model from the low-probability events; this model can be used, for example, to identify illegal events. The preset key fields or multi-field combinations include operation time, operating frequency and follow-up operation.
In some embodiments, the identification module 44 can use the plug-in operating characteristics model (for example, the illegal event model) generated by the model building module 43 to analyze the operation information of real-time operations and identify plug-in operations. For example, the identification module 44 can evaluate user behavior events against the illegal event model to judge whether a user behavior event is an illegal plug-in operation.
Specifically, the identification module 44 extracts the key operation fingerprints or time series in a user behavior event and matches them against the illegal event model generated by the model building module 43. If the match succeeds, the user behavior event is identified as an illegal plug-in operation. If the match fails, the user behavior event is discarded. In addition, in some embodiments, when the match fails, the identification module 44 can provide the unmatched user behavior events to the model building module 43, which can then re-analyze these user behavior events to form a new illegal event model.
The operating steps of the method of the present invention correspond to the structural features of the system and can be cross-referenced; they are not repeated one by one.
According to the technical solution of the present invention, plug-in operations are effectively identified by judging whether access behavior matches the basic elements of a pre-established or self-learned fingerprint model. The entire identification process requires no manual intervention. It addresses the shortcomings of traditional means in detecting known plug-ins and their inability to identify unknown plug-in behavior, improves the accuracy of plug-in identification, and broadens its applicability, so that users need no professional knowledge and need not set or maintain detection rules in order to monitor business plug-ins easily. This further improves the security of the business system and reduces the risk of user sensitive information leakage and non-compliant business handling caused by plug-in programs.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The above are merely embodiments of the present invention and are not intended to limit it. For those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of the claims of the present invention.

Claims (16)

  1. A method for identifying plug-in operations, characterized by comprising:
    collecting original operation information of a business system;
    extracting, from the original operation information, operating characteristics associated with plug-in operations;
    establishing a plug-in operating characteristics model based on the operating characteristics associated with plug-in operations; and
    analyzing operation information of a real-time operation using the plug-in operating characteristics model to identify the plug-in operation.
  2. The method according to claim 1, wherein the operating characteristics associated with plug-in operations include one or more key fields of the plug-in operation or a combination of multiple key fields, and wherein the one or more key fields or the combination of multiple key fields include one or more of the following: operating time, entry frequency, the subsequent operation of the operation to be identified, and operation timing.
  3. The method according to claim 2, wherein the operating time is one or more key fields, and the entry frequency, the subsequent operation of the operation to be identified, and the operation timing are combinations of multiple key fields.
  4. The method according to claim 1, wherein the original operation information includes one or more of historical business logs of the business system and operation information of predetermined plug-in operations.
  5. The method according to claim 1, wherein extracting, from the original operation information, operating characteristics associated with plug-in operations comprises:
    extracting, from the original operation information, operating characteristics associated with the original operations;
    discretizing the operating characteristics associated with the original operations so as to classify them into high-probability operating characteristics and low-probability operating characteristics; and
    extracting the low-probability operating characteristics to obtain the operating characteristics associated with plug-in operations.
  6. The method according to claim 1, wherein establishing the plug-in operating characteristics model based on the operating characteristics associated with plug-in operations comprises:
    clustering the operating characteristics associated with plug-in operations to generate sets of operating characteristics associated with the plug-in operations;
    performing an overlap-degree judgement on the sets, and merging sets whose overlap degree is high; and
    establishing the plug-in operating characteristics model based on the merged sets,
    wherein, when the overlap degree is greater than or equal to a first threshold, the overlap degree of the sets is high, and when the overlap degree is less than the first threshold, the overlap degree of the sets is low.
  7. The method according to claim 1, wherein analyzing the operation information of the real-time operation using the plug-in operating characteristics model to identify the plug-in operation comprises:
    analyzing the operation information of the real-time operation to extract operating characteristics associated with the real-time operation; and
    matching the operating characteristics associated with the real-time operation against the plug-in operating characteristics model,
    wherein, when the operating characteristics associated with the real-time operation match the plug-in operating characteristics model, the real-time operation is identified as the plug-in operation, and when the operating characteristics associated with the real-time operation do not match the plug-in operating characteristics model, the operation information of the real-time operation is discarded.
  8. The method according to claim 7, characterized by further comprising:
    when the operating characteristics associated with the real-time operation do not match the plug-in operating characteristics model, re-analyzing the real-time operation so as to modify the plug-in operating characteristics model.
  9. A system for identifying plug-in operations, characterized by comprising:
    a data acquisition module configured to collect original operation information of a business system;
    a feature extraction module configured to extract, from the original operation information, operating characteristics associated with plug-in operations;
    a model building module configured to establish a plug-in operating characteristics model based on the operating characteristics associated with plug-in operations; and
    an identification module configured to analyze operation information of a real-time operation using the plug-in operating characteristics model to identify the plug-in operation.
  10. The system according to claim 9, wherein the operating characteristics associated with plug-in operations include one or more key fields of the plug-in operation or a combination of multiple key fields, and wherein the one or more key fields or the combination of multiple key fields include one or more of the following: operating time, entry frequency, the subsequent operation of the operation to be identified, and operation timing.
  11. The system according to claim 10, wherein the operating time is one or more key fields, and the entry frequency, the subsequent operation of the operation to be identified, and the operation timing are combinations of multiple key fields.
  12. The system according to claim 9, wherein the original operation information includes one or more of historical business logs of the business system and operation information of predetermined plug-in operations.
  13. The system according to claim 9, wherein the feature extraction module is further configured to perform the following operations:
    extracting, from the original operation information, operating characteristics associated with the original operations;
    discretizing the operating characteristics associated with the original operations so as to classify them into high-probability operating characteristics and low-probability operating characteristics; and
    extracting the low-probability operating characteristics to obtain the operating characteristics associated with plug-in operations.
  14. The system according to claim 9, wherein the model building module is configured to perform the following operations:
    clustering the operating characteristics associated with plug-in operations to generate sets of operating characteristics associated with the plug-in operations;
    performing an overlap-degree judgement on the sets, and merging sets whose overlap degree is high; and
    establishing the plug-in operating characteristics model based on the merged sets,
    wherein, when the overlap degree is greater than or equal to a first threshold, the overlap degree of the sets is high, and when the overlap degree is less than the first threshold, the overlap degree of the sets is low.
  15. The system according to claim 9, wherein the identification module is configured to:
    analyze the operation information of the real-time operation to extract operating characteristics associated with the real-time operation; and
    match the operating characteristics associated with the real-time operation against the plug-in operating characteristics model,
    wherein, when the operating characteristics associated with the real-time operation match the plug-in operating characteristics model, the real-time operation is identified as the plug-in operation, and when the operating characteristics associated with the real-time operation do not match the plug-in operating characteristics model, the operation information of the real-time operation is discarded.
  16. The system according to claim 15, wherein the model building module is further configured to:
    when the operating characteristics associated with the real-time operation do not match the plug-in operating characteristics model, re-analyze the real-time operation so as to modify the plug-in operating characteristics model.
CN201710004491.0A 2017-01-04 2017-01-04 Method and system for identifying plug-in operation Active CN108268886B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710004491.0A CN108268886B (en) 2017-01-04 2017-01-04 Method and system for identifying plug-in operation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710004491.0A CN108268886B (en) 2017-01-04 2017-01-04 Method and system for identifying plug-in operation

Publications (2)

Publication Number Publication Date
CN108268886A true CN108268886A (en) 2018-07-10
CN108268886B CN108268886B (en) 2020-10-30

Family

ID=62771713

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710004491.0A Active CN108268886B (en) 2017-01-04 2017-01-04 Method and system for identifying plug-in operation

Country Status (1)

Country Link
CN (1) CN108268886B (en)

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080220854A1 (en) * 2007-03-08 2008-09-11 Timothy Michael Midgley Method and apparatus for collecting user game play data and crediting users in an online gaming environment
US20100162405A1 (en) * 2008-12-23 2010-06-24 Valve Corporation Protecting against polymorphic cheat codes in a video game
US20120106829A1 (en) * 2010-11-03 2012-05-03 Tae-Kyeong Lee Robot cleaner and controlling method of the same
TW201402180A (en) * 2012-07-06 2014-01-16 Jun-Guang Chen Game character plug-in module and method
CN103825780A (en) * 2014-02-26 2014-05-28 珠海市君天电子科技有限公司 Tag-on program identification method, service and system
CN105812200A (en) * 2014-12-31 2016-07-27 中国移动通信集团公司 Abnormal behavior detection method and device
JP5936748B1 (en) * 2015-05-20 2016-06-22 株式会社Cygames Information processing system, server and program, and terminal and program
CN105159948A (en) * 2015-08-12 2015-12-16 成都数联易康科技有限公司 Medical insurance fraud detection method based on multiple features
CN105138982A (en) * 2015-08-21 2015-12-09 中南大学 Crowd abnormity detection and evaluation method based on multi-characteristic cluster and classification
CN106067088A (en) * 2016-05-30 2016-11-02 中国邮政储蓄银行股份有限公司 E-bank accesses detection method and the device of behavior

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
ANDERS DRACHEN: "Guns, Swords and Data: Clustering of Player Behavior in Computer Games in the Wild", 《2012 IEEE CONFERENCE ON COMPUTATIONAL INTELLIGENCE AND GAMES》 *
GALLI, L.,ET.AL: "A cheating detection framework for unreal tournament iii: A machine learning approach", 《IN 2011 IEEE CONFERENCE ON COMPUTATIONAL INTELLIGENCE AND GAMES》 *
RASHIDI, BAHMAN,ET.AL: "Bottracer: Bot user detection using clustering method in recdroid", 《NETWORK OPERATIONS AND MANAGEMENT SYMPOSIUM》 *
周阳光: "利用过程挖掘提高网络游戏客户分类准确率的方法的研究与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
黄文彬: "游戏反外挂系统设计与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109325779A (en) * 2018-08-20 2019-02-12 北京数美时代科技有限公司 A kind of read-write portrait method, system and portrait processing system cheated for counter
CN109376718A (en) * 2018-12-17 2019-02-22 成都国腾实业集团有限公司 A kind of recognition methods of plug-in operation fingerprint similarity
CN109731339A (en) * 2018-12-17 2019-05-10 福建天晴数码有限公司 Detect plug-in method, storage medium
CN109731339B (en) * 2018-12-17 2022-04-12 福建天晴数码有限公司 Method and storage medium for detecting plug-in
CN111389012A (en) * 2020-02-26 2020-07-10 完美世界征奇(上海)多媒体科技有限公司 Method, device and system for anti-plug-in
CN111417021A (en) * 2020-03-16 2020-07-14 广州虎牙科技有限公司 Plug-in identification method and device, computer equipment and readable storage medium
CN111444983A (en) * 2020-04-22 2020-07-24 中国科学院上海微系统与信息技术研究所 Risk event identification method and system based on sensing data information fingerprints
CN111444983B (en) * 2020-04-22 2023-10-24 中国科学院上海微系统与信息技术研究所 Risk event identification method and system based on sensing data information fingerprint

Also Published As

Publication number Publication date
CN108268886B (en) 2020-10-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No.10, Gaopeng Avenue, high tech Zone, Chengdu, Sichuan 610041

Patentee after: China Mobile Group Sichuan Co.,Ltd.

Patentee after: CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd.

Address before: No.10, Gaopeng Avenue, high tech Zone, Chengdu, Sichuan 610041

Patentee before: China Mobile Group Sichuan Co.,Ltd.

Patentee before: China Mobile Communications Corp.