CN108509793A - User anomaly detection method and device based on user action log data - Google Patents

User anomaly detection method and device based on user action log data

Publication number
CN108509793A
Authority
CN
China
Prior art keywords
user
action log
word
lda
user action
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810306815.0A
Other languages
Chinese (zh)
Inventor
曾毅
彭洪涛
喻波
王志海
董爱华
安鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Wondersoft Technology Co Ltd
Priority to CN201810306815.0A
Publication of CN108509793A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

The invention discloses a user anomaly detection method and device based on user action log data. The method includes the following steps: collecting user log data and normalizing it; scoring newly collected user action logs with an LDA analysis model; when the score is lower than a predetermined score, determining that the newly collected user action log is a suspicious user action log; determining the user terminal and application software corresponding to the suspicious user action log, and generating alert information. With this technical solution, abnormal user behavior can be found quickly and reported to the administrator or user in time, improving the efficiency of threat discovery and handling; the analysis completes at near-real-time speed, improving the timeliness of the system's audit and alerting functions.

Description

User anomaly detection method and device based on user action log data
Technical field
The present invention relates to the field of data security, and in particular to a method for detecting abnormal user behavior based on user action log data.
Background
LDA (Latent Dirichlet Allocation) is a document topic generation model, also called a three-layer Bayesian probability model, with a three-layer structure of words, topics and documents. "Generative model" means that each word of a document is considered to be obtained by the process "select a topic with a certain probability, then select a word from that topic with a certain probability". The document-to-topic distribution is multinomial, and the topic-to-word distribution is multinomial.
LDA is an unsupervised machine learning technique that can identify latent topic information in a large document collection or corpus. It uses the bag-of-words method, which treats each document as a word-frequency vector, converting text into numerical information that is easy to model.
User behavior analysis means collecting statistics on and analyzing the relevant data, once the basic data has been obtained, in order to discover patterns in user behavior.
As shown in Fig. 1, the prior-art A-NIDS framework mainly comprises three stages:
1. Parameterization stage: the system formats or preprocesses the collected information in a predetermined manner.
2. Training stage: normal behavior is classified according to its characteristics, and a corresponding model is built.
3. Detection stage: once the model has been trained and is available, it is compared against the observed traffic data; if the deviation exceeds a given threshold, the system raises a warning and generates a detection report.
With respect to the prior art, the following technical problems need to be solved:
1. Collection and normalization of user behavior data.
2. Building a Spark-based machine learning LDA model.
3. Alerting on and displaying abnormal behavior results.
Summary of the invention
To solve the above technical problems, the present invention provides a user abnormal behavior detection method based on user action log data, characterized in that the method includes the following steps:
1) collecting user log data and normalizing it;
2) scoring newly collected user action logs with an LDA analysis model;
3) when the score is lower than a predetermined score, determining that the newly collected user action log is a suspicious user action log;
4) determining the user terminal and application software corresponding to the suspicious user action log, and generating alert information.
In the method according to the invention, preferably, in the LDA analysis model the user action log data includes the following words: user ID, user terminal ID, application software code, operation time, and operation type. From these words, the documents and topics required as input to the LDA analysis model are built; the probability of each user action log occurring is then calculated according to the LDA algorithm, and that probability is used as the score of the user action log.
In the method according to the invention, preferably, the probability that each word in the user action log occurs in the document collection is denoted as: The score of the newly collected user action log is determined from this probability.
In the method according to the invention, preferably, before step 1), the LDA analysis model is trained with user action log data;
the user log data serves as the documents for training the LDA analysis model, the words formed after processing the user operation data serve as the words for training the LDA analysis model, and aspects of user operation type serve as the topics for training the LDA analysis model.
In the method according to the invention, preferably, the user action log data is divided into two words;
one word includes: user ID, user terminal ID, application software type and operation time;
the other word includes: operation type, operation duration, request field number, and response field number.
To solve the above technical problems, the present invention provides a user abnormal behavior detection device based on user action log data, characterized in that the device includes:
a data collection and processing module, which collects user log data and normalizes it;
a score evaluation module, which scores newly collected user action logs with an LDA analysis model;
a score judgment module, which, when the score is lower than a predetermined score, determines that the newly collected user action log is a suspicious user action log;
an alert module, which determines the user terminal and application software corresponding to the suspicious user action log and generates alert information.
In the device according to the invention, preferably, in the LDA analysis model the user action log data includes the following words: user ID, user terminal ID, application software code, operation time, and operation type. From these words, the documents and topics required as input to the LDA analysis model are built; the probability of each user action log occurring is then calculated according to the LDA algorithm, and that probability is used as the score of the user action log.
In the device according to the invention, preferably, the probability that each word in the user action log occurs in the document collection is denoted as: The score of the newly collected user action log is determined from this probability.
In the device according to the invention, preferably, the device further includes a model training module, which trains the LDA analysis model with user action log data;
the user log data serves as the documents for training the LDA analysis model, the words formed after processing the user operation data serve as the words for training the LDA analysis model, and aspects of user operation type serve as the topics for training the LDA analysis model.
In the device according to the invention, preferably, the user action log data is divided into two words;
one word includes: user ID, user terminal ID, application software type and operation time;
the other word includes: operation type, operation duration, request field number, and response field number.
To solve the above technical problems, the present invention provides a computer-readable storage medium storing computer program instructions which, when executed, implement the method according to any one of the above.
Adopting the technical solution of the present invention achieves the following technical effects:
1. Functional extension: the machine-learning abnormal behavior analysis method based on user action logs can quickly find abnormal user behavior and alert the administrator or user in time, improving the efficiency of threat discovery and handling.
2. Real-time performance: the Spark-based machine learning LDA analysis model completes the data analysis at near-real-time speed, improving the timeliness of the system's audit and alerting functions.
Description of the drawings
Fig. 1 is a flowchart of prior-art data analysis;
Fig. 2 is a flowchart of user behavior anomaly detection according to the present invention.
Detailed description
LDA (Latent Dirichlet Allocation) is a document topic generation model, also called a three-layer Bayesian probability model, with a three-layer structure of words, topics and documents. "Generative model" means that each word of a document is considered to be obtained by the process "select a topic with a certain probability, then select a word from that topic with a certain probability". The document-to-topic distribution is multinomial, and the topic-to-word distribution is multinomial.
LDA is an unsupervised machine learning technique that can identify latent topic information in a large document collection or corpus. It uses the bag-of-words method, which treats each document as a word-frequency vector, converting text into numerical information that is easy to model. The bag-of-words method does not consider the order of words, which reduces the complexity of the problem and also leaves room for improving the model. Each document represents a probability distribution over some topics, and each topic represents a probability distribution over many words.
LDA generative process
For each document in the corpus, LDA defines the following generative process:
1. for each document, draw a topic from the topic distribution;
2. draw a word from the word distribution corresponding to the drawn topic;
3. repeat the above process until every word in the document has been traversed.
Each document in the corpus corresponds to a multinomial distribution over T topics (T is given in advance, for example by repeated trials); this multinomial distribution is denoted θ. Each topic in turn corresponds to a multinomial distribution over the V words in the vocabulary; this multinomial distribution is denoted φ.
LDA overall flow
First define the meaning of some symbols: document collection D, topic set T.
Each document d in D is regarded as a word sequence <w1, w2, ..., wn>, where wi denotes the i-th word and d has n words. (In LDA this is called a bag of words; in practice the position at which each word appears has no effect on the LDA algorithm.)
All the distinct words in D form one large set VOCABULARY (VOC for short). LDA takes the document collection D as input and aims to train two result vectors (assume k topics are formed and VOC contains m words in total):
For each document d in D, the probabilities θd = <pt1, ..., ptk> of corresponding to the different topics, where pti denotes the probability that d corresponds to the i-th topic in T. The calculation is intuitive: pti = nti/n, where nti is the number of words in d that correspond to the i-th topic and n is the total number of words in d.
For each topic t in T, the probabilities φt = <pw1, ..., pwm> of generating the different words, where pwi denotes the probability that t generates the i-th word in VOC. The calculation is equally intuitive: pwi = Nwi/N, where Nwi is the number of occurrences of the i-th word of VOC that correspond to topic t, and N is the total number of words that correspond to topic t.
The core formula of LDA is as follows:
p(w|d) = p(w|t) * p(t|d)
Intuitively, this formula uses the topic as an intermediate layer: the current θd and φt give the probability of word w appearing in document d. Here p(t|d) is calculated from θd and p(w|t) from φt.
In fact, using the current θd and φt, we can compute p(w|d) for a word in a document under each possible topic, and then use these results to update which topic the word should correspond to. If this update changes the topic corresponding to the word, it in turn affects θd and φt. [2]
LDA learning process
When the LDA algorithm starts, θd and φt are first assigned random values (for all d and t). The above process is then repeated, and the result it finally converges to is the output of LDA. In more detail, one iteration of this learning process is:
1. For the i-th word wi in a specific document ds, if the topic corresponding to this word is tj, the above formula can be rewritten as:
pj(wi|ds) = p(wi|tj) * p(tj|ds)
2. We can now enumerate the topics in T to obtain all pj(wi|ds), where j ranges from 1 to k. A topic can then be chosen for the i-th word wi in ds according to these probability values. The simplest idea is to take the tj that maximizes pj(wi|ds) (note that only j varies in this expression), i.e. argmax[j] pj(wi|ds).
3. If the i-th word wi in ds is now assigned a topic different from its original one, θd and φt are affected (as is easily seen from the formulas for these two vectors given above). Their change in turn affects the calculation of p(w|d) described above. Calculating p(w|d) once for every w in every d in D and reselecting topics counts as one iteration. After n such iterations, the process converges to the result LDA requires.
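The iteration described above, written out as an added example (not code from the patent): each word is reassigned to argmax[j] p(wi|tj) * p(tj|ds), and θd and φt are re-estimated from counts as pti = nti/n and pwi = Nwi/N. The corpus, the topic count and the random seed are constructed assumptions.

```python
import random
from collections import Counter

# Constructed corpus: one document per user, each a list of behaviour words.
DOCS = [
    ["2_1_1_1", "2_1_1_1", "2_1_1_2", "2_1_1_1", "0_1_1_1", "2_1_1_2"],
    ["3_2_1_1", "3_2_1_1", "1_4_1_6", "3_2_1_1", "2_1_1_1", "3_2_1_1"],
    ["2_1_1_1", "3_2_1_1", "2_1_1_2", "2_1_1_1", "3_2_1_1", "0_1_1_1"],
]


def estimate(docs, assign, k):
    """Count-based estimates: theta[d][t] = nti/n and phi[t][w] = Nwi/N."""
    theta = []
    topic_words = [Counter() for _ in range(k)]
    for words, topics in zip(docs, assign):
        counts = Counter(topics)
        theta.append([counts[t] / len(words) for t in range(k)])
        for w, t in zip(words, topics):
            topic_words[t][w] += 1
    phi = []
    for tw in topic_words:
        total = sum(tw.values())
        # An empty topic yields an empty table, so no division by zero occurs.
        phi.append({w: c / total for w, c in tw.items()})
    return theta, phi


def train(docs, k, iterations=20, seed=7):
    """Random start, then repeat: reselect topics for every word, re-estimate."""
    rng = random.Random(seed)
    assign = [[rng.randrange(k) for _ in words] for words in docs]
    theta, phi = estimate(docs, assign, k)
    for _ in range(iterations):
        changed = False
        for d, words in enumerate(docs):
            for i, w in enumerate(words):
                # argmax over j of pj(wi|ds) = p(wi|tj) * p(tj|ds)
                best = max(range(k),
                           key=lambda t: phi[t].get(w, 0.0) * theta[d][t])
                if best != assign[d][i]:
                    assign[d][i] = best
                    changed = True
        theta, phi = estimate(docs, assign, k)
        if not changed:  # no word changed topic: converged
            break
    return theta, phi


def word_prob(theta_d, phi, w):
    """p(w|d) summed over all topics."""
    return sum(phi[t].get(w, 0.0) * theta_d[t] for t in range(len(phi)))


if __name__ == "__main__":
    theta, phi = train(DOCS, k=2)
    for d, row in enumerate(theta):
        print("document", d, "theta =", [round(p, 3) for p in row])
    print("p(unseen word | doc 0) =", word_prob(theta[0], phi, "1_9_9_9"))
```

Because the estimates are unsmoothed counts, a word that never occurred in training gets probability exactly 0, which is the lowest possible score under the thresholding described later.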
The present invention is further described below with reference to the accompanying drawings and specific embodiments, but the scope of protection of the present invention is not limited thereto.
<User anomaly detection method>
Referring to Fig. 2, the behavior detection steps are as follows:
(1) The log collection module collects the business logs of each system. The collected data is correlated to form user action logs that describe user behavior. The generated user action logs are normalized. A normalized log describes which user performed what operation, at what time, on which terminal, through which application (app). The processed message fields include:
Time the data was received
Operation duration
Terminal ID
User ID
Application software code
Operation type (add, delete, query, modify)
Length of the request parameters (bytes)
Length of the response result (bytes)
(2) Determine whether an LDA analysis model exists. If it does not, build a Spark-based machine learning LDA (document topic model) analysis model, use the input user behavior data as the input documents, train the model on a large volume of document data to obtain a converged result, and save the trained model. If it does, analyze and score the newly collected user behavior data; a threshold is set, and when the score is lower than the threshold the behavior is considered suspicious.
(3) Alert information is generated from the suspicious behavior data and displayed on the alert dashboard of the front-end page, alerting the administrator.
Clustering algorithm (LDA):
LDA can be used to identify latent topic information in a large document collection or corpus. It uses the bag-of-words method, which treats each document as a word-frequency vector, converting text into numerical information that is easy to model. The bag-of-words method does not consider the order of words, which reduces the complexity of the problem and also leaves room for improving the model. Each document represents a probability distribution over some topics, and each topic represents a probability distribution over many words.
LDA can be regarded as the following clustering process:
(1) Each topic corresponds to the "centroid" of a cluster, and each document is regarded as a sample in the data set.
(2) Topics and documents are regarded as existing in a vector space, in which every feature vector is a word frequency (bag of words).
(3) Unlike traditional clustering methods, which use a distance formula as the measure, LDA uses a function based on a statistical model, and this statistical model describes how the documents are generated.
It is based on a common-sense assumption: all texts in a document collection share a certain number of latent topics. Based on this assumption, it characterizes the whole document collection as a set of latent topics, and each text is represented as a mixture of these latent topics in particular proportions. The core formula of LDA is as follows:
d denotes a document, w denotes a word, z_k denotes the k-th topic, and there are K topics in total. Informally: document d belongs to topic z_k with a certain probability, p(z_k|d), and the prior probability of word w appearing under topic z_k is p(w|z_k); therefore, under topic z_k, the probability that word w appears in the document is p(w|z_k)*p(z_k|d). Summing, over all K topics, the probability that word w appears in the document gives the probability p(w|d) (the word frequency) of word w appearing in document d.
LDA is a hierarchical Bayesian model in which the model parameters are themselves treated as random variables, so parameters that control the parameters can be introduced, achieving thorough "randomization". The LDA model has a Dirichlet prior distribution, and the topics of a document d follow a multinomial distribution. Currently, parameter estimation is the most important task in LDA, and there are two main methods: Gibbs sampling (computationally intensive, but relatively simple and accurate) and variational Bayesian methods (less computation, lower precision).
Building the user behavior analysis LDA model includes the following steps:
(1) Brief introduction to the LDA (Latent Dirichlet Allocation) document topic model
LDA is an unsupervised machine learning technique that can identify latent topic information in a large document collection or corpus. It uses the bag-of-words method, which treats each document as a word-frequency vector, converting text into numerical information that is easy to model. Each document represents a probability distribution over some topics, and each topic represents a probability distribution over many words. If we want to generate a document, the probability of each word in it appearing is:
(2) In the present invention, the correspondence to the LDA document topic model is defined as follows:
Model: user action logs
Document: UserAction data
Word: the words formed after processing the UserAction data
Topic: aspects of user behavior
The essence of LDA model training is to obtain the probability distribution function of words in a document, and then to generate one word at a time according to this probability distribution function. Therefore, for LDA model training on user action logs to produce meaningful results, the collected user action logs must undergo word segmentation: the normalized data contains many fields and has no repetition, so a meaningfully converged model cannot be trained directly on it.
(3) Word segmentation of user action logs
Each user action log is divided into two independent words: userid_hardwareid_appcode_trhour and actionType_duration_resLen_reqLen. The specific rules for building the words are as follows:
Time of day (time)
Uses the trhour field in the data: the hour of the time at which the operation was generated.
Request Bytes (size of the request parameters)
Uses the number of the bin that the value of the resLen field falls into. The bin boundaries are [0, 512, 1024, 2048, 4096, ...], in bytes; if resLen equals 256 bytes, the corresponding value is 1; if resLen equals 760 bytes, the corresponding value is 2.
Response Bytes (size of the response result)
Uses the number of the bin that the value of the reqLen field falls into. The bin boundaries are [0, 512, 1024, 2048, 4096, ...], in bytes; if resLen equals 256 bytes, the corresponding value is 1; if resLen equals 760 bytes, the corresponding value is 2.
ActionType (operation type)
0 corresponds to add; 1 corresponds to delete; 2 corresponds to query; 3 corresponds to modify.
Duration (operation duration)
The number of the interval that the time of the whole operation, from request to response, falls into. The interval boundaries are [0, 10, 20, 30, 40, 50, 60, 70, ...], in seconds; if duration equals 10 seconds, the corresponding value is 2.
Word generation example
A. A user action log is userid:1200211123456789, hardwareid:000426, duration:20, trhour:10, appcode:100026, resLen:100, reqLen:200, actionType:1. The generated words are:
I. The first word is: "1200211123456789_000426_100026_10".
II. The second word is: "1_1_2_2_4".
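The word-building rules above and the scoring and alerting steps (2) to (4) of the method, combined in one added example that is not code from the patent. It follows the stated binning rules (256 bytes gives 1, 760 bytes gives 2, 10 seconds gives 2). Assumptions: the elided bin boundaries keep doubling, there is one document per user, the score of a log is the product of its two word probabilities, and the model tables, log records and threshold are constructed.

```python
def size_bin(n_bytes):
    """1-based bin over boundaries [0, 512, 1024, 2048, 4096, ...].
    Assumption: the elided boundaries keep doubling."""
    return (n_bytes // 512).bit_length() + 1


def duration_bin(seconds):
    """1-based bin over boundaries [0, 10, 20, 30, ...] seconds."""
    return seconds // 10 + 1


def make_words(rec):
    """Split one normalized log into the two words the text describes."""
    who = "{userid}_{hardwareid}_{appcode}_{trhour}".format(**rec)
    what = "_".join(str(v) for v in (
        rec["actionType"],
        duration_bin(rec["duration"]),
        size_bin(rec["resLen"]),
        size_bin(rec["reqLen"]),
    ))
    return who, what


# Constructed toy tables standing in for a trained LDA model.
# THETA[userid][k] = p(z_k | d), one document per user (assumption).
THETA = {"u1001": [0.9, 0.1]}
# PHI[k][word] = p(word | z_k); each topic's probabilities sum to 1.
PHI = [
    {"u1001_t01_app7_10": 0.5, "2_1_1_1": 0.4, "2_1_1_2": 0.1},
    {"u1001_t09_app7_3": 0.1, "1_4_1_6": 0.1, "3_1_1_1": 0.8},
]


def word_prob(theta_d, word):
    """p(w|d) = sum over k of p(w|z_k) * p(z_k|d)."""
    return sum(PHI[k].get(word, 0.0) * p for k, p in enumerate(theta_d))


def score(rec):
    """Product of the two word probabilities (assumption).
    Unknown users and unseen words score 0.0."""
    theta_d = THETA.get(rec["userid"])
    if theta_d is None:
        return 0.0
    who, what = make_words(rec)
    return word_prob(theta_d, who) * word_prob(theta_d, what)


def detect(records, threshold):
    """Return one alert, naming terminal and application, per low-scoring log."""
    alerts = []
    for rec in records:
        s = score(rec)
        if s < threshold:
            alerts.append({
                "userid": rec["userid"],
                "terminal": rec["hardwareid"],
                "app": rec["appcode"],
                "words": make_words(rec),
                "score": s,
            })
    return alerts


SAMPLE_LOGS = [  # constructed records using the field names from the text
    {"userid": "u1001", "hardwareid": "t01", "appcode": "app7", "trhour": 10,
     "actionType": 2, "duration": 3, "resLen": 100, "reqLen": 200},
    {"userid": "u1001", "hardwareid": "t09", "appcode": "app7", "trhour": 3,
     "actionType": 1, "duration": 35, "resLen": 100, "reqLen": 9000},
    {"userid": "u2002", "hardwareid": "t77", "appcode": "app7", "trhour": 14,
     "actionType": 2, "duration": 3, "resLen": 100, "reqLen": 200},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, threshold=0.01):
        print(alert)
```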
The threat detection system based on user action logs of the present invention has been applied in the big data analysis system of an enterprise, where it effectively alerts on abnormal behavior.
With the solution of the present invention, the machine-learning abnormal behavior analysis method based on user action logs can quickly find abnormal user behavior and alert the administrator or user in time, improving the efficiency of threat discovery and handling. The Spark-based machine learning LDA analysis model completes the data analysis at near-real-time speed, improving the timeliness of the system's audit and alerting functions.
The above embodiment is only an example of the protection scheme of the present invention and does not limit its specific implementation.

Claims (11)

1. A user abnormal behavior detection method based on user action log data, characterized in that the method includes the following steps:
1) collecting user log data and normalizing it;
2) scoring newly collected user action logs with an LDA analysis model;
3) when the score is lower than a predetermined score, determining that the newly collected user action log is a suspicious user action log;
4) determining the user terminal and application software corresponding to the suspicious user action log, and generating alert information.
2. The method according to claim 1, wherein in the LDA analysis model the user action log data includes the following words: user ID, user terminal ID, application software code, operation time, and operation type; from these words, the documents and topics required as input to the LDA analysis model are built; the probability of each user action log occurring is then calculated according to the LDA algorithm, and that probability is used as the score of the user action log.
3. The method according to claim 2, wherein the probability that each word in the user action log occurs in the document collection is denoted as: The score of the newly collected user action log is determined from this probability.
4. The method according to claim 1, wherein before step 1) the LDA analysis model is trained with user action log data;
the user log data serves as the documents for training the LDA analysis model, the words formed after processing the user operation data serve as the words for training the LDA analysis model, and aspects of user operation type serve as the topics for training the LDA analysis model.
5. The method according to claim 1, wherein the user action log data is divided into two words;
one word includes: user ID, user terminal ID, application software type and operation time;
the other word includes: operation type, operation duration, request field number, and response field number.
6. A user abnormal behavior detection device based on user action log data, characterized in that the device includes:
a data collection and processing module, which collects user log data and normalizes it;
a score evaluation module, which scores newly collected user action logs with an LDA analysis model;
a score judgment module, which, when the score is lower than a predetermined score, determines that the newly collected user action log is a suspicious user action log;
an alert module, which determines the user terminal and application software corresponding to the suspicious user action log and generates alert information.
7. The device according to claim 6, wherein in the LDA analysis model the user action log data includes the following words: user ID, user terminal ID, application software code, operation time, and operation type; from these words, the documents and topics required as input to the LDA analysis model are built; the probability of each user action log occurring is then calculated according to the LDA algorithm, and that probability is used as the score of the user action log.
8. The device according to claim 7, wherein the probability that each word in the user action log occurs in the document collection is denoted as: The score of the newly collected user action log is determined from this probability.
9. The device according to claim 6, wherein the device further includes a model training module, which trains the LDA analysis model with user action log data;
the user log data serves as the documents for training the LDA analysis model, the words formed after processing the user operation data serve as the words for training the LDA analysis model, and aspects of user operation type serve as the topics for training the LDA analysis model.
10. The device according to claim 6, wherein the user action log data is divided into two words;
one word includes: user ID, user terminal ID, application software type and operation time;
the other word includes: operation type, operation duration, request field number, and response field number.
11. A computer-readable storage medium storing computer program instructions which, when executed, implement the method according to any one of the above.
CN201810306815.0A 2018-04-08 2018-04-08 A kind of user's anomaly detection method and device based on User action log data Pending CN108509793A (en)


Publications (1)

Publication Number Publication Date
CN108509793A true CN108509793A (en) 2018-09-07

Family

ID=63381023

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810306815.0A Pending CN108509793A (en) 2018-04-08 2018-04-08 A kind of user's anomaly detection method and device based on User action log data

Country Status (1)

Country Link
CN (1) CN108509793A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109218321A (en) * 2018-09-25 2019-01-15 北京明朝万达科技股份有限公司 A kind of network inbreak detection method and system
CN109325232A (en) * 2018-09-25 2019-02-12 北京明朝万达科技股份有限公司 A kind of user behavior exception analysis method, system and storage medium based on LDA
CN110162445A (en) * 2019-05-23 2019-08-23 中国工商银行股份有限公司 The host health assessment method and device of Intrusion Detection based on host log and performance indicator
CN110378124A (en) * 2019-07-19 2019-10-25 杉树岭网络科技有限公司 A kind of network security threats analysis method and system based on LDA machine learning
CN111368534A (en) * 2018-12-25 2020-07-03 中国移动通信集团浙江有限公司 Application log noise reduction method and device
CN112765003A (en) * 2020-12-31 2021-05-07 北方工业大学 Risk prediction method based on APP behavior log
CN114254716A (en) * 2022-03-02 2022-03-29 浙江鹏信信息科技股份有限公司 High-risk operation identification method and system based on user behavior analysis
CN114721861A (en) * 2022-05-23 2022-07-08 北京必示科技有限公司 Fault positioning method and system based on log differentiation comparison

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1649311A (en) * 2005-03-23 2005-08-03 北京首信科技有限公司 Detecting system and method for user behaviour abnormal based on machine study
CN103853841A (en) * 2014-03-19 2014-06-11 北京邮电大学 Method for analyzing abnormal behavior of user in social networking site
CN104424354A (en) * 2013-08-27 2015-03-18 国际商业机器公司 Detecting Anomalous User Behavior Using Generative Models of User Actions
US20150186901A1 (en) * 2008-06-12 2015-07-02 Tom Miltonberger Fraud detection and analysis
CN106021620A (en) * 2016-07-14 2016-10-12 北京邮电大学 Method for realizing automatic detection for power failure event by utilizing social contact media
CN107798083A (en) * 2017-10-17 2018-03-13 广东广业开元科技有限公司 A kind of information based on big data recommends method, system and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
韩群: "Research on APT Communication Log Features Under the LDA Model", China Master's Theses Full-text Database *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109218321A (en) * 2018-09-25 2019-01-15 北京明朝万达科技股份有限公司 A kind of network inbreak detection method and system
CN109325232A (en) * 2018-09-25 2019-02-12 北京明朝万达科技股份有限公司 A kind of user behavior exception analysis method, system and storage medium based on LDA
CN111368534A (en) * 2018-12-25 2020-07-03 中国移动通信集团浙江有限公司 Application log noise reduction method and device
CN110162445A (en) * 2019-05-23 2019-08-23 中国工商银行股份有限公司 The host health assessment method and device of Intrusion Detection based on host log and performance indicator
CN110378124A (en) * 2019-07-19 2019-10-25 杉树岭网络科技有限公司 A kind of network security threats analysis method and system based on LDA machine learning
CN112765003A (en) * 2020-12-31 2021-05-07 北方工业大学 Risk prediction method based on APP behavior log
CN112765003B (en) * 2020-12-31 2021-09-14 北方工业大学 Risk prediction method based on APP behavior log
CN114254716A (en) * 2022-03-02 2022-03-29 浙江鹏信信息科技股份有限公司 High-risk operation identification method and system based on user behavior analysis
CN114721861A (en) * 2022-05-23 2022-07-08 北京必示科技有限公司 Fault positioning method and system based on log differentiation comparison

Similar Documents

Publication Publication Date Title
CN108509793A (en) A kind of user's anomaly detection method and device based on User action log data
Niyaz et al. A deep learning approach for network intrusion detection system
WO2017084586A1 (en) Method , system, and device for inferring malicious code rule based on deep learning method
CN110781317A (en) Method and device for constructing event map and electronic equipment
CN108255805A (en) The analysis of public opinion method and device, storage medium, electronic equipment
CN104077417B (en) People tag in social networks recommends method and system
CN105868108A (en) Instruction-set-irrelevant binary code similarity detection method based on neural network
CN106354818B (en) Social media-based dynamic user attribute extraction method
Olmezogullari et al. Representation of click-stream datasequences for learning user navigational behavior by using embeddings
CN108549658A (en) A kind of deep learning video answering method and system based on the upper attention mechanism of syntactic analysis tree
CN104484343A (en) Topic detection and tracking method for microblog
CN110197389A (en) A kind of user identification method and device
CN109325232A (en) A kind of user behavior exception analysis method, system and storage medium based on LDA
CN114330966A (en) Risk prediction method, device, equipment and readable storage medium
CN108040053A (en) A kind of network security threats analysis method and system based on DNS daily record datas
CN112667979A (en) Password generation method and device, password identification method and device, and electronic device
CN109299286A (en) The Knowledge Discovery Method and system of unstructured data
CN110149280B (en) Network traffic classification method and device
CN105468731A (en) Preprocessing method of text sentiment analysis characteristic verification
CN110674370A (en) Domain name identification method and device, storage medium and electronic equipment
CN108173818A (en) A kind of network security threats analysis method and system based on Proxy daily record datas
CN110309355A (en) Generation method, device, equipment and the storage medium of content tab
CN111723182A (en) Key information extraction method and device for vulnerability text
CN106815199A (en) Protocol type analysis method and device based on machine learning
CN112463964B (en) Text classification and model training method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180907
