CN108809745A - A kind of user's anomaly detection method, apparatus and system - Google Patents

A user abnormal behavior detection method, apparatus and system

Info

Publication number
CN108809745A
Authority
CN
China
Prior art keywords
user behavior
user
centroid
feature value
information
Prior art date
Application number
CN201710306998.1A
Other languages
Chinese (zh)
Inventor
赵立农
陆艳军
陈浪
杨翔
邓秘密
黄国强
廖天宇
Original Assignee
中国移动通信集团重庆有限公司
北京启明星辰信息安全技术有限公司
中国移动通信集团公司
Priority date
Filing date
Publication date
Application filed by 中国移动通信集团重庆有限公司, 北京启明星辰信息安全技术有限公司, 中国移动通信集团公司
Priority to CN201710306998.1A
Publication of CN108809745A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing packet switching networks
    • H04L43/10 Arrangements for monitoring or testing packet switching networks using active monitoring, e.g. heartbeat protocols, polling, ping, trace-route
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance or administration or management of packet switching networks
    • H04L41/14 Arrangements for maintenance or administration or management of packet switching networks involving network analysis or design, e.g. simulation, network model or planning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing packet switching networks
    • H04L43/16 Arrangements for monitoring or testing packet switching networks using threshold monitoring

Abstract

The present invention provides a user abnormal behavior detection method, apparatus and system. The user abnormal behavior detection method includes: obtaining user behavior information; extracting from the user behavior information the user behavior feature values related to user behavior; according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values related to each class of user behavior; with the cluster centroid as center, determining a standard baseline of the user's normal behavior; calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid; and comparing the calculated distance with the standard baseline to judge whether the user behavior information is abnormal behavior information. By collecting user behavior information and extracting feature values from it, and performing cluster analysis on the extracted feature values together with the normal-behavior standard baseline, the present invention judges the abnormal state of user behavior, simplifies the judgment process for abnormal user behavior, and achieves fast and accurate detection of abnormal user behavior.

Description

A user abnormal behavior detection method, apparatus and system

Technical field

The present invention relates to the technical field of network traffic control and monitoring, and specifically to a user abnormal behavior detection method, apparatus and system.

Background technology

With the popularization and development of computer technology, whether in local area networks or wide area networks, the scale of the network user base keeps expanding and user behavior becomes ever more complex; in this context, fast detection and effective control of user behavior appears particularly important. Clustering is the process of sorting data into different classes or clusters, so that objects within the same cluster have great similarity while objects in different clusters have great dissimilarity. The goal of cluster analysis is that objects within a group are related to each other while objects in different groups are unrelated. The greater the similarity within a group and the greater the difference between groups, the better the clustering. Clustering can be regarded as a kind of classification: it labels objects with class (cluster) labels, but these labels can only be derived from the data themselves, so cluster analysis is called unsupervised classification.

The object of existing anomaly detection is usually a current behavior sequence of the local machine (denoted q), and some method is used to judge whether sequence q contains anomalies. The resources usable in this judgment are the historical behavior sequence h of the local machine and the set c of group behavior sequences of the network environment in which the machine sits. Abnormal behavior detection, as a kind of pattern judgment, often carries some misjudgment, so behavior needs to be detected from multiple angles and a comprehensive judgment made in order to reduce the probability of misjudgment.

Existing cluster-based user abnormal behavior detection methods have complex anomaly judgment procedures, slow detection speed and inaccurate detection.

Invention content

To solve the problems that existing cluster-based user abnormal behavior detection methods have complex anomaly judgment procedures, slow detection speed and inaccurate detection, embodiments of the present invention provide a user abnormal behavior detection method, apparatus and system.

According to a first aspect of the embodiments of the present invention, a user abnormal behavior detection method is provided, including:

obtaining user behavior information;

extracting from the user behavior information the user behavior feature values related to user behavior;

according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values related to each class of user behavior;

with the cluster centroid as center, determining the standard baseline of the user's normal behavior;

calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;

comparing the calculated distance with the standard baseline to judge whether the user behavior information is abnormal behavior information.

Optionally, the user abnormal behavior detection method further includes:

The user behavior information is all of the user behavior information obtained within a predetermined period.

Calculating, according to the clustering features of the user behavior feature values, the cluster centroid of the user behavior feature values related to each class of user behavior includes:

selecting an initial centroid from each class of user behavior feature values;

calculating the distance between the user behavior feature values of the user behavior information and each initial centroid;

assigning the user behavior feature values of the user behavior information to the initial centroid with the minimum distance;

recalculating the corrected centroid of each class of user behavior feature values;

judging whether the corrected centroid has changed relative to the initial centroid; if the change exceeds a predetermined threshold, recalculating with the corrected centroid as the new initial centroid; if the change does not exceed the predetermined threshold, determining that the corrected centroid is the cluster centroid of that class of user behavior feature values.

The initial centroid is selected either randomly or by specification.

The predetermined threshold is 0 or an arbitrarily specified value.

Determining the standard baseline of the user's normal behavior with the cluster centroid as center uses the distance in Euclidean space to calculate the distance from each user behavior feature value to the corresponding centroid.

The user behavior information includes user login behavior information and user business operation behavior information.

The user login behavior information includes any one or more of ssh logs, telnet logs, ftp logs, sftp logs, database login logs, service application login logs, pop3 login logs and imap login logs.

The user business operation behavior information includes user operation record logs.

According to a second aspect of the embodiments of the present invention, a user abnormal behavior detection apparatus is provided, including:

an information acquisition module for obtaining user behavior information;

a feature extraction module for extracting from the user behavior information the user behavior feature values related to user behavior;

a first processing module for calculating, according to the clustering features of the user behavior feature values, the cluster centroid of the user behavior feature values related to each class of user behavior;

a second processing module for determining, with the cluster centroid as center, the standard baseline of the user's normal behavior;

a third processing module for calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;

a comparison module for comparing the calculated distance with the standard baseline to judge whether the user behavior information is abnormal behavior information.

Optionally, the information acquisition module is for collecting all user behavior information within a predetermined period.

The first processing module is further for:

selecting an initial centroid from each class of user behavior feature values;

calculating the distance between the user behavior feature values of the user behavior information and each initial centroid;

assigning the user behavior feature values of the user behavior information to the initial centroid with the minimum distance;

recalculating the corrected centroid of each class of user behavior feature values;

judging whether the corrected centroid has changed relative to the initial centroid; if the change exceeds a predetermined threshold, recalculating with the corrected centroid as the new initial centroid; if the change does not exceed the predetermined threshold, determining that the corrected centroid is the cluster centroid of that class of user behavior feature values.

According to a third aspect of the embodiments of the present invention, a user abnormal behavior detection system is provided, including:

a memory, a processor, a communication interface and a bus;

the memory and the processor are connected to the communication interface through the bus and complete mutual communication;

the memory is for storing program code;

the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute a user abnormal behavior detection method, wherein the user abnormal behavior detection method includes:

obtaining user behavior information;

extracting from the user behavior information the user behavior feature values related to user behavior;

according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values related to each class of user behavior;

with the cluster centroid as center, determining the standard baseline of the user's normal behavior;

calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;

comparing the calculated distance with the standard baseline to judge whether the user behavior information is abnormal behavior information.

The user abnormal behavior detection method, apparatus and system provided by the embodiments of the present invention collect user behavior information and extract feature values from it, perform cluster analysis on the extracted feature values together with the normal-behavior standard baseline, and judge the abnormal state of user behavior, thereby simplifying the judgment process for abnormal user behavior and achieving fast and accurate detection of abnormal user behavior.

Description of the drawings

The present invention may be better understood from the following description of specific embodiments of the present invention taken in conjunction with the accompanying drawings, in which:

By reading the detailed description of non-limiting embodiments made with reference to the drawings, other features, objects and advantages of the present invention will become more apparent, wherein the same or similar reference numerals indicate the same or similar features.

Fig. 1 is a flow chart of the user abnormal behavior detection method described in an embodiment of the present invention;

Fig. 2 is a flow chart of the step of calculating the cluster centroid described in an embodiment of the present invention;

Fig. 3 is a module diagram of the user abnormal behavior detection apparatus described in an embodiment of the present invention.

Specific implementation mode

Features and exemplary embodiments of various aspects of the present invention are described in detail below. In the following detailed description, many specific details are proposed in order to provide a complete understanding of the present invention. However, it will be apparent to those skilled in the art that the present invention can be implemented without some of these specific details. The following description of embodiments is provided merely to give a better understanding of the present invention by showing examples of it. The present invention is by no means limited to any specific configuration or algorithm set forth below, but covers any modification, replacement and improvement of elements, components and algorithms that does not depart from the spirit of the present invention. In the drawings and the following description, well-known structures and techniques are not shown, so as to avoid unnecessarily obscuring the present invention.

It should be made clear, however, that the present invention is not limited to the specific configurations and processing described above and shown in the figures. Also, for brevity, detailed descriptions of known method techniques are omitted here. In the above embodiments, several specific steps are described and shown as examples. But the method process of the present invention is not limited to the specific steps described and shown; those skilled in the art can make various changes, modifications and additions, or change the order between steps, after understanding the spirit of the present invention.

The functional blocks shown in the structural block diagrams described above can be implemented as hardware, software, firmware or a combination thereof. When implemented in hardware, they may be, for example, electronic circuits, application-specific integrated circuits (ASICs), appropriate firmware, plug-ins, function cards and so on. When implemented in software, the elements of the present invention are programs or code segments used to execute the required tasks. The programs or code segments can be stored in a machine-readable medium or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROM, optical disks, hard disks, fiber media, radio frequency (RF) links, and so on. The code segments can be downloaded via computer networks such as the Internet or an intranet.

Fig. 1 is a flow chart of the user abnormal behavior detection method provided by an embodiment of the present invention.

In this embodiment, the user abnormal behavior detection method specifically includes:

S101, obtaining user behavior information and aggregating it for big data analysis;

The user behavior information includes user login behavior information and user business operation behavior information. The user login behavior information includes ssh logs, telnet logs, ftp logs, sftp logs, database login logs, service application login logs, pop3 login logs and imap login logs; the user business operation behavior information includes the login logs and operation logs obtained from systems such as the 4A system and the CRM system.

S102, extracting from the user behavior information the user behavior feature values related to user behavior;

Creating a new feature set from raw data is called feature extraction. In this embodiment user behavior includes abnormal login behavior and abnormal operation behavior. Extracting user behavior feature values from the user login behavior information specifically includes classifying the user login information in the ssh logs, telnet logs, ftp logs, sftp logs, database login logs, service application login logs, pop3 login logs and imap login logs and establishing major classes (and groups); each login by a user is recorded once in its class, forming a major-class/group vector of the login information, which serves as the feature value of the user's abnormal login behavior information; at the same time, an abnormal login behavior tendency can be built on the user's login information class vector. Extracting user behavior feature values from the abnormal operation behavior information specifically includes classifying the user login information in the login logs and operation logs obtained from systems such as the 4A system and the CRM system and establishing major classes (and groups); each action by a user is recorded once in its class as user operation behavior information, forming a major-class (and group) vector of the user operation behavior information, which serves as the feature value of the user's abnormal operation behavior information; at the same time, an abnormal operation behavior tendency can be built on the user's operation information class vector.

S103, according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values related to each class of user behavior (establishing the cluster analysis model);

As shown in Fig. 2, calculating the cluster centroid of the user behavior feature values related to each class of user behavior according to the clustering features of the user behavior feature values specifically includes the following steps in this embodiment:

S1031, selecting an initial centroid from each class of user behavior feature values;

Taking the user behavior feature values extracted from the user behavior information in step S102 as the raw data, one object in each class of user behavior feature values is specified in the raw data as the initial centroid; the initial centroid may be random or specified.

S1032, calculating the distance between the user behavior feature values of the user behavior information and each initial centroid;

The distance from each point to each initial centroid is calculated separately, specifically using the Euclidean distance function:

where X_k and Y_k are the coordinates of the centroid, k = 1, 2, 3, ..., n;

S1033, assigning the user behavior feature values of the user behavior information to the initial centroid with the minimum distance;

S1034, recalculating the corrected centroid of each class of user behavior feature values;

Assume there are K initial centroids; for each data point there are K distance values to the K initial centroids, and the nearest initial centroid is chosen as the corrected centroid of that data point. All data points are judged in this way to obtain the position of the corrected centroid; the distance from each point to the corrected centroid is recalculated, and the corrected centroid position is obtained from the recalculated distances.

S1035, judging whether the corrected centroid has changed relative to the initial centroid; if the change exceeds the predetermined threshold, recalculating with the corrected centroid as the new initial centroid; if the change does not exceed the predetermined threshold, determining that the corrected centroid is the cluster centroid of that class of user behavior feature values.

S104, with the cluster centroid as center, determining the standard baseline of the user's normal behavior; this step can establish the user normal-behavior standard baseline through machine learning.

Establishing the user normal-behavior standard baseline draws the dividing line for abnormal behavior: when user behavior is represented as a given one-dimensional normal distribution, the further the user behavior value lies from the population in the distribution, the more readily it can be identified as abnormal.

For an attribute x drawn from a Gaussian distribution with mean 0 and standard deviation 1, an object with attribute value x is an outlier if

|x| ≥ c;

where c is a chosen constant satisfying prob(|x| ≥ c) = α.

As c moves away from the mean 0, α decreases. That is, when we specify α, it is reflected in the distribution as how far c lies from the mean 0. Here α is defined as the rarity: the smaller α is, the further from the mean the object lies in the distribution, the lower the possibility that the object conforms to the distribution, i.e. the higher the possibility that it does not conform.

According to the equation

prob(|x| ≥ c) = α

once the rarity α is determined, c in the distribution is determined, and this c is what reflects the standard baseline in reality.

If the actual distribution is not a normal distribution but can be converted into one, the standard baseline can be determined from the converted normal distribution and then converted into the standard baseline of the actual distribution.

S105, calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;

S106, comparing the calculated distance with the standard baseline to judge whether the user behavior information is abnormal behavior information. According to the calculated distance, combined with the normal-behavior standard baseline determined in step S104, the user behavior feature values are analyzed and the abnormal state of the user behavior is judged.
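The procedure of steps S103 to S106 (k-means cluster centroids with the corrected-centroid threshold, a Gaussian rarity threshold c from α, and the distance-to-centroid comparison), as an added Python example that is not code from the patent. The feature vectors (login hour, session minutes), the choice of k = 2 and α = 0.05, and the per-cluster z-scoring of distances before applying c are assumptions made for illustration.

```python
"""Added illustration of the patent's steps S103-S106; not the patent's own code.
Constructed login-behaviour feature vectors are clustered with k-means, a
standard baseline is derived from the standard normal distribution via the
rarity alpha, and new events are judged by their distance to the nearest centroid.
"""
import math
import random
from statistics import NormalDist, mean, stdev

# Constructed sample (assumption): one (login_hour, session_minutes) vector per
# login event, drawn from a morning shift and an evening shift of normal users.
NORMAL_LOGINS = [(9.0, 30.0), (9.5, 28.0), (10.0, 35.0), (8.5, 32.0), (9.2, 31.0),
                 (18.0, 12.0), (18.5, 10.0), (17.8, 15.0), (19.0, 11.0), (18.2, 13.0)]


def euclidean(p, q):
    """Euclidean distance between two feature vectors (the metric named in the patent)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def kmeans(points, k, initial=None, threshold=0.0, max_iter=100):
    """Steps S1031-S1035: pick initial centroids (random or specified), assign
    each point to its nearest centroid, recompute the corrected centroids and
    repeat until no centroid moves by more than `threshold` (0 = exact)."""
    centroids = list(initial) if initial is not None else random.sample(points, k)
    clusters = [[] for _ in range(k)]
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for p in points:  # S1032/S1033: nearest initial centroid wins
            nearest = min(range(k), key=lambda i: euclidean(p, centroids[i]))
            clusters[nearest].append(p)
        corrected = []
        for i, members in enumerate(clusters):  # S1034: corrected centroids
            if not members:  # an empty cluster keeps its previous centroid
                corrected.append(centroids[i])
                continue
            dims = len(members[0])
            corrected.append(tuple(mean(m[d] for m in members) for d in range(dims)))
        moved = max(euclidean(a, b) for a, b in zip(centroids, corrected))
        centroids = corrected
        if moved <= threshold:  # S1035: change within the predetermined threshold
            break
    return centroids, clusters


def build_baseline(centroids, clusters, alpha):
    """Step S104: per cluster, treat the distance-to-centroid as Gaussian by
    recording its mean and standard deviation (so it can be z-scored to mean 0,
    stdev 1) and choose c so that prob(|x| >= c) = alpha, as the patent states."""
    c = NormalDist().inv_cdf(1 - alpha / 2)  # two-sided tail mass equals alpha
    baseline = []
    for centroid, members in zip(centroids, clusters):
        d = [euclidean(m, centroid) for m in members]
        mu = mean(d)
        sigma = stdev(d) if len(d) > 1 else 0.0
        baseline.append((centroid, mu, sigma, c))
    return baseline


def is_abnormal(point, baseline):
    """Steps S105-S106: distance to the nearest centroid, z-scored against that
    cluster's baseline, is compared with c. Only the upper tail is flagged
    (assumption): a distance smaller than usual is not an anomaly."""
    centroid, mu, sigma, c = min(baseline, key=lambda b: euclidean(point, b[0]))
    d = euclidean(point, centroid)
    if sigma == 0.0:  # degenerate cluster: anything beyond the mean distance
        return d > mu
    return (d - mu) / sigma >= c


if __name__ == "__main__":
    cents, cls = kmeans(NORMAL_LOGINS, 2, initial=[(9.0, 30.0), (18.0, 12.0)])
    base = build_baseline(cents, cls, alpha=0.05)
    for event in [(9.3, 30.5), (3.0, 120.0)]:  # constructed test events
        print(event, "abnormal" if is_abnormal(event, base) else "normal")
```

With the specified initial centroids the loop converges after one correction; a 03:00 login with a two-hour session lands far beyond c from the morning cluster, while a 09:18 login with a 30-minute session does not.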

Combined with the normal-behavior standard baseline, the abnormal login behavior information is analyzed for behaviors such as logins from abnormal IP addresses (uncommon IPs, logins from different places in the same period), logins by business staff in abnormal periods (logins outside working hours), shared accounts of maintenance staff (simultaneous, same-place, high-frequency logins), shared accounts of business staff (multiple accounts logging in from one machine, one account logging in from multiple machines), and illegal use of departed employees' accounts (accounts still used by others after the administrator's lock date), so that violations by O&M staff and business staff are discovered in time. Abnormal login behavior over a period of time is counted to generate statistical reports and trend analysis.

Combined with the normal-behavior standard baseline, abnormal business operation behavior is analyzed: the behavior features of personnel distilled from statistics are analyzed using data from the past 6 months or longer (daily login time, daily logout time, number of operations, user account modifications, user card type modifications) to form a normal activity standard, against which the behavior of similar personnel is checked. The analysis focuses on abnormal business operation behaviors such as large numbers of user information queries during non-working hours, queries without any corresponding handling (local, remote, high-frequency), batch retrieval of user information by plug-ins, unauthorized access (an operation log without the corresponding permission), and obviously abnormal business operation volume among similar personnel in the same region, so that violations by O&M staff and business staff are discovered in time. Abnormal business operation behavior over a period of time is counted to generate statistical reports and trend analysis.

The technical solution of the present invention collects user behavior information and extracts feature values from it, performs cluster analysis on the extracted feature values together with the normal-behavior standard baseline, and judges the abnormal state of user behavior, thereby simplifying the judgment process for abnormal user behavior and achieving fast and accurate detection of abnormal user behavior.

Fig. 3 is a module diagram of the user abnormal behavior detection apparatus described in an embodiment of the present invention.

This embodiment provides a user abnormal behavior detection apparatus, including an information acquisition module, a feature extraction module, a first processing module, a second processing module, a third processing module and a comparison module. Specifically:

The information acquisition module is for obtaining user behavior information and aggregating it for big data analysis.

The user behavior information includes user login behavior information and user business operation behavior information. The user login behavior information includes ssh logs, telnet logs, ftp logs, sftp logs, database login logs, service application login logs, pop3 login logs and imap login logs; the user business operation behavior information includes the login logs and operation logs obtained from systems such as the 4A system and the CRM system.

The feature extraction module is for extracting from the user behavior information the user behavior feature values related to user behavior. Creating a new feature set from raw data is called feature extraction. In this embodiment user behavior includes abnormal login behavior and abnormal operation behavior. Extracting user behavior feature values from the user login behavior information specifically includes classifying the user login information in the ssh logs, telnet logs, ftp logs, sftp logs, database login logs, service application login logs, pop3 login logs and imap login logs and establishing major classes (and groups); each login by a user is recorded once in its class, forming a major-class/group vector of the login information, which serves as the feature value of the user's abnormal login behavior information; at the same time, an abnormal login behavior tendency can be built on the user's login information class vector. Extracting user behavior feature values from the abnormal operation behavior information specifically includes classifying the user login information in the login logs and operation logs obtained from systems such as the 4A system and the CRM system and establishing major classes (and groups); each action by a user is recorded once in its class as user operation behavior information, forming a major-class (and group) vector of the user operation behavior information, which serves as the feature value of the user's abnormal operation behavior information; at the same time, an abnormal operation behavior tendency can be built on the user's operation information class vector.

The first processing module is for calculating, according to the clustering features of the user behavior feature values, the cluster centroid of the user behavior feature values related to each class of user behavior.

The second processing module is for determining, with the cluster centroid as center, the standard baseline of the user's normal behavior; the user normal-behavior standard baseline can be established through machine learning.

It is to have demarcated drawing the line for abnormal behaviour to establish user's normal behaviour standard baseline, when user behavior is shown as When fixed One-Dimensional Normal distribution, if position of the user behavior numerical value in distribution is further from group, it can be identified For exception.

Gaussian Profile with mean value 0 and standard deviation 1 is derived from for attribute x, an object with attribute value x is to peel off Point, if

|x|≥c

Wherein, c is a selected constant, meets prob (| x | >=c)=α.

As c is far from mean value 0, α is decreased.Illustrate when we specify α, in reflection to distribution, c is namely far from Value 0.α is defined as rare degree herein, when α is smaller, illustrates that object meets distribution in distribution further away from mean value, object Possibility decreases, that is, is unsatisfactory for the possibility increase of distribution.

According to equation

Prob (| x | >=c)=α

Rare degree α is determined, has determined that the c in distribution, c here namely reflect the standard base in reality Line.

If reality distribution is not normal distribution, but can be converted normal distribution, then can be by after conversion Normal distribution determine standard baseline, be converted into the standard baseline of actual distribution.

A third processing module, for calculating the distance between the user behavior characteristic value of the user behavior information and the cluster centroid;

A comparison module, for comparing the calculated distance with the standard baseline and judging whether the user behavior information is abnormal behavior information.

Optionally, the information acquisition module is for acquiring all user behavior information within a predetermined period.

The first processing module is further for:

selecting an initial centroid from each class of user behavior characteristic values;

calculating the distance between the user behavior characteristic value of the user behavior information and each initial centroid;

assigning the user behavior characteristic value of the user behavior information to the initial centroid at minimum distance;

recalculating the corrected centroid of each class of user behavior characteristic values;

judging whether the corrected centroid has changed relative to the initial centroid; if the change exceeds a predetermined threshold, recalculating with the corrected centroid as the initial centroid; if the change does not exceed the predetermined threshold, determining the corrected centroid to be the cluster centroid of that class of user behavior characteristic values.
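The centroid iteration of the first processing module and the distance-versus-baseline judgment of the third processing and comparison modules, as an added Python example that is not the patent's own code: it runs the assign / recompute / threshold loop from specified initial centroids over constructed per-account feature vectors, fits a per-cluster standard baseline on the members' Euclidean distances to their centroid, and judges new feature vectors against it. The feature definition (successful logins per day, distinct source IPs per day), the training vectors, the initial centroids, the threshold of 0 and the constant c = 2.5758 (the standard normal value with prob(|x| ≥ c) = 0.01) are assumptions of the example.

```python
import math
import statistics

# Standard normal constant with prob(|x| >= c) = 0.01; assumed here as the
# rarity degree of the baseline (another alpha gives another c).
C_ALPHA_0_01 = 2.5758


def euclidean(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean_point(points):
    """Centroid (coordinate-wise mean) of a non-empty list of vectors."""
    dims = len(points[0])
    return tuple(sum(p[i] for p in points) / len(points) for i in range(dims))


def nearest(feature, centroids):
    """Index of the centroid at minimum distance from feature."""
    return min(range(len(centroids)), key=lambda i: euclidean(feature, centroids[i]))


def assign(points, centroids):
    """Assign every feature vector to its nearest centroid."""
    clusters = [[] for _ in centroids]
    for p in points:
        clusters[nearest(p, centroids)].append(p)
    return clusters


def kmeans(points, initial_centroids, threshold=0.0, max_iter=100):
    """Centroid iteration as described in the text: assign, recompute the
    corrected centroids, stop once no centroid moved by more than threshold
    (0 means exact convergence); otherwise the corrected centroids become
    the initial centroids of the next round."""
    centroids = [tuple(c) for c in initial_centroids]
    for _ in range(max_iter):
        clusters = assign(points, centroids)
        # An empty cluster keeps its previous centroid instead of crashing.
        corrected = [mean_point(cl) if cl else old
                     for cl, old in zip(clusters, centroids)]
        shift = max(euclidean(old, new) for old, new in zip(centroids, corrected))
        centroids = corrected
        if shift <= threshold:
            break
    return centroids, assign(points, centroids)


def fit_baselines(centroids, clusters, c=C_ALPHA_0_01):
    """Per-cluster standard baseline: mean member distance to the centroid
    plus c standard deviations. Only the upper side is kept, because a
    point unusually close to its centroid is not suspicious."""
    baselines = []
    for centroid, members in zip(centroids, clusters):
        d = [euclidean(p, centroid) for p in members]
        baselines.append(statistics.mean(d) + c * statistics.pstdev(d))
    return baselines


def judge(feature, centroids, baselines):
    """Return (cluster index, distance to centroid, is_abnormal)."""
    idx = nearest(feature, centroids)
    dist = euclidean(feature, centroids[idx])
    return idx, dist, dist > baselines[idx]


# Constructed training set: per-account daily features
# (successful logins, distinct source IPs) from a predetermined period;
# six ordinary users and six operations accounts.
TRAINING = [
    (10, 1), (12, 1), (9, 2), (11, 1), (10, 2), (8, 1),
    (50, 3), (52, 4), (48, 3), (51, 3), (49, 4), (50, 2),
]
INITIAL = [(0, 0), (100, 10)]   # deliberately poor specified start points


def build_model():
    centroids, clusters = kmeans(TRAINING, INITIAL, threshold=0.0)
    return centroids, fit_baselines(centroids, clusters)


if __name__ == "__main__":
    centroids, baselines = build_model()
    print("centroids:", centroids)
    print("baselines:", [round(b, 3) for b in baselines])
    for f in [(10, 1), (51, 3), (30, 8), (60, 10)]:
        idx, dist, abnormal = judge(f, centroids, baselines)
        print(f, "-> cluster", idx, "distance", round(dist, 3), "abnormal", abnormal)
```

With the start points above the first round misassigns several operations accounts to the first centroid; the second round corrects them and the third finds no movement, so the loop stops at threshold 0. Six members per cluster is far too few to estimate a distance distribution in production; distances to a centroid are also non-negative and skewed rather than normal, which is exactly the case where the patent's transformation step, or a larger predetermined period, is needed before c is meaningful.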

An embodiment of the present invention also provides a user abnormal behavior detection system, including:

a memory, a processor, a communication interface and a bus;

the memory and the processor are connected through the bus with the communication interface and communicate with each other;

the memory is for storing program code;

the processor reads the executable program code stored in the memory to run a program corresponding to the executable program code, for executing a user abnormal behavior detection method, wherein the user abnormal behavior detection method includes:

obtaining user behavior information;

extracting, from the user behavior information, user behavior characteristic values related to user behavior;

calculating, according to the clustering features of the user behavior characteristic values, the cluster centroid of the user behavior characteristic values associated with each class of user behavior;

determining, with the cluster centroid as center, the standard baseline of normal user behavior;

calculating the distance between the user behavior characteristic value of the user behavior information and the cluster centroid;

comparing the calculated distance with the standard baseline and judging whether the user behavior information is abnormal behavior information.

Those skilled in the art will understand that the above embodiments are illustrative and not restrictive. Different technical features appearing in different embodiments may be combined to obtain advantageous effects. On the basis of studying the drawings, the description and the claims, those skilled in the art will understand and implement other variations of the disclosed embodiments. In the claims, the term "comprising" does not exclude other devices or steps; the indefinite article "a" does not exclude a plurality; the terms "first" and "second" denote names and do not indicate any particular order. Any reference numerals in the claims should not be construed as limiting their scope. The functions of several parts appearing in the claims may be implemented by a single hardware or software module. The appearance of certain technical features in different dependent claims does not mean that these features cannot be combined to obtain advantageous effects.

Claims (13)

1. A user abnormal behavior detection method, including:
obtaining user behavior information;
extracting, from the user behavior information, user behavior characteristic values related to user behavior;
calculating, according to the clustering features of the user behavior characteristic values, the cluster centroid of the user behavior characteristic values associated with each class of user behavior;
determining, with the cluster centroid as center, the standard baseline of normal user behavior;
calculating the distance between the user behavior characteristic value of the user behavior information and the cluster centroid;
comparing the calculated distance with the standard baseline and judging whether the user behavior information is abnormal behavior information.
2. The user abnormal behavior detection method according to claim 1, characterized in that
the user behavior information is all user behavior information obtained within a predetermined period.
3. The user abnormal behavior detection method according to claim 1, characterized in that
calculating, according to the clustering features of the user behavior characteristic values, the cluster centroid of the user behavior characteristic values associated with each class of user behavior includes:
selecting an initial centroid from each class of user behavior characteristic values;
calculating the distance between the user behavior characteristic value of the user behavior information and each initial centroid;
assigning the user behavior characteristic value of the user behavior information to the initial centroid at minimum distance;
recalculating the corrected centroid of each class of user behavior characteristic values;
judging whether the corrected centroid has changed relative to the initial centroid; if the change exceeds a predetermined threshold, recalculating with the corrected centroid as the initial centroid; if the change does not exceed the predetermined threshold, determining the corrected centroid to be the cluster centroid of that class of user behavior characteristic values.
4. The user abnormal behavior detection method according to claim 3, characterized in that
the initial centroid is selected randomly or by specification.
5. The user abnormal behavior detection method according to claim 3, characterized in that
the predetermined threshold is 0 or any specified value.
6. The user abnormal behavior detection method according to claim 1, characterized in that
determining, with the cluster centroid as center, the standard baseline of normal user behavior uses the Euclidean distance to calculate the distance of each user behavior characteristic value to its corresponding centroid.
7. The user abnormal behavior detection method according to claim 1, characterized in that
the user behavior information includes user login behavior information and user business operation behavior information.
8. The user abnormal behavior detection method according to claim 7, characterized in that
the user login behavior information includes any one or more of ssh logs, telnet logs, ftp logs, sftp logs, database login logs, business application login logs, pop3 login logs and imap login logs.
9. The user abnormal behavior detection method according to claim 7, characterized in that
the user business operation behavior information includes user operation record logs.
10. A user abnormal behavior detection device, characterized in that it includes:
an information acquisition module, for obtaining user behavior information;
a characteristic extraction module, for extracting, from the user behavior information, user behavior characteristic values related to user behavior;
a first processing module, for calculating, according to the clustering features of the user behavior characteristic values, the cluster centroid of the user behavior characteristic values associated with each class of user behavior;
a second processing module, for determining, with the cluster centroid as center, the standard baseline of normal user behavior;
a third processing module, for calculating the distance between the user behavior characteristic value of the user behavior information and the cluster centroid;
a comparison module, for comparing the calculated distance with the standard baseline and judging whether the user behavior information is abnormal behavior information.
11. The user abnormal behavior detection device according to claim 10, characterized in that
the information acquisition module is for acquiring all user behavior information within a predetermined period.
12. The user abnormal behavior detection device according to claim 10, characterized in that
the first processing module is further for:
selecting an initial centroid from each class of user behavior characteristic values;
calculating the distance between the user behavior characteristic value of the user behavior information and each initial centroid;
assigning the user behavior characteristic value of the user behavior information to the initial centroid at minimum distance;
recalculating the corrected centroid of each class of user behavior characteristic values;
judging whether the corrected centroid has changed relative to the initial centroid; if the change exceeds a predetermined threshold, recalculating with the corrected centroid as the initial centroid; if the change does not exceed the predetermined threshold, determining the corrected centroid to be the cluster centroid of that class of user behavior characteristic values.
13. A user abnormal behavior detection system, characterized in that it includes:
a memory, a processor, a communication interface and a bus;
the memory and the processor are connected through the bus with the communication interface and communicate with each other;
the memory is for storing program code;
the processor reads the executable program code stored in the memory to run a program corresponding to the executable program code, for executing a user abnormal behavior detection method, wherein the user abnormal behavior detection method includes:
obtaining user behavior information;
extracting, from the user behavior information, user behavior characteristic values related to user behavior;
calculating, according to the clustering features of the user behavior characteristic values, the cluster centroid of the user behavior characteristic values associated with each class of user behavior;
determining, with the cluster centroid as center, the standard baseline of normal user behavior;
calculating the distance between the user behavior characteristic value of the user behavior information and the cluster centroid;
comparing the calculated distance with the standard baseline and judging whether the user behavior information is abnormal behavior information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710306998.1A CN108809745A (en) 2017-05-02 2017-05-02 A kind of user's anomaly detection method, apparatus and system

Publications (1)

Publication Number Publication Date
CN108809745A true CN108809745A (en) 2018-11-13

Family

ID=64054445

Country Status (1)

Country Link
CN (1) CN108809745A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355504A (en) * 2008-08-14 2009-01-28 成都市华为赛门铁克科技有限公司 Method and apparatus for confirming user behavior
CN102045358A (en) * 2010-12-29 2011-05-04 深圳市永达电子股份有限公司 Intrusion detection method based on integral correlation analysis and hierarchical clustering
CN103150374A (en) * 2013-03-11 2013-06-12 中国科学院信息工程研究所 Method and system for identifying abnormal microblog users
US8719257B2 (en) * 2011-02-16 2014-05-06 Symantec Corporation Methods and systems for automatically generating semantic/concept searches
CN104780217A (en) * 2015-04-24 2015-07-15 福建师范大学 Method, system and client terminal for detecting working efficiency of user

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WEPON: "Kmeans聚类算法思想与可视化" (K-means clustering algorithm: idea and visualization), CSDN blog, BLOG.CSDN.NET/U012162613/ARTICLE/DETAILS/47811235 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination