CN108809745A - A kind of user's anomaly detection method, apparatus and system - Google Patents


Info

Publication number
CN108809745A
Authority
CN
China
Prior art keywords
user behavior
user
barycenter
characteristics value
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710306998.1A
Other languages
Chinese (zh)
Inventor
赵立农
陆艳军
陈浪
杨翔
邓秘密
黄国强
廖天宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Beijing Venus Information Security Technology Co Ltd
China Mobile Group Chongqing Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Beijing Venus Information Security Technology Co Ltd
China Mobile Group Chongqing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, Beijing Venus Information Security Technology Co Ltd and China Mobile Group Chongqing Co Ltd
Priority to CN201710306998.1A
Publication of CN108809745A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Virology (AREA)
  • Cardiology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention provides a user anomaly detection method, apparatus and system. The user anomaly detection method includes: obtaining user behavior information; extracting, from the user behavior information, user behavior feature values associated with user behavior; according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values associated with each class of user behavior; taking the cluster centroid as the center, determining a standard baseline of normal user behavior; calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid; and comparing the calculated distance with the standard baseline to judge whether the user behavior information is abnormal behavior information. By collecting user behavior information, extracting feature values from it, and performing cluster analysis on the extracted feature values together with the normal-behavior standard baseline, the invention judges whether user behavior is abnormal, which simplifies the process of determining abnormal user behavior and achieves fast, accurate detection of abnormal user behavior.

Description

A kind of user's anomaly detection method, apparatus and system
Technical field
The present invention relates to the technical field of network congestion control and monitoring, and specifically to a user anomaly detection method, apparatus and system.
Background technology
With the popularization and development of computer network technology, the scale of network users, whether on a LAN or a WAN, is gradually expanding and user behavior is becoming increasingly complex. In this context, fast detection and effective control of user behavior is particularly important. Clustering is the process of sorting data into different classes or clusters, so that objects in the same cluster have great similarity while objects in different clusters have great diversity. The goal of cluster analysis is that objects within a group are related to one another while objects in different groups are unrelated: the greater the similarity within a group and the greater the difference between groups, the better the clustering. Clustering can be regarded as a kind of classification that labels objects with class (cluster) labels, but these labels can only be derived from the data itself, which is why cluster analysis is called unsupervised classification.
The object of existing anomaly detection is usually a current behavior sequence of a machine (denoted q), and some method is used to judge whether sequence q is anomalous. The resources available in this judgment are the machine's historical behavior sequence h and the group behavior sequence set c of the network environment in which the machine is located. Anomaly detection, as a form of pattern judgment, often involves some misjudgment, so behavior must be examined from multiple angles and the judgments combined in order to reduce the probability of misjudgment.
Current cluster-based user anomaly detection methods have a complex anomaly judgment process, slow detection speed and inaccurate detection.
Invention content
To solve the problems that current cluster-based user anomaly detection methods have a complex anomaly judgment process, slow detection speed and inaccurate detection, embodiments of the present invention provide a user anomaly detection method, apparatus and system.
According to a first aspect of the embodiments of the present invention, a user anomaly detection method is provided, including:
obtaining user behavior information;
extracting, from the user behavior information, user behavior feature values associated with user behavior;
according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values associated with each class of user behavior;
taking the cluster centroid as the center, determining a standard baseline of normal user behavior;
calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;
comparing the calculated distance with the standard baseline to judge whether the user behavior information is abnormal behavior information.
Optionally, the user anomaly detection method further includes the following.
The user behavior information is all of the user behavior information obtained within a predetermined period.
Calculating the cluster centroid of the user behavior feature values associated with each class of user behavior according to the clustering features of the user behavior feature values includes:
selecting an initial centroid from each class of user behavior feature values;
calculating the distance between the user behavior feature values of the user behavior information and each initial centroid;
assigning the user behavior feature values of the user behavior information to the initial centroid corresponding to the minimum distance;
recalculating the corrected centroid of each class of user behavior feature values;
judging whether the corrected centroid has changed relative to the initial centroid: if the change exceeds a predetermined threshold, recalculating with the corrected centroid as the new initial centroid; if the change does not exceed the predetermined threshold, determining the corrected centroid to be the cluster centroid of that class of user behavior feature values.
The initial centroid is selected either randomly or by specification.
The predetermined threshold is 0 or an arbitrarily specified value.
Determining the standard baseline of normal user behavior centered on the cluster centroid uses the distance in Euclidean space to calculate the distance from each user behavior feature value to its corresponding centroid.
The user behavior information includes user login behavior information and user business operation behavior information.
The user login behavior information includes any one or more of ssh logs, telnet logs, ftp logs, sftp logs, database login logs, business application login logs, pop3 login logs and imap login logs.
The user business operation behavior information includes user operation record logs.
According to a second aspect of the embodiments of the present invention, a user anomaly detection apparatus is provided, including:
an information acquisition module for obtaining user behavior information;
a feature extraction module for extracting, from the user behavior information, user behavior feature values associated with user behavior;
a first processing module for calculating, according to the clustering features of the user behavior feature values, the cluster centroid of the user behavior feature values associated with each class of user behavior;
a second processing module for determining, with the cluster centroid as the center, a standard baseline of normal user behavior;
a third processing module for calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;
a comparison module for comparing the calculated distance with the standard baseline to judge whether the user behavior information is abnormal behavior information.
Optionally, the information acquisition module is for collecting all user behavior information within a predetermined period.
The first processing module is further configured to:
select an initial centroid from each class of user behavior feature values;
calculate the distance between the user behavior feature values of the user behavior information and each initial centroid;
assign the user behavior feature values of the user behavior information to the initial centroid corresponding to the minimum distance;
recalculate the corrected centroid of each class of user behavior feature values;
judge whether the corrected centroid has changed relative to the initial centroid: if the change exceeds a predetermined threshold, recalculate with the corrected centroid as the new initial centroid; if the change does not exceed the predetermined threshold, determine the corrected centroid to be the cluster centroid of that class of user behavior feature values.
According to a third aspect of the embodiments of the present invention, a user anomaly detection system is provided, including:
a memory, a processor, a communication interface and a bus;
the memory, the processor and the communication interface are connected by the bus and communicate with one another;
the memory is for storing program code;
the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, in order to execute a user anomaly detection method, wherein the user anomaly detection method includes:
obtaining user behavior information;
extracting, from the user behavior information, user behavior feature values associated with user behavior;
according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values associated with each class of user behavior;
taking the cluster centroid as the center, determining a standard baseline of normal user behavior;
calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;
comparing the calculated distance with the standard baseline to judge whether the user behavior information is abnormal behavior information.
The user anomaly detection method, apparatus and system provided by the embodiments of the present invention collect user behavior information, extract feature values from it, perform cluster analysis on the extracted feature values together with the normal-behavior standard baseline, and judge whether user behavior is abnormal, thereby simplifying the process of determining abnormal user behavior and achieving fast, accurate detection of abnormal user behavior.
Description of the drawings
The present invention may be better understood from the following description of specific embodiments of the present invention taken in conjunction with the accompanying drawings, in which:
Other features, objects and advantages of the invention will become more apparent upon reading the detailed description of non-limiting embodiments made with reference to the drawings, in which the same or similar reference numerals indicate the same or similar features.
Fig. 1 is a flow chart of the user anomaly detection method described in the embodiment of the present invention;
Fig. 2 is a flow chart of the cluster centroid calculation step described in the embodiment of the present invention;
Fig. 3 is a block diagram of the user anomaly detection apparatus described in the embodiment of the present invention.
Specific implementation mode
Features and exemplary embodiments of various aspects of the invention are described in detail below. In the following detailed description, many specific details are set out in order to provide a complete understanding of the present invention. It will be apparent to those skilled in the art, however, that the present invention can be implemented without some of these details. The following description of embodiments is provided only to give a better understanding of the present invention by showing examples of it. The present invention is in no way limited to any specific configuration or algorithm set out below, but covers any modification, replacement and improvement of elements, components and algorithms that does not depart from the spirit of the invention. In the drawings and the following description, well-known structures and techniques are not shown, so as to avoid obscuring the present invention unnecessarily.
It should be made clear, however, that the invention is not limited to the specific configurations and processing described above and shown in the figures. For brevity, detailed description of known method techniques is omitted here. In the embodiments above, several specific steps are described and shown as examples, but the process of the invention is not limited to the specific steps described and illustrated; those skilled in the art may make various changes, modifications and additions, or change the order of the steps, once they understand the spirit of the invention.
The functional blocks shown in the structural block diagrams described above may be implemented as hardware, software, firmware or a combination of them. When implemented in hardware, they may be, for example, electronic circuits, application-specific integrated circuits (ASICs), appropriate firmware, plug-ins, function cards and so on. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The programs or code segments may be stored in a machine-readable medium or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber-optic media, radio-frequency (RF) links, and so on. Code segments may be downloaded via a computer network such as the internet or an intranet.
Fig. 1 is a flow chart of the user anomaly detection method provided by an embodiment of the present invention.
In this embodiment, the user anomaly detection method specifically includes:
S101, obtaining user behavior information and aggregating it for big data analysis;
Here the user behavior information includes user login behavior information and user business operation behavior information. The user login behavior information includes ssh logs, telnet logs, ftp logs, sftp logs, database login logs, business application login logs, pop3 login logs and imap login logs; the user business operation behavior information includes the login logs and operation logs obtained from systems such as the associated 4A system and CRM system.
S102, extracting, from the user behavior information, user behavior feature values associated with user behavior;
Creating a new feature set from raw data is called feature extraction. In this embodiment, user behavior includes abnormal login behavior and abnormal operation behavior. Extracting user behavior feature values from user login behavior information specifically includes classifying the user login information in the ssh logs, telnet logs, ftp logs, sftp logs, database login logs, business application login logs, pop3 login logs and imap login logs and establishing major classes (and groups); each login record of a user is recorded once under its class, forming a major-class and group vector of the login information that serves as the feature value of the user's abnormal login behavior information, and an abnormal login behavior tendency can be built on the user's login information class vector. Extracting user behavior feature values from abnormal operation behavior information specifically includes classifying the user login information in the login logs and operation logs obtained from systems such as the associated 4A system and CRM system and establishing major classes (and groups); each action of a user in the user operation behavior information is recorded once under its class, forming a major-class (and group) vector of the user operation behavior information that serves as the feature value of the user's abnormal operation behavior information, and an abnormal operation behavior tendency can be built on the user's operation information class vector.
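The following is an added example (not the patent's own code) of the feature extraction step S102: constructed login records in an assumed line format are classified into service classes and behavior groups, and each record is counted once under its class so that every user ends up with one class/group vector. The record format, the service list, the off-hours window and the internal network range are all assumptions made for the example; the patent does not specify them.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample login records (not from the patent). The line format is an
# assumption for this example: "<service> <ISO timestamp> user=<name> src=<ip> result=<ok|fail>"
SAMPLE_LOGINS = """\
ssh 2017-05-02T09:12:01 user=alice src=10.1.2.3 result=ok
ssh 2017-05-02T09:40:15 user=alice src=10.1.2.3 result=ok
ftp 2017-05-02T10:05:44 user=alice src=10.1.2.9 result=ok
ssh 2017-05-02T23:58:30 user=bob src=203.0.113.7 result=ok
ssh 2017-05-03T00:02:11 user=bob src=203.0.113.7 result=fail
db 2017-05-03T08:30:00 user=carol src=10.1.5.5 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<service>\w+) (?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Major classes: the login log types the patent lists (names shortened for this example).
SERVICES = ("ssh", "telnet", "ftp", "sftp", "db", "app", "pop3", "imap")
# Groups: assumed attributes of a login that a defender would want counted separately.
GROUPS = ("offhours", "external_src", "failed")
FEATURE_NAMES = [f"svc_{s}" for s in SERVICES] + list(GROUPS)

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumption: the organisation's internal range
OFFHOURS_START, OFFHOURS_END = 20, 7      # assumption: 20:00 to 07:00 counts as off-hours


def classify(rec):
    """Map one parsed login record to its major class (service) and the groups it falls into."""
    hour = int(rec["ts"][11:13])
    groups = set()
    if hour >= OFFHOURS_START or hour < OFFHOURS_END:
        groups.add("offhours")
    if ip_address(rec["src"]) not in INTERNAL_NET:
        groups.add("external_src")
    if rec["result"] != "ok":
        groups.add("failed")
    return rec["service"], groups


def extract_features(log_text):
    """Return {user: vector}; each coordinate counts how many logins fell into that class/group."""
    vectors = defaultdict(lambda: [0] * len(FEATURE_NAMES))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # unparseable lines are skipped rather than guessed at
            continue
        rec = m.groupdict()
        service, groups = classify(rec)
        vec = vectors[rec["user"]]
        if service in SERVICES:
            vec[FEATURE_NAMES.index(f"svc_{service}")] += 1
        for g in groups:
            vec[FEATURE_NAMES.index(g)] += 1
    return dict(vectors)


if __name__ == "__main__":
    for user, vec in extract_features(SAMPLE_LOGINS).items():
        print(user, dict(zip(FEATURE_NAMES, vec)))
```

The vectors produced here are the raw data that the clustering step consumes; a real deployment would normalise the counts per period (the patent's "predetermined period") so that a heavy but legitimate user does not dominate the distance calculation.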
S103, according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values associated with each class of user behavior (establishing the cluster analysis model);
As shown in Fig. 2, in this embodiment, calculating the cluster centroid of the user behavior feature values associated with each class of user behavior according to the clustering features of the user behavior feature values specifically includes the following steps:
S1031, selecting an initial centroid from each class of user behavior feature values;
Using the user behavior feature values extracted from the user behavior information in step S102 as raw data, one object in each class of user behavior feature values in the raw data is designated as the initial centroid; the initial centroid may be chosen at random or may be specified.
S1032, calculating the distance between the user behavior feature values of the user behavior information and each initial centroid;
The distance from each point to each initial centroid is calculated separately, specifically using the Euclidean distance function, where X_k and Y_k are the coordinates of the centroids, k = 1, 2, 3, ..., n;
S1033, assigning the user behavior feature values of the user behavior information to the initial centroid corresponding to the minimum distance;
S1034, recalculating the corrected centroid of each class of user behavior feature values;
Suppose there are K initial centroids. For each data point there are K distance values, one to each initial centroid, and the nearest initial centroid is chosen as the corrected centroid of that data point. After all data points have been judged, the position of the corrected centroid is determined; the distance from each point to the corrected centroid is recalculated, and the corrected centroid position is obtained from the recalculated distances.
S1035, judging whether the corrected centroid has changed relative to the initial centroid: if the change exceeds a predetermined threshold, recalculating with the corrected centroid as the initial centroid; if the change does not exceed the predetermined threshold, determining the corrected centroid to be the cluster centroid of that class of user behavior feature values.
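Steps S1031 to S1035 are the classical k-means iteration. The block below is an added worked example, not code from the patent: it takes feature vectors as plain Python lists, selects initial centroids either at random or as specified (S1031), assigns each point to its nearest centroid by Euclidean distance (S1032, S1033), recomputes each centroid as the mean of its members (S1034) and stops when no centroid moves more than the predetermined threshold (S1035). The sample points are constructed; the threshold default of 0 follows the patent's "0 or an arbitrarily specified value".

```python
import math
import random


def euclidean(p, q):
    """Euclidean distance between two feature vectors of equal length."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def mean_point(points):
    """Coordinate-wise mean of a non-empty list of vectors."""
    dims = len(points[0])
    return [sum(p[i] for p in points) / len(points) for i in range(dims)]


def kmeans(points, k, initial=None, threshold=0.0, max_iter=100, seed=0):
    """Return (centroids, labels, iterations) for the S1031-S1035 procedure.

    initial:   optional list of k starting centroids (the patent's "specified" option);
               when None, k distinct points are drawn at random (the "random" option).
    threshold: largest centroid movement that still counts as "no change".
    """
    if initial is None:
        centroids = [list(p) for p in random.Random(seed).sample(points, k)]
    else:
        centroids = [list(c) for c in initial]
    labels = [0] * len(points)
    for iteration in range(1, max_iter + 1):
        # S1032 + S1033: distance to every centroid, assign to the nearest one
        labels = [min(range(k), key=lambda j: euclidean(p, centroids[j])) for p in points]
        # S1034: corrected centroid = mean of the points now assigned to it
        corrected = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            corrected.append(mean_point(members) if members else centroids[j])
        # S1035: stop when the largest centroid shift is within the threshold
        shift = max(euclidean(old, new) for old, new in zip(centroids, corrected))
        centroids = corrected
        if shift <= threshold:
            return centroids, labels, iteration
    return centroids, labels, max_iter


# Constructed sample: two clearly separated groups of 2-D feature vectors.
SAMPLE_POINTS = [[1, 1], [1, 2], [2, 1], [2, 2], [9, 9], [9, 10], [10, 9], [10, 10]]

if __name__ == "__main__":
    cents, labs, iters = kmeans(SAMPLE_POINTS, 2, initial=[[1, 1], [9, 9]])
    print("centroids:", cents, "labels:", labs, "iterations:", iters)
```

Two practical notes for a detection deployment: an empty cluster keeps its old centroid rather than crashing the run, and because k-means converges to a local optimum, the "random" initialisation should be repeated with several seeds and the run with the lowest total within-cluster distance kept.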
S104, taking the cluster centroid as the center, determining the standard baseline of normal user behavior; in this step the standard baseline of normal user behavior can be established by machine learning.
Establishing the standard baseline of normal user behavior means drawing a calibrated line for abnormal behavior: when user behavior appears as a fixed one-dimensional normal distribution, the farther a user's behavior value lies from the population in that distribution, the more it can be identified as abnormal.
For an attribute x drawn from a Gaussian distribution with mean 0 and standard deviation 1, an object with attribute value x is an outlier if
|x| ≥ c;
where c is a chosen constant satisfying prob(|x| ≥ c) = α.
As c moves away from the mean 0, α decreases. This means that when we specify α, c is correspondingly some distance from the mean 0 in the distribution. Here α is defined as the rarity: the smaller α is, the farther the object lies from the mean in the distribution, and the smaller the possibility that the object fits the distribution, that is, the larger the possibility that it does not fit the distribution.
According to the equation
prob(|x| ≥ c) = α
once the rarity α is determined, the c in the distribution is determined, and this c is what reflects the standard baseline in practice.
If the actual distribution is not a normal distribution but can be converted into one, the standard baseline can be determined from the converted normal distribution and then converted back into the standard baseline of the actual distribution.
S105, calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;
S106, comparing the calculated distance with the standard baseline to judge whether the user behavior information is abnormal behavior information. According to the calculated distance, combined with the normal-behavior standard baseline determined in step S104, the user behavior feature values are analyzed to judge whether the user behavior is abnormal.
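The added example below (not the patent's code) carries steps S104 to S106 through in Python: c is solved from prob(|x| ≥ c) = α by taking the (1 − α/2) quantile of the standard normal, the distance of a new feature vector to its nearest centroid is computed (S105), and the distance is compared with the baseline (S106). The patent does not say how centroid distances are converted into the standard-normal attribute x; z-scoring them against the distances seen in the training period is the assumption used here, and the centroids and training distances are constructed values.

```python
import math
from statistics import NormalDist, mean, stdev


def euclidean(p, q):
    """Euclidean distance between two feature vectors of equal length."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def baseline_c(alpha):
    """Solve prob(|x| >= c) = alpha for x ~ N(0, 1).

    Both tails together hold probability alpha, so c is the (1 - alpha/2) quantile.
    """
    if not 0 < alpha < 1:
        raise ValueError("alpha must lie strictly between 0 and 1")
    return NormalDist().inv_cdf(1 - alpha / 2)


def fit_baseline(training_distances, alpha):
    """S104: map the training-period distances onto N(0, 1) (assumed: z-scoring) and fix c."""
    if len(training_distances) < 2:
        raise ValueError("need at least two training distances to estimate a spread")
    sigma = stdev(training_distances)
    if sigma == 0:
        raise ValueError("training distances are constant; no baseline can be fitted")
    return {"mu": mean(training_distances), "sigma": sigma, "c": baseline_c(alpha)}


def nearest_centroid_distance(vector, centroids):
    """S105: distance from a feature vector to the closest cluster centroid."""
    return min(euclidean(vector, c) for c in centroids)


def is_abnormal(vector, centroids, baseline):
    """S106: standardise the distance and compare |z| with the baseline c."""
    d = nearest_centroid_distance(vector, centroids)
    z = (d - baseline["mu"]) / baseline["sigma"]
    return abs(z) >= baseline["c"]


# Constructed values: centroids as the clustering step might produce them, and the
# centroid distances observed for known-normal behaviour in the training period.
CENTROIDS = [[1.5, 1.5], [9.5, 9.5]]
TRAINING_DISTANCES = [0.5, 0.6, 0.7, 0.5, 0.6, 0.8, 0.7, 0.6, 0.5, 0.7]

if __name__ == "__main__":
    base = fit_baseline(TRAINING_DISTANCES, alpha=0.05)
    for vec in ([2.0, 1.5], [4.5, 4.5]):
        print(vec, "abnormal" if is_abnormal(vec, CENTROIDS, base) else "normal")
```

Because the patent's test is two-sided (|x| ≥ c), a distance that is unusually small is also flagged; for a pure distance-to-centroid score a one-sided check (z ≥ c with c the (1 − α) quantile) is the more common defender's choice, and α should be chosen against the alert volume the operations team can actually triage.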
Combined with the normal-behavior standard baseline, the abnormal login behavior information is analyzed for behaviors such as logins from unusual IP addresses (uncommon IPs, remote logins within the same period), logins by business personnel at improper times (logins outside working hours), account sharing by maintenance personnel (simultaneous, high-frequency logins from the same place), account sharing by business personnel (multiple user numbers logging in from one machine, one user number logging in on multiple machines) and illegal use of the work numbers of departed personnel (an account still being used by others after the administrator's lock date), so that violations by operation and maintenance personnel and business personnel are found in time. Abnormal login behavior over a period is also counted, and statistical reports and trend analyses are generated.
Combined with the normal-behavior standard baseline, abnormal business operation behavior is analyzed: the behavior features of personnel are extracted statistically and analyzed against data from the past six months or longer, such as daily login time, daily logout time, number of operations, user account modifications and user card type modifications, to form a standard of normal behavior against which the behavior of similar personnel is checked. The analysis focuses on abnormal business operations such as large numbers of user information queries outside working hours, queries without subsequent handling (local, remote, high frequency), batch acquisition of user information by plug-ins, unauthorized access (no permission but an operation log exists) and obviously abnormal business operation volumes among similar personnel in the same region, so that violations by operation and maintenance personnel and business personnel are found in time. Abnormal business operation behavior over a period is also counted, and statistical reports and trend analyses are generated.
The technical scheme of the present invention collects user behavior information, extracts feature values from it, performs cluster analysis on the extracted feature values together with the normal-behavior standard baseline, and judges whether user behavior is abnormal, thereby simplifying the process of determining abnormal user behavior and achieving fast, accurate detection of abnormal user behavior.
Fig. 3 is a block diagram of the user anomaly detection apparatus described in the embodiment of the present invention.
This embodiment provides a user anomaly detection apparatus including an information acquisition module, a feature extraction module, a first processing module, a second processing module, a third processing module and a comparison module. Specifically:
The information acquisition module is for obtaining user behavior information and aggregating it for big data analysis;
Here the user behavior information includes user login behavior information and user business operation behavior information. The user login behavior information includes ssh logs, telnet logs, ftp logs, sftp logs, database login logs, business application login logs, pop3 login logs and imap login logs; the user business operation behavior information includes the login logs and operation logs obtained from systems such as the associated 4A system and CRM system;
The feature extraction module is for extracting, from the user behavior information, user behavior feature values associated with user behavior. Creating a new feature set from raw data is called feature extraction. In this embodiment, user behavior includes abnormal login behavior and abnormal operation behavior. Extracting user behavior feature values from user login behavior information specifically includes classifying the user login information in the ssh logs, telnet logs, ftp logs, sftp logs, database login logs, business application login logs, pop3 login logs and imap login logs and establishing major classes (and groups); each login record of a user is recorded once under its class, forming a major-class and group vector of the login information that serves as the feature value of the user's abnormal login behavior information, and an abnormal login behavior tendency can be built on the user's login information class vector. Extracting user behavior feature values from abnormal operation behavior information specifically includes classifying the user login information in the login logs and operation logs obtained from systems such as the associated 4A system and CRM system and establishing major classes (and groups); each action of a user in the user operation behavior information is recorded once under its class, forming a major-class (and group) vector of the user operation behavior information that serves as the feature value of the user's abnormal operation behavior information, and an abnormal operation behavior tendency can be built on the user's operation information class vector.
First processing module calculates related per a kind of user behavior for the Clustering features according to user behavior characteristics value User behavior characteristics value cluster barycenter;
Second processing module, for centered on the cluster barycenter, determining the standard baseline of user's normal behaviour;It can be with User's normal behaviour standard baseline is established by machine learning;
It is to have demarcated drawing the line for abnormal behaviour to establish user's normal behaviour standard baseline, when user behavior is shown as When fixed One-Dimensional Normal distribution, if position of the user behavior numerical value in distribution is further from group, it can be identified For exception.
For an attribute x drawn from a Gaussian distribution with mean 0 and standard deviation 1, an object with attribute value x is an outlier if
|x| ≥ c
where c is a chosen constant satisfying prob(|x| ≥ c) = α.
As c moves away from the mean 0, α decreases; in other words, once we specify α, c is fixed at a corresponding distance from the mean 0 in the distribution. Here α is defined as the degree of rarity: the smaller α is, the further the object lies from the mean in the distribution, the lower the probability that the object fits the distribution, that is, the higher the probability that it does not fit the distribution.
According to the equation
prob(|x| ≥ c) = α
once the rarity degree α is determined, c in the distribution is determined, and this c is what the standard baseline corresponds to in practice.
If the actual distribution is not a normal distribution but can be converted into one, the standard baseline can be determined from the converted normal distribution and then converted back into a standard baseline for the actual distribution.
Third processing module, for calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;
Comparison module, for comparing the calculated distance with the standard baseline to judge whether the user behavior information belongs to abnormal behavior information.
Optionally, the information acquisition module is configured to acquire all user behavior information within a predetermined period.
The first processing module is further configured to:
select one initial centroid from each class of user behavior feature values;
calculate the distance between the user behavior feature values of the user behavior information and each initial centroid;
assign the user behavior feature values of the user behavior information to the initial centroid at the minimum distance;
recalculate the corrected centroid of each class of user behavior feature values;
judge whether the corrected centroid differs from the initial centroid: if the change exceeds a predetermined threshold, take the corrected centroid as the initial centroid and recalculate; if the change does not exceed the predetermined threshold, determine that the corrected centroid is the cluster centroid of that class of user behavior feature values.
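Added example, not code from the patent or its applicants: a Python implementation of the centroid-refinement loop of the first processing module (claim 3), the Euclidean distance of claim 6, and a baseline solved from prob(|x| ≥ c) = α, run over constructed per-user login-count vectors. The user names, the four log classes, α = 0.1, the specified initial centroids and the conversion of each class's distances to a normal scale (baseline = mean distance + c × standard deviation) are assumptions, not from the page.

```python
"""Added example (not from the patent): centroid refinement, Euclidean distance to
the centroid, and a standard baseline solved from prob(|x| >= c) = alpha."""
import math
from statistics import NormalDist, mean, pstdev

# Constructed sample data: per-user login counts in one period, classed as
# (ssh logins, ftp logins, database logins, off-hours logins).  u10 is the
# constructed anomaly: its off-hours count is far from the rest of its group.
USERS = {
    "u01": (10, 2, 1, 0), "u02": (11, 2, 1, 0), "u03": (9, 3, 1, 0),
    "u04": (10, 1, 2, 0), "u05": (12, 2, 0, 0), "u06": (10, 2, 1, 1),
    "u07": (8, 2, 1, 0), "u08": (11, 3, 1, 0), "u09": (10, 2, 2, 0),
    "u10": (12, 3, 1, 25),
    "u11": (1, 8, 5, 0), "u12": (2, 7, 6, 0), "u13": (1, 9, 5, 0),
    "u14": (0, 8, 4, 0), "u15": (2, 8, 5, 1), "u16": (1, 7, 5, 0),
}


def euclidean(a, b):
    """Distance in Euclidean space between two feature vectors (claim 6)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean_vector(points):
    """Component-wise mean of a non-empty list of feature vectors."""
    return tuple(mean(p[i] for p in points) for i in range(len(points[0])))


def cluster_centroids(features, initial, threshold=0.0, max_rounds=100):
    """Claim 3 loop: assign each vector to its nearest centroid, recompute the
    corrected centroid of every class, and repeat with the corrected centroids as
    the new initial centroids until the largest shift is within `threshold`.
    Returns (centroids, assignment) with assignment mapping user -> class index."""
    centroids = [tuple(c) for c in initial]
    assignment = {}
    for _ in range(max_rounds):
        groups = [[] for _ in centroids]
        for user, vec in features.items():
            nearest = min(range(len(centroids)),
                          key=lambda i: euclidean(vec, centroids[i]))
            assignment[user] = nearest
            groups[nearest].append(vec)
        # A class that lost all its members keeps its previous centroid.
        corrected = [mean_vector(g) if g else c for g, c in zip(groups, centroids)]
        shift = max(euclidean(c, n) for c, n in zip(centroids, corrected))
        centroids = corrected
        if shift <= threshold:
            break
    return centroids, assignment


def baseline_c(alpha):
    """Solve prob(|x| >= c) = alpha for a standard normal: c = Phi^-1(1 - alpha/2)."""
    return NormalDist().inv_cdf(1 - alpha / 2)


def detect_anomalies(features, centroids, assignment, alpha=0.1):
    """Compare each user's distance to its centroid with the class baseline.
    Assumption: the distances of a class are converted to a normal scale by their
    mean and standard deviation, so the baseline is mean_d + c * std_d.  Distances
    are non-negative and only a large one means the user has left its group, so
    only the upper tail of the |x| >= c rule is tested."""
    c = baseline_c(alpha)
    dist = {u: euclidean(v, centroids[assignment[u]]) for u, v in features.items()}
    flagged = {}
    for idx in range(len(centroids)):
        members = [u for u in features if assignment[u] == idx]
        ds = [dist[u] for u in members]
        # With fewer than two members, or identical distances, no member is rare.
        if len(ds) < 2 or pstdev(ds) == 0:
            continue
        baseline = mean(ds) + c * pstdev(ds)
        for u in members:
            if dist[u] >= baseline:
                flagged[u] = round(dist[u], 2)
    return flagged


def run_example():
    """Claim 4 allows specified initial centroids: one ssh-heavy and one db-heavy user."""
    centroids, assignment = cluster_centroids(USERS, [USERS["u01"], USERS["u11"]])
    return detect_anomalies(USERS, centroids, assignment, alpha=0.1)


if __name__ == "__main__":
    print(run_example())  # {'u10': 22.48}
```

Only u10 exceeds its class baseline; u11, the member closest to its own centroid, is not flagged because the test is one-sided on distance.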
An embodiment of the present invention also provides a user abnormal behavior detection system, comprising:
a memory, a processor, a communication interface and a bus;
the memory and the processor are connected to the communication interface through the bus and complete mutual communication;
the memory is used for storing program code;
the processor, by reading the executable program code stored in the memory, runs a program corresponding to the executable program code so as to execute a user abnormal behavior detection method, wherein the user abnormal behavior detection method comprises:
obtaining user behavior information;
extracting from the user behavior information the user behavior feature values associated with user behavior;
according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values associated with each class of user behavior;
with the cluster centroid as the center, determining the standard baseline of the user's normal behavior;
calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;
comparing the calculated distance with the standard baseline to judge whether the user behavior information belongs to abnormal behavior information.
Those skilled in the art will understand that the above embodiments are illustrative and not restrictive. Technical features appearing in different embodiments may be combined to obtain advantageous effects. On the basis of studying the drawings, the description and the claims, those skilled in the art will understand and be able to implement other variations of the disclosed embodiments. In the claims, the term "comprising" does not exclude other devices or steps; the indefinite article "a" does not exclude a plurality; the terms "first" and "second" are used to indicate names and not any particular order. Any reference numerals in the claims should not be construed as limiting their scope. The functions of several parts appearing in the claims may be realized by a single hardware or software module. The appearance of certain technical features in different dependent claims does not mean that those features cannot be combined to obtain advantageous effects.

Claims (13)

1. A user abnormal behavior detection method, comprising:
obtaining user behavior information;
extracting from the user behavior information the user behavior feature values associated with user behavior;
according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values associated with each class of user behavior;
with the cluster centroid as the center, determining the standard baseline of the user's normal behavior;
calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;
comparing the calculated distance with the standard baseline to judge whether the user behavior information belongs to abnormal behavior information.
2. The user abnormal behavior detection method according to claim 1, characterized in that
the user behavior information is all user behavior information obtained within a predetermined period.
3. The user abnormal behavior detection method according to claim 1, characterized in that
calculating, according to the clustering features of the user behavior feature values, the cluster centroid of the user behavior feature values associated with each class of user behavior comprises:
selecting one initial centroid from each class of user behavior feature values;
calculating the distance between the user behavior feature values of the user behavior information and each initial centroid;
assigning the user behavior feature values of the user behavior information to the initial centroid at the minimum distance;
recalculating the corrected centroid of each class of user behavior feature values;
judging whether the corrected centroid differs from the initial centroid: if the change exceeds a predetermined threshold, taking the corrected centroid as the initial centroid and recalculating; if the change does not exceed the predetermined threshold, determining that the corrected centroid is the cluster centroid of that class of user behavior feature values.
4. The user abnormal behavior detection method according to claim 3, characterized in that
the initial centroid is selected randomly or by specification.
5. The user abnormal behavior detection method according to claim 3, characterized in that
the predetermined threshold is 0 or any specified value.
6. The user abnormal behavior detection method according to claim 1, characterized in that
determining, with the cluster centroid as the center, the standard baseline of the user's normal behavior uses the distance in Euclidean space to calculate the distance from each user behavior feature value to its corresponding centroid.
7. The user abnormal behavior detection method according to claim 1, characterized in that
the user behavior information includes user login behavior information and user service operation behavior information.
8. The user abnormal behavior detection method according to claim 7, characterized in that
the user login behavior information includes any one or more of ssh logs, telnet logs, ftp logs, sftp logs, database login logs, service application login logs, pop3 login logs and imap login logs.
9. The user abnormal behavior detection method according to claim 7, characterized in that
the user service operation behavior information includes user operation record logs.
10. A user abnormal behavior detection device, characterized by comprising:
an information acquisition module, for obtaining user behavior information;
a feature extraction module, for extracting from the user behavior information the user behavior feature values associated with user behavior;
a first processing module, for calculating, according to the clustering features of the user behavior feature values, the cluster centroid of the user behavior feature values associated with each class of user behavior;
a second processing module, for determining, with the cluster centroid as the center, the standard baseline of the user's normal behavior;
a third processing module, for calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;
a comparison module, for comparing the calculated distance with the standard baseline to judge whether the user behavior information belongs to abnormal behavior information.
11. The user abnormal behavior detection device according to claim 10, characterized in that
the information acquisition module is configured to acquire all user behavior information within a predetermined period.
12. The user abnormal behavior detection device according to claim 10, characterized in that
the first processing module is further configured to:
select one initial centroid from each class of user behavior feature values;
calculate the distance between the user behavior feature values of the user behavior information and each initial centroid;
assign the user behavior feature values of the user behavior information to the initial centroid at the minimum distance;
recalculate the corrected centroid of each class of user behavior feature values;
judge whether the corrected centroid differs from the initial centroid: if the change exceeds a predetermined threshold, take the corrected centroid as the initial centroid and recalculate; if the change does not exceed the predetermined threshold, determine that the corrected centroid is the cluster centroid of that class of user behavior feature values.
13. A user abnormal behavior detection system, characterized by comprising:
a memory, a processor, a communication interface and a bus;
the memory and the processor are connected to the communication interface through the bus and complete mutual communication;
the memory is used for storing program code;
the processor, by reading the executable program code stored in the memory, runs a program corresponding to the executable program code so as to execute a user abnormal behavior detection method, wherein the user abnormal behavior detection method comprises:
obtaining user behavior information;
extracting from the user behavior information the user behavior feature values associated with user behavior;
according to the clustering features of the user behavior feature values, calculating the cluster centroid of the user behavior feature values associated with each class of user behavior;
with the cluster centroid as the center, determining the standard baseline of the user's normal behavior;
calculating the distance between the user behavior feature values of the user behavior information and the cluster centroid;
comparing the calculated distance with the standard baseline to judge whether the user behavior information belongs to abnormal behavior information.
CN201710306998.1A 2017-05-02 2017-05-02 A kind of user's anomaly detection method, apparatus and system Pending CN108809745A (en)


Publications (1)

Publication Number Publication Date
CN108809745A true CN108809745A (en) 2018-11-13

Family

ID=64054445





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181113