CN109145595A - User abnormal behavior detection system, method, device and storage medium - Google Patents

User abnormal behavior detection system, method, device and storage medium


Publication number
CN109145595A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810856594.4A
Other languages
Chinese (zh)
Inventor
罗剑江
黄丽诗
胡泽柱
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SF Technology Co Ltd
SF Tech Co Ltd
Original Assignee
SF Technology Co Ltd
Application filed by SF Technology Co Ltd
Priority to CN201810856594.4A
Publication of CN109145595A

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 - Detecting local intrusion or implementing counter-measures
    • G06F21/552 - Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention relates to a user abnormal behavior detection system, method, device and storage medium. The user's current operation behaviors are collected and aggregated to form the user's current test data set; the current test data set is input into an optimized deep autoencoder model to obtain a reconstruction error, and the reconstruction error is compared with a preset threshold to detect whether the user's current operation behavior is abnormal, wherein the optimized deep autoencoder model is obtained by training a deep autoencoder model on a historical data set formed by collecting and aggregating the user's historical operation behaviors, and the preset threshold is obtained by inputting the historical data set into the optimized deep autoencoder model. By aggregating multiple operation behaviors of a user, the invention addresses the false positives caused by analyzing a single operation behavior; by using a deep autoencoder model to build a white model from the normal behavior of the group to which the user belongs and identifying abnormal user behavior against it, the invention improves the efficiency and accuracy of detecting abnormal user operation behavior.

Description

User abnormal behavior detection system, method, device and storage medium
Technical field
The present invention relates to the field of data mining, and more particularly to a user abnormal behavior detection system, method, device and storage medium.
Background
At present, user abnormal behavior detection is usually based on analysis of a single behavior, which does not reflect the user's real behavior well and generates a large number of false alarms in practice, so that investigators spend excessive time on investigation and real anomalous events are not well covered. Most current user abnormal behavior detection also requires manual feature extraction, which is difficult. In addition, the detection is not fine-grained enough and fails to properly consider both the user's own behavior and the behavior of the group to which the user belongs.
Summary of the invention
To solve the above technical problems, the object of the present invention is to provide a user abnormal behavior detection method, system and device.
According to one aspect of the present invention, a user abnormal behavior detection method is provided, comprising the following steps:
collecting the user's current operation behaviors and aggregating them to form the user's current test data set;
inputting the user's current test data set into an optimized deep autoencoder model to obtain a reconstruction error, and comparing the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal, wherein the optimized deep autoencoder model is obtained by training a deep autoencoder model on a historical data set formed by collecting and aggregating the user's historical operation behaviors, and the preset threshold is obtained by inputting the historical data set into the optimized deep autoencoder model.
Further, the operation behaviors include at least one of login behavior, usage behavior and outbound data transfer behavior.
Further, the outbound data transfer behavior includes sending email externally and/or copying data to a removable storage device.
Further, obtaining the user's current test data set or historical data set includes:
counting the number of times each of the user's current or historical operation behaviors occurs within a predetermined period;
obtaining, from those counts, the probability of occurrence of each operation behavior within the predetermined period;
determining the dimension of each datum in the data set from the operation behavior counts and the probability of occurrence of each operation behavior within the predetermined period, and forming the user's current test data set or historical data set.
Further, the number of nodes in a hidden layer of the deep autoencoder model does not exceed the number of nodes in the input layer; and/or
the input layer and the output layer have the same number of nodes.
Further, obtaining the preset threshold includes:
inputting the historical data set into the optimized deep autoencoder model to obtain preset reconstruction errors;
obtaining the mean and standard deviation for the historical data set from the preset reconstruction errors;
obtaining the preset threshold from the mean, the standard deviation, and the preset relation among the mean, the standard deviation and the preset threshold.
The preset relation among the mean, the standard deviation and the preset threshold is:
d = S + 3 × σ,
where
d is the preset threshold;
S is the mean of the historical data set's reconstruction errors;
σ is the standard deviation of the historical data set's reconstruction errors.
According to another aspect of the present invention, a user abnormal behavior detection system is provided, comprising:
an acquisition unit, configured to collect the user's current operation behaviors and aggregate them to form the user's current test data set;
a detection unit, configured to input the user's current test data set into an optimized deep autoencoder model to obtain a reconstruction error, and to compare the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal,
wherein the detection unit is signal-connected to a deep autoencoder, the deep autoencoder being configured to train a deep autoencoder model on the historical data set formed by collecting and aggregating the user's historical operation behaviors to obtain the optimized deep autoencoder model, and to input the historical data set into the optimized deep autoencoder model to obtain the preset threshold.
Further, the operation behaviors include at least one of login behavior, usage behavior and outbound data transfer behavior.
The outbound data transfer behavior includes sending email externally and/or copying data to a removable storage device.
The acquisition unit is further configured to:
count the number of times each of the user's current or historical operation behaviors occurs within a predetermined period;
obtain, from those counts, the probability of occurrence of each operation behavior within the predetermined period;
determine the dimension of each datum in the data set from the operation behavior counts and the probability of occurrence of each operation behavior within the predetermined period, and form the user's current test data set or historical data set.
The number of nodes in a hidden layer of the deep autoencoder model does not exceed the number of nodes in the input layer; and/or
the input layer and the output layer have the same number of nodes.
The deep autoencoder is further configured to:
input the historical data set into the optimized deep autoencoder model to obtain preset reconstruction errors;
obtain the mean and standard deviation for the historical data set from the preset reconstruction errors;
obtain the preset threshold from the mean, the standard deviation, and the preset relation among the mean, the standard deviation and the preset threshold.
The preset relation among the mean, the standard deviation and the preset threshold is:
d = S + 3 × σ,
where
d is the preset threshold;
S is the mean of the historical data set's reconstruction errors;
σ is the standard deviation of the historical data set's reconstruction errors.
According to another aspect of the present invention, a device is provided, the device comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of the above.
According to another aspect of the present invention, a computer-readable storage medium storing a computer program is provided, wherein the program, when executed by a processor, implements the method of any of the above.
Compared with the prior art, the present invention has the following advantages:
1. In the exemplary user abnormal behavior detection method of the present invention, the user's current operation behaviors are collected and aggregated to form the user's current test data set; the current test data set is input into the optimized deep autoencoder model to obtain a reconstruction error, and the reconstruction error is compared with a preset threshold to detect whether the user's current operation behavior is abnormal, wherein the optimized deep autoencoder model is obtained by training a deep autoencoder model on the historical data set formed by collecting and aggregating the user's historical operation behaviors, and the preset threshold is obtained by inputting the historical data set into the optimized deep autoencoder model. By aggregating multiple operation behaviors of a user, the invention addresses the false positives caused by analyzing a single operation behavior; using deep learning for feature extraction removes the pain point of manual feature extraction; and using a deep autoencoder model to build a white model from the normal behavior of the group to which the user belongs, and identifying abnormal user behavior against it, improves the efficiency and accuracy of detecting abnormal user operation behavior.
2. In the exemplary user abnormal behavior detection system of the present invention, the acquisition unit is configured to collect the user's current operation behaviors and aggregate them to form the user's current test data set; the detection unit is configured to input the user's current test data set into the optimized deep autoencoder model to obtain a reconstruction error and to compare the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal, wherein the detection unit is signal-connected to a deep autoencoder, the deep autoencoder being configured to train a deep autoencoder model on the historical data set formed by collecting and aggregating the user's historical operation behaviors to obtain the optimized deep autoencoder model, and to input the historical data set into the optimized deep autoencoder model to obtain the preset threshold. The units cooperate with one another, a white model is built with the deep autoencoder model from the normal behavior of the group to which the user belongs, and abnormal user behavior is identified against it, which greatly improves the efficiency and accuracy of detecting abnormal user operation behavior; the structure is simple and easy to maintain.
3. The exemplary login anomaly detection device of the present invention, and the computer-readable medium storing the computer program, facilitate the wider adoption of user abnormal behavior detection technology.
Brief description of the drawings
Fig. 1 is a flow chart of the present invention;
Fig. 2 is a schematic structural diagram of the deep autoencoder model of embodiment one.
Detailed description of the embodiments
For a better understanding of the technical solution of the present invention, the invention is further described below with reference to specific embodiments and the accompanying drawings.
Embodiment one:
This embodiment provides a user abnormal behavior detection method, comprising the following steps:
S1, collect the user's current operation behaviors and aggregate them to form the user's current test data set.
The operation behaviors include at least one of login behavior, usage behavior and outbound data transfer behavior.
The outbound data transfer behavior includes sending email externally and/or copying data to a removable storage device.
S2, input the user's current test data set into the optimized deep autoencoder model to obtain a reconstruction error, and compare the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal, wherein the optimized deep autoencoder model is obtained by training a deep autoencoder model on the historical data set formed by collecting and aggregating the user's historical operation behaviors, and the preset threshold is obtained by inputting the historical data set into the optimized deep autoencoder model.
The number of nodes in a hidden layer of the deep autoencoder model does not exceed the number of nodes in the input layer; and/or
the input layer and the output layer have the same number of nodes.
Obtaining the user's current test data set or historical data set includes:
(1) counting the number of times each of the user's current or historical operation behaviors occurs within a predetermined period;
(2) obtaining, from those counts, the probability of occurrence of each operation behavior within the predetermined period;
(3) determining the dimension of each datum in the data set from the operation behavior counts and the probability of occurrence of each operation behavior within the predetermined period, and forming the user's current test data set or historical data set.
Obtaining the preset threshold includes:
(1) inputting the historical data set into the optimized deep autoencoder model to obtain preset reconstruction errors;
(2) obtaining the mean and standard deviation for the historical data set from the preset reconstruction errors;
(3) obtaining the preset threshold from the mean, the standard deviation, and the preset relation among the mean, the standard deviation and the preset threshold.
Further, the preset threshold d satisfies:
d = S + 3 × σ,
where
S is the mean of the historical data set's reconstruction errors;
σ is the standard deviation of the historical data set's reconstruction errors.
The specific steps of the above user abnormal behavior detection method are as follows:
S1, data processing
S11, data acquisition:
For the group to which the user belongs (the group scope can be defined as the same post, the same department or the same team), obtain half a year to one year of normal data on each user's daily operation behaviors. The operation behavior data comprise N kinds of behavior, for example: login behavior, operation behavior, sending email externally, and copying data to a removable storage device (such as copying data to a USB drive). The choice of behavior data depends on the specific scenario to be detected, and should generally include login, operation and outbound data transfer behaviors. The N behaviors should, as far as possible, form a behavior set sufficient to describe the full picture of user behavior. Suppose m user-data samples are obtained in total, forming data set D, where each sample in D consists of data from the N behaviors;
S12, data cleansing: each behavior is processed as follows. Divide the day into units of a hours; if the behavior occurs within an interval, record the number of times it occurs (or the data volume of the operation, such as the size of the data sent out within that interval), otherwise record 0. For example, if a = 1, data are aggregated in units of 1 hour; if the user used the system once at 12 o'clock on a given day and not at any other time, this is recorded as 000000000010000000000000. For example:
Table 1: User operation behavior record
User 1 0 9 12 23
Number of logins 0 0 0 1 0 0
Operation data volume 0 0 100 0 1 0
0 0 0 0 5 0
Outbound data volume 0 0 80 0 0 0
The resulting N × 24/a data are flattened into a vector of the form 1 × (N × 24/a). Therefore, the dimension of each sample in data set D is n (n = N × 24/a), expressed specifically as follows:
S2, model building
S21, set the structure of the deep autoencoder model: build a deep autoencoder model whose input layer and output layer each have n nodes and which has L hidden layers, where L is an integer and the number of nodes in a hidden layer usually does not exceed the number of nodes in the input layer (note: Fig. 2 shows a deep autoencoder with 3 hidden layers).
S22, model training: use data set D as input to train the deep autoencoder model, obtaining the optimized deep autoencoder model.
S3, model application
S31, data vectorization. Vectorize each test datum in the same way:
Divide the day into units of a hours; if the behavior occurs within an interval, record the number of times it occurs (or the data volume of the operation, such as the size of the data sent out within that interval), otherwise record 0, keeping the dimension consistent with the training data;
flatten the result into a vector of the form 1 × (N × 24/a).
S32, data application: compute the reconstruction error of the test data under the trained deep autoencoder model, and select a suitable threshold d for anomaly identification. If the reconstruction error of the test data exceeds the threshold d, the user's behavior is judged abnormal; otherwise it is normal. The threshold d is selected as follows: compute the reconstruction errors of data set D under the trained deep autoencoder model, compute their mean S and standard deviation σ, and set the threshold to d = S + 3 × σ.
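Steps S12 through S32 above, as an added Python example that is not code from the patent: it buckets a user-day into the 1 × (N × 24/a) vector, trains a small deep autoencoder on normal days, derives d = S + 3 × σ from the training reconstruction errors, and scores a test day. The behavior names, a = 4, the 8-4-8 hidden layers, the log scaling and all sample events are assumptions constructed for illustration.

```python
import math
import random
import statistics

BEHAVIORS = ("login", "operation", "outbound")  # N = 3 behaviors (names assumed)
A_HOURS = 4                                     # bucket width a -> 24/a = 6 buckets/day


def vectorize(events, a=A_HOURS):
    """Step S12: aggregate one user-day of (behavior, hour, amount) events into
    a flat 1 x (N*24/a) vector; buckets without activity stay 0."""
    buckets = int(24 / a)
    vec = [0.0] * (len(BEHAVIORS) * buckets)
    for behavior, hour, amount in events:
        vec[BEHAVIORS.index(behavior) * buckets + int(hour / a)] += amount
    # Log scaling is an assumption of this example; the patent records raw values.
    return [math.log1p(v) / 10.0 for v in vec]


class DeepAutoencoder:
    """Fully connected autoencoder: tanh hidden layers, linear output layer."""

    def __init__(self, sizes, seed=0):
        rng = random.Random(seed)
        self.W = [[[rng.uniform(-0.3, 0.3) for _ in range(n_in)] for _ in range(n_out)]
                  for n_in, n_out in zip(sizes, sizes[1:])]
        self.b = [[0.0] * n_out for n_out in sizes[1:]]

    def forward(self, x):
        acts = [x]
        for k, (W, b) in enumerate(zip(self.W, self.b)):
            prev = acts[-1]
            z = [sum(w * p for w, p in zip(row, prev)) + bj for row, bj in zip(W, b)]
            acts.append(z if k == len(self.W) - 1 else [math.tanh(v) for v in z])
        return acts

    def train(self, data, epochs=80, lr=0.05, seed=0):
        """Step S22: plain SGD on the squared reconstruction error."""
        rng = random.Random(seed)
        data = list(data)
        for _ in range(epochs):
            rng.shuffle(data)
            for x in data:
                acts = self.forward(x)
                delta = [o - t for o, t in zip(acts[-1], x)]
                for k in reversed(range(len(self.W))):
                    prev, W = acts[k], self.W[k]
                    if k > 0:  # gradient for the previous layer, before W changes
                        back = [sum(W[j][i] * d for j, d in enumerate(delta)) * (1 - p * p)
                                for i, p in enumerate(prev)]
                    for j, d in enumerate(delta):
                        row = W[j]
                        for i, p in enumerate(prev):
                            row[i] -= lr * d * p
                        self.b[k][j] -= lr * d
                    if k > 0:
                        delta = back

    def reconstruction_error(self, x):
        out = self.forward(x)[-1]
        return sum((o - t) ** 2 for o, t in zip(out, x)) / len(x)


def fit_threshold(model, history):
    """Step S32: d = S + 3*sigma over the reconstruction errors of data set D."""
    errors = [model.reconstruction_error(x) for x in history]
    return statistics.fmean(errors) + 3 * statistics.pstdev(errors)


def is_anomalous(model, d, x):
    return model.reconstruction_error(x) > d


def synthetic_history(m=120, seed=1):
    """Constructed data set D: m normal working days of one peer group."""
    rng = random.Random(seed)
    return [vectorize([("login", 9, rng.randint(1, 2)),
                       ("operation", 10, rng.randint(50, 150)),
                       ("operation", 14, rng.randint(50, 150)),
                       ("outbound", 14, rng.randint(20, 80))])
            for _ in range(m)]


# Constructed test day: heavy activity and a large outbound transfer at 02:00.
NIGHT_EVENTS = [("login", 2, 30), ("operation", 2, 3000), ("outbound", 2, 5000)]


def build_detector():
    history = synthetic_history()
    n = len(history[0])
    model = DeepAutoencoder([n, 8, 4, 8, n])  # 3 hidden layers, none wider than input
    model.train(history)
    return model, fit_threshold(model, history), history


if __name__ == "__main__":
    model, d, history = build_detector()
    print("threshold d =", round(d, 5))
    print("night day anomalous:", is_anomalous(model, d, vectorize(NIGHT_EVENTS)))
    print("history days flagged:", sum(is_anomalous(model, d, x) for x in history))
```

Because d is the mean plus three standard deviations of the training errors, at most one tenth of the training days can exceed it (Cantelli's inequality), so the threshold also bounds the false-positive rate on the baseline itself.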
This embodiment provides a user abnormal behavior detection system, comprising:
an acquisition unit, configured to collect the user's current operation behaviors and aggregate them to form the user's current test data set, and further configured to:
count the number of times each of the user's current or historical operation behaviors occurs within a predetermined period;
obtain, from those counts, the probability of occurrence of each operation behavior within the predetermined period;
determine the dimension of each datum in the data set from the operation behavior counts and the probability of occurrence of each operation behavior within the predetermined period, and form the user's current test data set or historical data set;
a detection unit, configured to input the user's current test data set into the optimized deep autoencoder model to obtain a reconstruction error, and to compare the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal,
wherein the detection unit is signal-connected to a deep autoencoder, the deep autoencoder being configured to train a deep autoencoder model on the historical data set formed by collecting and aggregating the user's historical operation behaviors to obtain the optimized deep autoencoder model, and to input the historical data set into the optimized deep autoencoder model to obtain the preset threshold; the number of nodes in a hidden layer of the deep autoencoder model does not exceed the number of nodes in the input layer; and/or the input layer and the output layer have the same number of nodes.
The operation behaviors include at least one of login behavior, usage behavior and outbound data transfer behavior.
The outbound data transfer behavior includes sending email externally and/or copying data to a removable storage device.
The above deep autoencoder is further configured to:
input the historical data set into the optimized deep autoencoder model to obtain preset reconstruction errors;
obtain the mean and standard deviation for the historical data set from the preset reconstruction errors;
obtain the preset threshold from the mean, the standard deviation, and the preset relation among the mean, the standard deviation and the preset threshold.
The preset threshold d satisfies:
d = S + 3 × σ,
where
S is the mean of the historical data set's reconstruction errors;
σ is the standard deviation of the historical data set's reconstruction errors.
This embodiment also provides a device, the device comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of the above.
This embodiment also provides a computer-readable storage medium storing a computer program, wherein the program, when executed by a processor, implements the method of any of the above.
Embodiment two
Features of this embodiment identical to those of embodiment one are not repeated; this embodiment differs from embodiment one in the following:
This embodiment provides a user abnormal behavior detection method, comprising the following steps:
S1, collect the user's current operation behaviors and aggregate them to form the user's current test data set.
The operation behaviors include at least one of login behavior, usage behavior and outbound data transfer behavior.
The outbound data transfer behavior includes sending email externally and/or copying data to a removable storage device.
S2, input the user's current test data set into the optimized deep autoencoder model to obtain a reconstruction error, and compare the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal, wherein the optimized deep autoencoder model is obtained by training a deep autoencoder model on the historical data set formed by collecting and aggregating the user's historical operation behaviors, and the preset threshold is obtained by inputting the historical data set into the optimized deep autoencoder model.
The number of nodes in a hidden layer of the deep autoencoder model does not exceed the number of nodes in the input layer; and/or
the input layer and the output layer have the same number of nodes.
Obtaining the user's current test data set or historical data set includes:
(1) counting the number of times each of the user's current or historical operation behaviors occurs within a predetermined period;
(2) obtaining, from those counts, the probability of occurrence of each operation behavior within the predetermined period;
(3) determining the dimension of each datum in the data set from the operation behavior counts and the probability of occurrence of each operation behavior within the predetermined period, and forming the user's current test data set or historical data set.
Obtaining the preset threshold includes:
(1) inputting the historical data set into the optimized deep autoencoder model to obtain preset reconstruction errors;
(2) obtaining the mean and standard deviation for the historical data set from the preset reconstruction errors;
(3) obtaining the preset threshold from the mean, the standard deviation, and the preset relation among the mean, the standard deviation and the preset threshold.
Further, the preset threshold d satisfies:
d = S + 3 × σ,
where
S is the mean of the historical data set's reconstruction errors;
σ is the standard deviation of the historical data set's reconstruction errors.
This embodiment provides a user abnormal behavior detection system, comprising:
an acquisition unit, configured to collect the user's current operation behaviors and aggregate them to form the user's current test data set, and further configured to:
count the number of times each of the user's current or historical operation behaviors occurs within a predetermined period;
obtain, from those counts, the probability of occurrence of each operation behavior within the predetermined period;
determine the dimension of each datum in the data set from the operation behavior counts and the probability of occurrence of each operation behavior within the predetermined period, and form the user's current test data set or historical data set;
a detection unit, configured to input the user's current test data set into the optimized deep autoencoder model to obtain a reconstruction error, and to compare the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal,
wherein the detection unit is signal-connected to a deep autoencoder, the deep autoencoder being configured to train a deep autoencoder model on the historical data set formed by collecting and aggregating the user's historical operation behaviors to obtain the optimized deep autoencoder model, and to input the historical data set into the optimized deep autoencoder model to obtain the preset threshold; the number of nodes in a hidden layer of the deep autoencoder model does not exceed the number of nodes in the input layer; and/or the input layer and the output layer have the same number of nodes.
The operation behaviors include at least one of login behavior, usage behavior and outbound data transfer behavior.
The outbound data transfer behavior includes sending email externally and/or copying data to a removable storage device.
The above deep autoencoder is further configured to:
input the historical data set into the optimized deep autoencoder model to obtain preset reconstruction errors;
obtain the mean and standard deviation for the historical data set from the preset reconstruction errors;
obtain the preset threshold from the mean, the standard deviation, and the preset relation among the mean, the standard deviation and the preset threshold.
The preset threshold d satisfies:
d = S + 3 × σ,
where
S is the mean of the historical data set's reconstruction errors;
σ is the standard deviation of the historical data set's reconstruction errors.
This embodiment also provides a device, the device comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of the above.
This embodiment also provides a computer-readable storage medium storing a computer program, wherein the program, when executed by a processor, implements the method of any of the above.
Embodiment three:
Features of this embodiment identical to those of embodiment one are not repeated; this embodiment differs from embodiment one in the following:
This embodiment provides a user abnormal behavior detection method, comprising the following steps:
S1, collect the user's current operation behaviors and aggregate them to form the user's current test data set.
The operation behaviors include login behavior, usage behavior and outbound data transfer behavior.
The outbound data transfer behavior includes sending email externally and copying data to a removable storage device.
S2, input the user's current test data set into the optimized deep autoencoder model to obtain a reconstruction error, and compare the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal, wherein the optimized deep autoencoder model is obtained by training a deep autoencoder model on the historical data set formed by collecting and aggregating the user's historical operation behaviors, and the preset threshold is obtained by inputting the historical data set into the optimized deep autoencoder model.
The number of nodes in a hidden layer of the deep autoencoder model does not exceed the number of nodes in the input layer;
the input layer and the output layer have the same number of nodes.
Obtaining the user's current test data set or historical data set includes:
(1) counting the number of times each of the user's current or historical operation behaviors occurs within a predetermined period;
(2) obtaining, from those counts, the probability of occurrence of each operation behavior within the predetermined period;
(3) determining the dimension of each datum in the data set from the operation behavior counts and the probability of occurrence of each operation behavior within the predetermined period, and forming the user's current test data set or historical data set.
Obtaining the preset threshold includes:
(1) inputting the historical data set into the optimized deep autoencoder model to obtain preset reconstruction errors;
(2) obtaining the mean and standard deviation for the historical data set from the preset reconstruction errors;
(3) obtaining the preset threshold from the mean, the standard deviation, and the preset relation among the mean, the standard deviation and the preset threshold.
Further, the preset threshold d satisfies:
d = S + 3 × σ,
where
S is the mean of the historical data set's reconstruction errors;
σ is the standard deviation of the historical data set's reconstruction errors.
The specific steps of the above user abnormal behavior detection method are as follows:
S1, data processing
S11, data acquisition:
For the group to which a user belongs (the group can be defined as the same post, the same department or the same team), obtain half a year of normal daily data on the various operation behaviors of each user. Examples of operation behavior data are login behavior, operation behavior, outbound e-mail behavior and the copying of data to removable storage devices (such as copying data to a USB drive), N kinds in total. Which behavior data are selected depends on the scenario to be detected, and should generally cover login, operation and outbound data transfer. The N behaviors should form a set that describes the overall picture of user behavior as fully as possible. If m items of user data are obtained in total, they form data set D, in which each sample consists of data for the N kinds of behavior;
S12, data cleansing: each kind of behavior is processed as follows. A day is divided into intervals of a hours; if the behavior occurs in an interval, the number of occurrences is recorded (or the traffic volume of the operation, such as the size of the data sent out in that interval), otherwise 0 is recorded. For example, with a = 0.5 the data are aggregated in units of 0.5 hour, and a user used the system once between 12:00 and 12:30 on a given day and not at any other time.
The resulting N × 24/a-dimensional data are expanded into a vector of the form 1 × (N × 24/a). The dimension of each sample in data set D is therefore n (n = N × 24/a).
S2, model building
S21, setting the deep autoencoder model structure: construct a deep autoencoder model whose input layer and output layer each have n nodes and which has L hidden layers, where L is an integer, for example L = 3; the number of nodes in a hidden layer usually does not exceed the number of nodes in the input layer.
S22, model training: data set D is used as the input to train the deep autoencoder model, yielding the optimized deep autoencoder model.
S3, model application
S31, data vectorization. Each test data item is vectorized in the same way:
A day is divided into intervals of a hours; if the behavior occurs within a 0.5-hour interval, the number of occurrences is recorded (or the traffic volume of the operation, such as the size of the data sent out in that 0.5 hour), otherwise 0 is recorded, so that the dimensions match those of the training data;
The result is expanded into a vector of the form 1 × (N × 24/a).
S32, data application: compute the reconstruction error of the test data under the trained deep autoencoder model and select a suitable threshold d for anomaly identification. If the reconstruction error of the test data exceeds the threshold d, the user's behavior is judged abnormal; otherwise it is normal. The threshold d is selected as follows: compute the reconstruction errors of data set D under the trained deep autoencoder model and, from them, their mean S and standard deviation σ; the threshold is then d = S + 3 × σ.
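A minimal sketch of steps S1 to S3 and the threshold rule d = S + 3 × σ, added here as an illustration and not taken from the patent. The behavior names, the 4-hour slot width (the text's example uses a = 0.5), the scaling of inputs into [0, 1], the sigmoid units, the hidden-layer sizes and the sample days are all assumptions, and the data are constructed.

```python
import math, random
from statistics import mean, pstdev

BEHAVIORS = ["login", "operation", "mail_out"]  # N = 3 kinds; names are assumptions
A_HOURS = 4                     # slot width a in hours (the page's example uses 0.5)
SLOTS = int(24 / A_HOURS)
N_DIM = len(BEHAVIORS) * SLOTS  # n = N * 24 / a

def vectorize(events):
    """S12/S31: one user-day of (behavior, hour, amount) events -> 1 x n vector."""
    vec = [0.0] * N_DIM
    for behavior, hour, amount in events:
        vec[BEHAVIORS.index(behavior) * SLOTS + int(hour // A_HOURS)] += amount
    return vec

def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))  # clamp avoids overflow

class DeepAutoencoder:  # fully connected sigmoid units, per-sample gradient descent
    def __init__(self, sizes, seed=0):
        rng = random.Random(seed)
        self.W = [[[rng.uniform(-0.5, 0.5) for _ in range(i)] for _ in range(o)]
                  for i, o in zip(sizes, sizes[1:])]
        self.b = [[0.0] * o for o in sizes[1:]]

    def forward(self, x):
        acts = [x]
        for W, b in zip(self.W, self.b):
            acts.append([_sigmoid(sum(w * a for w, a in zip(row, acts[-1])) + c)
                         for row, c in zip(W, b)])
        return acts

    def train(self, data, epochs=150, lr=0.5):
        for _ in range(epochs):
            for x in data:
                acts = self.forward(x)
                delta = [(y - t) * y * (1 - y) for y, t in zip(acts[-1], x)]
                for k in range(len(self.W) - 1, -1, -1):
                    prev, W = acts[k], self.W[k]  # "back" uses W before its update
                    back = [sum(W[j][i] * dj for j, dj in enumerate(delta)) * p * (1 - p)
                            for i, p in enumerate(prev)]
                    for j, dj in enumerate(delta):
                        self.b[k][j] -= lr * dj
                        for i, p in enumerate(prev):
                            W[j][i] -= lr * dj * p
                    delta = back

    def error(self, x):  # reconstruction error: mean squared input/output difference
        out = self.forward(x)[-1]
        return sum((o - t) ** 2 for o, t in zip(out, x)) / len(x)

def build_detector(history_days, hidden=(8, 4, 8), seed=0):
    """S2 and threshold selection: train on data set D, then d = S + 3 * sigma."""
    rows = [vectorize(day) for day in history_days]
    scale = max(max(r) for r in rows) or 1.0  # assumption: scale inputs into [0, 1]
    D = [[v / scale for v in r] for r in rows]
    model = DeepAutoencoder([N_DIM, *hidden, N_DIM], seed)
    model.train(D)
    errs = [model.error(x) for x in D]
    return scale, model, mean(errs) + 3 * pstdev(errs)

def is_anomalous(detector, events):  # S32: reconstruction error above d is abnormal
    scale, model, d = detector
    return model.error([v / scale for v in vectorize(events)]) > d

def constructed_history(m=30, seed=1):
    """Constructed sample data (not real logs): m ordinary office days."""
    rng = random.Random(seed)
    return [[("login", 9, 1), ("operation", rng.choice([9, 10, 14]), rng.randint(3, 6)),
             ("mail_out", 15, rng.randint(1, 3))] for _ in range(m)]

if __name__ == "__main__":
    det = build_detector(constructed_history())
    print("d =", det[2], "flagged:", is_anomalous(det, [("mail_out", 2, 500)]))
```

Because d is derived from the training errors themselves, at most about a tenth of the historical days can exceed it, so the three-sigma rule also bounds the alert rate on the baseline data.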
This embodiment provides a user abnormal behavior detection system, comprising:
An acquisition unit, configured to collect and aggregate the user's current operation behavior to form the user's current test data set; it is further configured to:
count the number of times each of the user's current or historical operation behaviors occurs within a predetermined period;
obtain, from those counts, the probability of occurrence of each operation behavior within the predetermined period;
determine the dimension of each data item in the data set from the operation behavior counts and the probability of occurrence of each operation behavior within the predetermined period, and form the user's current test data set or historical data set;
A detection unit, configured to input the user's current test data set into the optimized deep autoencoder model to obtain a reconstruction error, and to compare the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal,
wherein the detection unit is signal-connected to a deep autoencoder, the deep autoencoder being configured to train a deep autoencoder model on the historical data set formed by aggregating the user's collected historical operation behavior, thereby obtaining the optimized deep autoencoder model, and to input the historical data set into the optimized deep autoencoder model to obtain the preset threshold. The number of nodes in a hidden layer of the deep autoencoder model does not exceed the number of nodes in the input layer; the input layer and the output layer have the same number of nodes.
The operation behavior includes at least one of login behavior, usage behavior and outbound data transfer behavior.
Outbound data transfer behavior includes outbound e-mail behavior and the copying of data to removable storage devices.
The above deep autoencoder is further configured to:
input the historical data set into the optimized deep autoencoder model to obtain a preset reconstruction error;
obtain the mean and standard deviation of the historical data set from the preset reconstruction error;
obtain the preset threshold from the mean, the standard deviation, and the preset relation among the mean, the standard deviation and the preset threshold.
The preset threshold d satisfies:
d = S + 3 × σ,
where
S is the mean of the historical data set;
σ is the standard deviation of the historical data set.
This embodiment also provides a device, the device comprising:
One or more processors;
A memory for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors perform the method described in any of the above.
This embodiment also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method described in any of the above.
The above description is only of the preferred embodiments of the application and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in this application is not limited to technical solutions formed by the specific combination of the above technical features, and should also cover other technical solutions formed by any combination of the above technical features or their equivalents without departing from the inventive concept, for example solutions in which the above features are interchanged with (but not limited to) features disclosed herein that have similar functions.

Claims (16)

1. A user abnormal behavior detection method, characterized by comprising the following steps:
collecting and aggregating the user's current operation behavior to form the user's current test data set;
inputting the user's current test data set into an optimized deep autoencoder model to obtain a reconstruction error, and comparing the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal, wherein the optimized deep autoencoder model is obtained by aggregating the user's collected historical operation behavior into a historical data set and training a deep autoencoder model on it, and the preset threshold is obtained by inputting the historical data set into the optimized deep autoencoder model.
2. The user abnormal behavior detection method according to claim 1, characterized in that the operation behavior includes at least one of login behavior, usage behavior and outbound data transfer behavior.
3. The user abnormal behavior detection method according to claim 2, characterized in that outbound data transfer behavior includes outbound e-mail behavior and/or the copying of data to removable storage devices.
4. The user abnormal behavior detection method according to claim 1, characterized in that obtaining the user's current test data set or historical data set includes:
counting the number of times each of the user's current or historical operation behaviors occurs within a predetermined period;
obtaining, from those counts, the probability of occurrence of each operation behavior within the predetermined period;
determining the dimension of each data item in the data set from the operation behavior counts and the probability of occurrence of each operation behavior within the predetermined period, and forming the user's current test data set or historical data set.
5. The user abnormal behavior detection method according to claim 1, characterized in that
the number of nodes in a hidden layer of the deep autoencoder model does not exceed the number of nodes in the input layer; and/or
the input layer and the output layer have the same number of nodes.
6. The user abnormal behavior detection method according to any one of claims 1-5, characterized in that obtaining the preset threshold includes:
inputting the historical data set into the optimized deep autoencoder model to obtain a preset reconstruction error;
obtaining the mean and standard deviation of the historical data set from the preset reconstruction error;
obtaining the preset threshold from the mean, the standard deviation, and the preset relation among the mean, the standard deviation and the preset threshold.
7. The user abnormal behavior detection method according to claim 6, characterized in that the preset relation among the mean, the standard deviation and the preset threshold is:
d = S + 3 × σ,
where
d is the preset threshold;
S is the mean of the historical data set;
σ is the standard deviation of the historical data set.
8. A user abnormal behavior detection system, characterized by comprising:
an acquisition unit, configured to collect and aggregate the user's current operation behavior to form the user's current test data set;
a detection unit, configured to input the user's current test data set into an optimized deep autoencoder model to obtain a reconstruction error, and to compare the reconstruction error with a preset threshold to detect whether the user's current operation behavior is abnormal,
wherein the detection unit is signal-connected to a deep autoencoder, the deep autoencoder being configured to train a deep autoencoder model on the historical data set formed by aggregating the user's collected historical operation behavior, thereby obtaining the optimized deep autoencoder model, and to input the historical data set into the optimized deep autoencoder model to obtain the preset threshold.
9. The user abnormal behavior detection system according to claim 8, characterized in that the operation behavior includes at least one of login behavior, usage behavior and outbound data transfer behavior.
10. The user abnormal behavior detection system according to claim 9, characterized in that outbound data transfer behavior includes outbound e-mail behavior and/or the copying of data to removable storage devices.
11. The user abnormal behavior detection system according to claim 8, characterized in that the acquisition unit is further configured to:
count the number of times each of the user's current or historical operation behaviors occurs within a predetermined period;
obtain, from those counts, the probability of occurrence of each operation behavior within the predetermined period;
determine the dimension of each data item in the data set from the operation behavior counts and the probability of occurrence of each operation behavior within the predetermined period, and form the user's current test data set or historical data set.
12. The user abnormal behavior detection system according to claim 8, characterized in that the number of nodes in a hidden layer of the deep autoencoder model does not exceed the number of nodes in the input layer; and/or
the input layer and the output layer have the same number of nodes.
13. The user abnormal behavior detection system according to any one of claims 8-12, characterized in that the deep autoencoder is further configured to:
input the historical data set into the optimized deep autoencoder model to obtain a preset reconstruction error;
obtain the mean and standard deviation of the historical data set from the preset reconstruction error;
obtain the preset threshold from the mean, the standard deviation, and the preset relation among the mean, the standard deviation and the preset threshold.
14. The user abnormal behavior detection system according to claim 13, characterized in that the preset relation among the mean, the standard deviation and the preset threshold is:
d = S + 3 × σ,
where
d is the preset threshold;
S is the mean of the historical data set;
σ is the standard deviation of the historical data set.
15. A device, characterized in that the device comprises:
one or more processors;
a memory for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors perform the method of any one of claims 1-7.
16. A computer-readable storage medium storing a computer program, characterized in that the program, when executed by a processor, implements the method of any one of claims 1-7.
CN201810856594.4A 2018-07-31 2018-07-31 A kind of user's unusual checking system, method, equipment and storage medium Pending CN109145595A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810856594.4A CN109145595A (en) 2018-07-31 2018-07-31 A kind of user's unusual checking system, method, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN109145595A true CN109145595A (en) 2019-01-04

Family

ID=64798541

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810856594.4A Pending CN109145595A (en) 2018-07-31 2018-07-31 A kind of user's unusual checking system, method, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN109145595A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190104
