CN109376718A - A method for recognizing plug-in operation fingerprint similarity - Google Patents
Publication number: CN109376718A (CN201811544425.3A)
Authority: CN (China)
Legal status: Withdrawn
Classification: G06V40/1365 (Fingerprints or palmprints: Matching; Classification)
Abstract
The invention discloses a method for recognizing plug-in operation fingerprint similarity. Login and operation log data from business systems such as CRM, BOSS and 4A are collected in full, providing an automatic method for identifying high-frequency operations carried out against a business module of systems such as CRM by external scripts or programs that exploit business loopholes or management defects. The access operation logs of a large number of users or shop assistants are collected, the business features of access behavior are extracted from them, and an event fingerprint model of plug-in operation behavior is built by methods such as aggregation and statistics. User operation fingerprints collected in real time are compared with the plug-in fingerprint model. When a real-time operation fingerprint matches a fingerprint sequence contained in the plug-in model, a plug-in abnormal-operation alert is output; otherwise the operation is normal. By precisely detecting user operation behavior, the invention monitors its similarity to plug-in operation behavior and thereby discovers violating plug-in operations in time.
Description
Technical field
The present invention relates to the technical field of business security protection, and in particular to a method for recognizing plug-in operation fingerprint similarity.
Background art
In current systems such as mobile CRM and BOSS, it is common for external scripts or programs to query user information or detailed-list information in bulk, or to handle business transactions. Such operations mostly occur at night and are characterized by short intervals between occurrences, a large number of batch executions, and strong concealment that makes them hard to discover. The resulting risk of sensitive user information leakage and unauthorized business handling reduces the security of the business. At present, plug-in operations are still discovered mainly by manual statistical analysis, and a complete round of plug-in operation discovery generally comprises the following stages:
1) Collection of business operation data: this stage centrally collects the business-handling logs and user-information-query logs of systems such as CRM and BOSS. Such logs contain the system account, address, organization, operation content and so on. Fields are completed according to related information such as the organizational structure and accounts, so that later manual statistical analysis can pinpoint the specific operator, shop assistant, address and other related information.
2) Manual statistics: first, each day, the repeated fields with the same operation content and the same operation type in the collected business logs are counted manually, picking out the logs in which the same field repeats more than 1500 times within one day. Then a second repetition count is made over the account or terminal IP field in the counted data, giving the number of operations by the same account or the same address within one day. If the number of operations is greater than 1500, it is judged a suspected plug-in operation.
3) Manual analysis and audit: the suspected plug-in operation logs counted in stage two are analyzed and audited manually. Combined with the corresponding 4A login logs, it is analyzed whether the operation bypassed 4A; if it did, it is deemed a plug-in operation. If it did not, the next step of manual analysis is made by operation time, for example: more than 50 operations within 5 minutes is deemed a plug-in operation.
4) Manual damage assessment and after-the-fact accountability: the scope and degree of impact of the operation are determined from the content of the plug-in operation logs, and the name and region of the operator are determined from the account and address information in the logs. This is submitted to the relevant security department as the basis for after-the-fact accountability; serious cases are investigated and held legally liable.
As can be seen from the above, the traditional solution to plug-in operations is a technical scheme of manual analysis and audit, and it has the following disadvantages:
1) Timeliness of analysis: systems such as CRM and BOSS generate tens of millions of operation records every day. From data collection, through manual statistical analysis, to the final audit and determination, the process takes a great deal of time. The analysis cycle is long and analysis efficiency cannot be effectively guaranteed.
2) Accuracy of analysis: faced with massive daily business data, the traditional method determines whether an operation is a plug-in operation by narrowing the scope through repeated statistics. Individual records therefore cannot be compared one by one, which reduces the accuracy of the analysis.
3) Validity of analysis: the traditional approach audits the analysis results manually. Oversights and omissions are inevitable during manual review, so the authenticity and validity of the final analysis result cannot be ensured.
4) Manpower invested in analysis: faced with tens of millions of records every day, a large amount of labor cost must be invested in analysis. At the same time, using the above techniques reasonably and effectively requires analysts with a very high technical level and rich business security operations experience, and therefore an investment of high-end technical personnel.
As can be seen from the above, the technical means and schemes for discovering plug-in operations in existing businesses urgently need to change, so as to remedy the deficiencies of traditional identification means based on manual statistical analysis and audit.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art and provide a method for recognizing plug-in operation fingerprint similarity. Based on a plug-in fingerprint model established in advance, the method matches the relevant fingerprint sequences contained in user behavior event data, generated from business behavior logs collected in real time, against the fingerprint model, and so identifies plug-in operations automatically. The identification process does not depend on manual participation, which avoids the low efficiency, low accuracy and wasted labor cost that manual participation brings, and it is able to self-learn novel plug-in behavior. Compared with traditional general techniques it better fits the business needs of security and can greatly improve the efficiency of security operations.
The object of the invention is achieved by the following technical solution: a method for recognizing plug-in operation fingerprint similarity, comprising the following steps:
S1: collect access operation logs and extract from them the business feature data of access behavior;
S2: construct the event fingerprint model of plug-in operation behavior, generating the plug-in fingerprint model;
S3: collect the user's operation fingerprint in real time and compare it with the fingerprint sequences contained in the plug-in fingerprint model;
S4: judge whether the user operation fingerprint collected in real time matches the fingerprint sequences contained in the plug-in fingerprint model; if so, output a plug-in abnormal-operation signal and issue an alarm signal; if not, discard the feature data that failed to match;
S5: regenerate the discarded feature data into a new plug-in fingerprint model, carrying out self-learning of plug-in behavior.
In step S2, plug-in event fingerprints are extracted by manual sample learning to form the event fingerprint model.
In step S2, event fingerprints are extracted by machine discrete analysis to form the event fingerprint model.
The method for generating the plug-in fingerprint model in step S2 comprises the following steps:
S21: according to the weight of a fingerprint for a given event type, set fingerprints to different severity levels;
S22: integrate the fingerprints of different weights to form the plug-in fingerprint model.
Collecting user operation fingerprints in real time in step S4 comprises the following steps:
S41: classify users according to the user keywords contained in the operation log;
S42: associate all operation behaviors of each classified user to form events;
S43: extract the key operation fingerprints or time series from the user behavior events to form the real-time user operation fingerprint.
While relying as little as possible on manual identification, the invention establishes a method that identifies plug-in operation behavior automatically and discovers violating plug-in operations in a timely and effective manner. Combined with the plug-in analysis mechanisms of the traditional scheme, it forms a completely new plug-in operation identification system.
The beneficial effects of the invention are:
1) The invention makes up for the deficiencies of existing plug-in identification methods: plug-in operations are identified effectively by determining whether access behavior conforms to the basic elements of a pre-established or self-learned fingerprint model. The whole identification process needs no manual intervention. It solves the problems that traditional means detect known plug-ins inadequately and cannot identify unknown plug-in behavior, improves the accuracy of plug-in identification and widens its applicability. Users need no professional knowledge and need not set, maintain or test rules in order to monitor business plug-ins, which further improves the security of the business system and reduces the risk of sensitive user information leakage and unauthorized business handling brought by plug-in programs.
2) Extracting plug-in event fingerprints by manual sample learning to form the event fingerprint model gives high precision and reasonable fingerprint design. Extracting event fingerprints by machine discrete analysis to form the event fingerprint model depends on neither event samples nor manual experience at all, and automatically separates the majority from the minority in the logs.
3) Self-learning generates a new plug-in model: the business feature fingerprints that were missed in operations already confirmed as plug-in operations are re-aggregated, classified and redefined to form a new plug-in fingerprint model. This realizes self-learning of plug-in behavior and continuously enriches the plug-in fingerprint model library.
Description of the drawings
Fig. 1 is the overall structure of the invention;
Fig. 2 is a schematic diagram of the structure of the plug-in event fingerprint model of the invention;
Fig. 3 is the detection flow chart of the invention;
Fig. 4 is an example of basic fingerprints;
Fig. 5 is an example of non-key fields;
Fig. 6 is an example of core fingerprints;
Fig. 7 is an example of operation frequency;
Fig. 8 is an example of the 4A login log of "He little Lu";
Fig. 9 is an example of the CRM operation log of "He little Lu";
Fig. 10 is an example of the 4A login log of "Cao Jiuke";
Fig. 11 is an example of the CRM system operation log of "Cao Jiuke".
Specific embodiment
The technical solution of the invention is described clearly and completely below with reference to the embodiments. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person skilled in the art on the basis of these embodiments without creative work fall within the scope of protection of the invention.
Referring to Figs. 1-11, the invention provides a technical solution: as shown in Fig. 1, a method for recognizing plug-in operation fingerprint similarity, comprising the following steps:
S1: collect access operation logs, reusing the existing technical foundation: the query and business-handling logs of business systems such as CRM, BOSS and BASS and the 4A login logs are extracted as the data source, and the business feature data of access behavior is extracted from them;
S2: construct the event fingerprint model of plug-in operation behavior, generating the plug-in fingerprint model;
In current systems such as mobile CRM and BOSS, batch querying of user information or detailed-list information, or business handling, by plug-ins is common. In the original operation behavior log records, such events all show differences from the behavior logs of normal operations. These differences are often embodied in certain fields or multi-field combinations of specific logs: a single field may give the behavior event, while a multi-field combination gives the frequency of an operation, the timing of a series of operations, and so on. Event fingerprint design accurately finds these key log fields or multi-field combinations by various means and designates them, one by one, as fingerprints of the plug-in violation operation event.
In designing event fingerprints there are two methods for finding these key fields or field combinations. The first is to extract plug-in event fingerprints by manual sample learning to form the event fingerprint model.
The related original log records of events that have already occurred and have been identified as plug-in violation operation events are analyzed manually, and the event fingerprints are specified directly by hand. This method suits fingerprint design for known events that are easy to characterize. For plug-in violation operation events:
Fingerprint No. 1: the time at which a behavior occurs in the CRM log can serve as a fingerprint. Normal manual operation generally takes place during daytime working hours, whereas plug-in operation generally takes place at midnight;
Fingerprint No. 2: the frequency of a behavior in the CRM log can serve as a fingerprint. In normal manual operation of CRM, QueryTicket generally occurs once per minute; the frequency of plug-in operation is many times this.
Fingerprint No. 3: the content of the subsequent operation in the CRM log can serve as a fingerprint. In normal manual operation, a detailed-list query is often followed by related business-handling records, whereas plug-in operation often only queries detailed-list records, with nothing following.
Fingerprint No. 4: the timing correlation between the account's login in the 4A log and the CRM operation log can serve as a fingerprint. In normal manual operation, the corresponding CRM operation often comes only after an interval of 5 to 30 minutes following the 4A login. A plug-in program often has no such interval, and in extreme cases bypasses 4A directly with no 4A login record, or logs in repeatedly within a unit of time.
The above 4 fingerprints are the key fields or multi-field combinations found by manually analyzing existing sample logs, and are defined as the fingerprint set of the plug-in violation operation event. That is, whenever the system operation behavior logs of some later actor show high similarity to this fingerprint set, the system judges that its operations are plug-in violation operations. Of these:
Fingerprint No. 1 is a single field in the CRM log;
Fingerprint No. 2 is a multi-field combination, made up of the two fields operation time and operation content;
Fingerprint No. 3 is a multi-field combination, made up of a specific operation time + operation content and a subsequent operation time + (different) operation content;
Fingerprint No. 4 is a cross-system multi-field combination, made up of the time field of the 4A log and the time field of the CRM log.
Extracting event fingerprints by manual analysis has the advantages of high precision and reasonable fingerprint design.
The second is to extract event fingerprints by machine discrete analysis to form the event fingerprint model. The existing mass of original system logs is classified by machine, dividing the behavior logs into two categories, majority and minority. The minority log records are then judged manually and assigned an event type. Take the CRM system log: at about 33 entries per second, the log volume for one day reaches around 2,000,000 (the log volume drops sharply outside working hours). For example, by aggregating multiple fields in the CRM log such as "sub-account + operation event + operation content + account role", the machine can draw the following conclusions:
the time interval in which different accounts with the same authorized role perform the same operation (e.g. working hours 9:00 to 17:00);
the frequency with which different accounts with the same authorized role perform the same operation (e.g. QueryTicket, 5 times per hour);
whether there is a subsequent operation after different accounts with the same authorized role perform a given operation (e.g. the next operation after QueryTicket is some business handling).
These 3 conclusions distinguish the majority's operating time period, operating frequency and subsequent associated operation. Once the majority and minority logs have been separated on these 3 points, a brief manual judgment yields fingerprints No. 1 to No. 3 above.
The advantage of machine discrete classification analysis is that fingerprint extraction depends on neither event samples nor manual experience at all; it automatically separates the majority from the minority in the logs.
The method for generating the plug-in fingerprint model in step S2 comprises the following steps:
S21: according to the weight of a fingerprint for a given event type, set fingerprints to different severity levels;
S22: integrate the fingerprints of different weights to form the plug-in fingerprint model.
As the foregoing analysis shows, each field of the original system log is a prototype of an event fingerprint. Specifying event fingerprints means marking out different log fields or field combinations as the characteristic fingerprints that can indicate a given event. The relationship between original system logs and fingerprints is illustrated below using the CRM system log as an example.
The CRM system log contains 102 fields in total. Whether by manual analysis or machine analysis, the fields that are highly correlated with a particular type of event must be found among them to serve as event fingerprints and form the event fingerprint library, so that behavior logs collected later can be correlated and aggregated. For these 102 fields, the meaning of each field must be interpreted in turn and its criticality (i.e. weight) for a given event type judged, and the fields are then taken as candidate fingerprints. The fingerprints (or log fields) involved in different types of security event are entirely different.
As shown in Fig. 4, during manual judgment for a given type of security event, the meaning of each field and its weight for the event are determined one by one and marked by class. Machine learning proceeds in the same way, except that a field is marked only when it clearly separates the majority from the minority. As shown in Fig. 4, the first 21 fields all show attribute information of the actor of the log line, such as PERSON_NAME (actor name), PERSON_AREA_NAME (actor's region) and PERSON_ORG_NAME (actor's organization); the most important of these are MAIN_ACCT_NAME (main account) and SUB_ACCT_NAME (sub-account). For the portrait of a given type of event, fields of this kind that indicate actor attributes are unique and indispensable, because they directly identify the actor of the behavior. They are not, however, the decisive factor in determining whether a batch of operation logs belongs to plug-in behavior, so such fields are grouped as basic fingerprints indicating actor attributes. In other events these fields may in turn be key elements that determine the event type, so in different event portraits the fingerprint formed from the same field has a different meaning.
In machine learning, the values of this type of fingerprint are each discrete, which makes it hard to clearly separate the majority from the minority, so these fields are not judged to be key event fingerprints during machine learning.
As shown in Fig. 5, fields of this kind in the CRM log, whose content is essentially the same in every record, cannot give much support to the event portrait, and the nature or type of an event is hard to determine from them. These fields are not treated as fingerprints and are excluded from the fingerprint system outright.
In the CRM log, certain fields play a vital qualitative role for particular types of events. These fields are all included in the fingerprint system as the core fingerprints for the qualitative portrait of the event, as shown in Fig. 6:
OPERATE_CONTENT (operation content)
OPERATE_TIME (operation time)
PERSON_DUTY_NAME (user role/post)
CLIENT_NETWORK_ADDRESS (client address)
Together with the basic user attribute fields described earlier, these fields can reconstruct the key elements of an event, i.e. the 5W1H content. During fingerprint selection these fields are therefore included in the event fingerprint library as the core fingerprints of the event. The fields listed above are fingerprints only for the plug-in violation operation event; different scenarios or events correspond to different fingerprints.
As shown in Fig. 7, during machine analysis, collecting the logs of a given sub-account within a given unit of time gives all the operations the employee carried out in that time. In this figure, "Tang Lina" has the sub-account "fgae21" in the system and the identity "shop assistant", and all the operations she carried out within one minute (the time span shown by the difference in OPERATE_TIME) were "query customer Zhou Mingfang's 5.24 detailed list". Machine analysis then analyzes all accounts in this log whose identity is likewise "shop assistant" and separates the majority from the minority. If, as in the figure, Tang Lina's operating frequency or operating time does not match that of most shop assistants, she belongs to the minority. The content of her relevant fields may then be close to the fingerprints of the plug-in violation event, and the system finally determines that her behavior is plug-in behavior. Fig. 7 shows only the extraction of the "operating frequency" fingerprint during machine analysis; the other fingerprints are extracted and clustered in the same way.
Figs. 8 and 9 show how a timing fingerprint is generated. He little Lu logged in to 4A twice: once at 8:02 in the morning of June 16, '16, and once at 12:58 in the afternoon of June 16, '16. The first record in the CRM system operation log for the same period is at 16-Jun-16 09.00.51.000000 AM, which shows that the user operated the CRM system 1 hour after logging in to 4A. The result of this timing fingerprint is therefore 1 hour.
The system likewise analyzes the timing fingerprint of users with a similar identity. As shown in Figs. 10 and 11, Cao Jiuke logged in to 4A once, at 16-Jun-16 09.00.01.000000 AM. The first record in the CRM system operation log for the same period is at 16-Jun-16 09.25.32.000000 AM, which shows that the user operated the CRM system 25 minutes after logging in to 4A. The result of this timing fingerprint is therefore 25 minutes.
In this way, once the timing of 4A login relative to the CRM operation log has been analyzed for all users of the same identity (shop assistant) in the mass of logs, the majority and minority fingerprint values can be separated. In the event portrait, this fingerprint is also one of the core fingerprints of the plug-in event. Similarly, once the fingerprints formed from different field combinations have been collected and analyzed in the same manner, the event that the behavior belongs to can be characterized, and whether it is a plug-in is finally judged from its similarity to the plug-in event fingerprint set.
The foregoing example extracted the fingerprint set of the plug-in violation event and also illustrated the subsequent aggregation analysis method. For the same business system, the fingerprint sets of different events are formed in turn by this method, and these fingerprint sets together form the event fingerprint model of the system. The fingerprints of different events in the same fingerprint library may overlap in fields, or may be generated from entirely different fields. For example, the IP address field may not be a fingerprint, or may be only a low-weight fingerprint, in one plug-in event, yet be a core fingerprint in another plug-in event. This difference also means that the fingerprint system of this scheme is graded: a fingerprint has different severity levels according to its weight for a given event type.
As shown in Fig. 2, each event is labeled according to weight. Specifically, labels are built on the basis of the user attributes: time is the first label, frequency the second label, subsequent operation the third label, and 4A timing the fourth label. The four labels are then integrated to form the event fingerprint model of plug-in operation behavior.
S3: collect the user's operation fingerprint in real time and compare it with the fingerprint sequences contained in the plug-in fingerprint model;
S4: judge whether the user operation fingerprint collected in real time matches the fingerprint sequences contained in the plug-in fingerprint model; if so, output a plug-in abnormal-operation signal and issue an alarm signal; if not, discard the feature data that failed to match;
Collecting user operation fingerprints in real time in step S4 comprises the following steps. Plug-in event analysis mainly compares, in real time and according to the established "plug-in event model", the key fingerprints contained in the collected user operation access sequences, and extracts the similarity of the key fingerprint data to judge whether an operation is a plug-in operation. The detailed process is shown in Fig. 3.
S41: classify users according to the user keywords contained in the operation log (user keywords include account, name, IP address and so on);
S42: associate all operation behaviors of each classified user to form events, for example: "the user performed a 4A login at XX:XX on XX month XX day, logged in to the CRM system through 4A at XX:XX on XX month XX day, and operated module 8142 at XX:XX on XX month XX day, querying the user's detailed-list information".
S43: extract the key operation fingerprints or time series from the user behavior events to form the real-time user operation fingerprint, and match it approximately against the fingerprint sequences contained in the plug-in fingerprint model. If matching succeeds, plug-in operation behavior is output; if matching fails, the corresponding event feature data is discarded. For example: the user's actual operating frequency is 5 times per second, which is greater than the upper-limit frequency of 2 times per second given for the time series in the fingerprint model, so matching succeeds and the system identifies plug-in operation behavior. This is matching of a single fingerprint sequence. In practice, matching of multiple fingerprint sequences is also common. For example: judging by the event operation fingerprint of a user, the user did not log in to the CRM system through 4A, yet CRM operation logs exist, and 100 log entries were operated within 5 minutes. The user's login fingerprint, CRM operation fingerprint and operating time frequency must then each be matched against the corresponding fingerprint sequence in the fingerprint model. If all of the fingerprints match, or more than 80% of the key fingerprints match, the operation is determined to be a plug-in operation.
S5: regenerate the discarded feature data into a new plug-in fingerprint model, carrying out self-learning of plug-in behavior. During plug-in fingerprint matching, not every fingerprint sequence matches the model fingerprints exactly, one by one. The part of the plug-in fingerprints that did not match is re-aggregated and redefined to form new plug-in fingerprint data, and a new plug-in model is generated, achieving self-learning of the model.
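Steps S41 to S43 and the hand-off to S5, as an added Python example that is not code from the patent. The row layouts, the HandleBusiness operation name, the fingerprint weights and the use of a weighted score for the 80% line are assumptions; the 9:00 to 17:00 working hours, the 50-operations-in-5-minutes burst and the 5-minute login gap reuse figures quoted on this page.

```python
"""Added example of steps S41-S43 and the hand-off to S5 (not code from the patent)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical model. The weights and the weighted score are assumptions; the
# other figures reuse examples quoted on the page.
MODEL = {
    "weights": {"time": 1, "frequency": 3, "followup": 2, "4a_timing": 3},
    "match_ratio": 0.8,      # "more than 80% of the key fingerprints"
    "work_hours": (9, 17),   # working time 9:00 to 17:00
    "burst": (50, 300),      # more than 50 operations within 5 minutes
    "min_login_gap": 300,    # normal 4A-to-CRM gap is 5 to 30 minutes
}


def sample_logs():
    """Constructed 4A login rows and CRM rows (not real data)."""
    d = datetime(2016, 6, 16)
    logins = [("clerk01", d.replace(hour=9)), ("bot02", d.replace(hour=10))]
    crm = []
    for m in range(0, 20, 2):  # clerk01: query, then handle business, from 09:25
        t = d.replace(hour=9, minute=25) + timedelta(minutes=m)
        crm.append(("clerk01", t, "QueryTicket"))
        crm.append(("clerk01", t + timedelta(seconds=40), "HandleBusiness"))
    for s in range(60):        # bot01: no 4A login, 60 queries in 5 minutes at 02:00
        crm.append(("bot01", d.replace(hour=2) + timedelta(seconds=5 * s), "QueryTicket"))
    for s in range(60):        # bot02: daytime burst starting 30 s after 4A login
        crm.append(("bot02", d.replace(hour=10, second=30) + timedelta(seconds=4 * s),
                    "QueryTicket"))
    return logins, crm


def build_events(login_rows, crm_rows):
    """S41/S42: sort rows by account and associate them into one event per user."""
    events = defaultdict(lambda: {"logins": [], "ops": []})
    for acct, ts in login_rows:
        events[acct]["logins"].append(ts)
    for acct, ts, content in crm_rows:
        events[acct]["ops"].append((ts, content))
    for ev in events.values():
        ev["logins"].sort()
        ev["ops"].sort()
    return {acct: ev for acct, ev in events.items() if ev["ops"]}


def extract_fingerprints(ev, model=MODEL):
    """S43: reduce one user event to the four fingerprints described on the page."""
    ops = ev["ops"]
    times = [ts for ts, _ in ops]
    start, end = model["work_hours"]
    off_hours = sum(1 for t in times if not start <= t.hour < end)
    limit, window = model["burst"]
    burst, lo = 0, 0
    for hi, t in enumerate(times):  # sliding window over the sorted timestamps
        while (t - times[lo]).total_seconds() > window:
            lo += 1
        burst = max(burst, hi - lo + 1)
    queries = [i for i, (_, c) in enumerate(ops) if c == "QueryTicket"]
    only_queries = bool(queries) and all(c == "QueryTicket" for _, c in ops[queries[0]:])
    prior = [ts for ts in ev["logins"] if ts <= times[0]]
    gap = (times[0] - prior[-1]).total_seconds() if prior else None  # None: 4A bypassed
    return {"time": off_hours * 2 > len(times),
            "frequency": burst > limit,
            "followup": only_queries,
            "4a_timing": gap is None or gap < model["min_login_gap"]}


def judge(fp, model=MODEL):
    """S4: weighted similarity against the model. S5: keep what did not match."""
    w = model["weights"]
    score = sum(w[k] for k, hit in fp.items() if hit) / sum(w.values())
    is_plugin = score > model["match_ratio"]
    relearn = sorted(k for k, hit in fp.items() if not hit) if is_plugin else []
    return {"plugin": is_plugin, "score": round(score, 2), "relearn": relearn}


def detect(login_rows, crm_rows, model=MODEL):
    """Run S41-S43 for every account and return one verdict per account."""
    return {acct: judge(extract_fingerprints(ev, model), model)
            for acct, ev in build_events(login_rows, crm_rows).items()}


if __name__ == "__main__":
    for acct, verdict in detect(*sample_logs()).items():
        print(acct, verdict)
```

The `relearn` list names the fingerprints that did not match for an account already judged a plug-in, which is the material step S5 re-aggregates into a new model entry.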
The invention makes up for the deficiencies of existing plug-in identification methods: plug-in operations are identified effectively by determining whether access behavior conforms to the basic elements of a pre-established or self-learned fingerprint model. The whole identification process needs no manual intervention. It solves the problems that traditional means detect known plug-ins inadequately and cannot identify unknown plug-in behavior, improves the accuracy of plug-in identification and widens its applicability. Users need no professional knowledge and need not set, maintain or test rules in order to monitor business plug-ins, which further improves the security of the business system and reduces the risk of sensitive user information leakage and unauthorized business handling brought by plug-in programs.
The above is only a preferred embodiment of the present invention. It should be understood that the invention is not limited to the form disclosed herein, which should not be regarded as excluding other embodiments; it can be used in various other combinations, modifications, and environments, and can be modified within the scope contemplated herein through the above teachings or the skill or knowledge of the related art. Modifications and changes made by those skilled in the art that do not depart from the spirit and scope of the invention shall all fall within the protection scope of the appended claims.
Claims (5)
1. A method for identifying plug-in operation fingerprint similarity, characterized in that it comprises the following steps:
S1: collecting access operation logs and extracting from them the service feature data of access behavior;
S2: constructing an event fingerprint model of plug-in operation behavior to generate a plug-in fingerprint model;
S3: collecting users' operation fingerprints in real time and comparing them with the fingerprint sequences contained in the plug-in fingerprint model;
S4: judging whether the user operation fingerprint collected in real time matches a fingerprint sequence contained in the plug-in fingerprint model; if so, outputting a plug-in abnormal operation signal and issuing an alarm signal; if not, discarding the feature data that failed to match;
S5: regenerating a new plug-in fingerprint model from the discarded feature data to carry out self-learning of plug-in behavior.
2. The method for identifying plug-in operation fingerprint similarity according to claim 1, characterized in that: in step S2, plug-in event fingerprints are extracted by manual sample learning to form the event fingerprint model.
3. The method for identifying plug-in operation fingerprint similarity according to claim 1, characterized in that: in step S2, event fingerprints are extracted by machine discrete analysis to form the event fingerprint model.
4. The method for identifying plug-in operation fingerprint similarity according to claim 1, characterized in that the method of generating the plug-in fingerprint model in step S2 comprises the following steps:
S21: setting fingerprints to different severity levels according to how high each fingerprint's weight is for a given event type;
S22: integrating the fingerprints of different weights to form the plug-in fingerprint model.
5. The method for identifying plug-in operation fingerprint similarity according to claim 1, characterized in that collecting user operation fingerprints in real time in step S4 comprises the following steps:
S41: classifying users according to the user keywords contained in the operation logs;
S42: associating all the operation behaviors of each classified user to form events;
S43: extracting the key operation fingerprints or time series from the user behavior events to form the real-time user operation fingerprint.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811544425.3A CN109376718A (en) | 2018-12-17 | 2018-12-17 | A kind of recognition methods of plug-in operation fingerprint similarity |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109376718A (en) | 2019-02-22 |
Family
ID=65374317
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811544425.3A Withdrawn CN109376718A (en) | 2018-12-17 | 2018-12-17 | A kind of recognition methods of plug-in operation fingerprint similarity |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109376718A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8311973B1 (en) * | 2011-09-24 | 2012-11-13 | Zadeh Lotfi A | Methods and systems for applications for Z-numbers |
CN204031665U (en) * | 2014-09-05 | 2014-12-17 | 浙江大华技术股份有限公司 | A kind of plug-in connection |
CN108268886A (en) * | 2017-01-04 | 2018-07-10 | 中国移动通信集团四川有限公司 | For identifying the method and system of plug-in operation |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
WW01 | Invention patent application withdrawn after publication | Application publication date: 20190222 |