CN109522190B - Abnormal user behavior identification method and device, electronic equipment and storage medium - Google Patents

Abnormal user behavior identification method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN109522190B
CN109522190B CN201811192193.XA CN201811192193A CN109522190B CN 109522190 B CN109522190 B CN 109522190B CN 201811192193 A CN201811192193 A CN 201811192193A CN 109522190 B CN109522190 B CN 109522190B
Authority
CN
China
Prior art keywords
user
buried
abnormal
buried point
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811192193.XA
Other languages
Chinese (zh)
Other versions
CN109522190A (en
Inventor
陈伟源
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Life Insurance Company of China Ltd
Original Assignee
Ping An Life Insurance Company of China Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Life Insurance Company of China Ltd filed Critical Ping An Life Insurance Company of China Ltd
Priority to CN201811192193.XA priority Critical patent/CN109522190B/en
Publication of CN109522190A publication Critical patent/CN109522190A/en
Application granted granted Critical
Publication of CN109522190B publication Critical patent/CN109522190B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment monitoring of user actions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3466Performance evaluation by tracing or monitoring
    • G06F11/3476Data logging

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The disclosure provides a method and a device for identifying abnormal user behaviors based on a buried point, electronic equipment and a computer readable storage medium, and belongs to the technical field of data processing. The method comprises the following steps: acquiring user behavior logs of a plurality of buried points; counting the total number of users and the total number of user behaviors of each buried point in a preset period according to the user behavior log, and calculating the number of per-capita behaviors of each buried point; determining the buried points with the number of the per-capita behaviors larger than a first threshold value as abnormal buried points; and counting the proportion of the behavior quantity of each user at the abnormal buried point in the preset period to the total behavior quantity of the user, and if the proportion is greater than a second threshold value, judging the behavior of the user at the abnormal buried point as abnormal user behavior. The method and the device can identify the abnormal user behaviors occurring in each buried point, and have high accuracy and identification efficiency.

Description

Abnormal user behavior identification method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of data processing technologies, and in particular, to a method and an apparatus for identifying abnormal user behavior based on a buried point, an electronic device, and a computer-readable storage medium.
Background
The development of the internet and various internet-based Application programs (apps) greatly facilitates people's daily life, but some users also obtain improper benefits through abusing the internet or App services, for example, abnormal users and abnormal user behaviors such as false users, false ' fans ', malicious bills, malicious advertisements and the like appearing on the network affect the normal operation of websites or apps, and therefore the abnormal user behaviors need to be identified and processed.
Most of existing abnormal user behavior identification methods are to establish a database of abnormal user behaviors, match behavior data to be identified with the database, for example, perform regular matching or calculate cosine similarity of the behavior data, and make a judgment according to a matching result. However, this method has the following disadvantages: the user behaviors have complex diversity, and the database is difficult to cover all types of abnormal user behaviors, so omission is easily generated through database matching, and the accuracy of the identification result is influenced; and when the data is matched, all data in the database needs to be traversed, so that time is consumed, more resources are occupied, and the efficiency of the identification process is low.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure aims to provide a method and an apparatus for identifying abnormal user behavior based on a buried point, an electronic device, and a computer-readable storage medium, so as to overcome the problem of low accuracy and efficiency of the existing method for identifying abnormal user behavior at least to a certain extent.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to one aspect of the disclosure, a method for identifying abnormal user behaviors based on buried points is provided, which includes: acquiring user behavior logs of a plurality of buried points; counting the total number of users and the total number of user behaviors of each buried point in a preset period according to the user behavior logs, and calculating the per-capita behavior quantity of each buried point; determining the buried points with the number of the per-capita behaviors larger than a first threshold value as abnormal buried points; and counting the proportion of the behavior quantity of each user at the abnormal buried point in the preset period to the total behavior quantity of the user, and if the proportion is greater than a second threshold value, judging the behavior of the user at the abnormal buried point as abnormal user behavior.
In an exemplary embodiment of the present disclosure, further comprising: when the number of the per-capita behaviors of each buried point does not exceed the first threshold, dividing the plurality of buried points into a plurality of buried point groups; counting the total number of users and the total number of user behaviors of each buried point group in a preset period, and calculating the number of per-capita behaviors of each buried point group; and determining the buried points in the buried point group with the number of the per-capita behaviors larger than a first correction threshold value as abnormal buried points.
In an exemplary embodiment of the present disclosure, determining the buried points of which the number of the person-average behaviors is greater than the first threshold as abnormal buried points includes: respectively multiplying the average human behavior quantity of each buried point by the equivalent coefficient of each buried point to obtain the equivalent average human behavior quantity of each buried point; and determining the buried points with the equivalent number of the per capita behaviors larger than a first threshold value as abnormal buried points.
In an exemplary embodiment of the present disclosure, further comprising: and adjusting the equivalent coefficient of each buried point according to the content change of each buried point.
In an exemplary embodiment of the present disclosure, the abnormal buried point includes a plurality of abnormal buried points; counting the proportion of the behavior quantity of each user at the abnormal buried point in the preset period to the total behavior quantity of the users comprises the following steps: counting the behavior quantity of each user at each abnormal buried point in the preset period, and determining the abnormal buried point with the maximum behavior quantity of the user as a main abnormal buried point of the user; and calculating the proportion of the behavior quantity of the user at the main abnormal buried point to the total behavior quantity of the user.
In an exemplary embodiment of the present disclosure, the plurality of buried points includes a true confidence buried point; the method further comprises the following steps: marking users who generate behaviors at the real confident buried points as real users; and removing the behavior log of the real user from the user behavior log.
In an exemplary embodiment of the present disclosure, further comprising: identifying the user as an abnormal user if the cumulative number of abnormal user behaviors of the user exceeds a third threshold.
According to an aspect of the present disclosure, there is provided a device for identifying abnormal user behavior based on a buried point, including: the user log acquisition module is used for acquiring user behavior logs of a plurality of buried points; the buried point data counting module is used for counting the total number of users and the total number of user behaviors of each buried point in a preset period according to the user behavior log and calculating the per-capita behavior quantity of each buried point; an abnormal buried point determining module, configured to determine a buried point with the number of the average human behaviors larger than a first threshold as an abnormal buried point; and the user behavior judging module is used for counting the proportion of the behavior quantity of each user at the abnormal embedded point in the preset period to the total behavior quantity of the users, and judging the behavior of the user at the abnormal embedded point as the abnormal user behavior when the proportion is greater than a second threshold value.
According to an aspect of the present disclosure, there is provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method of any of the above exemplary embodiments via execution of the executable instructions.
According to an aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any of the above-described exemplary embodiments
Exemplary embodiments of the present disclosure have the following advantageous effects:
according to the method and the device, after user behavior logs of a plurality of buried points are obtained, the total number of users of each buried point and the total number of behaviors of all users in a preset period are counted, the number of per-person behaviors is calculated, and abnormal buried points are determined by comparing the number of per-person behaviors with a first threshold value; and then counting the proportion of the behavior quantity of each user at the abnormal buried point to the total behavior quantity of the user, and if the proportion is greater than a second threshold value, judging that the behavior of the user at the abnormal buried point is abnormal user behavior. On one hand, since the abnormal user behavior is necessarily performed through the embedded points in the website or the App, the embodiment may analyze the user behavior data based on all the embedded points, so that various types of abnormal user behaviors that may occur in each embedded point can be identified, and the accuracy of the identification result is high. On the other hand, the calculation process of the embodiment is simple, the calculation amount is small, and after the user behavior logs are obtained, the user behavior logs are used for carrying out independent data analysis without accessing other databases, so that the efficiency of the identification process is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 schematically illustrates a flow chart of a method for identifying abnormal user behavior in an exemplary embodiment of the present disclosure;
FIG. 2 schematically illustrates a sub-flow diagram of a method of abnormal user behavior recognition in an exemplary embodiment of the present disclosure;
FIG. 3 schematically illustrates a sub-flow diagram of another abnormal user behavior recognition method in an exemplary embodiment of the present disclosure;
fig. 4 is a block diagram schematically illustrating a structure of an abnormal user behavior recognition apparatus in an exemplary embodiment of the present disclosure;
FIG. 5 schematically illustrates an electronic device for implementing the above method in an exemplary embodiment of the disclosure;
fig. 6 schematically illustrates a computer-readable storage medium for implementing a method in an exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described attributes, structures or characteristics may be combined in any suitable manner in one or more embodiments.
The exemplary embodiment of the present disclosure first provides a method for identifying abnormal user behavior based on a buried point. Referring to fig. 1, the method may include the following steps S11 to S14:
and step S11, acquiring user behavior logs of a plurality of buried points.
Usually, the user behavior logs are collected and aggregated from various burial points, and in the user behavior logs, the burial point information, namely, which burial point each log originates from, can be reserved. As shown in table 1, the user behavior log may contain buried point information, for example, user jia clicks "check-in" at the buried point of the check-in page, and user yi performs access behavior at the buried point of the product page. In order to comprehensively identify various abnormal user behaviors, user behavior logs can be acquired from all buried points or as many buried points as possible of a website or an App; however, there may be buried points where malicious operations or false behaviors cannot be performed, such as real-name authentication buried points, and the like, and the user behavior logs of these buried points may be removed to reduce the amount of subsequent data analysis.
Time Buried point User ID Event(s)
8:02:04 Sign-in page jia Click sign-in "
8:02:10 Product page yi visit
8:02:25 Comment page bing Input“xxx”
8:03:02 Product page jia visit
8:03:40 Transaction page yi pay
8:03:45 Comment page jia visit
8:03:53 Product page jia visit
TABLE 1
And S12, counting the total number of the users and the total number of the user behaviors of each embedded point in a preset period according to the user behavior log, and calculating the number of the per-capita behaviors of each embedded point.
The preset period can be set to be one day, one week, one month and the like according to the characteristics of the website or the App, the total number of the users refers to the number of the users who generate behaviors at each embedded point, and the total number of the user behaviors refers to the total number of the behaviors at each embedded point. For example, the user jia visits the product page 7 times in a day, which is counted as 1 in the total number of users and 7 in the total number of user behaviors, that is, the multiple behaviors of the same user in the same buried point are not repeatedly counted in the total number of users in the buried point, and are repeatedly counted in the total number of user behaviors in the buried point. Table 2 shows an example of the total user count and the total user behavior count at each buried point, and it is obvious that the total user behavior count is generally greater than the total user count, and the average number of behaviors at each buried point is obtained by dividing the total user behavior count and the total user behavior count, and the average number of behaviors at each buried point is generally greater than 1.
Period of time Buried point Total number of users Total number of actions Number of average behaviors
4 month and 18 days Sign-in page 3520 3850 1.1
4 month and 18 days Product page 2880 65200 22.6
4 month and 18 days Comment page 2560 83500 32.6
4 month and 18 days Transaction page 620 750 1.2
TABLE 2
And S13, determining the buried points with the number of the average behaviors of people larger than a first threshold value as abnormal buried points.
Often abnormal user behavior is concentrated on a few buried points, and abnormal behavior such as swiping comments will result in a far higher than normal amount of per-person behavior for commenting pages. Therefore, the first threshold value can be set according to experience, historical data and the like to be used as a distinguishing standard for screening out abnormal buried points. For example, the first threshold value may be set to 30 empirically, and the review page with the number of average person behaviors exceeding 30 may be determined as the abnormal buried point, taking the data of each buried point in table 2 as an example. Of course, the number of the abnormal buried points may not be limited to 1, and for example, if the first threshold is set to 20 in table 2, both the product page and the review page may be determined as the abnormal buried points.
And S14, counting the proportion of the number of the behaviors of each user at the abnormal buried point in the preset period to the total number of the behaviors of the user, and if the proportion is greater than a second threshold value, judging the behavior of the user at the abnormal buried point as the abnormal user behavior.
After the abnormal buried point is determined, not all the user behaviors occurring at the abnormal buried point are abnormal user behaviors, including some normal user behaviors. Taking table 2 as an example, the comment page is determined as an abnormal buried point, but the user comment behavior occurring on the comment page may include both normal comment behavior and abnormal comment behavior such as comment swiping, and therefore needs to be further distinguished. Since the behaviors of the abnormal users are usually concentrated on a few buried points, the number of the behaviors performed on the abnormal buried points should occupy the vast majority of the total number of the behaviors, so that the "number of the behaviors performed on the abnormal buried points/the total number of the behaviors" can be used to distinguish whether a user is abnormal or not, wherein a second threshold value serving as a distinguishing standard can be set according to experience or historical data, and when the ratio is greater than the second threshold value, the user can be judged to be an abnormal user, and the behavior of the user at the abnormal buried points is an abnormal behavior.
It should be noted that, in this embodiment, setting appropriate values for the first threshold and the second threshold has an important effect on accurately distinguishing the normal/abnormal buried point and the normal/abnormal user behavior. In practical application, initial values of the first threshold and the second threshold may be set empirically, and then the two thresholds are continuously modified through iteration, for example, in use, if it is found that a part of the buried points identified as abnormal are actually normal buried points, the first threshold may be appropriately increased, otherwise, the first threshold is decreased, and if it is found that a part of the users identified as abnormal user behaviors are actually normal users, the second threshold may be appropriately increased, otherwise, the second threshold is decreased, so as to finally obtain the ideal first threshold and second threshold.
According to the method, after user behavior logs of a plurality of buried points are obtained, the total number of users and the total number of user behaviors of each buried point in a preset period are counted, the number of per-capita behaviors is calculated, and abnormal buried points are determined by comparing the number of per-capita behaviors with a first threshold value; and then counting the proportion of the behavior quantity of each user at the abnormal buried point to the total behavior quantity of the user, and if the proportion is greater than a second threshold value, judging that the behavior of the user at the abnormal buried point is the abnormal user behavior. On one hand, since the abnormal user behavior is necessarily performed through the embedded points in the website or the App, the embodiment may analyze the user behavior data based on all the embedded points, so that various types of abnormal user behaviors that may occur in each embedded point can be identified, and the accuracy of the identification result is high. On the other hand, the calculation process of the embodiment is simple, the calculation amount is small, and after the user behavior logs are obtained, the user behavior logs are used for carrying out independent data analysis without accessing other databases, so that the efficiency of the identification process is improved.
Generally, a certain correlation exists between different buried points, abnormal user behaviors may occur simultaneously at a plurality of buried points having strong correlation, for example, in order to improve the heat degree of a product a, an abnormal user may perform various behaviors such as clicking, commenting, collecting and the like simultaneously for the product a, the abnormal user behaviors are equivalent to being distributed to the relevant buried points, and if data is counted for each buried point respectively, the data abnormality of each buried point may not be prominent enough and is not easy to identify. For this case, in an exemplary embodiment, as shown with reference to fig. 2, the abnormal user behavior recognition method may further include the steps of:
and S21, when the number of the per-capita behaviors of each buried point does not exceed a first threshold value, dividing each buried point into a plurality of buried point groups.
And S22, counting the total number of users and the total number of user behaviors of each embedded point group in a preset period, and calculating the number of the per-capita behaviors of each embedded point group.
And step S23, determining the buried points in the buried point group with the number of the per capita behaviors larger than the first correction threshold as abnormal buried points.
When the buried point groups are divided, related buried points can be divided into one group by taking products, functional modules, pages and the like as units according to the actual situation of an application scene. After the buried point groups are divided, the analysis of the user behavior data may be performed in units of buried point groups. Because the embedded point group comprises user behaviors of a plurality of embedded points, the number of the per-person behaviors is usually larger than that of a single embedded point, the first threshold value can be properly corrected (usually, the first threshold value is improved), the first corrected threshold value is obtained, and abnormal embedded points can be more accurately screened out through the first corrected threshold value.
For example, the first modified threshold may be calculated by the following equation:
tm = a · n · T/R; wherein Tm is a first correction threshold, T is a first threshold, n is the number of buried points in the buried point group, and a is a parameter, generally about 1, which can be determined empirically; r is a correlation coefficient of each buried point in the buried point group, and can be further calculated by the following formula:
Figure BDA0001827786920000071
wherein, pt is the total number of users of the buried point group, and P1, P2 … Pn are the difference between the total number of users of each buried point and the total number of users of the buried point group.
When the number of the per-capita behaviors of a certain buried point group is larger than a first correction threshold, all the buried points in the certain buried point group can be considered as abnormal buried points.
In practical applications, because the meaning and function of each embedded point are different, the number of the behaviors per person of each embedded point may not be at the same level, and it is difficult to distinguish whether the behaviors are abnormal or not by the uniform first threshold. For this case, in an exemplary embodiment, as shown with reference to fig. 3, step S13 may be implemented by:
and step S31, multiplying the number of the average human behaviors of each buried point by the equivalent coefficient of each buried point to obtain the number of the equivalent average human behaviors of each buried point.
And step S32, determining the buried points with the equivalent average human behavior quantity larger than the first threshold value as abnormal buried points.
For example, taking table 3 as an example, each user normally signs in 1 time per day, and the review is more than 1 time, so that the per-person behavior quantity of the review page is normally greater than the per-person behavior quantity of the sign-in page, and it is difficult to measure two values by the uniform first threshold. Therefore, the number of the per-capita behaviors of each embedded point can be corrected through the equivalent coefficient, and the corrected numerical values are on the same level. For example, according to experience, each user signs in 1 time per day, browses products 10 times, writes comments 6 times, and transacts 0.5 times, the equivalent coefficient of each buried point may be the reciprocal of the average number of times per day, so that the equivalent number of per-person behaviors may be calculated.
Figure BDA0001827786920000081
TABLE 3
It should be understood that the equivalent coefficients for different buried points may be the same or different. When the abnormal buried point is judged according to the equivalent average human behavior quantity, the first threshold value can be determined according to the numerical range of the equivalent average human behavior quantity. For example, in table 3, theoretically, the number of equivalent human-average behaviors calculated from the equivalent coefficient should be near 1, and the abnormality is described as the distance from 1 increases, and the comment page may be an abnormality buried point if the first threshold is set to 3.
In an exemplary embodiment, the equivalent coefficients of the buried points may also be adjusted according to the content variation of the buried points. The content change of the buried point may cause that the user behavior data on the buried point changes greatly, for example, when a new product is published on a product page, more users are usually attracted to click or browse, when a comment page organizes an activity of bonus comments, more users are attracted to comment, and therefore, the calculated number of the per-capita behaviors also changes greatly. The equivalent man-machine-shared behavior quantity can still keep the original level by adjusting the corresponding equivalent coefficient so as to distinguish whether the buried point is abnormal or not through the first threshold value.
It should be added that the method for calculating the number of equivalent per capita behaviors through the equivalent coefficients is also applicable to the case of analysis of the buried point groups, and the equivalent coefficients can be set for each buried point group according to the characteristics of the buried point group, and then the number of equivalent per capita behaviors of each buried point group is calculated and compared with the first correction threshold. When the content of the buried point groups changes, the equivalent coefficient can be correspondingly adjusted, so that the equivalent per capita behavior quantity of each buried point group is kept at the same or similar level.
In an exemplary embodiment, a plurality of abnormal buried points may be identified by a first threshold; when judging whether the behavior of the user at the abnormal buried point is abnormal user behavior, counting the behavior quantity of each user at each abnormal buried point in a preset period, and determining the abnormal buried point with the maximum behavior quantity of the user as a main abnormal buried point of the user; and then calculating the proportion of the behavior quantity of the user at the main abnormal buried point to the total behavior quantity of the user, and comparing the proportion with a second threshold value to judge. When the proportion of the number of the behaviors of the user at the main abnormal buried point is too high to exceed the second threshold, the behaviors of the user at all the abnormal buried points can be judged to be the abnormal user behaviors. Thereby providing criteria for identifying abnormal user behavior in the case of multiple abnormal buried points.
In an exemplary embodiment, a true confidence site may be included in the site or App's site, where a user that is behaving at the site may be deemed a true user, e.g., a real-name authenticated site, a high volume transaction site, etc., and a user who has performed real-name authentication or a high volume transaction may be deemed a true user. The abnormal user behavior recognition method may further include: marking the users who generate the behaviors at the real confident buried points as real users; and removing the behavior log of the real user from the user behavior log. All behaviors of the real user can be regarded as normal behaviors, the real user does not need to be analyzed and identified, and the behavior log of the real user is removed from the user behavior log to be analyzed, so that the subsequent data analysis amount is further reduced.
When abnormal user behavior is identified, abnormal users can be further identified. It should be noted that a user who does not make an abnormal user behavior is necessarily an abnormal user, and a certain judgment condition may be set in order to prevent a case where a normal user occasionally makes an abnormal user behavior and recognizes it as an abnormal user. In an exemplary embodiment, a user may be identified as an abnormal user if the cumulative number of abnormal user behaviors exceeds a third threshold. Similarly to the first threshold or the second threshold, the third threshold may also be set according to experience or historical data, and in actual use, if the third threshold is set to be low, the normal user is identified as an abnormal user, the third threshold may be appropriately increased, and if the third threshold is set to be high, the third threshold may be appropriately decreased, the abnormal user is not identified within a certain time. In the present embodiment, a specific setting method of the third threshold is not particularly limited.
In addition, other conditions for judging the abnormal user may be set, for example, the user is identified with the abnormal user behavior in a plurality of continuous periods (for example, three or five continuous days), or the proportion of the periods in which the abnormal user behavior is identified in a longer time is too high, for example, three days in a week occur with the abnormal user behavior, and the three days may be continuous or discontinuous, and the user may be identified as the abnormal user. For the abnormal user, measures such as warning, accountability, prohibition, shielding and the like can be implemented correspondingly.
An exemplary embodiment of the present disclosure also provides a device for identifying abnormal user behavior based on a buried point, and as shown in fig. 4, the device 40 may include: a user log obtaining module 41, configured to obtain user behavior logs of multiple buried points; the buried point data counting module 42 is used for counting the total number of users and the total number of user behaviors of each buried point in a preset period according to the user behavior log and calculating the per-capita behavior number of each buried point; an abnormal buried point determining module 43, configured to determine a buried point with a number of average human behaviors greater than a first threshold as an abnormal buried point; and the user behavior judging module 44 is configured to count a ratio of the number of behaviors of each user at the abnormal buried point in the preset period to the total number of the behaviors of the user, and judge the behavior of the user at the abnormal buried point as an abnormal user behavior when the ratio is greater than a second threshold. The specific details of each module have been described in detail in the embodiments of the method section, and thus are not described again.
Exemplary embodiments of the present disclosure also provide an electronic device capable of implementing the above method.
As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or program product. Accordingly, various aspects of the present disclosure may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," module "or" system.
An electronic device 500 according to such an exemplary embodiment of the present disclosure is described below with reference to fig. 5. The electronic device 500 shown in fig. 5 is only an example and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 5, the electronic device 500 is embodied in the form of a general purpose computing device. The components of the electronic device 500 may include, but are not limited to: the at least one processing unit 510, the at least one memory unit 520, a bus 530 connecting various system components (including the memory unit 520 and the processing unit 510), and a display unit 540.
Wherein the storage unit stores program code that is executable by the processing unit 510 to cause the processing unit 510 to perform steps according to various exemplary embodiments of the present disclosure as described in the above section "exemplary methods" of this specification. For example, processing section 510 may execute steps S11 to S14 shown in fig. 1, and may execute steps S21 to S23 shown in fig. 2.
The storage unit 520 may include readable media in the form of volatile storage units, such as a random access memory unit (RAM) 521 and/or a cache memory unit 522, and may further include a read only memory unit (ROM) 523.
The storage unit 520 may also include a program/utility 524 having a set (at least one) of program modules 525, such program modules 525 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which or some combination thereof may comprise an implementation of a network environment.
Bus 530 may be one or more of any of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 500 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 500, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 500 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 550. Also, the electronic device 500 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 560. As shown, the network adapter 560 communicates with the other modules of the electronic device 500 over a bus 530. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 500, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, to name a few.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the exemplary embodiments of the present disclosure.
Exemplary embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, various aspects of the disclosure may also be implemented in the form of a program product comprising program code for causing a terminal device to perform the steps according to various exemplary embodiments of the disclosure described in the "exemplary methods" section above of this specification, when the program product is run on the terminal device.
Referring to fig. 6, a program product 600 for implementing the above method according to an exemplary embodiment of the present disclosure is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not so limited, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In situations involving remote computing devices, the remote computing devices may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to external computing devices (e.g., through the internet using an internet service provider).
Furthermore, the above-described drawings are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily appreciated that the processes illustrated in the above figures are not intended to indicate or limit the temporal order of the processes. In addition, it is also readily understood that these processes may be performed, for example, synchronously or asynchronously in multiple modules.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit according to an exemplary embodiment of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the terms of the appended claims.

Claims (9)

1. A method for recognizing abnormal user behaviors based on buried points is characterized by comprising the following steps:
acquiring user behavior logs of a plurality of buried points;
counting the total number of users and the total number of user behaviors of each buried point in a preset period according to the user behavior log, and calculating the number of per-capita behaviors of each buried point;
determining the buried points with the number of the per-capita behaviors larger than a first threshold value as abnormal buried points;
when the number of the per-capita behaviors of each buried point does not exceed the first threshold, dividing the plurality of buried points into a plurality of buried point groups;
counting the total number of users and the total number of user behaviors of each buried point group in a preset period, and calculating the number of per-capita behaviors of each buried point group;
determining buried points in the buried point group with the per-capita behavior quantity larger than a first correction threshold value as abnormal buried points; the first correction threshold is a threshold obtained by correcting the first threshold;
counting the proportion of the behavior quantity of each user at the abnormal buried point in the total behavior quantity of the users in the preset period, and if the proportion is larger than a second threshold value, judging the behavior of the user at the abnormal buried point as abnormal user behavior;
the first correction threshold is calculated by the following formula:
Tm=a·n·T/R;
wherein Tm is a first correction threshold, T is a first threshold, n is the number of buried points in the buried point group, and a is an empirical parameter; r is a correlation coefficient of each buried point in the buried point group, and can be further calculated by the following formula:
Figure FDA0003974816460000011
wherein, pt is the total number of users of the buried point group, and P1, P2, …, pn are the difference between the total number of users of each buried point in the buried point group and the total number of users of the buried point group, respectively.
2. The method of claim 1, wherein determining the buried points for which the number of human-average behaviors is greater than a first threshold as abnormal buried points comprises:
respectively multiplying the average human behavior quantity of each buried point by the equivalent coefficient of each buried point to obtain the equivalent average human behavior quantity of each buried point;
and determining the buried points with the equivalent number of the per-capita behaviors larger than a first threshold value as abnormal buried points.
3. The method of claim 2, further comprising:
and adjusting the equivalent coefficient of each buried point according to the content change of each buried point.
4. The method of claim 1, wherein the anomaly burial points comprise a plurality of anomaly burial points; counting the proportion of the behavior quantity of each user at the abnormal buried point in the preset period to the total behavior quantity of the users comprises the following steps:
counting the behavior quantity of each user at each abnormal buried point in the preset period, and determining the abnormal buried point with the maximum behavior quantity of the user as a main abnormal buried point of the user;
and calculating the proportion of the behavior quantity of the user at the main abnormal buried point to the total behavior quantity of the user.
5. The method of claim 1, wherein the plurality of buried points comprises true confident buried points; the method further comprises the following steps:
marking users who generate behaviors at the real confident buried points as real users;
removing the behavior log of the real user from the user behavior log.
6. The method of claim 1, further comprising:
identifying the user as an abnormal user if the cumulative number of abnormal user behaviors of the user exceeds a third threshold.
7. An abnormal user behavior recognition device based on a buried point is characterized by comprising:
the user log acquisition module is used for acquiring user behavior logs of a plurality of buried points;
the buried point data counting module is used for counting the total number of users and the total number of user behaviors of each buried point in a preset period according to the user behavior log and calculating the per-capita behavior quantity of each buried point;
the abnormal buried point determining module is used for determining the buried points of which the number of the per-capita behaviors is larger than a first threshold value as abnormal buried points; when the number of the per-capita behaviors of each buried point does not exceed the first threshold, dividing the plurality of buried points into a plurality of buried point groups; counting the total number of users and the total number of user behaviors of each buried point group in a preset period, and calculating the number of per-capita behaviors of each buried point group; determining buried points in the buried point group with the per-capita behavior quantity larger than a first correction threshold value as abnormal buried points; the first correction threshold is a threshold obtained by correcting the first threshold;
the user behavior judging module is used for counting the proportion of the behavior quantity of each user at the abnormal embedded point in the preset period to the total behavior quantity of the users, and judging the behavior of the user at the abnormal embedded point as abnormal user behavior when the proportion is larger than a second threshold value;
the first correction threshold is calculated by the following formula:
Tm=a·n·T/R;
wherein Tm is a first correction threshold, T is a first threshold, n is the number of buried points in the buried point group, and a is an empirical parameter; r is a correlation coefficient of each buried point in the buried point group, and can be further calculated by the following formula:
Figure FDA0003974816460000031
wherein, pt is the total number of users of the buried point group, and P1, P2, …, pn are the difference between the total number of users of each buried point in the buried point group and the total number of users of the buried point group, respectively.
8. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the method of any of claims 1-6 via execution of the executable instructions.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method of any one of claims 1 to 6.
CN201811192193.XA 2018-10-12 2018-10-12 Abnormal user behavior identification method and device, electronic equipment and storage medium Active CN109522190B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811192193.XA CN109522190B (en) 2018-10-12 2018-10-12 Abnormal user behavior identification method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811192193.XA CN109522190B (en) 2018-10-12 2018-10-12 Abnormal user behavior identification method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN109522190A CN109522190A (en) 2019-03-26
CN109522190B true CN109522190B (en) 2023-02-03

Family

ID=65772353

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811192193.XA Active CN109522190B (en) 2018-10-12 2018-10-12 Abnormal user behavior identification method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN109522190B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110347582B (en) * 2019-05-21 2024-05-28 平安银行股份有限公司 Buried point testing method and device
CN111221722B (en) * 2019-09-23 2024-01-30 平安科技(深圳)有限公司 Behavior detection method, behavior detection device, electronic equipment and storage medium
CN110995687B (en) * 2019-11-26 2022-06-07 深圳市铭数信息有限公司 Cat pool equipment identification method, device, equipment and storage medium
CN111047433B (en) * 2019-12-16 2024-04-09 深圳市卡牛科技有限公司 Analysis method, analysis device, server and storage medium for user anomaly reasons
CN111563527B (en) * 2020-03-30 2024-02-09 北京金堤科技有限公司 Abnormal event detection method and device
CN112162918A (en) * 2020-09-07 2021-01-01 北京达佳互联信息技术有限公司 Application program testing method and device and electronic equipment
CN113641970B (en) * 2021-08-16 2022-08-26 深圳竹云科技有限公司 Risk detection method and device and computing equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103778244A (en) * 2014-02-11 2014-05-07 五八同城信息技术有限公司 Automatic report analytical method based on user behavior logs
CN105868256A (en) * 2015-12-28 2016-08-17 乐视网信息技术(北京)股份有限公司 Method and system for processing user behavior data
CN106777244A (en) * 2016-12-27 2017-05-31 国网浙江象山县供电公司 A kind of power customer electricity consumption behavior analysis method and system
CN106815452A (en) * 2015-11-27 2017-06-09 苏宁云商集团股份有限公司 A kind of cheat detection method and device
CN107995283A (en) * 2017-11-29 2018-05-04 上海恺英网络科技有限公司 A kind of data bury the method, equipment and system of point analysis
CN108038130A (en) * 2017-11-17 2018-05-15 中国平安人寿保险股份有限公司 Automatic cleaning method, device, equipment and the storage medium of fictitious users

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106708899B (en) * 2015-11-17 2021-04-27 阿里巴巴集团控股有限公司 Automatic point burying method and device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103778244A (en) * 2014-02-11 2014-05-07 五八同城信息技术有限公司 Automatic report analytical method based on user behavior logs
CN106815452A (en) * 2015-11-27 2017-06-09 苏宁云商集团股份有限公司 A kind of cheat detection method and device
CN105868256A (en) * 2015-12-28 2016-08-17 乐视网信息技术(北京)股份有限公司 Method and system for processing user behavior data
CN106777244A (en) * 2016-12-27 2017-05-31 国网浙江象山县供电公司 A kind of power customer electricity consumption behavior analysis method and system
CN108038130A (en) * 2017-11-17 2018-05-15 中国平安人寿保险股份有限公司 Automatic cleaning method, device, equipment and the storage medium of fictitious users
CN107995283A (en) * 2017-11-29 2018-05-04 上海恺英网络科技有限公司 A kind of data bury the method, equipment and system of point analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
网站统计中的数据收集原理及实现-埋点统计;simonGeek;《https://blog.csdn.net/simongeek/article/details/53464005》;20161205;第1页至第8页 *

Also Published As

Publication number Publication date
CN109522190A (en) 2019-03-26

Similar Documents

Publication Publication Date Title
CN109522190B (en) Abnormal user behavior identification method and device, electronic equipment and storage medium
CN109241418B (en) Abnormal user identification method and device based on random forest, equipment and medium
CN107809331B (en) Method and device for identifying abnormal flow
US10171335B2 (en) Analysis of site speed performance anomalies caused by server-side issues
WO2019061994A1 (en) Electronic device, insurance product recommendation method and system, and computer readable storage medium
US20210035126A1 (en) Data processing method, system and computer device based on electronic payment behaviors
CN109461023B (en) Loss user retrieval method and device, electronic equipment and storage medium
US20170155537A1 (en) Root cause investigation of site speed performance anomalies
CN107895011B (en) Session information processing method, system, storage medium and electronic equipment
US20140006044A1 (en) System and method for preparing healthcare service bundles
US9330160B2 (en) Software application complexity analysis
CN111181757B (en) Information security risk prediction method and device, computing equipment and storage medium
CN110348471B (en) Abnormal object identification method, device, medium and electronic equipment
CN110162518B (en) Data grouping method, device, electronic equipment and storage medium
CN113780329A (en) Method, apparatus, server and medium for identifying data anomalies
US10504026B2 (en) Statistical detection of site speed performance anomalies
US20160062816A1 (en) Detection of outage in cloud based service using usage data based error signals
CN114493255A (en) Enterprise abnormity monitoring method based on knowledge graph and related equipment thereof
Li et al. Robust jump regressions
CN109408556B (en) Abnormal user identification method and device based on big data, electronic equipment and medium
CN112070564B (en) Advertisement pulling method, device and system and electronic equipment
CN111625587B (en) Data sharing apparatus
WO2019095569A1 (en) Financial analysis method based on financial and economic event on microblog, application server, and computer readable storage medium
CN110070383B (en) Abnormal user identification method and device based on big data analysis
CN116664306A (en) Intelligent recommendation method and device for wind control rules, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant