CN109936549A - Audit data processing method and device based on PKI platform - Google Patents


Info

Publication number: CN109936549A
Application number: CN201711366752.XA
Priority to: CN201711366752.XA
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 孟媛媛
Original Assignee: Aisino Corp
Current Assignee: Aisino Corp
Legal status: Pending
Prior art keywords: user, behavior, label, data, user behavior

Abstract

The invention discloses an audit data processing method and device based on a Public Key Infrastructure (PKI) platform. The method extracts the user behavior data generated by user operations; processes the user behavior data to determine a user role label and individual behavior labels, obtaining a user behavior portrait; and performs security analysis on the user behavior portrait to identify abnormal user behavior. By analyzing the user behavior portrait, embodiments of the invention can quickly locate abnormal user behavior, assist network security analysis, and improve the efficiency and accuracy of audit data processing.

Description

Audit data processing method and device based on PKI platform
Technical field
The present invention relates to the field of computer technology, and in particular to an audit data processing method and device based on a Public Key Infrastructure (PKI) platform.
Background
This section is intended to provide background or context for the embodiments of the invention set forth in the claims. The description here is not admitted to be prior art merely because it is included in this section.
A PKI platform is a set of technologies and specifications that uses public key cryptography to provide a security foundation for e-commerce. Building a PKI platform mainly involves multiple systems, such as the certificate authority (CA), the registration authority (RA), the digital certificate repository, the key backup and recovery system, and the certificate revocation system. To give these systems an integrated security management mechanism, all security-related historical operation events are usually recorded uniformly as audit records. An audit record generally includes elements such as the time of the audit event, the user, the type, and whether the operation succeeded; this audit data usually relates to operations on keys, certificates and the like. Auditing gives security personnel enough information to pinpoint existing security vulnerabilities and track potential security risks. An active PKI platform generates a large amount of audit data every day, but at present this data often serves only as a log: it is rarely preprocessed, is displayed only as a plain list, and lacks effective analysis and in-depth mining, so many sensitive patterns and characteristic data in the platform's operation are missed.
The methods currently used to process audit data all have shortcomings. Expert systems depend too heavily on a knowledge base built manually in advance; the accuracy of pattern matching depends on a predefined system signature library; the "threshold" in mathematical statistics often depends on the administrator's experience, which inevitably leads to false positives and false negatives; and immune systems, although effective in theory, do not achieve a sufficient detection rate and accuracy in practice. An effective audit data processing method is therefore needed.
Summary of the invention
Embodiments of the present invention provide an audit data processing method and device based on a PKI platform that can improve the efficiency and accuracy of audit data processing.
An audit data processing method based on a Public Key Infrastructure (PKI) platform, comprising:
Extracting the user behavior data generated by user operations;
Processing the user behavior data to determine a user role label and individual behavior labels, obtaining a user behavior portrait;
Performing security analysis on the user behavior portrait to identify abnormal user behavior.
Preferably, the method further comprises:
Constructing a user behavior label system, the user behavior label system comprising multi-level labels.
Preferably, processing the user behavior data to determine the user role label and individual behavior labels comprises:
Preprocessing the user behavior data based on the user behavior label system to obtain the feature vectors of user behavior;
Processing the feature vectors of user behavior with a clustering algorithm to determine the user role label;
Performing historical behavior labeling according to the user role to obtain the individual behavior labels.
Preferably, preprocessing the user behavior data comprises:
For each user operation, taking in turn the maximum and minimum operation counts over all users and applying min-max normalization according to $x' = (x - \min_A)/(\max_A - \min_A)$, where $x$ is the raw data, $x'$ is the corresponding normalized data, $\max_A$ is the maximum operation count and $\min_A$ is the minimum operation count;
Merging the normalized user behavior data by weighting according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels that belong to one second-level label.
Preferably, processing the feature vectors of user behavior with a clustering algorithm comprises:
Processing the feature vectors of user behavior with the K-means clustering algorithm.
Preferably, performing historical behavior labeling according to the user role comprises:
Determining the behavior count of each operation behavior in the user behavior labels;
Combining personal historical data and group behavior, determining the weight of a user behavior label according to $p = \alpha \times b_{person} + \beta \times b_{group}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{person}$ is the proportion of all of the user's operation behaviors within the set time that this operation behavior accounts for, and $b_{group}$ is the proportion of all users' operation behaviors that this operation behavior accounts for.
An audit data processing device based on a PKI platform, comprising an extraction unit, a processing unit and an analysis unit, wherein:
The extraction unit is configured to extract the user behavior data generated by user operations;
The processing unit is configured to process the user behavior data, determine a user role label and individual behavior labels, and obtain a user behavior portrait;
The analysis unit is configured to perform security analysis on the user behavior portrait and identify abnormal user behavior.
Preferably, the device further comprises a construction unit configured to construct a user behavior label system, the user behavior label system comprising multi-level labels.
Preferably, the processing unit is specifically configured to:
Preprocess the user behavior data based on the user behavior label system to obtain the feature vectors of user behavior; process the feature vectors of user behavior with a clustering algorithm to determine the user role label; and perform historical behavior labeling according to the user role to obtain the individual behavior labels.
Preferably, the processing unit is specifically configured to: for each user operation, take in turn the maximum and minimum operation counts over all users and apply min-max normalization according to $x' = (x - \min_A)/(\max_A - \min_A)$, where $x$ is the raw data, $x'$ is the corresponding normalized data, $\max_A$ is the maximum operation count and $\min_A$ is the minimum operation count; and merge the normalized user behavior data by weighting according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels that belong to one second-level label.
Preferably, the processing unit is specifically configured to process the feature vectors of user behavior with the K-means clustering algorithm.
Preferably, the processing unit is specifically configured to determine the behavior count of each operation behavior in the user behavior labels and, combining personal historical data and group behavior, determine the weight of a user behavior label according to $p = \alpha \times b_{person} + \beta \times b_{group}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{person}$ is the proportion of all of the user's operation behaviors within the set time that this operation behavior accounts for, and $b_{group}$ is the proportion of all users' operation behaviors that this operation behavior accounts for.
The audit data processing method and device based on a PKI platform provided by the embodiments of the invention extract and process the user behavior data generated by user operations, determine the user role label and individual behavior labels, and obtain a user behavior portrait; security analysis is then performed on the user behavior portrait to identify abnormal user behavior. The large volume of audit data generated by the PKI platform can thus be mined and analyzed in depth from the user's perspective: complex data related to user behavior is converted into a simple, explicit user behavior portrait, so that retrieving the portrait through fast database access avoids the latency caused by frequently retrieving and querying logs and accessing log files or log databases. Analyzing the user behavior portrait also makes it possible to quickly locate abnormal user behavior, assist network security analysis, and improve the efficiency and accuracy of audit data processing.
Other features and advantages of the invention are set out in the description that follows, and in part become apparent from the description or are understood by practicing the invention. The objectives and other advantages of the invention can be realized and obtained through the structure particularly pointed out in the written description, the claims and the drawings.
Description of the drawings
The drawings described here provide a further understanding of the invention and form a part of it. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic flow diagram of the audit data processing method based on a PKI platform provided by an embodiment of the invention;
Fig. 2 is a schematic structural diagram of the audit data processing device based on a PKI platform provided by an embodiment of the invention.
Detailed description of the embodiments
To make the purposes, technical solutions and advantages of the application clearer, the technical solutions of the application are described clearly and completely below with reference to specific embodiments of the application and the corresponding drawings. The described embodiments are obviously only some of the embodiments of the application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments in the application without creative work fall within the protection scope of the application.
Data mining, as a general knowledge discovery technique, can extract the information people are interested in from massive data, which matches the needs of audit data analysis; the difficulty lies in proposing a mining algorithm suited to the specific application scenario.
The invention starts from user behavior and uses user portrait technology to understand users, converting user attributes into a regular data format that is easy for a computer to store and access. The user portrait process has two main parts, user role extraction and behavior attribute feature extraction, and specifically covers user basic attribute labels, behavior attribute labels and role attribute labels. Basic attribute labels cover the user's basic information, such as gender, age, job information and length of service. User role labels are obtained mainly by clustering an analysis of the user's common operations, and are distinct from the roles already configured on the platform (such as administrator and operator).
Fig. 1 shows the implementation flow of the audit data processing method based on a PKI platform provided by an embodiment of the invention. As shown in Fig. 1, the method comprises:
Step 101: extract the user behavior data generated by user operations;
Step 102: process the user behavior data, determine the user role label and individual behavior labels, and obtain a user behavior portrait;
Step 103: perform security analysis on the user behavior portrait and identify abnormal user behavior.
Preferably, the method further comprises: constructing a user behavior label system, the user behavior label system comprising multi-level labels.
Here, security analysis is performed from the perspective of user behavior, so only the user behavior generated by user operations is involved. The core of a user portrait is the establishment of the user behavior label system. The relevant user behavior label system is shown in Table 1, which mainly gives the first-level and second-level label structure. The user behavior portrait supports multi-level labels, including third-level and fourth-level label structures. Every level supports dynamic adjustment, including adding, deleting and modifying labels, and can be configured flexibly as needed.
Table 1: User behavior label system
Further, step 102 specifically comprises:
Preprocessing the user behavior data based on the user behavior label system to obtain the feature vectors of user behavior;
Processing the feature vectors of user behavior with a clustering algorithm to determine the user role label;
Performing historical behavior labeling according to the user role to obtain the individual behavior labels.
Preprocessing the user behavior data, i.e. preprocessing the user's raw behavior data, comprises:
For each user operation, taking in turn the maximum and minimum operation counts over all users and applying min-max normalization according to $x' = (x - \min_A)/(\max_A - \min_A)$, where $x$ is the raw data, $x'$ is the corresponding normalized data, $\max_A$ is the maximum operation count and $\min_A$ is the minimum operation count;
Merging the normalized user behavior data by weighting according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels that belong to one second-level label.
Processing the feature vectors of user behavior with a clustering algorithm comprises:
Processing the feature vectors of user behavior with the K-means clustering algorithm.
Performing historical behavior labeling according to the user role comprises:
Determining the behavior count of each operation behavior in the user behavior labels;
Combining personal historical data and group behavior, determining the weight of a user behavior label according to $p = \alpha \times b_{person} + \beta \times b_{group}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{person}$ is the proportion of all of the user's operation behaviors within the set time that this operation behavior accounts for, and $b_{group}$ is the proportion of all users' operation behaviors that this operation behavior accounts for.
Preferably, processing the user behavior data, determining the user role label and individual behavior labels, and obtaining the user behavior portrait comprises:
1. Preprocess each user's raw behavior data to obtain the user operation behavior feature vector.
Taking each third-level label as one behavior feature, for each operation the maximum and minimum operation counts over all users are taken in turn and min-max normalization is applied, giving each user's feature vector. The normalization formula is: $x' = (x - \min_A)/(\max_A - \min_A)$
where $x$ is the raw data, $x'$ is the corresponding normalized data, and $\min_A$ and $\max_A$ are the minimum and maximum values for operation A.
After normalization, the user's operation behavior data for different attributes is dimensionless, i.e. the incommensurability between different attribute data is eliminated; data that is closely related but not directly comparable can then be merged by weighting. The weighted-merge formula is: $S = c_1 x + c_2 y + \dots + c_n z$
where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the different attributes that need to be analyzed together. This step mainly merges the third-level label behaviors that belong to one second-level label.
2. Obtain the user role division result with an improved K-means clustering algorithm.
To address the shortcomings of the K-means algorithm, such as the need to preset the number of clusters K, convergence to local optima, and sensitivity to outlier data, the embodiment of the invention uses an improved algorithm based on optimizing the initial cluster centers.
Specifically, data points can be regarded as points in a multidimensional coordinate space, so the angle between two vectors can be used to judge whether the two vectors belong to the same cluster; by predefining an aggregation threshold $\Omega$, the class of each data point can be determined.
Since the user feature vector data is multidimensional, the distance between a target vector $N_i = (a_i, b_i, c_i, \dots, \xi_i)$ and another vector $N_j = (a_j, b_j, c_j, \dots, \xi_j)$ is calculated with the following formula:
$\theta_{ij} = \arccos|N_i N_j^T| = \arccos|x_i x_j + y_i y_j + z_i z_j + \dots + \xi_i \xi_j|$
Let $n$ denote the number of data points satisfying the condition $\theta_{ij} \le \Omega$; the aggregation degree of the $j$-th group is then
The specific steps of the K-means clustering algorithm are as follows:
(1) Preset an aggregation threshold $\Omega$ of 5°;
(2) Randomly select two data points and find the center point of these two data points;
(3) Take the center point as the first initial cluster center and, according to the set aggregation threshold, assign the points that fall below the threshold to the class of this center point;
(4) Delete from the whole sample data set the sample data points that were assigned to the cluster center in step (3);
(5) Repeat steps (2) to (4) until the data set is empty, selecting the remaining cluster centers; this produces K clusters;
(6) Hand the K clusters generated by the steps above to the K-means clustering algorithm for processing;
(7) The algorithm produces K clusters with optimized initial centers, and the algorithm ends.
3. Perform historical behavior labeling according to the assigned user roles. A user behavior label has two parameters, the behavior count and the weight. The weight is obtained by balancing personal historical data against group user behavior, with the following formula:
$p = \alpha \times b_{person} + \beta \times b_{group}$
where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, preferably $\alpha = \beta = 0.5$; $b_{person}$ is the proportion of all of the user's operation behaviors within the set time that this operation behavior accounts for, and $b_{group}$ is the proportion of all users' operation behaviors that this operation behavior accounts for.
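An added worked example of steps 1 to 3 above (not code from the patent): it turns constructed operation counts into feature vectors, seeds K-means with the angle threshold Ω = 5°, and computes the behavior-label weights. The operation names, label tree, coefficients, the unit-length scaling inside the angle, the fallback when a midpoint claims no point, the Euclidean K-means and the use of the role cluster as the "group" are assumptions of this example.

```python
import math
import random

# Constructed sample (not real audit data): operation counts per user in one time window.
OPS = ("cert_apply", "cert_revoke", "key_backup", "key_recover", "user_add", "log_query")
ROWS = {"ra1": (40, 10, 0, 0, 0, 2), "ra2": (20, 5, 0, 0, 0, 1), "ra3": (30, 8, 1, 0, 0, 1),
        "km1": (0, 0, 20, 10, 0, 1), "km2": (1, 0, 10, 5, 0, 0),
        "ad1": (0, 0, 0, 0, 10, 40), "ad2": (0, 0, 0, 0, 5, 20)}
COUNTS = {user: dict(zip(OPS, row)) for user, row in ROWS.items()}
# Hypothetical label system: second-level label -> {third-level operation: coefficient c_i}.
LABEL_TREE = {"cert_mgmt": {"cert_apply": 0.4, "cert_revoke": 0.6},
              "key_mgmt": {"key_backup": 0.5, "key_recover": 0.5},
              "sys_admin": {"user_add": 0.5, "log_query": 0.5}}


def normalize(counts):
    """Step 1a: x' = (x - minA) / (maxA - minA) per operation A, over all users."""
    ops = sorted({op for row in counts.values() for op in row})
    lo = {op: min(row.get(op, 0) for row in counts.values()) for op in ops}
    hi = {op: max(row.get(op, 0) for row in counts.values()) for op in ops}
    # maxA == minA (every user has the same count) would divide by zero: map it to 0.0.
    return {user: {op: (row.get(op, 0) - lo[op]) / (hi[op] - lo[op]) if hi[op] > lo[op] else 0.0
                   for op in ops} for user, row in counts.items()}


def merge(norm, tree):
    """Step 1b: S = c1*x + c2*y + ... per second-level label; one S per vector component."""
    for label, coeffs in tree.items():
        if abs(sum(coeffs.values()) - 1.0) > 1e-9:
            raise ValueError(f"coefficients of {label} must sum to 1")
    return {user: [sum(c * row.get(op, 0.0) for op, c in coeffs.items()) for coeffs in tree.values()]
            for user, row in norm.items()}


def angle_deg(u, v):
    """theta = arccos|u.v| in degrees; vectors are scaled to unit length first (assumption)."""
    nu, nv = math.hypot(*u), math.hypot(*v)
    if nu == 0 or nv == 0:
        return 90.0  # a zero vector has no direction: treat it as far from everything
    cos = abs(sum(p * q for p, q in zip(u, v))) / (nu * nv)
    return math.degrees(math.acos(min(1.0, cos)))  # clamp rounding error above 1.0


def seed_centers(feats, omega_deg=5.0, rng=None):
    """Step 2, (1)-(5): pick initial centers until every point is claimed; K = len(result)."""
    rng = rng or random.Random(0)
    remaining, centers = sorted(feats), []
    while remaining:
        a, b = rng.sample(remaining, 2) if len(remaining) > 1 else (remaining[0], remaining[0])
        center = [(p + q) / 2 for p, q in zip(feats[a], feats[b])]
        claimed = [u for u in remaining if angle_deg(center, feats[u]) <= omega_deg]
        if not claimed:
            # Safeguard added here, not in the patent: a cross-group midpoint claims nobody.
            center = list(feats[a])
            claimed = [u for u in remaining if u == a or angle_deg(center, feats[u]) <= omega_deg]
        centers.append(center)
        remaining = [u for u in remaining if u not in claimed]
    return centers


def kmeans(feats, centers, max_iter=100):
    """Step 2, (6)-(7): standard Euclidean K-means started from the seeded centers."""
    centers, assign = [list(c) for c in centers], {}
    for _ in range(max_iter):
        new = {u: min(range(len(centers)), key=lambda k: math.dist(f, centers[k]))
               for u, f in feats.items()}
        if new == assign:
            break
        assign = new
        for k in range(len(centers)):
            pts = [feats[u] for u in feats if assign[u] == k]
            if pts:  # an emptied cluster keeps its previous center
                centers[k] = [sum(col) / len(pts) for col in zip(*pts)]
    return assign


def label_weights(counts, roles, user, alpha=0.5, beta=0.5):
    """Step 3: {operation: (count, p)} with p = alpha*b_person + beta*b_group."""
    group = [u for u in counts if roles[u] == roles[user]]  # assumption: group = same role
    user_total = sum(counts[user].values())
    group_total = sum(sum(counts[u].values()) for u in group)
    labels = {}
    for op, n in counts[user].items():
        b_person = n / user_total if user_total else 0.0
        b_group = sum(counts[u].get(op, 0) for u in group) / group_total if group_total else 0.0
        labels[op] = (n, alpha * b_person + beta * b_group)
    return labels


def build_portraits(counts, tree, omega_deg=5.0, seed=0):
    """Steps 1-3 chained: {user: {"role": cluster id, "labels": {op: (count, weight)}}}."""
    feats = merge(normalize(counts), tree)
    roles = kmeans(feats, seed_centers(feats, omega_deg, random.Random(seed)))
    return {u: {"role": roles[u], "labels": label_weights(counts, roles, u)} for u in counts}


if __name__ == "__main__":
    for user, portrait in build_portraits(COUNTS, LABEL_TREE).items():
        print(user, portrait["role"], max(portrait["labels"].items(), key=lambda kv: kv[1][1]))
```

The role ids are arbitrary cluster numbers that depend on the random seed; only the grouping of users is stable.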
The audit data processing method based on a PKI platform provided by the embodiments of the invention extracts and processes the user behavior data generated by user operations, determines the user role label and individual behavior labels, and obtains a user behavior portrait; security analysis is then performed on the user behavior portrait to identify abnormal user behavior. The large volume of audit data generated by the PKI platform can thus be mined and analyzed in depth from the user's perspective: complex data related to user behavior is converted into a simple, explicit user behavior portrait, so that retrieving the portrait through fast database access avoids the latency caused by frequently retrieving and querying logs and accessing log files or log databases. Analyzing the user behavior portrait also makes it possible to quickly locate abnormal user behavior, assist network security analysis, and improve the efficiency and accuracy of audit data processing.
Based on the same inventive concept, an embodiment of the invention also provides an audit data processing device based on a PKI platform. Because the principle by which the device solves the problem is similar to that of the audit data processing method based on a PKI platform, the implementation of the device may refer to the implementation of the method, and the overlapping parts are not repeated.
Referring to Fig. 2, the audit data processing device based on a PKI platform comprises an extraction unit 21, a processing unit 22 and an analysis unit 23, wherein:
The extraction unit 21 is configured to extract the user behavior data generated by user operations;
The processing unit 22 is configured to process the user behavior data, determine a user role label and individual behavior labels, and obtain a user behavior portrait;
The analysis unit 23 is configured to perform security analysis on the user behavior portrait and identify abnormal user behavior.
Optionally, the device further comprises a construction unit 24 configured to construct a user behavior label system, the user behavior label system comprising multi-level labels.
Optionally, the processing unit 22 is specifically configured to:
Preprocess the user behavior data based on the user behavior label system to obtain the feature vectors of user behavior; process the feature vectors of user behavior with a clustering algorithm to determine the user role label; and perform historical behavior labeling according to the user role to obtain the individual behavior labels.
Optionally, the processing unit 22 is specifically configured to: for each user operation, take in turn the maximum and minimum operation counts over all users and apply min-max normalization according to $x' = (x - \min_A)/(\max_A - \min_A)$, where $x$ is the raw data, $x'$ is the corresponding normalized data, $\max_A$ is the maximum operation count and $\min_A$ is the minimum operation count; and merge the normalized user behavior data by weighting according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels that belong to one second-level label.
Optionally, the processing unit 22 is specifically configured to process the feature vectors of user behavior with the K-means clustering algorithm.
Optionally, the processing unit 22 is specifically configured to determine the behavior count of each operation behavior in the user behavior labels and, combining personal historical data and group behavior, determine the weight of a user behavior label according to $p = \alpha \times b_{person} + \beta \times b_{group}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{person}$ is the proportion of all of the user's operation behaviors within the set time that this operation behavior accounts for, and $b_{group}$ is the proportion of all users' operation behaviors that this operation behavior accounts for.
For convenience of description, the parts above are divided by function into modules (or units) and described separately. Of course, when the invention is implemented, the functions of the modules (or units) may be realized in one or more pieces of software or hardware.
Having described the audit data processing method and device based on a PKI platform of the exemplary embodiments of the invention, a computing device according to another exemplary embodiment of the invention is introduced next.
Those of ordinary skill in the art will understand that aspects of the invention may be implemented as a system, a method or a program product. Accordingly, aspects of the invention may take the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode and the like), or an embodiment combining hardware and software aspects, which may be collectively referred to here as a "circuit", "module" or "system".
In some possible embodiments, a computing device according to the invention may include at least one processing unit and at least one storage unit. The storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the steps of the audit data processing method based on a Public Key Infrastructure (PKI) platform according to the various exemplary embodiments of the invention described earlier in this specification.
According to the above method embodiments, the invention also provides an electronic device comprising a memory and a processor.
The memory is mainly used to store programs; in addition, it may be configured to store various other data to support operations on the electronic device. Examples of such data include contact data, phonebook data, messages, pictures, videos and the like.
The memory may be implemented by any type of volatile or non-volatile storage device or a combination of them, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The processor is coupled to the memory and executes the program in the memory in order to:
Extract the user behavior data generated by user operations;
Process the user behavior data, determine a user role label and individual behavior labels, and obtain a user behavior portrait;
Perform security analysis on the user behavior portrait and identify abnormal user behavior.
When executing the program in the memory, the processor may also implement other functions in addition to those above; for details, refer to the description in the preceding embodiments.
Further, the electronic device also comprises other components such as a communication component, a display, a power supply component and an audio component.
The audit data processing device based on a PKI platform provided by the embodiments of the invention extracts and processes the user behavior data generated by user operations, determines the user role label and individual behavior labels, and obtains a user behavior portrait; security analysis is then performed on the user behavior portrait to identify abnormal user behavior. The large volume of audit data generated by the PKI platform can thus be mined and analyzed in depth from the user's perspective: complex data related to user behavior is converted into a simple, explicit user behavior portrait, so that retrieving the portrait through fast database access avoids the latency caused by frequently retrieving and querying logs and accessing log files or log databases. Analyzing the user behavior portrait also makes it possible to quickly locate abnormal user behavior, assist network security analysis, and improve the efficiency and accuracy of audit data processing.
Those skilled in the art should understand that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) that contain computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include volatile memory in computer-readable media, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined here, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, commodity or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, commodity or device. Without further limitation, an element introduced by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, commodity or device that includes the element.
Those skilled in the art will understand that embodiments of the application may be provided as a method, a system or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) that contain computer-usable program code.
The above description is only an example of the present application, is not intended to limit this application.For those skilled in the art For, various changes and changes are possible in this application.All any modifications made within the spirit and principles of the present application are equal Replacement, improvement etc., should be included within the scope of the claims of this application.

Claims (12)

1. An audit data processing method based on a Public Key Infrastructure (PKI) platform, characterized by comprising:
extracting user behavior data generated by user operations;
processing the user behavior data to determine a user role label and an individual behavior label, obtaining a user behavior portrait;
performing security analysis on the user behavior portrait to identify abnormal user behavior.
2. The method according to claim 1, characterized in that the method further comprises:
constructing a user behavior label system, the user behavior label system comprising multi-level labels.
3. The method according to claim 2, characterized in that processing the user behavior data to determine the user role label and the individual behavior label comprises:
pre-processing the user behavior data based on the user behavior label system to obtain feature vectors of user behavior;
processing the feature vectors of user behavior using a clustering algorithm to determine the user role label;
performing historical behavior labeling according to the user role to obtain the individual behavior label.
4. The method according to claim 3, characterized in that pre-processing the user behavior data comprises:
for each user operation, taking in turn the maximum operation count and the minimum operation count over all users and performing max-min normalization according to $x' = (x - minA)/(maxA - minA)$, where $x$ is the raw data, $x'$ is the corresponding normalized data, $maxA$ is the maximum operation count and $minA$ is the minimum operation count;
performing weighted merging on the normalized user behavior data according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels that belong to one second-level label.
5. The method according to claim 3, characterized in that processing the feature vectors of user behavior using a clustering algorithm comprises:
processing the feature vectors of user behavior using the K-means clustering algorithm.
6. The method according to claim 3, characterized in that performing historical behavior labeling according to the user role comprises:
determining the number of occurrences of each operation behavior in the user behavior labels;
combining case history data and group behavior, determining the weight of a user behavior label according to $p = \alpha \times b_{person} + \beta \times b_{group}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{person}$ is the proportion of the user's operation behaviors within a set time that this operation behavior accounts for, and $b_{group}$ is the proportion of all users' operation behaviors that this operation behavior accounts for.
7. An audit data processing device based on a PKI platform, characterized by comprising: an extraction unit, a processing unit and an analysis unit; wherein,
the extraction unit is configured to extract user behavior data generated by user operations;
the processing unit is configured to process the user behavior data, determine a user role label and an individual behavior label, and obtain a user behavior portrait;
the analysis unit is configured to perform security analysis on the user behavior portrait and identify abnormal user behavior.
8. The device according to claim 7, characterized in that the device further comprises: a construction unit configured to construct a user behavior label system, the user behavior label system comprising multi-level labels.
9. The device according to claim 8, characterized in that the processing unit is specifically configured to:
pre-process the user behavior data based on the user behavior label system to obtain feature vectors of user behavior; process the feature vectors of user behavior using a clustering algorithm to determine the user role label; and perform historical behavior labeling according to the user role to obtain the individual behavior label.
10. The device according to claim 9, characterized in that the processing unit is specifically configured to: for each user operation, take in turn the maximum operation count and the minimum operation count over all users and perform max-min normalization according to $x' = (x - minA)/(maxA - minA)$, where $x$ is the raw data, $x'$ is the corresponding normalized data, $maxA$ is the maximum operation count and $minA$ is the minimum operation count; and perform weighted merging on the normalized user behavior data according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels that belong to one second-level label.
11. The device according to claim 9, characterized in that the processing unit is specifically configured to process the feature vectors of user behavior using the K-means clustering algorithm.
12. The device according to claim 9, characterized in that the processing unit is specifically configured to determine the number of occurrences of each operation behavior in the user behavior labels; and, combining case history data and group behavior, determine the weight of a user behavior label according to $p = \alpha \times b_{person} + \beta \times b_{group}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{person}$ is the proportion of the user's operation behaviors within a set time that this operation behavior accounts for, and $b_{group}$ is the proportion of all users' operation behaviors that this operation behavior accounts for.
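The pipeline of claims 3 to 6 (max-min normalization, weighted merging under second-level labels, K-means role labeling, label weighting), as an added example that is not part of the patent text. User names, operation names, the label hierarchy, the coefficients and the K-means seeds are constructed assumptions, and b_group is read here as the operation's share of all operations by all users.

```python
# Constructed sample data; every name and coefficient below is an assumption.
OPS = {  # user -> raw operation counts in the audit window
    "ca_admin1": {"cert_issue": 40, "cert_revoke": 10, "log_query": 2, "log_export": 0},
    "ca_admin2": {"cert_issue": 36, "cert_revoke": 8, "log_query": 4, "log_export": 1},
    "auditor1": {"cert_issue": 0, "cert_revoke": 0, "log_query": 50, "log_export": 20},
    "auditor2": {"cert_issue": 1, "cert_revoke": 0, "log_query": 44, "log_export": 16},
}
# second-level label -> {third-level operation: weighting coefficient c_i}, each summing to 1
LABELS = {"cert_mgmt": {"cert_issue": 0.5, "cert_revoke": 0.5},
          "audit": {"log_query": 0.5, "log_export": 0.5}}

def normalize(ops):
    """x' = (x - minA) / (maxA - minA), per operation over all users."""
    out = {u: {} for u in ops}
    for op in next(iter(ops.values())):
        lo = min(c[op] for c in ops.values())
        hi = max(c[op] for c in ops.values())
        for u, c in ops.items():  # a constant column carries no signal: map it to 0
            out[u][op] = (c[op] - lo) / (hi - lo) if hi > lo else 0.0
    return out

def feature_vectors(ops, labels):
    """S = c1*x + c2*y + ... + cn*z for each second-level label."""
    norm = normalize(ops)
    return {u: [sum(c * norm[u][op] for op, c in w.items()) for w in labels.values()]
            for u in ops}

def kmeans(vectors, seeds, rounds=20):
    """Plain K-means; returns user -> cluster index, used as the role label."""
    centers = [list(vectors[s]) for s in seeds]
    for _ in range(rounds):
        assign = {u: min(range(len(centers)), key=lambda k: sum(
                      (p - q) ** 2 for p, q in zip(v, centers[k])))
                  for u, v in vectors.items()}
        for k in range(len(centers)):
            members = [vectors[u] for u in assign if assign[u] == k]
            if members:  # keep the previous center if a cluster empties
                centers[k] = [sum(col) / len(members) for col in zip(*members)]
    return assign

def label_weights(ops, user, alpha=0.7, beta=0.3):
    """p = alpha * b_person + beta * b_group for each operation of one user."""
    own_total = sum(ops[user].values())
    all_total = sum(sum(c.values()) for c in ops.values())
    return {op: alpha * n / own_total
                + beta * sum(c[op] for c in ops.values()) / all_total
            for op, n in ops[user].items()}

if __name__ == "__main__":
    print(kmeans(feature_vectors(OPS, LABELS), seeds=["ca_admin1", "auditor1"]))
```

Because α + β = 1 and both proportions sum to 1 over the operations, the label weights of any one user also sum to 1, which makes them directly comparable between users.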
CN201711366752.XA 2017-12-18 2017-12-18 Audit data processing method and device based on PKI platform Pending CN109936549A (en)

Publications (1)

Publication Number Publication Date
CN109936549A true CN109936549A (en) 2019-06-25

Family

ID=66982792

Country Status (1)

Country Link
CN (1) CN109936549A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20190625)