CN109936549A - Audit data processing method and device based on PKI platform
- Publication number: CN109936549A (CN201711366752.XA)
- Authority: CN (China)
- Prior art keywords: user, behavior, label, data, user behavior
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Abstract
The invention discloses an audit data processing method and device based on a Public Key Infrastructure (PKI) platform. The method extracts the user behavior data generated by user operations; processes the user behavior data to determine a user role label and individual behavior labels, obtaining a user behavior portrait; and performs security analysis on the user behavior portrait to identify abnormal user behavior. By analyzing user behavior portraits, embodiments of the invention can quickly locate abnormal user behavior, assist network security analysis, and improve the efficiency and accuracy of audit data processing.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an audit data processing method and device based on a Public Key Infrastructure (PKI) platform.
Background art
This section is intended to provide background or context for the embodiments of the invention set forth in the claims. The description here is not admitted to be prior art merely because it is included in this section.
A PKI platform is a set of technologies and specifications that uses public-key cryptography to provide a security foundation for e-commerce. Building a PKI platform mainly involves multiple systems, such as the certificate authority (CA), the registration authority (RA), the digital certificate repository, the key backup and recovery system, and the certificate revocation system. To implement an integrated security management mechanism across these systems, all security-related historical operation events are usually recorded uniformly as audit records. An audit record generally includes elements such as the time of the audited event, the user, the type, and whether the operation succeeded, and this audit data usually relates to operations on keys and certificates. Auditing can give security personnel enough information to accurately locate existing security vulnerabilities and track potential security risks. An active PKI platform generates a large amount of audit data every day, but at present this data often serves only as a log: it undergoes little preprocessing, is displayed only as a list, and lacks effective analysis and in-depth mining, so many sensitive regularities and characteristic data in the platform's operation are missed.
At present, the methods used to process audit data all have certain shortcomings. Expert systems depend too heavily on a manually built knowledge base; the accuracy of pattern matching depends on a predefined system feature library; the "threshold" in mathematical statistics often depends on the administrator's experience, which inevitably causes false positives and false negatives; and although immune systems are effective in theory, their detection rate and accuracy are insufficient in practice. It is therefore necessary to provide an effective audit data processing method.
Summary of the invention
Embodiments of the present invention provide an audit data processing method and device based on a PKI platform, which can improve the efficiency and accuracy of audit data processing.
An audit data processing method based on a Public Key Infrastructure (PKI) platform comprises:
extracting the user behavior data generated by user operations;
processing the user behavior data to determine a user role label and individual behavior labels, obtaining a user behavior portrait;
performing security analysis on the user behavior portrait to identify abnormal user behavior.
Preferably, the method further comprises:
constructing a user behavior label system, the user behavior label system comprising multi-level labels.
Preferably, processing the user behavior data to determine the user role label and the individual behavior labels comprises:
preprocessing the user behavior data based on the user behavior label system to obtain user behavior feature vectors;
processing the user behavior feature vectors with a clustering algorithm to determine the user role label;
labeling historical behavior according to the user role to obtain the individual behavior labels.
Preferably, preprocessing the user behavior data comprises:
for each user operation, taking in turn the maximum and minimum operation counts over all users and performing min-max normalization according to $x' = (x - \mathrm{min}_A)/(\mathrm{max}_A - \mathrm{min}_A)$, where $x$ is the original data, $x'$ is the corresponding normalized data, $\mathrm{max}_A$ is the maximum operation count and $\mathrm{min}_A$ is the minimum operation count;
merging the normalized user behavior data by weighting according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels under one second-level label.
Preferably, processing the user behavior feature vectors with a clustering algorithm comprises:
processing the user behavior feature vectors with the K-means clustering algorithm.
Preferably, labeling historical behavior according to the user role comprises:
determining the behavior count of each operation behavior in the user behavior labels;
combining personal history data and group behavior, determining the weight of a user behavior label according to $p = \alpha \times b_{\mathrm{person}} + \beta \times b_{\mathrm{group}}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{\mathrm{person}}$ is the proportion of this operation behavior among all of the user's operation behaviors within a set period, and $b_{\mathrm{group}}$ is the proportion of this operation behavior among all users' operation behaviors.
An audit data processing device based on a PKI platform comprises an extraction unit, a processing unit and an analysis unit, wherein:
the extraction unit is configured to extract the user behavior data generated by user operations;
the processing unit is configured to process the user behavior data to determine a user role label and individual behavior labels, obtaining a user behavior portrait;
the analysis unit is configured to perform security analysis on the user behavior portrait to identify abnormal user behavior.
Preferably, the device further comprises a construction unit configured to construct a user behavior label system, the user behavior label system comprising multi-level labels.
Preferably, the processing unit is specifically configured to:
preprocess the user behavior data based on the user behavior label system to obtain user behavior feature vectors; process the user behavior feature vectors with a clustering algorithm to determine the user role label; and label historical behavior according to the user role to obtain the individual behavior labels.
Preferably, the processing unit is specifically configured to: for each user operation, take in turn the maximum and minimum operation counts over all users and perform min-max normalization according to $x' = (x - \mathrm{min}_A)/(\mathrm{max}_A - \mathrm{min}_A)$, where $x$ is the original data, $x'$ is the corresponding normalized data, $\mathrm{max}_A$ is the maximum operation count and $\mathrm{min}_A$ is the minimum operation count; and merge the normalized user behavior data by weighting according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels under one second-level label.
Preferably, the processing unit is specifically configured to process the user behavior feature vectors with the K-means clustering algorithm.
Preferably, the processing unit is specifically configured to determine the behavior count of each operation behavior in the user behavior labels and, combining personal history data and group behavior, determine the weight of a user behavior label according to $p = \alpha \times b_{\mathrm{person}} + \beta \times b_{\mathrm{group}}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{\mathrm{person}}$ is the proportion of this operation behavior among all of the user's operation behaviors within a set period, and $b_{\mathrm{group}}$ is the proportion of this operation behavior among all users' operation behaviors.
The audit data processing method and device based on a PKI platform provided by embodiments of the present invention extract and process the user behavior data generated by user operations, determine the user role label and the individual behavior labels to obtain a user behavior portrait, and perform security analysis on the user behavior portrait to identify abnormal user behavior. The large amount of audit data generated by the PKI platform can thus be mined and analyzed in depth from the user's perspective. Because complex data related to user behavior is converted into a simple, explicit user behavior portrait, the portrait can be retrieved through fast database access, which avoids the latency caused by frequently searching and querying logs and accessing log files or log databases. By analyzing the user behavior portrait, abnormal user behavior can be located quickly, which assists network security analysis and improves the efficiency and accuracy of audit data processing.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the description or be understood by practicing the invention. The objectives and other advantages of the invention can be realized and obtained through the structure particularly pointed out in the written description, the claims and the drawings.
Brief description of the drawings
The drawings described here are provided for further understanding of the present invention and form a part of it. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow diagram of the audit data processing method based on a PKI platform provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of the audit data processing device based on a PKI platform provided by an embodiment of the present invention.
Detailed description
To make the purposes, technical solutions and advantages of this application clearer, the technical solutions of this application are described clearly and completely below with reference to specific embodiments and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in this application without creative effort fall within the scope of protection of this application.
Data mining, as a general knowledge discovery technology, can extract the data and information people are interested in from massive data, which matches the needs of analyzing audit data. The difficulty is how to propose a suitable mining algorithm for the concrete application scenario.
The present invention starts from user behavior and uses user portrait technology to understand users, converting user attributes into regular data formats that are easy for computers to store and access. The user portrait process mainly has two parts, user role extraction and behavior attribute feature extraction, and specifically covers basic attribute labels, behavior attribute labels and role attribute labels. Basic attribute labels include the user's basic information, such as gender, age, job information and length of service. User role labels are obtained mainly by clustering on an analysis of the user's common operations, and are distinct from the roles already configured on the platform (such as administrator or operator).
Fig. 1 shows the implementation flow of the audit data processing method based on a PKI platform provided by an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step 101: extract the user behavior data generated by user operations;
Step 102: process the user behavior data to determine a user role label and individual behavior labels, obtaining a user behavior portrait;
Step 103: perform security analysis on the user behavior portrait to identify abnormal user behavior.
Preferably, the method further comprises: constructing a user behavior label system, the user behavior label system comprising multi-level labels.
Here, security analysis is carried out from the perspective of user behavior, so only the user behavior generated by user operations is involved. The core of the user portrait is the establishment of the user behavior label system. The relevant user behavior label system is shown in Table 1, which mainly gives the first-level and second-level label structure. The user behavior portrait supports multi-level labels, including third-level and fourth-level label structures. Every level supports dynamic adjustment, including adding, deleting and modifying labels, and can be configured flexibly as needed.
Table 1: User behavior label system
Further, step 102 specifically comprises:
preprocessing the user behavior data based on the user behavior label system to obtain user behavior feature vectors;
processing the user behavior feature vectors with a clustering algorithm to determine the user role label;
labeling historical behavior according to the user role to obtain the individual behavior labels.
Preprocessing the user behavior data, that is, preprocessing the user's raw behavior data, comprises:
for each user operation, taking in turn the maximum and minimum operation counts over all users and performing min-max normalization according to $x' = (x - \mathrm{min}_A)/(\mathrm{max}_A - \mathrm{min}_A)$, where $x$ is the original data, $x'$ is the corresponding normalized data, $\mathrm{max}_A$ is the maximum operation count and $\mathrm{min}_A$ is the minimum operation count;
merging the normalized user behavior data by weighting according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels under one second-level label.
Processing the user behavior feature vectors with a clustering algorithm comprises:
processing the user behavior feature vectors with the K-means clustering algorithm.
Labeling historical behavior according to the user role comprises:
determining the behavior count of each operation behavior in the user behavior labels;
combining personal history data and group behavior, determining the weight of a user behavior label according to $p = \alpha \times b_{\mathrm{person}} + \beta \times b_{\mathrm{group}}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{\mathrm{person}}$ is the proportion of this operation behavior among all of the user's operation behaviors within a set period, and $b_{\mathrm{group}}$ is the proportion of this operation behavior among all users' operation behaviors.
Preferably, processing the user behavior data to determine the user role label and the individual behavior labels and obtain the user behavior portrait comprises:
1. Preprocess the raw behavior data per user to obtain the user operation behavior feature vectors.
With each third-level label taken as one behavior feature, for each operation the maximum and minimum operation counts over all users are taken in turn and min-max normalization is performed, giving each user's feature vector. The normalization formula is:
$x' = (x - \mathrm{min}_A)/(\mathrm{max}_A - \mathrm{min}_A)$
where $x$ is the original data, $x'$ is the corresponding normalized data and, for operation A, the extreme values are $\mathrm{min}_A$ and $\mathrm{max}_A$ respectively.
After normalization, the operation behavior data of a user's different attributes is dimensionless, that is, the incommensurability between data of different attributes is eliminated, and closely related but not directly comparable data can then be merged by weighting. The weighted-merge formula is:
$S = c_1 x + c_2 y + \dots + c_n z$
where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the different attributes that need to be analyzed together. This processing mainly merges the third-level label behaviors that belong to one second-level label.
2. Obtain the user role division result using an improved K-means clustering algorithm.
To address the shortcomings of the K-means algorithm, namely that the number of clusters K must be preset, that it can settle on a locally optimal solution, and that it is sensitive to outlier data, the embodiment of the present invention uses an improved algorithm based on optimizing the initial cluster centers.
Specifically, data points can be regarded as points in multi-dimensional coordinates, so the angle between two vectors can be used to judge whether the two vectors belong to the same cluster. By predefining an aggregation degree threshold Ω, the class of each data point can therefore be determined.
Because the user feature vector data is multi-dimensional, the distance between a target vector $N_i = (a_i, b_i, c_i, \dots, \xi_i)$ and some other vector $N_j = (a_j, b_j, c_j, \dots, \xi_j)$ is calculated with the following formula:
$\theta_{ij} = \arccos|N_i N_j^T| = \arccos|a_i a_j + b_i b_j + c_i c_j + \dots + \xi_i \xi_j|$
Let n denote the number of data points that satisfy the condition $\theta_{ij} \le \Omega$; then the aggregation degree of the j-th group is
The specific steps of the K-means clustering algorithm are as follows:
(1) preset the aggregation degree threshold Ω to 5°;
(2) randomly select two data points and find the center point of these two data points;
(3) take the center point as the first initial cluster center and, according to the set aggregation degree threshold, assign the points below the threshold to the class of this center point;
(4) delete from the entire sample data set the sample data points that belong to the cluster center obtained in step (3);
(5) repeat steps (2) to (4) until the data set is empty, selecting the remaining cluster centers; this produces K clusters;
(6) pass the K clusters generated by the above steps to the K-means clustering algorithm for processing;
(7) the algorithm processing yields K clusters with optimized initial centers, and the algorithm ends.
3. Label historical behavior according to the divided user roles. A user behavior label has two parameters, the behavior count and the weight. The weight is obtained by balancing personal history data against group user behavior, and is calculated as follows:
$p = \alpha \times b_{\mathrm{person}} + \beta \times b_{\mathrm{group}}$
where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, preferably $\alpha = \beta = 0.5$; $b_{\mathrm{person}}$ is the proportion of this operation behavior among all of the user's operation behaviors within a set period, and $b_{\mathrm{group}}$ is the proportion of this operation behavior among all users' operation behaviors.
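Steps 1 to 3 above, run end to end on constructed audit counts, as an added Python example that is not code from the patent. The user and label names, the weights in `SCHEME`, scaling vectors to unit length before taking the arccos, falling back to a picked user when a midpoint attracts no point, and treating a user's role cluster as the "group" are all assumptions of this example.

```python
import math
import random

# Constructed audit counts per user and third-level label (names are hypothetical).
COUNTS = {
    "op_a1": {"cert_issue": 100, "cert_revoke": 20, "key_backup": 0, "key_recover": 0},
    "op_a2": {"cert_issue": 80, "cert_revoke": 16, "key_backup": 2, "key_recover": 0},
    "op_a3": {"cert_issue": 60, "cert_revoke": 12, "key_backup": 0, "key_recover": 1},
    "op_b1": {"cert_issue": 0, "cert_revoke": 0, "key_backup": 50, "key_recover": 10},
    "op_b2": {"cert_issue": 5, "cert_revoke": 1, "key_backup": 40, "key_recover": 8},
    "op_b3": {"cert_issue": 0, "cert_revoke": 0, "key_backup": 30, "key_recover": 6},
}
# Second-level label -> weights c_i of its third-level labels (each set sums to 1).
SCHEME = {
    "certificate": {"cert_issue": 0.6, "cert_revoke": 0.4},
    "key": {"key_backup": 0.5, "key_recover": 0.5},
}

def min_max(counts):
    """Step 1: x' = (x - min_A) / (max_A - min_A) per operation A over all users."""
    ops = sorted({op for row in counts.values() for op in row})
    out = {user: {} for user in counts}
    for op in ops:
        vals = [row.get(op, 0) for row in counts.values()]
        lo, hi = min(vals), max(vals)
        for user, row in counts.items():  # max_A == min_A: no signal, avoid 0/0
            out[user][op] = 0.0 if hi == lo else (row.get(op, 0) - lo) / (hi - lo)
    return out

def merge(norm, scheme):
    """Step 1: S = c1*x + ... + cn*z, one feature per second-level label."""
    if any(abs(sum(w.values()) - 1.0) > 1e-9 for w in scheme.values()):
        raise ValueError("weights under each second-level label must sum to 1")
    return {u: [sum(c * row.get(op, 0.0) for op, c in w.items()) for w in scheme.values()]
            for u, row in norm.items()}

def angle(p, q):
    """theta = arccos|N_i . N_j| in degrees, after scaling both to unit length."""
    len_p, len_q = math.hypot(*p), math.hypot(*q)
    if len_p == 0 or len_q == 0:
        return 90.0  # assumption: an all-zero vector is unrelated to everything
    cos = abs(sum(a * b for a, b in zip(p, q))) / (len_p * len_q)
    return math.degrees(math.acos(min(1.0, cos)))

def seed_centers(vectors, omega=5.0, rng=None):
    """Steps (1)-(5): peel off one cluster per round until no point is left."""
    rng = rng or random.Random(0)
    centers, remaining = [], dict(vectors)
    while remaining:
        picked = rng.sample(sorted(remaining), min(2, len(remaining)))
        center = [sum(xs) / len(picked) for xs in zip(*(remaining[u] for u in picked))]
        members = [u for u, v in remaining.items() if angle(center, v) <= omega]
        if not members:
            # Assumption: a midpoint that attracts nobody is replaced by the first
            # picked user, who always joins its own cluster, so the loop terminates.
            center = list(remaining[picked[0]])
            members = [u for u, v in remaining.items()
                       if u == picked[0] or angle(center, v) <= omega]
        centers.append(center)
        for u in members:
            del remaining[u]
    return centers

def kmeans(vectors, centers, rounds=50):
    """Step (6): ordinary Euclidean K-means started from the seeded centers."""
    assign = {}
    for _ in range(rounds):
        new = {u: min(range(len(centers)), key=lambda k: math.dist(v, centers[k]))
               for u, v in vectors.items()}
        if new == assign:
            break
        assign = new
        for k in range(len(centers)):
            pts = [vectors[u] for u in vectors if assign[u] == k]
            if pts:
                centers[k] = [sum(xs) / len(pts) for xs in zip(*pts)]
    return assign

def label_weights(counts, user, group, alpha=0.5, beta=0.5):
    """Step 3: p = alpha*b_person + beta*b_group for every operation of one user."""
    own = counts[user]
    own_total = sum(own.values())
    grp = {op: sum(counts[u].get(op, 0) for u in group) for op in own}
    grp_total = sum(grp.values())
    return {op: {"count": n,
                 "weight": alpha * (n / own_total if own_total else 0.0)
                 + beta * (grp[op] / grp_total if grp_total else 0.0)}
            for op, n in own.items()}

def build_portraits(counts, scheme, omega=5.0, rng=None):
    """Role label from clustering plus weighted behavior labels, per user."""
    vectors = merge(min_max(counts), scheme)
    roles = kmeans(vectors, seed_centers(vectors, omega, rng))
    # Assumption: a user's "group" is the set of users sharing that user's role.
    groups = {u: [v for v in counts if roles[v] == roles[u]] for u in counts}
    return {u: {"role": roles[u], "labels": label_weights(counts, u, groups[u])}
            for u in counts}
```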
The audit data processing method based on a PKI platform provided by the embodiment of the present invention extracts and processes the user behavior data generated by user operations, determines the user role label and the individual behavior labels to obtain a user behavior portrait, and performs security analysis on the user behavior portrait to identify abnormal user behavior. The large amount of audit data generated by the PKI platform can thus be mined and analyzed in depth from the user's perspective. Because complex data related to user behavior is converted into a simple, explicit user behavior portrait, the portrait can be retrieved through fast database access, which avoids the latency caused by frequently searching and querying logs and accessing log files or log databases. By analyzing the user behavior portrait, abnormal user behavior can be located quickly, which assists network security analysis and improves the efficiency and accuracy of audit data processing.
Based on the same inventive concept, an embodiment of the present invention further provides an audit data processing device based on a PKI platform. Because the principle by which this device solves the problem is similar to that of the audit data processing method based on a PKI platform, the implementation of the device may refer to the implementation of the method, and repeated details are omitted.
Referring to Fig. 2, the audit data processing device based on a PKI platform comprises an extraction unit 21, a processing unit 22 and an analysis unit 23, wherein:
the extraction unit 21 is configured to extract the user behavior data generated by user operations;
the processing unit 22 is configured to process the user behavior data to determine a user role label and individual behavior labels, obtaining a user behavior portrait;
the analysis unit 23 is configured to perform security analysis on the user behavior portrait to identify abnormal user behavior.
Optionally, the device further comprises a construction unit 24 configured to construct a user behavior label system, the user behavior label system comprising multi-level labels.
Optionally, the processing unit 22 is specifically configured to:
preprocess the user behavior data based on the user behavior label system to obtain user behavior feature vectors; process the user behavior feature vectors with a clustering algorithm to determine the user role label; and label historical behavior according to the user role to obtain the individual behavior labels.
Optionally, the processing unit 22 is specifically configured to: for each user operation, take in turn the maximum and minimum operation counts over all users and perform min-max normalization according to $x' = (x - \mathrm{min}_A)/(\mathrm{max}_A - \mathrm{min}_A)$, where $x$ is the original data, $x'$ is the corresponding normalized data, $\mathrm{max}_A$ is the maximum operation count and $\mathrm{min}_A$ is the minimum operation count; and merge the normalized user behavior data by weighting according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels under one second-level label.
Optionally, the processing unit 22 is specifically configured to process the user behavior feature vectors with the K-means clustering algorithm.
Optionally, the processing unit 22 is specifically configured to determine the behavior count of each operation behavior in the user behavior labels and, combining personal history data and group behavior, determine the weight of a user behavior label according to $p = \alpha \times b_{\mathrm{person}} + \beta \times b_{\mathrm{group}}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{\mathrm{person}}$ is the proportion of this operation behavior among all of the user's operation behaviors within a set period, and $b_{\mathrm{group}}$ is the proportion of this operation behavior among all users' operation behaviors.
For convenience of description, the parts above are described separately as modules (or units) divided by function. Of course, when implementing the present invention, the functions of the modules (or units) may be implemented in one or more pieces of software or hardware.
Having described the audit data processing method and device based on a PKI platform of exemplary embodiments of the present invention, a computing device according to another exemplary embodiment of the present invention is introduced next.
A person of ordinary skill in the art will understand that aspects of the present invention may be implemented as a system, method or program product. Accordingly, aspects of the invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may be collectively referred to herein as a "circuit", "module" or "system".
In some possible embodiments, a computing device according to the present invention may include at least one processing unit and at least one storage unit. The storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the steps of the audit data processing method based on a Public Key Infrastructure (PKI) platform according to the various exemplary embodiments of the invention described above in this specification.
According to the above method embodiment, the present invention also provides an electronic device comprising a memory and a processor.
The memory is mainly used to store programs; in addition, it may be configured to store various other data to support operation on the electronic device. Examples of such data include contact data, phone book data, messages, pictures, videos and so on.
The memory may be implemented by any type of volatile or non-volatile storage device or a combination of them, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The processor is coupled to the memory and executes the program in the memory in order to:
extract the user behavior data generated by user operations;
process the user behavior data to determine a user role label and individual behavior labels, obtaining a user behavior portrait;
perform security analysis on the user behavior portrait to identify abnormal user behavior.
When executing the program in the memory, the processor may implement other functions in addition to those above; for details, refer to the description in the preceding embodiments.
Further, the electronic device also comprises other components such as a communication component, a display, a power supply component and an audio component.
The audit data processing device based on a PKI platform provided by the embodiment of the present invention extracts and processes the user behavior data generated by user operations, determines the user role label and the individual behavior labels to obtain a user behavior portrait, and performs security analysis on the user behavior portrait to identify abnormal user behavior. The large amount of audit data generated by the PKI platform can thus be mined and analyzed in depth from the user's perspective. Because complex data related to user behavior is converted into a simple, explicit user behavior portrait, the portrait can be retrieved through fast database access, which avoids the latency caused by frequently searching and querying logs and accessing log files or log databases. By analyzing the user behavior portrait, abnormal user behavior can be located quickly, which assists network security analysis and improves the efficiency and accuracy of audit data processing.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include volatile memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape and magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, commodity or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, commodity or device that includes the element.
Those skilled in the art will understand that embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program code.
The above description is only an example of the present application and is not intended to limit it. For those skilled in the art, various modifications and changes to the present application are possible. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall fall within the scope of the claims of the present application.
Claims (12)
1. An audit data processing method based on a Public Key Infrastructure (PKI) platform, characterized by comprising:
extracting user behavior data generated by user operations;
processing the user behavior data to determine a user role label and an individual behavior label, and obtaining a user behavior portrait;
performing security analysis on the user behavior portrait to identify abnormal user behavior.
2. The method according to claim 1, characterized in that the method further comprises:
constructing a user behavior label system, the user behavior label system comprising multi-level labels.
3. The method according to claim 2, characterized in that processing the user behavior data to determine the user role label and the individual behavior label comprises:
preprocessing the user behavior data based on the user behavior label system to obtain a feature vector of user behavior;
processing the feature vector of user behavior with a clustering algorithm to determine the user role label;
performing historical behavior labeling according to the user role to obtain the individual behavior label.
4. The method according to claim 3, characterized in that preprocessing the user behavior data comprises:
for each user operation, taking in turn the maximum number of operations and the minimum number of operations across all users and performing max-min normalization according to $x' = (x - \mathrm{minA}) / (\mathrm{maxA} - \mathrm{minA})$, where $x$ is the original data, $x'$ is the corresponding standardized data, $\mathrm{maxA}$ is the maximum number of operations and $\mathrm{minA}$ is the minimum number of operations;
performing a weighted merge of the normalized user behavior data according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels that belong to one second-level label.
5. The method according to claim 3, characterized in that processing the feature vector of user behavior with a clustering algorithm comprises:
processing the feature vector of user behavior with the K-means clustering algorithm.
6. The method according to claim 3, characterized in that performing historical behavior labeling according to the user role comprises:
determining the number of occurrences of each operation behavior in the user behavior labels;
combining individual historical data with group behavior, determining the weight of a user behavior label according to $p = \alpha \times b_{person} + \beta \times b_{group}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{person}$ is the proportion of this operation behavior among all of the user's operation behaviors within a set time, and $b_{group}$ is the proportion of this operation behavior among the operation behaviors of all users.
7. An audit data processing device based on a PKI platform, characterized by comprising an extraction unit, a processing unit and an analysis unit, wherein:
the extraction unit is configured to extract user behavior data generated by user operations;
the processing unit is configured to process the user behavior data, determine a user role label and an individual behavior label, and obtain a user behavior portrait;
the analysis unit is configured to perform security analysis on the user behavior portrait and identify abnormal user behavior.
8. The device according to claim 7, characterized in that the device further comprises a construction unit configured to construct a user behavior label system, the user behavior label system comprising multi-level labels.
9. The device according to claim 8, characterized in that the processing unit is specifically configured to:
preprocess the user behavior data based on the user behavior label system to obtain a feature vector of user behavior; process the feature vector of user behavior with a clustering algorithm to determine the user role label; and perform historical behavior labeling according to the user role to obtain the individual behavior label.
10. The device according to claim 9, characterized in that the processing unit is specifically configured to: for each user operation, take in turn the maximum number of operations and the minimum number of operations across all users and perform max-min normalization according to $x' = (x - \mathrm{minA}) / (\mathrm{maxA} - \mathrm{minA})$, where $x$ is the original data, $x'$ is the corresponding standardized data, $\mathrm{maxA}$ is the maximum number of operations and $\mathrm{minA}$ is the minimum number of operations; and perform a weighted merge of the normalized user behavior data according to $S = c_1 x + c_2 y + \dots + c_n z$, where $c_1, c_2, \dots, c_n$ are weighting coefficients with $c_1 + c_2 + \dots + c_n = 1$, and $x, y, \dots, z$ are the user operations corresponding to the third-level labels that belong to one second-level label.
11. The device according to claim 9, characterized in that the processing unit is specifically configured to process the feature vector of user behavior with the K-means clustering algorithm.
12. The device according to claim 9, characterized in that the processing unit is specifically configured to determine the number of occurrences of each operation behavior in the user behavior labels and, combining individual historical data with group behavior, determine the weight of a user behavior label according to $p = \alpha \times b_{person} + \beta \times b_{group}$, where $\alpha$ and $\beta$ are weighting coefficients with $\alpha + \beta = 1$, $b_{person}$ is the proportion of this operation behavior among all of the user's operation behaviors within a set time, and $b_{group}$ is the proportion of this operation behavior among the operation behaviors of all users.
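The computations recited in claims 4 to 6 (mirrored in device claims 10 to 12), traced end to end in Python. This is an added example, not code from the patent: the operation names, per-user counts, weighting coefficients, initial centroids and the default value of α are constructed assumptions.

```python
# Added illustration of claims 4-6; all names, counts and coefficients are constructed.
import math

def min_max(column):
    """Claim 4: x' = (x - minA) / (maxA - minA) over all users for one operation."""
    lo, hi = min(column), max(column)
    if hi == lo:                       # every user has the same count: nothing to scale
        return [0.0] * len(column)
    return [(x - lo) / (hi - lo) for x in column]

def weighted_merge(values, coeffs):
    """Claim 4: S = c1*x + c2*y + ... + cn*z, coefficients must sum to 1."""
    if not math.isclose(sum(coeffs), 1.0):
        raise ValueError("weighting coefficients must sum to 1")
    return sum(c * v for c, v in zip(coeffs, values))

def kmeans(points, centroids, rounds=20):
    """Claim 5: plain K-means; returns one cluster index (role label) per point."""
    assign = []
    for _ in range(rounds):
        assign = [min(range(len(centroids)), key=lambda k: math.dist(p, centroids[k]))
                  for p in points]
        for k in range(len(centroids)):
            members = [p for p, a in zip(points, assign) if a == k]
            if members:                # keep the old centroid if a cluster empties
                centroids[k] = [sum(d) / len(members) for d in zip(*members)]
    return assign

def label_weight(b_person, b_group, alpha=0.7):
    """Claim 6: p = alpha*b_person + beta*b_group with beta = 1 - alpha."""
    return alpha * b_person + (1 - alpha) * b_group

# Constructed raw counts per user: (issue, revoke) are third-level labels under a
# "certificate operations" second-level label, (log_query, log_export) under "audit".
RAW = {"alice": (40, 2, 1, 0), "bob": (38, 4, 0, 1),
       "carol": (1, 0, 30, 12), "dave": (0, 1, 28, 10)}

def build_features(raw):
    """Normalize each operation column, then merge to one value per second-level label."""
    users = list(raw)
    cols = [min_max([raw[u][i] for u in users]) for i in range(4)]
    return {u: [weighted_merge([cols[0][j], cols[1][j]], [0.6, 0.4]),
                weighted_merge([cols[2][j], cols[3][j]], [0.5, 0.5])]
            for j, u in enumerate(users)}

def role_labels(raw):
    """Cluster the merged feature vectors into two roles (constructed initial centroids)."""
    feats = build_features(raw)
    users = list(feats)
    return dict(zip(users, kmeans([feats[u] for u in users], [[1.0, 0.0], [0.0, 1.0]])))
```

With the constructed counts, the certificate-heavy and audit-heavy users separate into two role clusters; the `hi == lo` branch covers the case the claim's formula leaves undefined, where every user performed an operation the same number of times.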
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711366752.XA CN109936549A (en) | 2017-12-18 | 2017-12-18 | Audit data processing method and device based on PKI platform |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109936549A (en) | 2019-06-25 |
Family
ID=66982792
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711366752.XA Pending CN109936549A (en) | 2017-12-18 | 2017-12-18 | Audit data processing method and device based on PKI platform |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109936549A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111597549A (en) * | 2020-04-17 | 2020-08-28 | 国网浙江省电力有限公司湖州供电公司 | Network security behavior identification method and system based on big data |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1349327A (en) * | 2001-12-03 | 2002-05-15 | 上海交通大学 | Hierarchical network information content managing method based on public key basic facilities |
CN106341407A (en) * | 2016-09-19 | 2017-01-18 | 成都知道创宇信息技术有限公司 | Abnormal access log mining method based on website picture and apparatus thereof |
CN106503015A (en) * | 2015-09-07 | 2017-03-15 | 国家计算机网络与信息安全管理中心 | A kind of method for building user's portrait |
US9807105B2 (en) * | 2015-11-11 | 2017-10-31 | International Business Machines Corporation | Adaptive behavior profiling and anomaly scoring through continuous learning |
Non-Patent Citations (1)
Title |
---|
何学海等: ""网络安全用户行为画像方案设计"", 《通信技术》 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190625 |