CN109977272A - Method and system for identifying key users based on audit data - Google Patents
- Publication number: CN109977272A (application CN201711449191.XA)
- Authority: CN (China)
- Legal status: Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9024—Graphs; Linked lists
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
- G06Q50/01—Social networking
Abstract
The present invention provides a method and system for identifying key users based on audit data. The method comprises: step 1, sorting the audit data of a Public Key Infrastructure (PKI) platform along the timeline, setting a time window T, taking the audit data within T, and dividing that audit data into i classes according to the audit events involved, forming the audit event set Q; step 2, according to the audit event classes within T, constructing a weighted user relationship graph among all users of the i-th class of audit events, and establishing the direction of the edges between users according to the order of execution times within each class of audit event; step 3, setting up a community network graph and, according to structural hole theory, using a maximum-flow algorithm based on minimum cut to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction in the minimal cut set of the community network graph G is maximal; the k structural hole nodes are then the key users of the audit data within T.
Description
Technical field
The present invention relates to the field of audit data analysis, and more particularly to a method and system for identifying key users based on audit data.
Background
Public Key Infrastructure (PKI) is a set of technologies and specifications that uses public-key cryptography to provide a secure foundation platform for the development of e-commerce. Building a PKI platform mainly involves constructing multiple systems, such as the certification authority, the registration authority, the digital certificate repository, the key backup and recovery system, and the certificate revocation system. To implement an integrated security management mechanism across these systems, all security-related historical operation events are usually recorded uniformly as audit records. An audit record generally includes elements such as the time of the audit event, the user, the type, and whether the operation succeeded, and this audit data usually involves operations on keys, certificates and the like. Audit data can give security personnel enough information to accurately locate existing security vulnerabilities and track potential security risks. An active PKI platform generates a large amount of audit data every day, but at present this data often serves only as a log: it undergoes little preprocessing and is merely displayed in list form, without effective analysis or in-depth mining, so that many sensitive regularities and characteristic data in the platform's operation are missed. It is therefore highly desirable to provide an intelligent, automated method for analyzing security audit data.
Currently, the methods used to analyze audit data all have certain shortcomings. Expert systems depend too heavily on a knowledge base established manually in advance, and the accuracy of their pattern matching depends on a predefined system feature library. The "threshold" in mathematical statistics often depends on the administrator's experience, which inevitably leads to false positives and false negatives. Immune systems, although feasible and effective in theory, have insufficient detection rate and accuracy in practical application. Data mining, as a general knowledge discovery technique, can extract the data of interest from massive data, which matches the needs of audit data analysis, but proposing a suitable mining algorithm for a specific application scenario is a difficult point.
Summary of the invention
To solve the technical problems of existing audit data analysis methods described in the background, namely excessive reliance on manually pre-established knowledge bases, audit information that is prone to false positives and false negatives, and insufficient detection rate and accuracy for audit data, the present invention provides a method for identifying key users based on audit data, the method comprising:
Step 1: sort the audit data of the Public Key Infrastructure (PKI) platform along the timeline; with the time window set to T, take the audit data within T and divide it into i classes according to the audit events involved, forming the audit event set Q, where $Q = \{Q_1, \ldots, Q_i\}$ and i is a natural number;
Step 2: according to the audit event classes within T, construct a weighted user relationship graph $C_i(VC_i, EC_i)$ among all users of the i-th class of audit events, and establish the direction of the edges between users according to the order of execution times within each class of audit event, where $VC_i$ denotes the set of users within T, $EC_i$ denotes the edge relationships between users, and $C_i$ corresponds one-to-one with $Q_i$;
Step 3: set up the community network graph $G = (V, E)$, in which the i communities are $C = \{C_1, \ldots, C_i\}$ and the minimal cut set of G is , where V denotes the user nodes in the community network graph, E denotes the edge relationships between user nodes, and the set D is the edge set of minimum size that separates the different communities in the network; according to structural hole theory, use a maximum-flow algorithm based on minimum cut to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction in the minimal cut set of the community network graph G is maximal; the k structural hole nodes are then the key users of the audit data within T. The formula for finding the k structural hole nodes is:
$$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$$
Structural hole theory, as used in this method, holds that in a social relationship network, if user individuals have no direct association with each other or belong to different community networks, the connection between those different individuals forms a structural hole. A structural hole is the "vacant space" between two node sets in the network that are not closely connected, and the nodes representing the user individuals who make up the structural hole are the structural hole nodes. In terms of information exchange, structural hole nodes can obtain information from multiple non-overlapping parts of the network earlier. A structural hole node sitting between community networks that do not interact can therefore not only obtain information about all users in those communities, but also has the opportunity to integrate information from different users. Structural hole nodes in a network control the transmission of information, the accumulation of wealth, and the interaction between different fields. A user individual in the network can establish connections with more structural hole nodes and then, across the structural holes, exchange information with more individuals in different fields, which brings the individual into the propagation of information flow in the network. Structural hole nodes thus become the intermediaries of information flow in the network and occupy a dominant position in the community network. For audit data, building the community network with structural hole theory and identifying the structural hole nodes in it amounts to identifying the key users who can exchange information with the users of every community, so that data mining can be carried out more effectively.
Further, constructing the weighted user relationship graph $C_i(VC_i, EC_i)$ among the users of the i-th class of audit events, according to the audit event classes within T, comprises:
Step 1: initialize $C_i$, making and
Step 2: take an arbitrary element $q_l$ of the audit event class $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \ldots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ n_j \to n_{j-1}\}$;
Step 4: take any element $e_{w(u \to v)}$ of the edge set E; if then add $e_{w(u \to v)}$ to $EC_i$; otherwise, increase that edge's weight by 1;
Step 5: if u, then add u, v to $VC_i$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(VC_i, EC_i)$, completing the construction of the weighted user relationship graph for event $Q_i$.
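The construction steps above, sketched in Python as an added illustration that is not taken from the patent. The record layout, the `target` field standing in for an element $q_l$, the initial edge weight of 1 and the skipping of self-loops are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: (time, user, event type, target, success).
# "target" (the key or certificate operated on) is an assumed field that plays
# the role of an element q_l inside an event class Q_i.
RECORDS = [
    ("2017-12-01T09:00:00", "alice", "cert_issue", "cert-01", True),
    ("2017-12-01T09:10:00", "carol", "cert_issue", "cert-01", True),
    ("2017-12-01T09:05:00", "bob", "cert_issue", "cert-01", True),
    ("2017-12-01T10:00:00", "alice", "cert_issue", "cert-02", True),
    ("2017-12-01T10:30:00", "bob", "cert_issue", "cert-02", False),
    ("2017-12-01T11:00:00", "dave", "key_recover", "key-07", True),
    ("2017-12-01T11:20:00", "carol", "key_recover", "key-07", True),
    ("2017-12-01T11:40:00", "erin", "key_recover", "key-07", True),
    ("2017-12-02T08:00:00", "frank", "cert_issue", "cert-01", True),  # outside T
]


def build_relationship_graphs(records, window_start, window_hours):
    """Return {event class: (VC, EC)}; EC maps a directed edge (u, v) to its weight."""
    start = datetime.fromisoformat(window_start)
    end = start + timedelta(hours=window_hours)

    # Sort by time and keep only the records inside the window T.
    in_window = sorted(
        (datetime.fromisoformat(ts), user, etype, target)
        for ts, user, etype, target, _success in records
        if start <= datetime.fromisoformat(ts) < end
    )

    # Split into classes Q_i, and within each class group users by element q_l.
    classes = defaultdict(lambda: defaultdict(list))
    for _ts, user, etype, target in in_window:
        classes[etype][target].append(user)   # time-ordered user list N_l

    graphs = {}
    for etype, elements in classes.items():
        vc, ec = set(), defaultdict(int)      # step 1: start with empty sets
        for users in elements.values():       # step 2: N_l for each q_l
            # Step 3: edges (n_j, n_{j-1}), later operator -> earlier operator.
            for earlier, later in zip(users, users[1:]):
                if earlier == later:
                    continue                  # assumption: no self-loops
                ec[(later, earlier)] += 1     # step 4: new edge, or weight + 1
                vc.update((earlier, later))   # step 5: add users not yet seen
        graphs[etype] = (vc, dict(ec))        # step 7: C_i(VC_i, EC_i)
    return graphs


if __name__ == "__main__":
    result = build_relationship_graphs(RECORDS, "2017-12-01T00:00:00", 24)
    for etype, (vc, ec) in result.items():
        print(etype, sorted(vc), ec)
```

In the constructed data, `carol` ends up in both the `cert_issue` and the `key_recover` graph, which is the kind of cross-community user the later min-cut step looks for.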
Further, finding the set $V_{SH}$ of k structural hole nodes according to structural hole theory, using the maximum-flow algorithm based on minimum cut, comprises:
Step 1: initialize the flow on every edge in the network to 0;
Step 2: compute the maximum flow between every two communities, update the flow on each edge, and add the edges whose flow equals the edge weight to the edge set $E_f$;
Step 3: determine whether all pairwise comparisons between communities have finished; if so, go to step 4, otherwise go to step 1;
Step 4: extract the node set $V_f$ from the edge set $E_f$;
Step 5: traverse the node set $V_f$ and compute $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node for which the value computed in step 5 is largest and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
Further, when computing the maximum flow between every two communities, a super source and a super sink are added, with the super source pointing to all sources and all sinks pointing to the super sink, and the Ford-Fulkerson algorithm is used to solve for the maximum flow between the two communities.
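The greedy selection and the super-source/super-sink maximum flow described above, as an added Python example that is not the patent's own code. It assumes undirected capacities, takes MC(G, C) as the sum of pairwise minimum cuts, treats users belonging to both communities of a pair as intermediate nodes, and stops once k nodes are chosen; the graph and community names are constructed.

```python
from collections import deque
from itertools import combinations

INF = float("inf")

# Constructed graph: undirected edge -> weight, plus community membership.
EDGES = {
    ("a1", "a2"): 1, ("a1", "u"): 3, ("a2", "u"): 3, ("a1", "w"): 2, ("a2", "w"): 2,
    ("b1", "b2"): 1, ("u", "b1"): 3, ("u", "b2"): 3,
    ("c1", "c2"): 1, ("w", "c1"): 2, ("w", "c2"): 2,
}
COMMUNITIES = {
    "issue": {"a1", "a2", "u", "w"},
    "revoke": {"b1", "b2", "u"},
    "recover": {"c1", "c2", "w"},
}


def max_flow(edges, sources, sinks, removed):
    """BFS Ford-Fulkerson (Edmonds-Karp) between a super source and a super sink.

    Returns (flow value, set of original edges whose flow equals their weight)."""
    res = {}                                   # residual capacities

    def arc(u, v, cap):
        res.setdefault(u, {})[v] = res.get(u, {}).get(v, 0) + cap
        res.setdefault(v, {}).setdefault(u, 0)

    for (u, v), weight in edges.items():
        if u not in removed and v not in removed:
            arc(u, v, weight)                  # assumption: capacity applies
            arc(v, u, weight)                  # in both directions
    for s in sources - removed:
        arc("S*", s, INF)                      # super source -> every source
    for t in sinks - removed:
        arc(t, "T*", INF)                      # every sink -> super sink

    total = 0
    while True:
        parent, queue = {"S*": None}, deque(["S*"])
        while queue and "T*" not in parent:    # shortest augmenting path
            u = queue.popleft()
            for v, cap in res.get(u, {}).items():
                if cap > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if "T*" not in parent:
            break
        path, v = [], "T*"
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= push
            res[v][u] += push
        total += push

    saturated = {(u, v) for (u, v) in edges
                 if u not in removed and v not in removed
                 and min(res[u][v], res[v][u]) == 0}
    return total, saturated


def total_min_cut(edges, communities, removed=frozenset()):
    """Sum of pairwise min cuts after deleting `removed`, plus candidate nodes V_f."""
    total, candidates = 0, set()
    for a, b in combinations(sorted(communities), 2):
        ca, cb = communities[a], communities[b]
        value, saturated = max_flow(edges, ca - cb, cb - ca, set(removed))
        total += value
        for u, v in saturated:                 # V_f: endpoints of saturated edges
            candidates.update((u, v))
    return total, candidates


def find_key_users(edges, communities, k):
    """Greedily pick up to k nodes whose deletion most reduces the min cut."""
    chosen, gains = [], []
    while len(chosen) < k:
        base, candidates = total_min_cut(edges, communities, set(chosen))
        best, best_gain = None, 0
        for p in sorted(candidates):
            gain = base - total_min_cut(edges, communities, set(chosen) | {p})[0]
            if gain > best_gain:
                best, best_gain = p, gain
        if best is None:                       # nothing left that lowers the cut
            break
        chosen.append(best)
        gains.append(best_gain)
    return chosen, gains


if __name__ == "__main__":
    print(total_min_cut(EDGES, COMMUNITIES)[0], find_key_users(EDGES, COMMUNITIES, 2))
```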
Further, the time for computing the minimal cut set MC(G, C) of the community network graph G is obtained through an O(log2i)-time algorithm, where the algorithm comprises dividing the community network graph G, i.e. $G = G_1 \cup G_2$, then computing the smallest cut set D for each of the two subsets, and finally deleting the nodes in the cut set D from the network structure, recursively iterating over the subsets $G_1$ and $G_2$; the time complexity of computing the minimal cut set MC(G, C) is then O(22i log2i).
According to another aspect, the present invention provides a system for identifying key users based on audit data, the system comprising:
an audit event division unit, configured to sort the audit data of the Public Key Infrastructure (PKI) platform along the timeline and, with the time window set to T, take the audit data within T and divide it into i classes according to the audit events involved, forming the audit event set Q, where $Q = \{Q_1, \ldots, Q_i\}$ and i is a natural number;
a user relationship graph construction unit, configured to construct, according to the audit event classes within T, a weighted user relationship graph $C_i(VC_i, EC_i)$ among all users of the i-th class of audit events, and to establish the direction of the edges between users according to the order of execution times within each class of audit event, where $VC_i$ denotes the set of users within T, $EC_i$ denotes the edge relationships between users, and $C_i$ corresponds one-to-one with $Q_i$;
a key user identification unit, configured to set up the community network graph $G = (V, E)$, in which the i communities are $C = \{C_1, \ldots, C_i\}$ and the minimal cut set of G is , where V denotes the user nodes in the community network graph, E denotes the edge relationships between user nodes, and the set D is the edge set of minimum size that separates the different communities in the network; and, according to structural hole theory, to use a maximum-flow algorithm based on minimum cut to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction in the minimal cut set of the community network graph G is maximal; the users represented by the k structural hole nodes are then the key users of the audit data within T. The formula for finding the k structural hole nodes is:
$$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$$
Further, the user relationship graph construction unit constructing the weighted user relationship graph $C_i(VC_i, EC_i)$ among the users of the i-th class of audit events, according to the audit event classes within T, comprises:
Step 1: initialize $C_i$, making and
Step 2: take an arbitrary element $q_l$ of the audit event class $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \ldots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ n_j \to n_{j-1}\}$;
Step 4: take any element $e_{w(u \to v)}$ of the edge set E; if then add $e_{w(u \to v)}$ to $EC_i$; otherwise, increase that edge's weight by 1;
Step 5: if u, then add u, v to $VC_i$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(VC_i, EC_i)$, completing the construction of the weighted user relationship graph for event $Q_i$.
Further, the key user identification unit finding the set $V_{SH}$ of k structural hole nodes according to structural hole theory, using the maximum-flow algorithm based on minimum cut, comprises:
Step 1: initialize the flow on every edge in the network to 0;
Step 2: compute the maximum flow between every two communities, update the flow on each edge, and add the edges whose flow equals the edge weight to the edge set $E_f$;
Step 3: determine whether all pairwise comparisons between communities have finished; if so, go to step 4, otherwise go to step 1;
Step 4: extract the node set $V_f$ from the edge set $E_f$;
Step 5: traverse the node set $V_f$ and compute $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node for which the value computed in step 5 is largest and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
Further, when the key user identification unit computes the maximum flow between every two communities, a super source and a super sink are added, with the super source pointing to all sources and all sinks pointing to the super sink, and the Ford-Fulkerson algorithm is used to solve for the maximum flow between the two communities.
Further, the key user identification unit obtains the time for computing the minimal cut set MC(G, C) of the community network graph G through an O(log2i)-time algorithm, where the algorithm comprises dividing the community network graph G, i.e. $G = G_1 \cup G_2$, then computing the smallest cut set D for each of the two subsets, and finally deleting the nodes in the cut set D from the network structure, recursively iterating over the subsets $G_1$ and $G_2$; the time complexity of computing the minimal cut set MC(G, C) is then O(22i log2i).
In summary, the method and system of the invention combine the characteristics of PKI platform audit data: from the two aspects of time and behavior, the isolated users scattered across the platform are built into a weighted user relationship graph; combined with structural hole theory and starting from the perspective of information diffusion in a flow network, structural hole nodes in the relationship graph are identified with the minimal-cut-set MaxD algorithm. This achieves the purpose of identifying key users from audit data within a specific time period, and in turn effectively helps security personnel scrutinize seemingly normal activity in order to discover improper operations carried out on the platform.
Brief description of the drawings
Exemplary embodiments of the present invention can be understood more fully by reference to the following drawings:
Fig. 1 is a flowchart of the method for identifying key users based on audit data according to a specific embodiment of the invention;
Fig. 2 is a structural diagram of the system for identifying key users based on audit data according to a specific embodiment of the invention.
Specific embodiment
Exemplary embodiments of the present invention are now described with reference to the drawings. The invention can, however, be implemented in many different forms and is not limited to the embodiments described here; these embodiments are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those of ordinary skill in the art. The terms used in the exemplary embodiments illustrated in the drawings do not limit the invention. In the drawings, identical units/elements use identical reference numerals.
Unless otherwise indicated, the terms used herein (including technical and scientific terms) have the meanings commonly understood by those of ordinary skill in the art. It will further be understood that terms defined in commonly used dictionaries should be interpreted as having meanings consistent with their context in the related field, and should not be interpreted in an idealized or overly formal sense.
Fig. 1 is a flowchart of the method for identifying key users based on audit data according to a specific embodiment of the invention. As shown in Fig. 1, the method 100 for identifying key users based on audit data starts at step 101.
In step 101, the audit data of the Public Key Infrastructure (PKI) platform is sorted along the timeline; with the time window set to T, the audit data within T is taken and divided into i classes according to the audit events involved, forming the audit event set Q, where $Q = \{Q_1, \ldots, Q_i\}$ and i is a natural number;
In step 102, according to the audit event classes within T, a weighted user relationship graph $C_i(VC_i, EC_i)$ is constructed among all users of the i-th class of audit events, and the direction of the edges between users is established according to the order of execution times within each class of audit event, where $VC_i$ denotes the set of users within T, $EC_i$ denotes the edge relationships between users, and $C_i$ corresponds one-to-one with $Q_i$;
In step 103, the community network graph $G = (V, E)$ is set up, in which the i communities are $C = \{C_1, \ldots, C_i\}$ and the minimal cut set of G is , where V denotes the user nodes in the community network graph, E denotes the edge relationships between user nodes, and the set D is the edge set of minimum size that separates the different communities in the network; according to structural hole theory, a maximum-flow algorithm based on minimum cut is used to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction in the minimal cut set of the community network graph G is maximal; the k structural hole nodes are then the key users of the audit data within T. The formula for finding the k structural hole nodes is:
$$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$$
Preferably, constructing the weighted user relationship graph $C_i(VC_i, EC_i)$ among the users of the i-th class of audit events, according to the audit event classes within T, comprises:
Step 1: initialize $C_i$, making and
Step 2: take an arbitrary element $q_l$ of the audit event class $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \ldots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ n_j \to n_{j-1}\}$;
Step 4: take any element $e_{w(u \to v)}$ of the edge set E; if then add $e_{w(u \to v)}$ to $EC_i$; otherwise, increase that edge's weight by 1;
Step 5: if u, then add u, v to $VC_i$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(VC_i, EC_i)$, completing the construction of the weighted user relationship graph for event $Q_i$.
Preferably, finding the set $V_{SH}$ of k structural hole nodes according to structural hole theory, using the maximum-flow algorithm based on minimum cut, comprises:
Step 1: initialize the flow on every edge in the network to 0;
Step 2: compute the maximum flow between every two communities, update the flow on each edge, and add the edges whose flow equals the edge weight to the edge set $E_f$;
Step 3: determine whether all pairwise comparisons between communities have finished; if so, go to step 4, otherwise go to step 1;
Step 4: extract the node set $V_f$ from the edge set $E_f$;
Step 5: traverse the node set $V_f$ and compute $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node for which the value computed in step 5 is largest and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
Preferably, when computing the maximum flow between every two communities, a super source and a super sink are added, with the super source pointing to all sources and all sinks pointing to the super sink, and the Ford-Fulkerson algorithm is used to solve for the maximum flow between the two communities.
Preferably, the time for computing the minimal cut set MC(G, C) of the community network graph G is obtained through an O(log2i)-time algorithm, where the algorithm comprises dividing the community network graph G, i.e. $G = G_1 \cup G_2$, then computing the smallest cut set D for each of the two subsets, and finally deleting the nodes in the cut set D from the network structure, recursively iterating over the subsets $G_1$ and $G_2$; the time complexity of computing the minimal cut set MC(G, C) is then O(22i log2i).
Fig. 2 is a structural diagram of the system for identifying key users based on audit data according to a specific embodiment of the invention. As shown in Fig. 2, the system 200 for identifying key users based on audit data comprises:
an audit event division unit 201, configured to sort the audit data of the Public Key Infrastructure (PKI) platform along the timeline and, with the time window set to T, take the audit data within T and divide it into i classes according to the audit events involved, forming the audit event set Q, where $Q = \{Q_1, \ldots, Q_i\}$ and i is a natural number;
a user relationship graph construction unit 202, configured to construct, according to the audit event classes within T, a weighted user relationship graph $C_i(VC_i, EC_i)$ among all users of the i-th class of audit events, and to establish the direction of the edges between users according to the order of execution times within each class of audit event, where $VC_i$ denotes the set of users within T, $EC_i$ denotes the edge relationships between users, and $C_i$ corresponds one-to-one with $Q_i$;
a key user identification unit 203, configured to set up the community network graph $G = (V, E)$, in which the i communities are $C = \{C_1, \ldots, C_i\}$ and the minimal cut set of G is , where V denotes the user nodes in the community network graph, E denotes the edge relationships between user nodes, and the set D is the edge set of minimum size that separates the different communities in the network; and, according to structural hole theory, to use a maximum-flow algorithm based on minimum cut to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction in the minimal cut set of the community network graph G is maximal; the users represented by the k structural hole nodes are then the key users of the audit data within T. The formula for finding the k structural hole nodes is:
$$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$$
Preferably, the user relationship graph construction unit constructing the weighted user relationship graph $C_i(VC_i, EC_i)$ among the users of the i-th class of audit events, according to the audit event classes within T, comprises:
Step 1: initialize $C_i$, making and
Step 2: take an arbitrary element $q_l$ of the audit event class $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \ldots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ n_j \to n_{j-1}\}$;
Step 4: take any element $e_{w(u \to v)}$ of the edge set E; if then add $e_{w(u \to v)}$ to $EC_i$; otherwise, increase that edge's weight by 1;
Step 5: if u, then add u, v to $VC_i$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(VC_i, EC_i)$, completing the construction of the weighted user relationship graph for event $Q_i$.
Preferably, the key user identification unit finding the set $V_{SH}$ of k structural hole nodes according to structural hole theory, using the maximum-flow algorithm based on minimum cut, comprises:
Step 1: initialize the flow on every edge in the network to 0;
Step 2: compute the maximum flow between every two communities, update the flow on each edge, and add the edges whose flow equals the edge weight to the edge set $E_f$;
Step 3: determine whether all pairwise comparisons between communities have finished; if so, go to step 4, otherwise go to step 1;
Step 4: extract the node set $V_f$ from the edge set $E_f$;
Step 5: traverse the node set $V_f$ and compute $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node for which the value computed in step 5 is largest and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
Preferably, when the key user identification unit computes the maximum flow between every two communities, a super source and a super sink are added, with the super source pointing to all sources and all sinks pointing to the super sink, and the Ford-Fulkerson algorithm is used to solve for the maximum flow between the two communities.
Preferably, the key user identification unit obtains the time for computing the minimal cut set MC(G, C) of the community network graph G through an O(log2i)-time algorithm, where the algorithm comprises dividing the community network graph G, i.e. $G = G_1 \cup G_2$, then computing the smallest cut set D for each of the two subsets, and finally deleting the nodes in the cut set D from the network structure, recursively iterating over the subsets $G_1$ and $G_2$; the time complexity of computing the minimal cut set MC(G, C) is then O(22i log2i).
In general, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/the [device, component, etc.]" are to be interpreted openly as referring to at least one instance of said device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein need not be run in the exact order disclosed, unless explicitly stated.
Claims (10)
1. A method for identifying key users based on audit data, characterized in that the method comprises:
Step 1: sort the audit data of the Public Key Infrastructure (PKI) platform along the timeline; with the time window set to T, take the audit data within T and divide it into i classes according to the audit events involved, forming the audit event set Q, where $Q = \{Q_1, \ldots, Q_i\}$ and i is a natural number;
Step 2: according to the audit event classes within T, construct a weighted user relationship graph $C_i(VC_i, EC_i)$ among all users of the i-th class of audit events, and establish the direction of the edges between users according to the order of execution times within each class of audit event, where $VC_i$ denotes the set of users within T, $EC_i$ denotes the edge relationships between users, and $C_i$ corresponds one-to-one with $Q_i$;
Step 3: set up the community network graph $G = (V, E)$, in which the i communities are $C = \{C_1, \ldots, C_i\}$ and the minimal cut set of G is , where V denotes the user nodes in the community network graph, E denotes the edge relationships between user nodes, and the set D is the edge set of minimum size that separates the different communities in the network; according to structural hole theory, use a maximum-flow algorithm based on minimum cut to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction in the minimal cut set of the community network graph G is maximal; the k structural hole nodes are then the key users of the audit data within T. The formula for finding the k structural hole nodes is:
$$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$$
2. The method according to claim 1, characterized in that constructing the weighted user relationship graph $C_i(VC_i, EC_i)$ among the users of the i-th class of audit events, according to the audit event classes within T, comprises:
Step 1: initialize $C_i$, making and
Step 2: take an arbitrary element $q_l$ of the audit event class $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \ldots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ n_j \to n_{j-1}\}$;
Step 4: take any element $e_{w(u \to v)}$ of the edge set E; if then add $e_{w(u \to v)}$ to $EC_i$; otherwise, increase that edge's weight by 1;
Step 5: if u, then add u, v to $VC_i$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(VC_i, EC_i)$, completing the construction of the weighted user relationship graph for event $Q_i$.
3. The method according to claim 2, characterized in that finding the set $V_{SH}$ of k structural hole nodes according to structural hole theory, using the maximum-flow algorithm based on minimum cut, comprises:
Step 1: initialize the flow on every edge in the network to 0;
Step 2: compute the maximum flow between every two communities, update the flow on each edge, and add the edges whose flow equals the edge weight to the edge set $E_f$;
Step 3: determine whether all pairwise comparisons between communities have finished; if so, go to step 4, otherwise go to step 1;
Step 4: extract the node set $V_f$ from the edge set $E_f$;
Step 5: traverse the node set $V_f$ and compute $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node for which the value computed in step 5 is largest and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
4. The method according to claim 3, wherein, when the max-flow between every two communities is computed, a super source and a super sink are added, the super source pointing to all sources and all sinks pointing to the super sink, and the max-flow between the two communities is solved with the Ford-Fulkerson algorithm.
5. The method according to claim 3, wherein the time for finding the minimal cut set $MC(G, C)$ of the network community graph $G$ is obtained by an O(log2I)-time algorithm, wherein the algorithm comprises partitioning the network community graph $G$, i.e. $G = G_1 \cup G_2$, then computing the smallest cut set $D$ for each of the two subsets, and finally deleting the nodes in cut set $D$ from the network structure and recursively iterating over the subsets $G_1$ and $G_2$; the time complexity of computing the minimal cut set $MC(G, C)$ is then O(22ilog2i).
6. A system for identifying key users based on audit data, characterized in that the system comprises:
an audit event division unit, configured to sort the audit data of a Public Key Infrastructure (PKI) platform along the timeline, with the time window set to $T$, take the audit data within the range $T$, and divide the audit data within the range $T$ into $i$ classes according to the audit events involved, forming the audit event set $Q$, where $Q = \{Q_1, \ldots, Q_i\}$ and $i$ is a natural number;
a user relationship graph construction unit, configured to build, according to the classification of audit events within the range $T$, a weighted user relationship graph $C_i(VC_i, EC_i)$ among all users of the $i$-th class of audit events, and to establish the direction of the edge relations between users according to the order in which each class of audit events was executed in time, where $VC_i$ denotes the set of users within the range $T$, $EC_i$ denotes the edge relations between users, , and $C_i$ corresponds to $Q_i$;
a key user recognition unit, configured to set a community network graph $G = (V, E)$, the $i$ communities in $G$ being $C = \{C_1, \ldots, C_i\}$ and the minimal cut set of $G$ being , where $V$ denotes the user nodes in the community network graph, $E$ denotes the edge relations between user nodes, and the set $D$ is the edge set with the minimum number of edges that separates the different communities in the network; and, according to structural hole theory, to find the set $V_{SH}$ of $k$ structural hole nodes using the maximum-flow algorithm based on minimal cut, such that after the $k$ nodes are deleted the reduction in the minimal cut set of the community network graph $G$ is maximal, the users represented by the $k$ structural hole nodes then being the key users of the audit data within the range $T$. The formula for finding the $k$ structural hole nodes is:
$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$
7. The system according to claim 6, characterized in that the user relationship graph construction unit building, according to the classification of audit events within the range $T$, the weighted user relationship graph $C_i(VC_i, EC_i)$ between the users of the $i$-th class of audit events comprises:
Step 1: initialize $C_i$, making and ;
Step 2: take an arbitrary element $q_l$ of audit event $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operating time to obtain the user set $N_l = \{n_1, n_2, \ldots, n_m\}$;
Step 3: extract from $N_l$ the edge set
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ \text{and } n_j \to n_{j-1}\}$;
Step 4: take any element $e_w(u \to v)$ of the edge set $E$; if then add $e_w(u \to v)$ to $EC_i$; otherwise, add 1 to the weight of that edge;
Step 5: if $u$, then add $u$, $v$ to $VC_i$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(VC_i, EC_i)$, completing construction of the weighted user relationship graph for event $Q_i$.
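The seven construction steps of claim 7 (the same steps as method claim 2), written out as an added Python example that is not code from the patent. The row layout, the function name, the empty initial sets, the initial edge weight of 1 and the skipping of self-loops are assumptions; the sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample rows from a PKI audit log: (event_class, event_id, user, timestamp).
AUDIT_ROWS = [
    ("cert_issue", "i1", "bob", 20), ("cert_issue", "i1", "alice", 10),
    ("cert_issue", "i1", "carol", 30),
    ("cert_issue", "i2", "alice", 40), ("cert_issue", "i2", "bob", 50),
    ("key_recovery", "r1", "carol", 15), ("key_recovery", "r1", "dave", 25),
]

def build_relation_graphs(rows, t_start, t_end):
    """Return {event_class: (VC_i, EC_i)}, EC_i = {(u, v): weight}, for rows inside the window T."""
    by_event = defaultdict(list)                      # q_l -> [(timestamp, user)]
    for cls, event_id, user, ts in rows:
        if t_start <= ts <= t_end:                    # keep only audit data in the range T
            by_event[(cls, event_id)].append((ts, user))
    graphs = {}
    for (cls, _), ops in by_event.items():
        vc, ec = graphs.setdefault(cls, (set(), {}))  # step 1 (assumed: both sets start empty)
        n_l = [user for _, user in sorted(ops)]       # step 2: users in operating-time order
        for j in range(1, len(n_l)):                  # step 3: edges (n_j, n_(j-1))
            u, v = n_l[j], n_l[j - 1]
            if u == v:                                # assumption: a user following themselves adds no edge
                continue
            ec[(u, v)] = ec.get((u, v), 0) + 1        # step 4: new edge (assumed weight 1), else +1
            vc.update((u, v))                         # step 5: add endpoints not yet in VC_i
    return graphs                                     # step 7: one C_i(VC_i, EC_i) per class
```

Narrowing the window changes the weights: with `t_end=35` the second `cert_issue` event falls outside T and the `bob -> alice` edge keeps weight 1.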
8. The system according to claim 7, characterized in that the key user recognition unit finding, according to structural hole theory, the set $V_{SH}$ of $k$ structural hole nodes using the maximum-flow algorithm based on minimal cut comprises:
Step 1: initialize the flow on every edge in the network to 0;
Step 2: compute the max-flow between every two communities, update the flow on each edge, and add every edge whose flow equals its edge weight to the edge set $E_f$;
Step 3: determine whether all pairwise community comparisons have finished; if so, go to step 4, otherwise go to step 1;
Step 4: extract the point set $V_f$ from the edge set $E_f$;
Step 5: traverse the point set $V_f$ and compute $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node for which the value computed in step 5 is largest and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
9. The system according to claim 8, characterized in that, when the key user recognition unit computes the max-flow between every two communities, a super source and a super sink are added, the super source pointing to all sources and all sinks pointing to the super sink, and the max-flow between the two communities is solved with the Ford-Fulkerson algorithm.
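The selection loop of claims 8 and 9 (and of method claims 3 and 4) as an added Python example, not code from the patent: Ford-Fulkerson max-flow between two communities through a super source and super sink, then greedy removal of the node that lowers the total most. Assumptions: MC(G, C) is read as the summed max-flow over ordered community pairs, users belonging to both communities are left out of the source and sink sets, every node is a candidate rather than only $V_f$, the loop stops once $k$ nodes are chosen, and the graph is constructed sample data.

```python
from collections import defaultdict
from itertools import permutations

# Constructed graph G as {(u, v): weight}; carol belongs to both communities.
EDGES = {("dave", "carol"): 1, ("erin", "carol"): 1, ("erin", "dave"): 1,
         ("carol", "alice"): 1, ("carol", "bob"): 1, ("bob", "alice"): 1}
COMMUNITIES = [frozenset({"alice", "bob", "carol"}), frozenset({"carol", "dave", "erin"})]

def max_flow(edges, sources, sinks, removed=frozenset()):
    """Ford-Fulkerson (DFS augmenting paths) from a super source to a super sink."""
    res = defaultdict(lambda: defaultdict(int))       # residual capacities
    for (u, v), w in edges.items():
        if u not in removed and v not in removed:
            res[u][v] += w
    for s in sources - removed:
        res["_S"][s] = float("inf")                   # super source -> every source
    for t in sinks - removed:
        res[t]["_T"] = float("inf")                   # every sink -> super sink
    def push(u, limit, seen):
        if u == "_T":
            return limit
        seen.add(u)
        for v, c in list(res[u].items()):
            if c > 0 and v not in seen:
                got = push(v, min(limit, c), seen)
                if got:
                    res[u][v] -= got                  # use forward capacity
                    res[v][u] += got                  # open the residual back edge
                    return got
        return 0
    flow = 0
    while (got := push("_S", float("inf"), set())):
        flow += got
    return flow

def mc(edges, communities, removed=frozenset()):
    """Assumed reading of MC(G, C): total max-flow over all ordered community pairs."""
    return sum(max_flow(edges, a - b, b - a, removed) for a, b in permutations(communities, 2))

def structural_holes(edges, communities, k):
    nodes, chosen = sorted({n for e in edges for n in e}), []
    while len(chosen) < k:
        base = mc(edges, communities, frozenset(chosen))
        gain = {p: base - mc(edges, communities, frozenset(chosen + [p]))
                for p in nodes if p not in chosen}    # step 5: cut reduction per candidate p
        chosen.append(max(gain, key=gain.get))        # step 6: keep the largest reduction
    return chosen
```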
10. The system according to claim 8, characterized in that the key user recognition unit obtains the time for finding the minimal cut set $MC(G, C)$ of the network community graph $G$ by an O(log2I)-time algorithm, wherein the algorithm comprises partitioning the network community graph $G$, i.e. $G = G_1 \cup G_2$, then computing the smallest cut set $D$ for each of the two subsets, and finally deleting the nodes in cut set $D$ from the network structure and recursively iterating over the subsets $G_1$ and $G_2$; the time complexity of computing the minimal cut set $MC(G, C)$ is then O(22ilog2i).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711449191.XA CN109977272A (en) | 2017-12-27 | 2017-12-27 | A kind of method and system based on Audit data identification key user |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109977272A true CN109977272A (en) | 2019-07-05 |
Family
ID=67071291
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711449191.XA Pending CN109977272A (en) | 2017-12-27 | 2017-12-27 | A kind of method and system based on Audit data identification key user |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109977272A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111934938A (en) * | 2020-09-14 | 2020-11-13 | 中国人民解放军国防科技大学 | Flow network key node identification method and device based on multi-attribute information fusion |
CN111988178A (en) * | 2020-08-21 | 2020-11-24 | 南通大学 | Method for identifying important nodes of complex network with fusion node multi-attribute |
CN113298157A (en) * | 2021-05-28 | 2021-08-24 | 上海商汤智能科技有限公司 | Focus matching method and device, electronic equipment and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103503367A (en) * | 2011-04-28 | 2014-01-08 | 高通股份有限公司 | Social network based PKI authentication |
US20140067873A1 (en) * | 2012-06-26 | 2014-03-06 | International Business Machines Corporation | Efficient egonet computation in a weighted directed graph |
CN106330533A (en) * | 2016-01-21 | 2017-01-11 | 华南师范大学 | Real-time topology establishment method of large-scale network alarms |
Non-Patent Citations (1)
Title |
---|
孙永利: "面向中文微博的社区发现和结构洞挖掘的研究", 《中国优秀硕士学位论文全文数据库信息科技辑》 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190705 |