CN109977272A - Method and system for identifying key users based on audit data - Google Patents

Info

Publication number
CN109977272A
Authority
CN
China
Prior art keywords
user
audit
node
range
event
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711449191.XA
Other languages
Chinese (zh)
Inventor
孟媛媛
耿方
杜悦琨
梁宵
张梦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Aisino Corp
Original Assignee
Aisino Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Aisino Corp
Priority to CN201711449191.XA
Publication of CN109977272A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/01 Social networking

Abstract

The present invention provides a method and system for identifying key users based on audit data. The method comprises: sorting the audit data of a Public Key Infrastructure (PKI) platform along the timeline and, given a time window T, taking the audit data within T and dividing it into i classes according to the audit events involved, forming the audit event set Q; step 2: according to the audit event classes within T, building a weighted user relation graph among all users of the i-th class of audit events, and setting the direction of each edge between users according to the order of execution times within each class of audit events; step 3: defining the community network graph and, according to structural hole theory, using a maximum-flow algorithm based on the minimum cut to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction of the minimum cut set of the community network graph G is maximal; the k structural hole nodes are then the key users of the audit data within T.

Description

Method and system for identifying key users based on audit data
Technical field
The present invention relates to the field of audit data analysis, and more particularly to a method and system for identifying key users based on audit data.
Background
Public Key Infrastructure (PKI) is a set of technologies and specifications that uses public-key cryptography to provide a security foundation platform for the development of e-commerce. Building a PKI platform mainly involves building multiple systems, such as the certification authority, the registration authority, the digital certificate repository, the key backup and recovery system, and the certificate revocation system. To implement an integrated security management mechanism across these systems, all security-related historical operation events are usually recorded uniformly as audit records. An audit record generally includes elements such as the time of the audit event, the user, the type, and whether the operation succeeded, and this audit data usually concerns operations on keys and certificates. Audit data can give security personnel enough information to accurately locate existing security vulnerabilities and to track potential security risks. An active PKI platform produces a large amount of audit data every day, but at present this data often serves only as a log: it undergoes little preprocessing, is displayed only in list form, and lacks effective analysis and in-depth mining, so that many sensitive regularities and characteristic data in the platform's operation are missed. An intelligent, automated method for analysing security audit data is therefore highly desirable.
At present, the methods used to analyse audit data all have certain shortcomings. Expert systems depend too heavily on a manually built knowledge base, and the accuracy of their pattern matching depends on a predefined system feature library. The "threshold" in mathematical statistics often depends on the administrator's experience, which inevitably causes false positives and false negatives. Immune systems are effective in theory, but their detection rate and accuracy are insufficient in practice. Data mining, as a general knowledge discovery technique, can extract the information of interest from massive data, which matches the needs of audit data analysis, but proposing a suitable mining algorithm for a specific application scenario is difficult.
Summary of the invention
To solve the technical problems of existing audit data analysis methods described in the background, namely that they rely too heavily on a manually built knowledge base, that audit information is prone to false positives and false negatives, and that the detection rate and accuracy for audit data are insufficient, the present invention provides a method for identifying key users based on audit data, the method comprising:
Step 1: sort the audit data of the Public Key Infrastructure (PKI) platform along the timeline; given a time window T, take the audit data within T and divide it into i classes according to the audit events involved, forming the audit event set $Q = \{Q_1, \dots, Q_i\}$, where i is a natural number;
Step 2: according to the audit event classes within T, build a weighted user relation graph $C_i(V_{C_i}, E_{C_i})$ among all users of the i-th class of audit events, and set the direction of each edge between users according to the order of execution times within each class of audit events, where $V_{C_i}$ denotes the set of users within T, $E_{C_i}$ denotes the edge relations between users, […], and $C_i$ corresponds one-to-one with $Q_i$;
Step 3: define the community network graph $G = (V, E)$, whose i communities are $C = \{C_1, \dots, C_i\}$ and whose minimum cut set is […], where V denotes the user nodes of the community network graph, E denotes the edge relations between user nodes, and the set D is the smallest set of edges that separates the different communities in the network; according to structural hole theory, use a maximum-flow algorithm based on the minimum cut to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction of the minimum cut set of the community network graph G is maximal; the k structural hole nodes are then the key users of the audit data within T. The structural hole nodes are computed by:
$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$
Structural hole theory, as used in this method, states that in a social relation network, if user individuals have no direct relation with each other or belong to different community networks, the connection between those individuals forms a structural hole. A structural hole is the "vacant space" between two sets of nodes in the network that are not closely connected, and the node representing a user individual that constitutes the structural hole is a structural hole node. In terms of information exchange, a structural hole node can obtain information from multiple non-overlapping parts of the network earlier than other nodes; a structural hole node located between community networks that do not interact can therefore not only obtain the information of all users in those communities but also has the opportunity to integrate information from different users. Structural hole nodes in the network control the transmission of information, the accumulation of wealth and the interaction between different fields. A user individual in the network can establish connections with more structural hole nodes and then, across the structural holes, exchange information with more individuals from different fields, so that the individual joins the propagation of information flow in the network. Structural hole nodes thus become the intermediaries of information flow in the network and occupy a dominant position in the community network. For audit data, building the community network according to structural hole theory and identifying its structural hole nodes is equivalent to identifying the key users who can exchange information with the users of each community, which allows better data mining.
Further, building the weighted user relation graph $C_i(V_{C_i}, E_{C_i})$ among the users of the i-th class of audit events, according to the audit event classes within T, comprises:
Step 1: initialize $C_i$ such that […] and […];
Step 2: take any element $q_l$ of the audit event class $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \dots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ n_j \to n_{j-1}\}$;
Step 4: take any element $e_{w(u \to v)}$ of the edge set E; if […], add $e_{w(u \to v)}$ to $E_{C_i}$; otherwise, add 1 to the weight of that edge;
Step 5: if u, […], add u and v to $V_{C_i}$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(V_{C_i}, E_{C_i})$, completing the construction of the weighted user relation graph for event class $Q_i$.
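One way to implement steps 1 to 7 above, as an added Python example that is not code from the patent. It assumes each audit record carries a hypothetical `obj` field (for instance a certificate serial number) identifying the element $q_l$, that a new edge starts with weight 1, and that consecutive operations by the same user add no edge; the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: (time, user, event type, obj).
# "obj" is a hypothetical field naming the element q_l the record belongs to.
SAMPLE_RECORDS = [
    ("2017-12-27T09:00:00", "alice", "cert_issue", "SN01"),
    ("2017-12-27T09:05:00", "bob", "cert_issue", "SN01"),
    ("2017-12-27T09:10:00", "carol", "cert_issue", "SN01"),
    ("2017-12-27T09:20:00", "alice", "cert_issue", "SN02"),
    ("2017-12-27T09:25:00", "bob", "cert_issue", "SN02"),
    ("2017-12-27T09:30:00", "dave", "key_recover", "K7"),
    ("2017-12-27T09:40:00", "erin", "key_recover", "K7"),
    ("2017-12-28T10:00:00", "mallory", "cert_issue", "SN01"),  # outside T
]


def build_relation_graphs(records, start, window):
    """Return {event class: (V_Ci, E_Ci)} for the records in [start, start + window).

    E_Ci maps a directed edge (u, v) to its weight.
    """
    end = start + window
    parsed = [(datetime.fromisoformat(t), user, etype, obj)
              for t, user, etype, obj in records]
    in_window = sorted(r for r in parsed if start <= r[0] < end)  # timeline order

    # Q_i -> q_l -> users N_l in operation-time order
    classes = defaultdict(lambda: defaultdict(list))
    for _, user, etype, obj in in_window:
        classes[etype][obj].append(user)

    graphs = {}
    for etype, elements in classes.items():
        nodes, edges = set(), {}                  # step 1: empty V_Ci and E_Ci
        for users in elements.values():           # step 2: N_l for each q_l
            for earlier, later in zip(users, users[1:]):  # step 3: consecutive users
                if earlier == later:
                    continue                      # assumption: no self-loops
                edge = (later, earlier)           # direction n_j -> n_{j-1}
                edges[edge] = edges.get(edge, 0) + 1  # step 4: new edge or weight + 1
                nodes.update(edge)                # step 5: add users not yet in V_Ci
        graphs[etype] = (nodes, edges)            # step 7: output C_i
    return graphs
```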
Further, finding the set $V_{SH}$ of k structural hole nodes, according to structural hole theory and using the maximum-flow algorithm based on the minimum cut, comprises:
Step 1: initialize the flow on every edge of the network to 0;
Step 2: compute the maximum flow between every two communities, update the flow on each edge, and add each edge whose flow equals its edge weight to the edge set $E_f$;
Step 3: check whether all pairs of communities have been compared; if so, go to step 4; otherwise, go to step 1;
Step 4: extract the node set $V_f$ from the edge set $E_f$;
Step 5: traverse the node set $V_f$ and compute $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node that gives the largest value in step 5 and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
Further, when computing the maximum flow between every two communities, a super source and a super sink are added: the super source points to all source nodes, all sink nodes point to the super sink, and the Ford-Fulkerson algorithm is used to solve for the maximum flow between the two communities.
Further, the time needed to find the minimum cut set MC(G, C) of the network community graph G is obtained by an algorithm of O(log2i) time, wherein the algorithm partitions the network community graph G, i.e. $G = G_1 \cup G_2$, then computes the smallest cut set D for each of the two subsets, and finally deletes the nodes in cut set D from the network structure, recursively iterating over the subsets $G_1$ and $G_2$; the time complexity of computing the minimum cut set MC(G, C) is then O(22i log2i).
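The greedy selection in steps 1 to 7 and the super source/super sink construction above, as an added Python example that is not code from the patent. It assumes that MC(G, C) is taken as the sum of the pairwise maximum flows between communities, that communities are disjoint sets of users, that edge weights act as capacities in both directions, and that the loop stops once $|V_{SH}| = k$; the graph and the user names are constructed.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample: three communities joined only through two bridging users.
EDGES = {
    ("a1", "a2"): 5, ("a2", "a3"): 5, ("b1", "b2"): 5, ("b2", "b3"): 5, ("c1", "c2"): 5,
    ("a1", "ra_admin"): 2, ("ra_admin", "b1"): 2, ("ra_admin", "c1"): 2,
    ("a2", "auditor"): 1, ("a3", "auditor"): 1, ("auditor", "b2"): 1, ("auditor", "b3"): 1,
}
COMMUNITIES = [{"a1", "a2", "a3"}, {"b1", "b2", "b3"}, {"c1", "c2"}]


def max_flow(edges, sources, sinks):
    """Ford-Fulkerson with BFS augmenting paths, from super source "_S" to super sink "_T".

    Returns (flow value, endpoints of the edges whose flow equals their weight).
    """
    res = defaultdict(lambda: defaultdict(int))   # residual capacities
    for (u, v), w in edges.items():
        res[u][v] += w                            # assumption: capacity in both directions
        res[v][u] += w
    for s in sources:
        res["_S"][s] = float("inf")               # super source points to all sources
    for t in sinks:
        res[t]["_T"] = float("inf")               # all sinks point to the super sink
    total = 0
    while True:
        parent, queue = {"_S": None}, deque(["_S"])
        while queue and "_T" not in parent:
            u = queue.popleft()
            for v, cap in list(res[u].items()):
                if cap > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if "_T" not in parent:
            break                                 # no augmenting path left
        path, v = [], "_T"
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= push
            res[v][u] += push
        total += push
    saturated = {n for (u, v) in edges
                 if res[u][v] == 0 or res[v][u] == 0 for n in (u, v)}
    return total, saturated


def multi_cut(edges, communities):
    """MC(G, C) as the sum of pairwise max flows, plus the candidate node set V_f."""
    total, v_f = 0, set()
    for a, b in combinations(communities, 2):     # steps 2-3: every pair of communities
        flow, sat = max_flow(edges, a, b)
        total += flow
        v_f |= sat                                # step 4: nodes on saturated edges
    return total, v_f


def remove_nodes(edges, communities, gone):
    """G \\ gone: drop the nodes in `gone` from the edges and from every community."""
    kept = {e: w for e, w in edges.items() if not gone & set(e)}
    return kept, [c - gone for c in communities]


def key_users(edges, communities, k):
    """Greedily pick k structural hole nodes that maximise the drop in MC(G, C)."""
    v_sh = []
    while len(v_sh) < k:
        cur_edges, cur_comms = remove_nodes(edges, communities, set(v_sh))
        base, candidates = multi_cut(cur_edges, cur_comms)
        best, best_gain = None, 0
        for p in sorted(candidates):              # step 5: try each candidate p
            e2, c2 = remove_nodes(cur_edges, cur_comms, {p})
            gain = base - multi_cut(e2, c2)[0]
            if gain > best_gain:
                best, best_gain = p, gain
        if best is None:
            break                                 # no candidate lowers the cut any further
        v_sh.append(best)                         # step 6
    return v_sh
```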
According to another aspect, the present invention provides a system for identifying key users based on audit data, the system comprising:
An audit event division unit, configured to sort the audit data of the Public Key Infrastructure (PKI) platform along the timeline and, given a time window T, take the audit data within T and divide it into i classes according to the audit events involved, forming the audit event set $Q = \{Q_1, \dots, Q_i\}$, where i is a natural number;
A user relation graph construction unit, configured to build, according to the audit event classes within T, a weighted user relation graph $C_i(V_{C_i}, E_{C_i})$ among all users of the i-th class of audit events, and to set the direction of each edge between users according to the order of execution times within each class of audit events, where $V_{C_i}$ denotes the set of users within T, $E_{C_i}$ denotes the edge relations between users, […], and $C_i$ corresponds one-to-one with $Q_i$;
A key user identification unit, configured to define the community network graph $G = (V, E)$, whose i communities are $C = \{C_1, \dots, C_i\}$ and whose minimum cut set is […], where V denotes the user nodes of the community network graph, E denotes the edge relations between user nodes, and the set D is the smallest set of edges that separates the different communities in the network, and, according to structural hole theory, to use a maximum-flow algorithm based on the minimum cut to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction of the minimum cut set of the community network graph G is maximal; the users represented by the k structural hole nodes are then the key users of the audit data within T. The structural hole nodes are computed by:
$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$
Further, the building by the user relation graph construction unit of the weighted user relation graph $C_i(V_{C_i}, E_{C_i})$ among the users of the i-th class of audit events, according to the audit event classes within T, comprises:
Step 1: initialize $C_i$ such that […] and […];
Step 2: take any element $q_l$ of the audit event class $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \dots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ n_j \to n_{j-1}\}$;
Step 4: take any element $e_{w(u \to v)}$ of the edge set E; if […], add $e_{w(u \to v)}$ to $E_{C_i}$; otherwise, add 1 to the weight of that edge;
Step 5: if u, […], add u and v to $V_{C_i}$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(V_{C_i}, E_{C_i})$, completing the construction of the weighted user relation graph for event class $Q_i$.
Further, the finding by the key user identification unit of the set $V_{SH}$ of k structural hole nodes, according to structural hole theory and using the maximum-flow algorithm based on the minimum cut, comprises:
Step 1: initialize the flow on every edge of the network to 0;
Step 2: compute the maximum flow between every two communities, update the flow on each edge, and add each edge whose flow equals its edge weight to the edge set $E_f$;
Step 3: check whether all pairs of communities have been compared; if so, go to step 4; otherwise, go to step 1;
Step 4: extract the node set $V_f$ from the edge set $E_f$;
Step 5: traverse the node set $V_f$ and compute $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node that gives the largest value in step 5 and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
Further, when the key user identification unit computes the maximum flow between every two communities, a super source and a super sink are added: the super source points to all source nodes, all sink nodes point to the super sink, and the Ford-Fulkerson algorithm is used to solve for the maximum flow between the two communities.
Further, the key user identification unit obtains the time needed to find the minimum cut set MC(G, C) of the network community graph G by an algorithm of O(log2i) time, wherein the algorithm partitions the network community graph G, i.e. $G = G_1 \cup G_2$, then computes the smallest cut set D for each of the two subsets, and finally deletes the nodes in cut set D from the network structure, recursively iterating over the subsets $G_1$ and $G_2$; the time complexity of computing the minimum cut set MC(G, C) is then O(22i log2i).
In summary, the method and system of the invention combine the characteristics of PKI platform audit data, build the isolated users scattered across the platform into weighted user relation graphs from the two aspects of time and behaviour, and, in combination with structural hole theory and from the perspective of information diffusion in a flow network, identify the structural hole nodes of the relation graph using the minimum-cut-based MaxD algorithm. This achieves the purpose of identifying key users from audit data within a specific time period, and in turn effectively helps security personnel discern seemingly normal activity and thereby discover improper operations carried out on the platform.
Brief description of the drawings
Exemplary embodiments of the present invention can be understood more fully by reference to the following drawings:
Fig. 1 is a flowchart of the method for identifying key users based on audit data according to an embodiment of the invention;
Fig. 2 is a structural diagram of the system for identifying key users based on audit data according to an embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the present invention are now described with reference to the drawings. The invention may, however, be embodied in many different forms and is not limited to the embodiments described herein; these embodiments are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those of ordinary skill in the art. The terminology used in the exemplary embodiments illustrated in the drawings does not limit the invention. In the drawings, identical units/elements are denoted by identical reference numerals.
Unless otherwise stated, the terms used herein (including technical and scientific terms) have the meanings commonly understood by those of ordinary skill in the art. It should further be understood that terms defined in commonly used dictionaries are to be understood as having meanings consistent with their context in the relevant field, and are not to be interpreted in an idealized or overly formal sense.
Fig. 1 is a flowchart of the method for identifying key users based on audit data according to an embodiment of the invention. As shown in Fig. 1, the method 100 for identifying key users based on audit data starts at step 101.
In step 101, the audit data of the Public Key Infrastructure (PKI) platform is sorted along the timeline; given a time window T, the audit data within T is taken and divided into i classes according to the audit events involved, forming the audit event set $Q = \{Q_1, \dots, Q_i\}$, where i is a natural number;
In step 102, according to the audit event classes within T, a weighted user relation graph $C_i(V_{C_i}, E_{C_i})$ is built among all users of the i-th class of audit events, and the direction of each edge between users is set according to the order of execution times within each class of audit events, where $V_{C_i}$ denotes the set of users within T, $E_{C_i}$ denotes the edge relations between users, […], and $C_i$ corresponds one-to-one with $Q_i$;
In step 103, the community network graph $G = (V, E)$ is defined, whose i communities are $C = \{C_1, \dots, C_i\}$ and whose minimum cut set is […], where V denotes the user nodes of the community network graph, E denotes the edge relations between user nodes, and the set D is the smallest set of edges that separates the different communities in the network; according to structural hole theory, a maximum-flow algorithm based on the minimum cut is used to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction of the minimum cut set of the community network graph G is maximal; the k structural hole nodes are then the key users of the audit data within T. The structural hole nodes are computed by:
$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$
Preferably, building the weighted user relation graph $C_i(V_{C_i}, E_{C_i})$ among the users of the i-th class of audit events, according to the audit event classes within T, comprises:
Step 1: initialize $C_i$ such that […] and […];
Step 2: take any element $q_l$ of the audit event class $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \dots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ n_j \to n_{j-1}\}$;
Step 4: take any element $e_{w(u \to v)}$ of the edge set E; if […], add $e_{w(u \to v)}$ to $E_{C_i}$; otherwise, add 1 to the weight of that edge;
Step 5: if u, […], add u and v to $V_{C_i}$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(V_{C_i}, E_{C_i})$, completing the construction of the weighted user relation graph for event class $Q_i$.
Preferably, finding the set $V_{SH}$ of k structural hole nodes, according to structural hole theory and using the maximum-flow algorithm based on the minimum cut, comprises:
Step 1: initialize the flow on every edge of the network to 0;
Step 2: compute the maximum flow between every two communities, update the flow on each edge, and add each edge whose flow equals its edge weight to the edge set $E_f$;
Step 3: check whether all pairs of communities have been compared; if so, go to step 4; otherwise, go to step 1;
Step 4: extract the node set $V_f$ from the edge set $E_f$;
Step 5: traverse the node set $V_f$ and compute $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node that gives the largest value in step 5 and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
Preferably, when computing the maximum flow between every two communities, a super source and a super sink are added: the super source points to all source nodes, all sink nodes point to the super sink, and the Ford-Fulkerson algorithm is used to solve for the maximum flow between the two communities.
Preferably, the time needed to find the minimum cut set MC(G, C) of the network community graph G is obtained by an algorithm of O(log2i) time, wherein the algorithm partitions the network community graph G, i.e. $G = G_1 \cup G_2$, then computes the smallest cut set D for each of the two subsets, and finally deletes the nodes in cut set D from the network structure, recursively iterating over the subsets $G_1$ and $G_2$; the time complexity of computing the minimum cut set MC(G, C) is then O(22i log2i).
Fig. 2 is a structural diagram of the system for identifying key users based on audit data according to an embodiment of the invention. As shown in Fig. 2, the system 200 for identifying key users based on audit data comprises:
An audit event division unit 201, configured to sort the audit data of the Public Key Infrastructure (PKI) platform along the timeline and, given a time window T, take the audit data within T and divide it into i classes according to the audit events involved, forming the audit event set $Q = \{Q_1, \dots, Q_i\}$, where i is a natural number;
A user relation graph construction unit 202, configured to build, according to the audit event classes within T, a weighted user relation graph $C_i(V_{C_i}, E_{C_i})$ among all users of the i-th class of audit events, and to set the direction of each edge between users according to the order of execution times within each class of audit events, where $V_{C_i}$ denotes the set of users within T, $E_{C_i}$ denotes the edge relations between users, […], and $C_i$ corresponds one-to-one with $Q_i$;
A key user identification unit 203, configured to define the community network graph $G = (V, E)$, whose i communities are $C = \{C_1, \dots, C_i\}$ and whose minimum cut set is […], where V denotes the user nodes of the community network graph, E denotes the edge relations between user nodes, and the set D is the smallest set of edges that separates the different communities in the network, and, according to structural hole theory, to use a maximum-flow algorithm based on the minimum cut to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction of the minimum cut set of the community network graph G is maximal; the users represented by the k structural hole nodes are then the key users of the audit data within T. The structural hole nodes are computed by:
$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$
Preferably, the building by the user relation graph construction unit of the weighted user relation graph $C_i(V_{C_i}, E_{C_i})$ among the users of the i-th class of audit events, according to the audit event classes within T, comprises:
Step 1: initialize $C_i$ such that […] and […];
Step 2: take any element $q_l$ of the audit event class $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \dots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ n_j \to n_{j-1}\}$;
Step 4: take any element $e_{w(u \to v)}$ of the edge set E; if […], add $e_{w(u \to v)}$ to $E_{C_i}$; otherwise, add 1 to the weight of that edge;
Step 5: if u, […], add u and v to $V_{C_i}$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(V_{C_i}, E_{C_i})$, completing the construction of the weighted user relation graph for event class $Q_i$.
Preferably, the finding by the key user identification unit of the set $V_{SH}$ of k structural hole nodes, according to structural hole theory and using the maximum-flow algorithm based on the minimum cut, comprises:
Step 1: initialize the flow on every edge of the network to 0;
Step 2: compute the maximum flow between every two communities, update the flow on each edge, and add each edge whose flow equals its edge weight to the edge set $E_f$;
Step 3: check whether all pairs of communities have been compared; if so, go to step 4; otherwise, go to step 1;
Step 4: extract the node set $V_f$ from the edge set $E_f$;
Step 5: traverse the node set $V_f$ and compute $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node that gives the largest value in step 5 and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
Preferably, when the key user identification unit computes the maximum flow between every two communities, a super source and a super sink are added: the super source points to all source nodes, all sink nodes point to the super sink, and the Ford-Fulkerson algorithm is used to solve for the maximum flow between the two communities.
Preferably, the key user identification unit obtains the time needed to find the minimum cut set MC(G, C) of the network community graph G by an algorithm of O(log2i) time, wherein the algorithm partitions the network community graph G, i.e. $G = G_1 \cup G_2$, then computes the smallest cut set D for each of the two subsets, and finally deletes the nodes in cut set D from the network structure, recursively iterating over the subsets $G_1$ and $G_2$; the time complexity of computing the minimum cut set MC(G, C) is then O(22i log2i).
In general, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/the/said [device, component, etc.]" are to be interpreted openly as referring to at least one instance of said device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein need not be performed in the exact order disclosed, unless explicitly stated.

Claims (10)

1. A method for identifying key users based on audit data, characterized in that the method comprises:
Step 1: sort the audit data of the Public Key Infrastructure (PKI) platform along the timeline; given a time window T, take the audit data within T and divide it into i classes according to the audit events involved, forming the audit event set $Q = \{Q_1, \dots, Q_i\}$, where i is a natural number;
Step 2: according to the audit event classes within T, build a weighted user relation graph $C_i(V_{C_i}, E_{C_i})$ among all users of the i-th class of audit events, and set the direction of each edge between users according to the order of execution times within each class of audit events, where $V_{C_i}$ denotes the set of users within T, $E_{C_i}$ denotes the edge relations between users, […], and $C_i$ corresponds one-to-one with $Q_i$;
Step 3: define the community network graph $G = (V, E)$, whose i communities are $C = \{C_1, \dots, C_i\}$ and whose minimum cut set is […], where V denotes the user nodes of the community network graph, E denotes the edge relations between user nodes, and the set D is the smallest set of edges that separates the different communities in the network; according to structural hole theory, use a maximum-flow algorithm based on the minimum cut to find a set $V_{SH}$ of k structural hole nodes such that, after the k nodes are deleted, the reduction of the minimum cut set of the community network graph G is maximal; the k structural hole nodes are then the key users of the audit data within T. The structural hole nodes are computed by:
$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$
2. The method according to claim 1, characterized in that building the weighted user relation graph $C_i(V_{C_i}, E_{C_i})$ among the users of the i-th class of audit events, according to the audit event classes within T, comprises:
Step 1: initialize $C_i$ such that […] and […];
Step 2: take any element $q_l$ of the audit event class $Q_i$, where $q_l \in Q_i$, and sort the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \dots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ n_j \to n_{j-1}\}$;
Step 4: take any element $e_{w(u \to v)}$ of the edge set E; if […], add $e_{w(u \to v)}$ to $E_{C_i}$; otherwise, add 1 to the weight of that edge;
Step 5: if u, […], add u and v to $V_{C_i}$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(V_{C_i}, E_{C_i})$, completing the construction of the weighted user relation graph for event class $Q_i$.
3. The method according to claim 2, characterized in that finding the set $V_{SH}$ of $k$ structural hole nodes, according to structural hole theory and using the max-flow algorithm based on minimum cut, comprises:
Step 1: initialize the flow on every edge in the network to 0;
Step 2: calculate the max-flow between every two communities, update the flow on each edge, and add the edges whose flow equals the edge weight to the edge set $E_f$;
Step 3: judge whether all pairwise comparisons of communities are finished; if so, go to step 4, otherwise go to step 1;
Step 4: extract the point set $V_f$ from the edge set $E_f$;
Step 5: traverse the point set $V_f$ and calculate $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node that gives the largest value calculated in step 5 and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
4. The method according to claim 3, characterized in that, when calculating the max-flow between every two communities, a super source and a super sink are added, the super source pointing to all sources and all sinks pointing to the super sink, and the max-flow between two communities is solved using the Ford-Fulkerson algorithm.
5. The method according to claim 3, characterized in that the time for finding the minimal cut set $MC(G, C)$ of the network community graph $G$ is obtained by an algorithm of O(log2I) time, wherein the algorithm comprises partitioning the network community graph $G$, i.e. $G = G_1 \cup G_2$, then calculating the smallest cut set $D$ for each of the two subsets, finally deleting the nodes in the cut set $D$ from the network structure, and recursively iterating over the subsets $G_1$ and $G_2$, so that the time complexity of calculating the minimal cut set $MC(G, C)$ is O(22ilog2i).
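The graph construction of claim 2 (steps 1 to 7), as an added Python example that is not part of the patent text. The audit rows, user names and event classes are constructed; a first-seen edge is assumed to start at weight 1, and consecutive operations by the same user are assumed to produce no edge.

```python
from collections import defaultdict

# Constructed sample: (event_class, event_id, timestamp, user) rows taken from
# one time window T of a PKI audit log. All values are made up for illustration.
AUDIT_ROWS = [
    ("cert_issue", "q1", 10, "ra_op1"),
    ("cert_issue", "q1", 12, "ra_admin"),
    ("cert_issue", "q1", 15, "ca_admin"),
    ("cert_issue", "q2", 20, "ra_op2"),
    ("cert_issue", "q2", 23, "ra_admin"),
    ("cert_issue", "q2", 27, "ca_admin"),
    ("cert_revoke", "q3", 30, "auditor"),
    ("cert_revoke", "q3", 31, "auditor"),
    ("cert_revoke", "q3", 33, "ca_admin"),
]

def build_relation_graphs(rows):
    """Return {event_class: (VC, EC)} where EC maps a directed edge (u, v) to its weight."""
    # Step 2: for every event element q_l, list its users in operation-time order.
    users_of = defaultdict(list)
    for cls, qid, _ts, user in sorted(rows, key=lambda r: r[2]):
        users_of[(cls, qid)].append(user)
    graphs = {}
    for (cls, _qid), n_l in users_of.items():
        # Step 1: C_i starts with an empty vertex set and an empty edge set.
        vc, ec = graphs.setdefault(cls, (set(), {}))
        # Step 3: directed edge n_j -> n_{j-1}, from the later operator to the earlier one.
        for earlier, later in zip(n_l, n_l[1:]):
            if earlier == later:
                continue                      # assumption: no self-loops
            edge = (later, earlier)
            # Step 4: a new edge enters EC_i (assumed weight 1), a known edge gains 1.
            ec[edge] = ec.get(edge, 0) + 1
            # Step 5: add the endpoints that are not yet in VC_i.
            vc.update(edge)
    return graphs                             # step 7; step 6 is the loop over all q_l
```
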
6. A system for identifying key users based on audit data, characterized in that the system comprises:
an audit event division unit, configured to sort the audit data of a public key infrastructure (PKI) platform along the time line, set a time window $T$, take the audit data within the range $T$, and divide the audit data within the range $T$ into $i$ classes according to the audit events involved, forming the audit event set $Q$, where $Q = \{Q_1, \ldots, Q_i\}$ and $i$ is a natural number;
a user relationship graph construction unit, configured to construct, according to the classification of the audit events within the range $T$, a weighted user relationship graph $C_i(VC_i, EC_i)$ among all users of the $i$-th class of audit events, and to set the direction of each edge between users according to the order of the execution times within each class of audit event, where $VC_i$ denotes the set of users within the range $T$, $EC_i$ denotes the edge relationships between users, and $C_i$ corresponds one-to-one with $Q_i$;
a key user identification unit, configured to define a community network graph $G=(V, E)$ whose $i$ communities are $C=\{C_1, \ldots, C_i\}$; the minimal cut set of $G$ is , where $V$ denotes the user nodes in the community network graph, $E$ denotes the edge relationships between user nodes, and the set $D$ is the set with the fewest edges that separates the different communities in the network; according to structural hole theory, a max-flow algorithm based on minimum cut is used to find the set $V_{SH}$ of $k$ structural hole nodes such that, after the $k$ nodes are deleted, the reduction of the minimal cut set of the community network graph $G$ is maximal; the users represented by the $k$ structural hole nodes are then the key users of the audit data within the range $T$, and the formula for finding the $k$ structural hole nodes is:
$$G(V_{SH}, C) = MC(G, C) - MC(G \setminus V_{SH}, C), \quad |V_{SH}| = k$$
7. The system according to claim 6, characterized in that the user relationship graph construction unit constructing, according to the classification of the audit events within the range $T$, the weighted user relationship graph $C_i(VC_i, EC_i)$ among the users of the $i$-th class of audit events comprises:
Step 1: initialize $C_i$, make and ;
Step 2: take an arbitrary element $q_l$ of the audit events $Q_i$, where $q_l \in Q_i$, and order the users associated with $q_l$ by operation time to obtain the user set $N_l = \{n_1, n_2, \ldots, n_m\}$;
Step 3: extract the edge set from $N_l$:
$$E = \{(n_j, n_{j-1}) \mid n_j, n_{j-1} \in N_l,\ j < m+1,\ \text{and}\ n_j \to n_{j-1}\};$$
Step 4: take any element $e_{w(u \to v)}$ of the edge set $E$; if , add $e_{w(u \to v)}$ to $EC_i$; otherwise, increase the weight of that edge by 1;
Step 5: if $u$, , add $u$, $v$ to $VC_i$; otherwise, do nothing;
Step 6: repeat steps 2 to 5 until all elements of the set $Q_i$ have been traversed;
Step 7: output $C_i(VC_i, EC_i)$, completing the construction of the weighted user relationship graph for event $Q_i$.
8. The system according to claim 7, characterized in that the key user identification unit finding the set $V_{SH}$ of $k$ structural hole nodes, according to structural hole theory and using the max-flow algorithm based on minimum cut, comprises:
Step 1: initialize the flow on every edge in the network to 0;
Step 2: calculate the max-flow between every two communities, update the flow on each edge, and add the edges whose flow equals the edge weight to the edge set $E_f$;
Step 3: judge whether all pairwise comparisons of communities are finished; if so, go to step 4, otherwise go to step 1;
Step 4: extract the point set $V_f$ from the edge set $E_f$;
Step 5: traverse the point set $V_f$ and calculate $MC(G \setminus V_{SH}, C) - MC(G \setminus (V_{SH} \cup \{p\}), C)$;
Step 6: take the node that gives the largest value calculated in step 5 and add it to $V_{SH}$;
Step 7: if $|V_{SH}| > k$, the algorithm terminates; if $|V_{SH}| \le k$, jump to step 1.
9. The system according to claim 8, characterized in that, when the key user identification unit calculates the max-flow between every two communities, a super source and a super sink are added, the super source pointing to all sources and all sinks pointing to the super sink, and the max-flow between two communities is solved using the Ford-Fulkerson algorithm.
10. The system according to claim 8, characterized in that the key user identification unit obtains the time for finding the minimal cut set $MC(G, C)$ of the network community graph $G$ by an algorithm of O(log2I) time, wherein the algorithm comprises partitioning the network community graph $G$, i.e. $G = G_1 \cup G_2$, then calculating the smallest cut set $D$ for each of the two subsets, finally deleting the nodes in the cut set $D$ from the network structure, and recursively iterating over the subsets $G_1$ and $G_2$, so that the time complexity of calculating the minimal cut set $MC(G, C)$ is O(22ilog2i).
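The greedy structural-hole selection of claims 3 and 4 (repeated as claims 8 and 9), as an added Python example that is not part of the patent text. It assumes that $MC(G, C)$ is the sum of the pairwise max-flows between communities, that edge weights act as undirected capacities, that a user belonging to both communities of a pair is neither source nor sink for that pair, that every remaining user is a candidate (not only $V_f$), and that selection stops at $|V_{SH}| = k$; the graph and user names are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: edge weights between users, and the users of each event class.
EDGES = {("ra_op1", "ra_op2"): 3, ("ra_op1", "ra_admin"): 2, ("ra_op2", "ra_admin"): 2,
         ("ra_admin", "rev_op1"): 2, ("ra_admin", "rev_op2"): 1, ("rev_op1", "rev_op2"): 3,
         ("rev_op1", "auditor"): 1, ("rev_op2", "auditor"): 1,
         ("auditor", "sec1"): 2, ("auditor", "sec2"): 1, ("sec1", "sec2"): 2}
COMMUNITIES = [{"ra_op1", "ra_op2", "ra_admin"}, {"auditor", "sec1", "sec2"},
               {"ra_admin", "rev_op1", "rev_op2", "auditor"}]

def max_flow(edges, sources, sinks, removed=frozenset()):
    """Ford-Fulkerson between two user sets via a super source S and a super sink T."""
    S, T, INF = "_S", "_T", float("inf")
    res = defaultdict(lambda: defaultdict(int))      # residual capacities
    for (u, v), w in edges.items():
        if u not in removed and v not in removed:
            res[u][v] += w
            res[v][u] += w                           # assumption: undirected capacity
    for s in sources - removed:
        res[S][s] = INF                              # S points at every source
    for t in sinks - removed:
        res[t][T] = INF                              # every sink points at T
    def push(u, limit, seen):                        # one DFS augmenting path
        if u == T:
            return limit
        seen.add(u)
        for v, cap in list(res[u].items()):
            if cap > 0 and v not in seen:
                got = push(v, min(limit, cap), seen)
                if got:
                    res[u][v] -= got
                    res[v][u] += got
                    return got
        return 0
    return sum(iter(lambda: push(S, INF, set()), 0))  # augment until no path is left

def mc(edges, comms, removed=frozenset()):
    """MC(G minus removed, C), taken here as the sum of pairwise min cuts (= max flows)."""
    return sum(max_flow(edges, a - b, b - a, removed) for a, b in combinations(comms, 2))

def structural_holes(edges, comms, k):
    """Greedily add the user (any remaining one) whose removal lowers MC most, to size k."""
    v_sh, nodes = [], sorted({n for e in edges for n in e})
    while len(v_sh) < k:
        base = mc(edges, comms, frozenset(v_sh))
        gain = {p: base - mc(edges, comms, frozenset(v_sh + [p]))
                for p in nodes if p not in v_sh}
        v_sh.append(max(gain, key=gain.get))
    return v_sh
```

On this sample, `structural_holes(EDGES, COMMUNITIES, 2)` selects `ra_admin` and then `auditor`, the two users who take part in more than one event class.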

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711449191.XA CN109977272A (en) 2017-12-27 2017-12-27 A kind of method and system based on Audit data identification key user

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711449191.XA CN109977272A (en) 2017-12-27 2017-12-27 A kind of method and system based on Audit data identification key user

Publications (1)

Publication Number Publication Date
CN109977272A true CN109977272A (en) 2019-07-05

Family

ID=67071291

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711449191.XA Pending CN109977272A (en) 2017-12-27 2017-12-27 A kind of method and system based on Audit data identification key user

Country Status (1)

Country Link
CN (1) CN109977272A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111934938A (en) * 2020-09-14 2020-11-13 中国人民解放军国防科技大学 Flow network key node identification method and device based on multi-attribute information fusion
CN111988178A (en) * 2020-08-21 2020-11-24 南通大学 Method for identifying important nodes of complex network with fusion node multi-attribute
CN113298157A (en) * 2021-05-28 2021-08-24 上海商汤智能科技有限公司 Focus matching method and device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103503367A (en) * 2011-04-28 2014-01-08 高通股份有限公司 Social network based PKI authentication
US20140067873A1 (en) * 2012-06-26 2014-03-06 International Business Machines Corporation Efficient egonet computation in a weighted directed graph
CN106330533A (en) * 2016-01-21 2017-01-11 华南师范大学 Real-time topology establishment method of large-scale network alarms

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
孙永利: "面向中文微博的社区发现和结构洞挖掘的研究", 《中国优秀硕士学位论文全文数据库信息科技辑》 *

Similar Documents

Publication Publication Date Title
Liu et al. An integrated method for anomaly detection from massive system logs
Charrad et al. NbClust: an R package for determining the relevant number of clusters in a data set
US10484413B2 (en) System and a method for detecting anomalous activities in a blockchain network
US9268927B1 (en) Method and system of identifying users based upon free text keystroke patterns
CN108593990B (en) Electricity stealing detection method based on electricity consumption behavior mode of electric energy user and application
CN102184512B (en) Method for discovering abnormal events among city activities by using mobile phone data
CN106375339B (en) Attack mode detection method based on event sliding window
CN109977272A (en) A kind of method and system based on Audit data identification key user
CN107992746A (en) Malicious act method for digging and device
Ahmed et al. Detecting Computer Intrusions Using Behavioral Biometrics.
CN116680704B (en) Data security protection method and system for client
CN110120936A (en) Distributed network attack detecting and security measurement system and method based on block chain
CN108629205A (en) The monitoring and managing method and device of drug quality detection data
Bharti et al. Intrusion detection using clustering
LaRock et al. Hypa: Efficient detection of path anomalies in time series data on networks
CN110011990A (en) Intranet security threatens intelligent analysis method
De Moor et al. Assessing the missing data problem in criminal network analysis using forensic DNA data
CN107977386A (en) A kind of method and device of sensitive users in identification audit event
Wang et al. YATA: Yet Another Proposal for Traffic Analysis and Anomaly Detection.
Malkawi et al. Blockchain based voting system for Jordan parliament elections
Cho et al. Two sophisticated techniques to improve HMM-based intrusion detection systems
Kumar et al. Mathematical modeling approaches for blockchain technology
Tao et al. A metric model for trustworthiness of softwares
CN111797942A (en) User information classification method and device, computer equipment and storage medium
CN114693307A (en) Security futures programmed trading strategy risk pressure testing system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190705