CN110222243A - Method, apparatus and storage medium for determining abnormal behaviour - Google Patents

Publication number
CN110222243A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910447366.6A
Other languages
Chinese (zh)
Other versions
CN110222243B (en)
Inventor
李加佳
司马云瑞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Xiaomi Mobile Software Co Ltd
Original Assignee
Beijing Xiaomi Mobile Software Co Ltd
Application filed by Beijing Xiaomi Mobile Software Co Ltd
Priority to CN201910447366.6A
Publication of CN110222243A
Application granted
Publication of CN110222243B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/90335 Query processing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

This disclosure relates to a method, apparatus and storage medium for determining abnormal behaviour. The method comprises: determining an abnormal second behavior sequence in the first behavior sequences corresponding to abnormal sample users, according to those first behavior sequences and a preset frequent path mining algorithm; obtaining a target count, namely the number of times target operation information occurs within a preset time period in the second behavior sequence; determining, according to the target operation information and the target count, a first number of users, being the abnormal sample users that match the second behavior sequence, and a second number of users, being the normal sample users that match the second behavior sequence; and, if the ratio of the first number of users to the second number of users is greater than or equal to a preset ratio threshold, determining that the second behavior sequence is abnormal behaviour. By combining the order in which user operations occur with how often they occur within a preset time period, the disclosure determines whether user behaviour is abnormal, which can improve the accuracy of abnormal-user detection and effectively avoid misjudging normal users.

Description

Method, apparatus and storage medium for determining abnormal behaviour
Technical field
This disclosure relates to the field of network security, and in particular to a method, apparatus and storage medium for determining abnormal behaviour.
Background
In the related art, with the continuous development and widespread use of Internet technology, people can obtain and publish all kinds of information conveniently and flexibly over the network. While the Internet brings convenience, its openness and decentralization also make it vulnerable to various attacks, which inconvenience users and can even cause economic loss; network security is therefore receiving increasing attention. To counter the attacks the Internet is subject to, abnormal behaviour pattern mining can be used to analyze the abnormal behaviour patterns of risky users, so that risky users can be identified, the security of the network improved and losses to users avoided. The accuracy with which abnormal behaviour patterns are identified determines the security of the network.
Summary of the invention
To overcome the problems in the related art, the disclosure provides a method, apparatus and storage medium for determining abnormal behaviour.
According to a first aspect of the embodiments of the present disclosure, a method for determining abnormal behaviour is provided, the method comprising:
determining an abnormal second behavior sequence in the first behavior sequences corresponding to abnormal sample users, according to those first behavior sequences and a preset frequent path mining algorithm, where a first behavior sequence includes operation information and the operation time information corresponding to the operation information;
obtaining a target count, namely the number of times target operation information occurs within a preset time period in the second behavior sequence, where the target operation information is one kind of operation information selected from the second behavior sequence according to a preset rule;
determining, according to the target operation information and the target count, a first number of users, being the abnormal sample users that match the second behavior sequence, and a second number of users, being the normal sample users that match the second behavior sequence;
if the ratio of the first number of users to the second number of users is greater than or equal to a preset ratio threshold, determining that the second behavior sequence is abnormal behaviour.
Optionally, determining, according to the target operation information and the target count, the first number of users of abnormal sample users that match the second behavior sequence and the second number of users of normal sample users that match the second behavior sequence comprises:
determining, according to the target operation information and the target count, at least one target sample user in a sample user set that matches the second behavior sequence;
determining the first number of users, being the abnormal sample users among the at least one target sample user, and the second number of users, being the normal sample users among them.
Optionally, determining, according to the target operation information and the target count, the at least one target sample user in the sample user set that matches the second behavior sequence comprises:
if the second behavior sequence is a subsequence of the third behavior sequence corresponding to any sample user in the sample user set, and, in the third behavior sequence, the number of times the target operation information occurs within the preset time period and the target count satisfy a first preset condition, determining that this sample user is a target sample user;
the first preset condition being: the number of times the target operation information occurs within the preset time period is greater than or equal to the target count; or, the ratio of the number of times the target operation information occurs within the preset time period to the target count is greater than or equal to a first threshold.
Optionally, the method further comprises:
after obtaining the target behavior sequence corresponding to a target user, if the second behavior sequence is a subsequence of the target behavior sequence, and, in the target behavior sequence, the number of times the target operation information occurs within the preset time period and the target count satisfy a second preset condition, determining that the target user is an abnormal user;
the second preset condition being: the number of times the target operation information occurs within the preset time period is greater than or equal to the target count; or, the ratio of the number of times the target operation information occurs within the preset time period to the target count is greater than or equal to a second threshold.
According to a second aspect of the embodiments of the present disclosure, an apparatus for determining abnormal behaviour is provided, the apparatus comprising:
a first determining module, configured to determine an abnormal second behavior sequence in the first behavior sequences corresponding to abnormal sample users, according to those first behavior sequences and a preset frequent path mining algorithm, where a first behavior sequence includes operation information and the operation time information corresponding to the operation information;
an obtaining module, configured to obtain a target count, namely the number of times target operation information occurs within a preset time period in the second behavior sequence, where the target operation information is one kind of operation information selected from the second behavior sequence according to a preset rule;
a second determining module, configured to determine, according to the target operation information and the target count, a first number of users, being the abnormal sample users that match the second behavior sequence, and a second number of users, being the normal sample users that match the second behavior sequence;
a judgment module, configured to determine that the second behavior sequence is abnormal behaviour if the ratio of the first number of users to the second number of users is greater than or equal to a preset ratio threshold.
Optionally, the second determining module comprises:
a first determining submodule, configured to determine, according to the target operation information and the target count, at least one target sample user in a sample user set that matches the second behavior sequence;
a second determining submodule, configured to determine the first number of users, being the abnormal sample users among the at least one target sample user, and the second number of users, being the normal sample users among them.
Optionally, the first determining submodule is configured to determine that a sample user is a target sample user if the second behavior sequence is a subsequence of the third behavior sequence corresponding to that sample user in the sample user set, and, in the third behavior sequence, the number of times the target operation information occurs within the preset time period and the target count satisfy a first preset condition;
the first preset condition being: the number of times the target operation information occurs within the preset time period is greater than or equal to the target count; or, the ratio of the number of times the target operation information occurs within the preset time period to the target count is greater than or equal to a first threshold.
Optionally, the apparatus further comprises:
a third determining module, configured to determine, after obtaining the target behavior sequence corresponding to a target user, that the target user is an abnormal user if the second behavior sequence is a subsequence of the target behavior sequence, and, in the target behavior sequence, the number of times the target operation information occurs within the preset time period and the target count satisfy a second preset condition;
the second preset condition being: the number of times the target operation information occurs within the preset time period is greater than or equal to the target count; or, the ratio of the number of times the target operation information occurs within the preset time period to the target count is greater than or equal to a second threshold.
According to a third aspect of the embodiments of the present disclosure, an apparatus for determining abnormal behaviour is provided, the apparatus comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to:
determine an abnormal second behavior sequence in the first behavior sequences corresponding to abnormal sample users, according to those first behavior sequences and a preset frequent path mining algorithm, where a first behavior sequence includes operation information and the operation time information corresponding to the operation information;
obtain a target count, namely the number of times target operation information occurs within a preset time period in the second behavior sequence, where the target operation information is one kind of operation information selected from the second behavior sequence according to a preset rule;
determine, according to the target operation information and the target count, a first number of users, being the abnormal sample users that match the second behavior sequence, and a second number of users, being the normal sample users that match the second behavior sequence;
if the ratio of the first number of users to the second number of users is greater than or equal to a preset ratio threshold, determine that the second behavior sequence is abnormal behaviour.
According to a fourth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, on which computer program instructions are stored; when executed by a processor, the program instructions implement the steps of the method for determining abnormal behaviour provided in the first aspect of the disclosure.
The technical solutions provided by the embodiments of the disclosure can have the following beneficial effects:
First, an abnormal second behavior sequence is determined in the first behavior sequences corresponding to abnormal sample users, according to those first behavior sequences and a preset frequent path mining algorithm, where a first behavior sequence includes operation information and the operation time information corresponding to the operation information. Next, the target count is obtained, namely the number of times the target operation information occurs within a preset time period in the second behavior sequence. Then, according to the target operation information and the target count, the first number of users (abnormal sample users that match the second behavior sequence) and the second number of users (normal sample users that match the second behavior sequence) are determined. If the ratio of the first number of users to the second number of users is greater than or equal to a preset ratio threshold, the second behavior sequence is determined to be abnormal behaviour. By combining the order in which user operations occur with how often they occur within a preset time period, the disclosure determines whether user behaviour is abnormal, which can improve the accuracy of abnormal-user detection and effectively avoid misjudging normal users.
It should be understood that the above general description and the following detailed description are only exemplary and explanatory, and do not limit the disclosure.
Brief description of the drawings
The accompanying drawings, which are incorporated into and form part of this specification, show embodiments consistent with the disclosure and, together with the specification, serve to explain the principles of the disclosure.
Fig. 1 is a flow chart of a method for determining abnormal behaviour according to an exemplary embodiment.
Fig. 2 is a flow chart of step 103 of the embodiment shown in Fig. 1.
Fig. 3 is a flow chart of another method for determining abnormal behaviour according to an exemplary embodiment.
Fig. 4 is a block diagram of an apparatus for determining abnormal behaviour according to an exemplary embodiment.
Fig. 5 is a block diagram of a second determining module of the embodiment shown in Fig. 4.
Fig. 6 is a block diagram of another apparatus for determining abnormal behaviour according to an exemplary embodiment.
Fig. 7 is a block diagram of an apparatus for determining abnormal behaviour according to an exemplary embodiment.
Detailed description
Exemplary embodiments are described in detail here, with examples illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the disclosure. Rather, they are merely examples of apparatuses and methods consistent with some aspects of the disclosure, as detailed in the appended claims.
Before the method, apparatus and storage medium for determining abnormal behaviour provided by the disclosure are introduced, the application scenario involved in the embodiments is described first. The application scenario may include a server, which can provide data services for various service platforms or applications (APPs); users access the server through a service platform or application. The server may be a local server or a cloud server.
Fig. 1 is a flow chart of a method for determining abnormal behaviour according to an exemplary embodiment. As shown in Fig. 1, the method includes the following steps:
In step 101, an abnormal second behavior sequence is determined in the first behavior sequences corresponding to abnormal sample users, according to those first behavior sequences and a preset frequent path mining algorithm. A first behavior sequence includes operation information and the operation time information corresponding to the operation information.
For example, the abnormal sample users stored in advance on the server, and the first behavior sequence corresponding to each abnormal sample user, can be obtained from a database on the server. Each abnormal sample user may include account data (for example a user name or user ID), and a first behavior sequence may include operation information (the operations performed by the user, such as logging in, logging out or changing the password) and the operation time information corresponding to the operation information. For example, if abnormal sample user 1 performed operations α, β and γ at times t1, t2 and t3 respectively, in chronological order, then the first behavior sequence corresponding to abnormal sample user 1 is [α(t1), β(t2), γ(t3)]. The abnormal second behavior sequence is then determined in the first behavior sequences according to the preset frequent path mining algorithm: the algorithm can find the subsequences shared by the first behavior sequences of the abnormal sample users, and these are the second behavior sequences to be determined.
In step 102, a target count is obtained, namely the number of times target operation information occurs within a preset time period in the second behavior sequence. The target operation information is one kind of operation information selected from the second behavior sequence according to a preset rule.
For example, after the second behavior sequence is determined, the number of times the target operation information occurs within the preset time period in the second behavior sequence is obtained as the target count. The target operation information can be any one of the kinds of operation information contained in the second behavior sequence. It can be chosen empirically, or the server can select it from the second behavior sequence according to a preset rule; the preset rule can be, for example, to choose the operation information that occurs most frequently in the second behavior sequence. For example, if the target operation information is login failure and the preset time period is the most recent 12 hours, then the target count is the number of login failures that occur in the second behavior sequence within the most recent 12 hours.
In step 103, according to the target operation information and the target count, a first number of users (abnormal sample users that match the second behavior sequence) and a second number of users (normal sample users that match the second behavior sequence) are determined.
In step 104, if the ratio of the first number of users to the second number of users is greater than or equal to a preset ratio threshold, the second behavior sequence is determined to be abnormal behaviour.
For example, after the target count is obtained, the first number of users of abnormal sample users that match the second behavior sequence, and the second number of users of normal sample users that match the second behavior sequence, can be determined according to the target operation information and the target count. Whether a given sample user (an abnormal sample user or a normal sample user) matches the second behavior sequence can be determined, according to the target operation information and the target count, as follows: determine whether the second behavior sequence and the behavior sequence corresponding to that sample user satisfy a preset condition; if they do, the sample user matches the second behavior sequence.
Whether the second behavior sequence is abnormal behaviour is then determined from the first number of users and the second number of users. This can be done by comparing the ratio of the first number of users to the second number of users with a preset ratio threshold: if the ratio is greater than or equal to the preset ratio threshold, the second behavior sequence is determined to be abnormal behaviour; if the ratio is less than the preset ratio threshold, the second behavior sequence is determined not to be abnormal behaviour. For example, if the preset ratio threshold is 4, the first number of users of abnormal sample users that match the second behavior sequence is 100, and the second number of users of normal sample users that match the second behavior sequence is 20, then the ratio of the first number of users to the second number of users is greater than 4, and the second behavior sequence is determined to be abnormal behaviour. It can be understood that when many normal sample users match the second behavior sequence, the operation information contained in the second behavior sequence is not representative: many normal sample users also perform the operations it contains, so the second behavior sequence is not abnormal behaviour, which avoids misjudging normal users. When many abnormal sample users match the second behavior sequence, the operation information contained in the second behavior sequence is representative: many abnormal sample users perform the operations it contains, so the second behavior sequence is abnormal behaviour, which improves detection accuracy.
It should be noted that in the prior art, if the second behavior sequence is determined only by the number of times the target operation information occurs, then second behavior sequences in which the target operation information occurs the same number of times but the operations are executed in a different order cannot be told apart. This solution uses the frequent path mining algorithm to identify second behavior sequences by the order in which operations are executed in the behavior sequence, combined with the number of times the target operation information occurs in the second behavior sequence, which improves detection accuracy. For example, suppose the frequent path mining algorithm yields two second behavior sequences (I1, I2, I2, I2) and (I2, I2, I2, I1), and the target operation information is I2. I2 occurs the same number of times in both second behavior sequences, but its execution order differs, so the two second behavior sequences are not the same.
In summary, an abnormal second behavior sequence is first determined in the first behavior sequences corresponding to abnormal sample users, according to those first behavior sequences and a preset frequent path mining algorithm, where a first behavior sequence includes operation information and the operation time information corresponding to the operation information. Next, the target count is obtained, namely the number of times the target operation information occurs within a preset time period in the second behavior sequence. Then, according to the target operation information and the target count, the first number of users (abnormal sample users that match the second behavior sequence) and the second number of users (normal sample users that match the second behavior sequence) are determined. If the ratio of the first number of users to the second number of users is greater than or equal to a preset ratio threshold, the second behavior sequence is determined to be abnormal behaviour. By combining the order in which user operations occur with how often they occur within a preset time period, the disclosure determines whether user behaviour is abnormal, which can improve the accuracy of abnormal-user detection and effectively avoid misjudging normal users.
It should be noted that the frequent path mining algorithm in step 101 may be implemented as follows:
Take the case where there are multiple abnormal sample users and, correspondingly, multiple first behavior sequences. The multiple first behavior sequences and a preset support threshold are used as the input of the frequent path mining algorithm, and at least one second behavior sequence is obtained as its output. The frequency with which each second behavior sequence occurs in the first behavior sequences is greater than or equal to the support threshold.
The frequent path mining algorithm iterates over the multiple first behavior sequences level by level according to the preset support threshold, obtains the frequent itemsets that satisfy the preset support threshold, and from the resulting frequent itemsets chooses those that satisfy a preset item count (that is, the number of items of operation information contained in the frequent itemset is greater than or equal to the preset item count) as the at least one second behavior sequence. The frequent path mining algorithm can be, for example, the Apriori (association rule) algorithm, the GSP (Generalized Sequential Pattern) algorithm or the FreeSpan algorithm.
The support threshold can be set in advance, and can also be adjusted flexibly according to specific needs. When the support threshold is too low, the frequent path mining algorithm outputs more second behavior sequences, which easily leads to misjudgment; when the support threshold is too high, the algorithm outputs fewer second behavior sequences, which easily leads to missed detections. The support threshold can therefore first be set empirically and then adjusted according to how many second behavior sequences the frequent path mining algorithm outputs. Take as an example four first behavior sequences (I1, I2, I3), (I1, I2), (I1) and (I2, I3), where I1, I2 and I3 correspond to three different kinds of operation information, with a preset support threshold of 2 and a preset item count of 2 (that is, a second behavior sequence contains at least 2 items of operation information). With the four first behavior sequences and the preset support threshold as the input of the frequent path mining algorithm, the frequent itemsets obtained are (I1), (I2), (I3), (I1, I2) and (I2, I3). The frequent itemsets that satisfy the preset item count of 2 are chosen from these as second behavior sequences, so the second behavior sequences output by the frequent path mining algorithm are (I1, I2) and (I2, I3).
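The worked example above can be reproduced with a small level-wise miner. This is an added illustration, not code from the patent: it is a simplified GSP-style search, and the function names and the choice to count support as the number of first behavior sequences containing a pattern as an ordered subsequence are assumptions.

```python
def is_subsequence(pattern, sequence):
    """True if the operations in `pattern` occur in `sequence` in the same
    order; other operations may sit in between."""
    remaining = iter(sequence)
    return all(op in remaining for op in pattern)


def support(pattern, sequences):
    """Number of first behavior sequences that contain `pattern`."""
    return sum(is_subsequence(pattern, seq) for seq in sequences)


def mine_frequent_paths(sequences, min_support, min_items):
    """Level-wise search: frequent patterns of length k are joined into
    candidates of length k+1, which are kept only if still frequent.
    Returns (all frequent patterns, those with at least min_items items)."""
    operations = sorted({op for seq in sequences for op in seq})
    level = [(op,) for op in operations
             if support((op,), sequences) >= min_support]
    frequent = {}
    while level:
        for pattern in level:
            frequent[pattern] = support(pattern, sequences)
        # GSP-style join: p and q combine when p without its first operation
        # equals q without its last operation.
        candidates = {p + (q[-1],) for p in level for q in level
                      if p[1:] == q[:-1]}
        level = sorted(c for c in candidates
                       if support(c, sequences) >= min_support)
    selected = {p: n for p, n in frequent.items() if len(p) >= min_items}
    return frequent, selected


# The four first behavior sequences from the text. Timestamps are omitted
# because only the order of operations matters for mining.
FIRST_SEQUENCES = [
    ("I1", "I2", "I3"),
    ("I1", "I2"),
    ("I1",),
    ("I2", "I3"),
]

if __name__ == "__main__":
    # Support threshold 2 and item count 2, as in the text; thresholds 1 and
    # 3 show how the number of output sequences moves with the threshold.
    for threshold in (1, 2, 3):
        _, second = mine_frequent_paths(FIRST_SEQUENCES, threshold, 2)
        print(threshold, sorted(second))
```

With the support threshold lowered to 1 the same input yields four second behavior sequences, and with 3 it yields none, which is the tuning trade-off between misjudgment and missed detection described above.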
Fig. 2 is a flow chart of step 103 of the embodiment shown in Fig. 1. As shown in Fig. 2, step 103 includes the following steps:
In step 1031, at least one target sample user in the sample user set that matches the second behavior sequence is determined according to the target operation information and the target count.
In step 1032, the first number of users, being the abnormal sample users among the at least one target sample user, and the second number of users, being the normal sample users among them, are determined.
Specifically, a sample user set (containing multiple sample users) and the behavior sequence corresponding to each sample user in the set can be stored in advance in the database on the server; the sample users can be divided into normal sample users and abnormal sample users. After the target count is obtained, the at least one target sample user in the sample user set that matches the second behavior sequence can be determined according to the target operation information and the target count. Whether a sample user matches the second behavior sequence can be determined, according to the target operation information and the target count, as follows: determine whether the behavior sequence corresponding to any sample user and the second behavior sequence satisfy a preset condition; if they do, that sample user matches the second behavior sequence and is a target sample user. The first number of users and the second number of users are determined from the numbers of abnormal sample users and normal sample users among the at least one target sample user.
Optionally, step 1031 can be implemented as follows:
If the second behavior sequence is a subsequence of the third behavior sequence corresponding to any sample user in the sample user set, and, in the third behavior sequence, the number of times the target operation information occurs within the preset time period and the target count satisfy a first preset condition, that sample user is determined to be a target sample user.
The first preset condition is: the number of times the target operation information occurs within the preset time period is greater than or equal to the target count; or, the ratio of the number of times the target operation information occurs within the preset time period to the target count is greater than or equal to a first threshold.
For example, if the second behavior sequence is a subsequence of the third behavior sequence corresponding to any sample user in the sample user set (that is, the operation information contained in the third behavior sequence includes every item of operation information in the second behavior sequence and may also include other operation information), and, in the third behavior sequence, the number of times the target operation information occurs within the preset time period and the target count satisfy the first preset condition, that sample user is determined to be a target sample user.
Fig. 3 is a flowchart of another method for determining abnormal behaviour according to an exemplary embodiment. As shown in Fig. 3, the method further includes:
In step 105, after the goal behavior sequence corresponding to a target user is obtained, if the second behavior sequence is a subsequence of the goal behavior sequence, and, in the goal behavior sequence, the number of times the object run information occurs within the preset time period and the targeted number meet the second preset condition, the target user is determined to be an abnormal user.
The second preset condition is: the number of times the object run information occurs within the preset time period is greater than or equal to the targeted number; or, the ratio of the number of times the object run information occurs within the preset time period to the targeted number is greater than or equal to a second threshold.
For example, when the second behavior sequence is determined to be abnormal behaviour, the second behavior sequence, the object run information and the targeted number can be stored in the server's database as the basis for detecting abnormal users. When a target user accesses the database, the target user's operation information and the operating time information corresponding to that operation information are recorded, giving the goal behavior sequence corresponding to the target user. After the goal behavior sequence is obtained, it is judged whether the second behavior sequence is a subsequence of the goal behavior sequence; if it is, it is further judged whether, in the goal behavior sequence, the number of times the object run information occurs within the preset time period and the targeted number meet the second preset condition. If the second behavior sequence is a subsequence of the goal behavior sequence, and, in the goal behavior sequence, the number of times the object run information occurs within the preset time period and the targeted number meet the second preset condition, the target user is determined to be an abnormal user.
For example, the second behavior sequence is (I1, I2, I1, I1, I3, I1, I1, I1), the object run information is I1, and the number of times I1 occurs within 3 hours (i.e. the targeted number) is 4. The goal behavior sequence corresponding to the target user is (I1, I2, I1, I1, I3, I1, I1, I1, I1, I1), in which I1 occurs 6 times within 3 hours. The second preset condition is: the number of times the object run information occurs within the preset time period is greater than or equal to the targeted number. The second behavior sequence is a subsequence of the goal behavior sequence, and in the goal behavior sequence the number of times I1 occurs within the preset time period (3 hours), which is 6, is greater than the targeted number, which is 4, so the target user is an abnormal user.
Further, when the target user is determined to be an abnormal user, the server can apply permission controls to the target user (for example: forcing a logout, requiring a verification code, or granting browse permission without edit permission), to protect the server and the other users who access it.
It should be noted that if only the number of times the object run information occurs is used as the basis for detecting the target user, without considering the order in which the operation information in the goal behavior sequence occurs, normal users may be wrongly flagged. For example, goal behavior sequence 1, corresponding to target user 1, includes I1, I2, I2, I2, and goal behavior sequence 2, corresponding to target user 2, includes I2, I2, I2, I1. Here operation information I1 denotes a successful login and operation information I2 denotes a failed login; the operating time information corresponding to I1 and I2 all falls within the most recent 1 day, and the order in which operations appear in a goal behavior sequence is the order in which they were executed, i.e. target user 1 executed I1, I2, I2, I2 and target user 2 executed I2, I2, I2, I1. In the prior art, if abnormal users are detected only by whether the number of times the object run information occurs meets a preset condition, then when the object run information is I2 and the preset condition is that I2 occurs 3 or more times within the most recent 1 day, both target user 1 and target user 2 are treated as abnormal users. In a real scenario, however, target user 1 may be normal (for example, after logging in successfully, target user 1 mistyped the password on later login attempts), while target user 2 may be abnormal (for example, credential stuffing). This scheme determines whether user behavior is abnormal by combining the order in which the user's operations occur with the number of times the object run information occurs. First, when the second behavior sequence is determined, (I2, I2, I2, I1) and (I1, I2, I2, I2) can be treated as two different second behavior sequences. Then, using the number of times the object run information occurs within the preset time period in each of the two second behavior sequences, the sample users in the sample user set that match each of the two second behavior sequences are determined. According to the first number of users and the second user quantity, it can be determined that (I2, I2, I2, I1) is abnormal behaviour and (I1, I2, I2, I2) is not, so target user 1 can be judged to be a normal user and target user 2 an abnormal user, which reduces the probability of wrongly flagging normal users.
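The matching and detection logic of steps 1031, 1032 and 105, run on the login example above, as an added Python example (not code from the patent). Assumptions: a subsequence preserves order but need not be contiguous, the preset time period ends at the user's latest recorded operation, the sample users, timestamps and proportion threshold of 2.0 are constructed, and the case where no normal sample user matches is handled as commented in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Rule:
    pattern: tuple        # second behavior sequence (ordered operations)
    target_op: str        # object run information
    target_count: int     # targeted number
    window: timedelta     # preset time period
    ratio_threshold: Optional[float] = None  # set to use the ratio form of the condition

def is_subsequence(pattern, ops):
    """True if pattern occurs in ops in order; other operations may be interleaved."""
    remaining = iter(ops)
    return all(p in remaining for p in pattern)

def count_in_window(events, op, window, now=None):
    """Count events with operation `op` and timestamp in (now - window, now]."""
    if not events:
        return 0
    now = now or max(t for t, _ in events)  # assumption: window ends at latest event
    return sum(1 for t, o in events if o == op and now - window < t <= now)

def meets_condition(count, rule):
    """Preset condition: count >= targeted number, or count / targeted number >= threshold."""
    if rule.ratio_threshold is not None:
        return count / rule.target_count >= rule.ratio_threshold
    return count >= rule.target_count

def matches(rule, events):
    """Subsequence test plus windowed-count test (steps 1031 and 105)."""
    events = sorted(events, key=lambda e: e[0])
    if not is_subsequence(rule.pattern, [o for _, o in events]):
        return False
    return meets_condition(count_in_window(events, rule.target_op, rule.window), rule)

def pattern_is_abnormal(rule, abnormal_samples, normal_samples, proportion_threshold):
    """Step 1032 and the final judgement on the second behavior sequence."""
    first = sum(matches(rule, ev) for ev in abnormal_samples.values())   # first number of users
    second = sum(matches(rule, ev) for ev in normal_samples.values())    # second user quantity
    if second == 0:        # assumption: the page does not cover this case
        return first > 0
    return first / second >= proportion_threshold

def count_only_flag(events, op, threshold, window):
    """Baseline the page criticises: ignore order, look at the count alone."""
    return count_in_window(events, op, window) >= threshold

def detect(events, rules, abnormal_samples, normal_samples, proportion_threshold=2.0):
    """Flag a user only if they match a pattern that the sample set judged abnormal."""
    bad = [r for r in rules
           if pattern_is_abnormal(r, abnormal_samples, normal_samples, proportion_threshold)]
    return any(matches(r, events) for r in bad)

# ---- constructed sample data (I1 = login success, I2 = login failure) ----
T0 = datetime(2019, 5, 27, 9, 0)

def make_events(ops, offsets=None):
    offsets = offsets or [10 * i for i in range(len(ops))]   # minutes after T0
    return [(T0 + timedelta(minutes=m), op) for m, op in zip(offsets, ops)]

DAY = timedelta(days=1)
RULE_A = Rule(("I2", "I2", "I2", "I1"), "I2", 3, DAY)
RULE_B = Rule(("I1", "I2", "I2", "I2"), "I2", 3, DAY)
ABNORMAL = {"a1": make_events(["I2", "I2", "I2", "I2", "I1"]),
            "a2": make_events(["I2", "I2", "I2", "I1"]),
            "a3": make_events(["I2", "I2", "I2", "I1", "I1"])}
NORMAL = {"n1": make_events(["I1", "I2", "I2", "I2"]),
          "n2": make_events(["I1", "I2", "I1"]),
          "n3": make_events(["I1", "I2", "I2", "I2", "I1"])}
USER_1 = make_events(["I1", "I2", "I2", "I2"])   # target user 1 on the page
USER_2 = make_events(["I2", "I2", "I2", "I1"])   # target user 2 on the page

# The page's 3-hour example; the minute offsets are constructed to give its counts.
GOAL_EVENTS = make_events(
    ["I1", "I2", "I1", "I1", "I3", "I1", "I1", "I1", "I1", "I1"],
    [0, 30, 60, 120, 150, 180, 210, 240, 270, 290])
RULE_3H = Rule(("I1", "I2", "I1", "I1", "I3", "I1", "I1", "I1"), "I1", 4, timedelta(hours=3))

if __name__ == "__main__":
    for name, ev in (("target user 1", USER_1), ("target user 2", USER_2)):
        print(name, "count-only:", count_only_flag(ev, "I2", 3, DAY),
              "sequence+count:", detect(ev, [RULE_A, RULE_B], ABNORMAL, NORMAL))
    print("3-hour example:", matches(RULE_3H, GOAL_EVENTS))
```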
In conclusion, an abnormal second behavior sequence is first determined in the first behavior sequence according to the first behavior sequence corresponding to an exceptional sample user and a preset frequent path mining algorithm, where the first behavior sequence includes operation information and the operating time information corresponding to the operation information. The targeted number, i.e. the number of times the object run information occurs within a preset time period in the second behavior sequence, is then obtained. Next, according to the object run information and the targeted number, the first number of users (exceptional sample users matching the second behavior sequence) and the second user quantity (normal sample users matching the second behavior sequence) are determined. If the ratio of the first number of users to the second user quantity is greater than or equal to a preset proportion threshold, the second behavior sequence is determined to be abnormal behaviour. By combining the order in which user operations occur with the number of times they occur within a preset time period to decide whether user behavior is abnormal, the disclosure can improve the accuracy of abnormal user detection and effectively avoid misjudging normal users.
Fig. 4 is a block diagram of a device for determining abnormal behaviour according to an exemplary embodiment. As shown in Fig. 4, device 200 includes:
A first determining module 201, configured to determine, according to the first behavior sequence corresponding to an exceptional sample user and a preset frequent path mining algorithm, an abnormal second behavior sequence in the first behavior sequence, where the first behavior sequence includes operation information and the operating time information corresponding to the operation information.
An obtaining module 202, configured to obtain the targeted number, i.e. the number of times object run information occurs within a preset time period in the second behavior sequence, where the object run information is one kind of operation information selected from the second behavior sequence according to a preset rule.
A second determining module 203, configured to determine, according to the object run information and the targeted number, the first number of users, i.e. the number of exceptional sample users matching the second behavior sequence, and the second user quantity, i.e. the number of normal sample users matching the second behavior sequence.
A judgment module 204, configured to determine that the second behavior sequence is abnormal behaviour if the ratio of the first number of users to the second user quantity is greater than or equal to a preset proportion threshold.
Fig. 5 is a block diagram of a second determining module in the embodiment shown in Fig. 4. As shown in Fig. 5, the second determining module 203 includes:
A first determining submodule 2031, configured to determine, according to the object run information and the targeted number, at least one target sample user in the sample user set that matches the second behavior sequence.
A second determining submodule 2032, configured to determine the first number of users, i.e. the number of exceptional sample users included in the at least one target sample user, and the second user quantity, i.e. the number of normal sample users included in the at least one target sample user.
Optionally, the first determining submodule 2031 is configured to: if the second behavior sequence is a subsequence of the third behavior sequence corresponding to any sample user in the sample user set, and, in the third behavior sequence, the number of times the object run information occurs within the preset time period and the targeted number meet the first preset condition, determine that sample user to be a target sample user.
The first preset condition is: the number of times the object run information occurs within the preset time period is greater than or equal to the targeted number; or, the ratio of the number of times the object run information occurs within the preset time period to the targeted number is greater than or equal to a first threshold.
Fig. 6 is a block diagram of another device for determining abnormal behaviour according to an exemplary embodiment. As shown in Fig. 6, device 200 further includes:
A third determining module 205, configured to: after the goal behavior sequence corresponding to a target user is obtained, if the second behavior sequence is a subsequence of the goal behavior sequence, and, in the goal behavior sequence, the number of times the object run information occurs within the preset time period and the targeted number meet the second preset condition, determine that the target user is an abnormal user.
The second preset condition is: the number of times the object run information occurs within the preset time period is greater than or equal to the targeted number; or, the ratio of the number of times the object run information occurs within the preset time period to the targeted number is greater than or equal to a second threshold.
With regard to the device in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments of the method and will not be elaborated here.
Fig. 7 is a block diagram of a device for determining abnormal behaviour according to an exemplary embodiment. For example, device 300 may be provided as a server. Referring to Fig. 7, device 300 includes a processing component 322, which further comprises one or more processors, and memory resources represented by memory 332 for storing instructions executable by the processing component 322, such as application programs. The application programs stored in memory 332 may include one or more modules, each corresponding to a set of instructions. In addition, the processing component 322 is configured to execute the instructions so as to perform the above method of determining abnormal behaviour.
Device 300 may also include a power supply component 326 configured to perform power management of device 300, a wired or wireless network interface 350 configured to connect device 300 to a network, and an input/output (I/O) interface 358. Device 300 can operate based on an operating system stored in memory 332, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
The disclosure also provides a computer-readable storage medium on which computer program instructions are stored; when executed by a processor, the program instructions implement the steps of the method of determining abnormal behaviour provided by the disclosure.
Other embodiments of the disclosure will readily occur to those skilled in the art after considering the specification and practising the disclosure. This application is intended to cover any variations, uses or adaptations of the disclosure that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed herein. The specification and examples are to be regarded as exemplary only, with the true scope and spirit of the disclosure indicated by the following claims.
It should be understood that the disclosure is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the disclosure is limited only by the appended claims.

Claims (10)

1. A method of determining abnormal behaviour, characterized in that the method comprises:
determining, according to a first behavior sequence corresponding to an exceptional sample user and a preset frequent path mining algorithm, an abnormal second behavior sequence in the first behavior sequence, the first behavior sequence including operation information and operating time information corresponding to the operation information;
obtaining a targeted number, being the number of times object run information occurs within a preset time period in the second behavior sequence, the object run information being one kind of operation information selected from the second behavior sequence according to a preset rule;
determining, according to the object run information and the targeted number, a first number of users, being the number of exceptional sample users matching the second behavior sequence, and a second user quantity, being the number of normal sample users matching the second behavior sequence;
if the ratio of the first number of users to the second user quantity is greater than or equal to a preset proportion threshold, determining that the second behavior sequence is abnormal behaviour.
2. The method according to claim 1, characterized in that determining, according to the object run information and the targeted number, the first number of users of exceptional sample users matching the second behavior sequence and the second user quantity of normal sample users matching the second behavior sequence comprises:
determining, according to the object run information and the targeted number, at least one target sample user in a sample user set that matches the second behavior sequence;
determining the first number of users, being the number of exceptional sample users included in the at least one target sample user, and the second user quantity, being the number of normal sample users included in the at least one target sample user.
3. The method according to claim 2, characterized in that determining, according to the object run information and the targeted number, at least one target sample user in the sample user set that matches the second behavior sequence comprises:
if the second behavior sequence is a subsequence of a third behavior sequence corresponding to any sample user in the sample user set, and, in the third behavior sequence, the number of times the object run information occurs within the preset time period and the targeted number meet a first preset condition, determining that sample user to be the target sample user;
the first preset condition being: the number of times the object run information occurs within the preset time period is greater than or equal to the targeted number; or, the ratio of the number of times the object run information occurs within the preset time period to the targeted number is greater than or equal to a first threshold.
4. The method according to claim 1, characterized in that the method further comprises:
after a goal behavior sequence corresponding to a target user is obtained, if the second behavior sequence is a subsequence of the goal behavior sequence, and, in the goal behavior sequence, the number of times the object run information occurs within the preset time period and the targeted number meet a second preset condition, determining that the target user is an abnormal user;
the second preset condition being: the number of times the object run information occurs within the preset time period is greater than or equal to the targeted number; or, the ratio of the number of times the object run information occurs within the preset time period to the targeted number is greater than or equal to a second threshold.
5. A device for determining abnormal behaviour, characterized in that the device comprises:
a first determining module, configured to determine, according to a first behavior sequence corresponding to an exceptional sample user and a preset frequent path mining algorithm, an abnormal second behavior sequence in the first behavior sequence, the first behavior sequence including operation information and operating time information corresponding to the operation information;
an obtaining module, configured to obtain a targeted number, being the number of times object run information occurs within a preset time period in the second behavior sequence, the object run information being one kind of operation information selected from the second behavior sequence according to a preset rule;
a second determining module, configured to determine, according to the object run information and the targeted number, a first number of users, being the number of exceptional sample users matching the second behavior sequence, and a second user quantity, being the number of normal sample users matching the second behavior sequence;
a judgment module, configured to determine that the second behavior sequence is abnormal behaviour if the ratio of the first number of users to the second user quantity is greater than or equal to a preset proportion threshold.
6. The device according to claim 5, characterized in that the second determining module comprises:
a first determining submodule, configured to determine, according to the object run information and the targeted number, at least one target sample user in a sample user set that matches the second behavior sequence;
a second determining submodule, configured to determine the first number of users, being the number of exceptional sample users included in the at least one target sample user, and the second user quantity, being the number of normal sample users included in the at least one target sample user.
7. The device according to claim 6, characterized in that the first determining submodule is configured to: if the second behavior sequence is a subsequence of a third behavior sequence corresponding to any sample user in the sample user set, and, in the third behavior sequence, the number of times the object run information occurs within the preset time period and the targeted number meet a first preset condition, determine that sample user to be the target sample user;
the first preset condition being: the number of times the object run information occurs within the preset time period is greater than or equal to the targeted number; or, the ratio of the number of times the object run information occurs within the preset time period to the targeted number is greater than or equal to a first threshold.
8. The device according to claim 5, characterized in that the device further comprises:
a third determining module, configured to: after a goal behavior sequence corresponding to a target user is obtained, if the second behavior sequence is a subsequence of the goal behavior sequence, and, in the goal behavior sequence, the number of times the object run information occurs within the preset time period and the targeted number meet a second preset condition, determine that the target user is an abnormal user;
the second preset condition being: the number of times the object run information occurs within the preset time period is greater than or equal to the targeted number; or, the ratio of the number of times the object run information occurs within the preset time period to the targeted number is greater than or equal to a second threshold.
9. A device for determining abnormal behaviour, characterized in that the device comprises:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to:
determine, according to a first behavior sequence corresponding to an exceptional sample user and a preset frequent path mining algorithm, an abnormal second behavior sequence in the first behavior sequence, the first behavior sequence including operation information and operating time information corresponding to the operation information;
obtain a targeted number, being the number of times object run information occurs within a preset time period in the second behavior sequence, the object run information being one kind of operation information selected from the second behavior sequence according to a preset rule;
determine, according to the object run information and the targeted number, a first number of users, being the number of exceptional sample users matching the second behavior sequence, and a second user quantity, being the number of normal sample users matching the second behavior sequence;
if the ratio of the first number of users to the second user quantity is greater than or equal to a preset proportion threshold, determine that the second behavior sequence is abnormal behaviour.
10. A computer-readable storage medium having computer program instructions stored thereon, characterized in that the program instructions, when executed by a processor, implement the steps of the method of any one of claims 1 to 4.
CN201910447366.6A 2019-05-27 2019-05-27 Method, device and storage medium for determining abnormal behavior Active CN110222243B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910447366.6A CN110222243B (en) 2019-05-27 2019-05-27 Method, device and storage medium for determining abnormal behavior

Publications (2)

Publication Number Publication Date
CN110222243A true CN110222243A (en) 2019-09-10
CN110222243B CN110222243B (en) 2021-08-31

Family

ID=67818428

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910447366.6A Active CN110222243B (en) 2019-05-27 2019-05-27 Method, device and storage medium for determining abnormal behavior

Country Status (1)

Country Link
CN (1) CN110222243B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104615936A (en) * 2015-03-04 2015-05-13 哈尔滨工业大学 Behavior monitoring method for VMM (virtual machine monitor) layer of cloud platform
CN105187242A (en) * 2015-08-20 2015-12-23 中国人民解放军国防科学技术大学 Method for detecting abnormal user behaviours mined on the basis of variable-length sequence mode
US20190156160A1 (en) * 2017-11-21 2019-05-23 Group Ib, Ltd Method for classifying user action sequence
CN108021932A (en) * 2017-11-22 2018-05-11 北京奇虎科技有限公司 Data detection method, device and electronic equipment
CN108055281A (en) * 2017-12-27 2018-05-18 百度在线网络技术(北京)有限公司 Account method for detecting abnormality, device, server and storage medium
CN108156166A (en) * 2017-12-29 2018-06-12 百度在线网络技术(北京)有限公司 Abnormal access identification and connection control method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
田新广 (Tian Xinguang): "A new IDS anomaly detection method based on hidden Markov models", 《信号处理》 (Signal Processing) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110609783A (en) * 2019-09-24 2019-12-24 京东数字科技控股有限公司 Method and device for identifying abnormal behavior user
CN110609783B (en) * 2019-09-24 2023-08-04 京东科技控股股份有限公司 Method and device for identifying abnormal behavior user
CN111459797A (en) * 2020-02-27 2020-07-28 上海交通大学 Method, system and medium for detecting abnormity of developer behaviors in open source community
CN113726814A (en) * 2021-09-09 2021-11-30 中国电信股份有限公司 User abnormal behavior identification method, device, equipment and storage medium
CN113726814B (en) * 2021-09-09 2022-09-02 中国电信股份有限公司 User abnormal behavior identification method, device, equipment and storage medium
CN117614724A (en) * 2023-12-06 2024-02-27 北京东方通科技股份有限公司 Industrial Internet access control method based on system fine granularity processing

Also Published As

Publication number Publication date
CN110222243B (en) 2021-08-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant