CN110365634A - Abnormal data monitoring method, device, medium and electronic equipment - Google Patents

Publication number: CN110365634A
Authority: CN (China)
Legal status: Granted
Application number: CN201910435057.7A
Other languages: Chinese (zh)
Other versions: CN110365634B (en)
Inventor: 孙家棣
Current Assignee: Ping An Life Insurance Company of China Ltd
Original Assignee: Ping An Life Insurance Company of China Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

This disclosure relates to the field of network monitoring and discloses an abnormal data monitoring method, device, medium and electronic equipment. The method comprises: obtaining data to be identified; inputting the data to be identified into an established first monitoring model, second monitoring model and third monitoring model respectively, to determine whether each monitoring model identifies the data to be identified as abnormal data, where the monitoring models differ in their accuracy at identifying abnormal data and each monitoring model corresponds to a different handling strategy for data-generating objects; for each item of abnormal data, determining, according to the model that identified it, the handling strategy to be executed on the data-generating object corresponding to that abnormal data; and executing the determined handling strategy on the data-generating object corresponding to each item of abnormal data. The method achieves accurate monitoring of abnormal data and improves network security.

Description

Abnormal data monitoring method, device, medium and electronic equipment
Technical field
This disclosure relates to the field of network monitoring technology, and in particular to an abnormal data monitoring method, device, medium and electronic equipment.
Background
With the arrival of the mobile Internet and Internet of Things era, networks cover more and more people and terminals, and the network security situation is becoming increasingly complex. For example, attacks typified by traffic attacks occur again and again: the attacker usually controls a large number of attack source devices and overwhelms a normally running network service with heavy traffic, and this kind of behaviour generates a large amount of abnormal data. How to monitor abnormal data accurately and prevent similar abnormal data from being generated in time is therefore a problem that the prior art urgently needs to solve.
Summary of the invention
In the field of network monitoring, the purpose of the disclosure is to provide an abnormal data monitoring method, device, medium and electronic equipment that accurately monitor abnormal data and prevent abnormal data from being generated.
According to one aspect of the application, an abnormal data monitoring method is provided, the method comprising:
obtaining at least one item of data to be identified, each item of data to be identified corresponding to one data-generating object;
inputting each item of data to be identified simultaneously into an established first monitoring model, second monitoring model and third monitoring model, to determine whether each monitoring model identifies the data to be identified as abnormal data, where the first, second and third monitoring models differ in their accuracy at identifying abnormal data and each corresponds to a different handling strategy for data-generating objects;
for each item of abnormal data, determining, according to which of the first, second and third monitoring models identified the abnormal data, the handling strategy to be executed on the data-generating object corresponding to that abnormal data;
executing, on the data-generating object corresponding to each item of abnormal data, the handling strategy determined for that data-generating object.
According to another aspect of the application, an abnormal data monitoring device is provided, the device comprising:
an obtaining module, configured to obtain at least one item of data to be identified, each item of data to be identified corresponding to one data-generating object;
an input module, configured to input each item of data to be identified simultaneously into an established first monitoring model, second monitoring model and third monitoring model, to determine whether each monitoring model identifies the data to be identified as abnormal data, where the first, second and third monitoring models differ in their accuracy at identifying abnormal data and each corresponds to a different handling strategy for data-generating objects;
a determining module, configured to determine, for each item of abnormal data and according to which of the first, second and third monitoring models identified the abnormal data, the handling strategy to be executed on the data-generating object corresponding to that abnormal data;
an execution module, configured to execute, on the data-generating object corresponding to each item of abnormal data, the handling strategy determined for that data-generating object.
According to another aspect of the application, a computer-readable program medium is provided, which stores computer program instructions that, when executed by a computer, cause the computer to perform the method described above.
According to another aspect of the application, electronic equipment is provided, the electronic equipment comprising:
a processor;
a memory storing computer-readable instructions that, when executed by the processor, implement the method described above.
The technical solutions provided by the embodiments of the invention can have the following beneficial effects:
The abnormal data monitoring method provided by the invention includes the following steps: obtaining at least one item of data to be identified, each item corresponding to one data-generating object; inputting each item of data to be identified simultaneously into an established first monitoring model, second monitoring model and third monitoring model, to determine whether each monitoring model identifies the data to be identified as abnormal data, where the three monitoring models differ in their accuracy at identifying abnormal data and each corresponds to a different handling strategy for data-generating objects; for each item of abnormal data, determining, according to which of the three monitoring models identified the abnormal data, the handling strategy to be executed on the data-generating object corresponding to that abnormal data; and executing, on the data-generating object corresponding to each item of abnormal data, the handling strategy determined for that data-generating object.
With this method, inputting the data to be identified into three monitoring models that differ in their accuracy at identifying abnormal data provides a triple safeguard for accurate monitoring of abnormal data. Then, by executing a specific handling strategy on the data-generating object corresponding to the abnormal data according to the model that identified it, the generation of abnormal data can be reduced to some extent and the behaviour of the data-generating object can be restricted in time, which improves network security.
It should be understood that the above general description and the following detailed description are merely exemplary and do not limit the invention.
Brief description of the drawings
The accompanying drawings, which are incorporated in and form part of this specification, show embodiments consistent with the invention and, together with the specification, serve to explain the principles of the invention.
Fig. 1 is a system architecture diagram of the abnormal data monitoring method in a traffic attack scenario, according to an exemplary embodiment;
Fig. 2 is a system architecture diagram of the abnormal data monitoring method in a scenario of abnormal account opening by impersonated accounts, according to an exemplary embodiment;
Fig. 3 is a flow chart of an abnormal data monitoring method according to an exemplary embodiment;
Fig. 4 is a flow chart of a method for establishing the first monitoring model and identifying abnormal data with it, according to an embodiment based on the embodiment of Fig. 3;
Fig. 5 is a flow chart of a method for establishing the second monitoring model and identifying abnormal data with it, according to an embodiment based on the embodiment of Fig. 3;
Fig. 6 is a flow chart of a method for establishing the third monitoring model and identifying abnormal data with it, according to an embodiment based on the embodiment of Fig. 3;
Fig. 7 is a block diagram of an abnormal data monitoring device according to an exemplary embodiment;
Fig. 8 is an example block diagram of electronic equipment that implements the above abnormal data monitoring method, according to an exemplary embodiment;
Fig. 9 shows a computer-readable storage medium that implements the above abnormal data monitoring method, according to an exemplary embodiment.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the invention. Rather, they are merely examples of devices and methods that are consistent with some aspects of the invention, as detailed in the appended claims.
In addition, the drawings are only schematic illustrations of the disclosure and are not necessarily drawn to scale. Identical reference numerals in the figures denote identical or similar parts, so repeated description of them is omitted. Some of the block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities.
The disclosure first provides an abnormal data monitoring method. The abnormal data here may belong to various fields, for example production process data, external device access data, business processing data and application login data. Abnormal data is data that does not meet the requirements of normal business, production, service or similar processes, such as illegitimate traffic data, abnormal login data or abnormal object operation data. Monitoring abnormal data means identifying possible abnormal data; the entity corresponding to the abnormal data may also be restricted or handled. The implementing terminal of the disclosure may be any device with computing, processing and communication functions. The device may be connected to external devices in order to receive or send information. It may be a portable mobile device, such as a smartphone, tablet computer, laptop or PDA (Personal Digital Assistant); a fixed device, such as computer equipment, a field terminal, a desktop computer, a server or a workstation; or a set of multiple devices, such as a server cluster or the physical infrastructure of cloud computing.
Fig. 1 is a system architecture diagram of the abnormal data monitoring method in a traffic attack scenario, according to an exemplary embodiment. As shown in Fig. 1, the system includes a server 110 and multiple terminal devices 120, and server 110 and the terminal devices 120 are connected by communication links. In a traffic attack scenario, a criminal can control a large number of terminal devices 120 at the same time and use them to send access requests to server 110. If the processing capacity of server 110 cannot bear these access requests, the performance of server 110 degrades or the server is even paralysed. However, these terminal devices 120 generate traffic data when they access the server, and monitoring this traffic data can reduce the risk posed by traffic attacks to some extent.
Fig. 2 is a system architecture diagram of the abnormal data monitoring method in a scenario of abnormal account opening by impersonated accounts, according to an exemplary embodiment. Abnormal account opening by impersonated accounts refers to account opening by illegitimate users, for example opening an account with stolen personal information, or with information such as mobile phone numbers and mailboxes obtained through back doors. As shown in Fig. 2, the system includes a server 210, a router 220, a smartphone 230 and a base station 240. In the embodiment shown in Fig. 2, the executing subject of the technical solution of the disclosure, i.e. the implementing terminal, may be server 210. In general, router 220 is the bridge for information exchange between a wide area network (Wide Area Network, WAN) and a local area network (Local Area Network, LAN), and enables communication between different networks. In Fig. 2, relative to router 220, server 210 is in the wide area network and smartphone 230 is in the local area network. Smartphone 230 can communicate with server 210 through the Wi-Fi local area network created by router 220 or through base station 240. After a smartphone 230 has installed one or more Apps (applications) managed by server 210, the smartphone can use the App to communicate with server 210 through router 220 or base station 240 and complete registration of the App. The user of smartphone 230 can then operate the App and use more of the services provided by the App operator. However, the App registration process is often exploited by criminals for criminal activity. For example, a user needs a loan from a loan platform but the credit limit is insufficient. An offender then misleads the user who wants the loan, telling them that the loan platform will raise the user's limit as long as the transaction flow on the user's bank card is large, and tricks the user into providing a bank card account to inflate the transaction flow, which ultimately causes the user financial loss. Therefore, when a user uses smartphone 230 to open an impersonated account, the abnormal data monitoring method provided by the disclosure can monitor this behaviour and thereby reduce financial risk to some extent.
Fig. 3 is a flow chart of an abnormal data monitoring method according to an exemplary embodiment. As shown in Fig. 3, the method includes the following steps:
Step 310: obtain at least one item of data to be identified;
Step 320: input each item of data to be identified simultaneously into the established first monitoring model, second monitoring model and third monitoring model, to determine whether each monitoring model identifies the data to be identified as abnormal data;
Step 330: for each item of abnormal data, determine, according to which of the first, second and third monitoring models identified the abnormal data, the handling strategy to be executed on the data-generating object corresponding to that abnormal data;
Step 340: execute, on the data-generating object corresponding to each item of abnormal data, the handling strategy determined for that data-generating object.
The steps in Fig. 3 are described in detail below.
In step 310, at least one item of data to be identified is obtained.
Each item of data to be identified corresponds to one data-generating object. Data to be identified is data that needs to be judged as abnormal or not. In the scenario of the embodiment shown in Fig. 1, the data to be identified is traffic data; in the scenario of the embodiment shown in Fig. 2, it is account-opening data. A data-generating object is the entity that generates the data to be identified. In the Fig. 1 embodiment, for example, the data-generating object may be an account, an IP address, a mobile phone number, etc.; in the Fig. 2 embodiment it may be an account, a mobile phone number, etc.
Traffic data is the data related to terminal access behaviour that is generated when a terminal accesses the local end or other terminals.
In one embodiment, traffic data includes the access time, the IP address of the user terminal, the accounts accessed under the same IP address, the account login records of the same mobile phone number segment, etc.
Account-opening data is data in any form that is generated when the account-opening terminal interacts with the local end during account opening, or data related to the account-opening behaviour. Each item of account-opening data corresponds to an account.
In one embodiment, account-opening data includes the account-opening time, the account-opening IP address (Internet Protocol address), the mobile phone number bound at account opening, etc.
In one embodiment, the account-opening data obtained is the data generated within a predetermined time period.
In step 320, each item of data to be identified is input simultaneously into the established first monitoring model, second monitoring model and third monitoring model, to determine whether each monitoring model identifies the data to be identified as abnormal data.
The first, second and third monitoring models differ in their accuracy at identifying abnormal data, and each corresponds to a different handling strategy for data-generating objects.
A handling strategy for a data-generating object is a way of handling that object, for example checking whether the data-generating object is legitimate, or whether certain behaviours of the data-generating object should be restricted. In the scenario of the Fig. 1 embodiment, the handling strategy may be disabling the IP, disabling the IP for a given time, etc.; in the scenario of the Fig. 2 embodiment, it may be freezing the opened account, restricting login of the opened account, etc.
A monitoring model is a mathematical model for identifying abnormal data and may include elements such as algorithms and judgment rules. Any two of the first, second and third monitoring models differ in at least part of their composition; only then can the three models differ in their accuracy at identifying abnormal data.
Three groups of embodiments below illustrate possible ways of establishing and using the first, second and third monitoring models respectively.
In one embodiment, as shown in Fig. 4, the first monitoring model is established and used to identify abnormal data as follows:
Step 410: obtain multiple items of data to be identified and a joint feature group consisting of multiple joint features.
Each item of data to be identified includes a joint feature value for each joint feature in the joint feature group. A joint feature is the name of the feature and appears in the data as a field; it summarises the meaning of the joint feature value. The relationship between a joint feature and a joint feature value is similar to that between a parameter and a parameter value. Joint features are preset based on experience. For example, if the joint feature is the WI-FI name, the joint feature value may be the name of any WI-FI network, such as CMCC.
The number of items of data to be identified and the number of joint features may be the same or different; the disclosure does not limit this.
Step 420: according to the joint features in the joint feature group, determine for each item of data to be identified the joint feature values corresponding to those joint features, to obtain the joint feature value group of each item of data to be identified.
In one embodiment, each joint feature in the joint feature group has a joint feature identifier, and each joint feature value in the data to be identified is stored in correspondence with the identifier of its joint feature. The joint feature values of each item of data to be identified are then determined by the joint feature identifiers.
Step 430: for each joint feature value group obtained, determine the number of times that group occurs among all the joint feature value groups obtained.
Each item of data to be identified corresponds to one joint feature value group. The groups of different items may be identical or different, so among all the joint feature value groups obtained, some groups may occur more than once. In one embodiment, the implementing terminal of the disclosure has a counter that obtains the number of occurrences of each joint feature value group among all the groups obtained.
Step 440: obtain the data to be identified corresponding to the joint feature value groups whose number of occurrences is greater than a predetermined threshold, as first abnormal data.
For the traffic attack scenario, the data to be identified is traffic data. In one embodiment, the joint feature group includes: the IP address of the accessing device, the name of the WI-FI network the accessing device is connected to, and the access time of the accessing device. For example, the joint feature value group of an item of traffic data may be 192.168.1.156, NET-001 and 18:20.
For the scenario of abnormal account opening by impersonated accounts, the data to be identified is account-opening data. In one embodiment, the account-opening device is a smartphone, and the joint feature group includes: the IP address of the account-opening device, the name of the WI-FI network the account-opening device is connected to, the phone model of the account-opening device, and the host name (net.hostname) of the account-opening device. The joint feature values in the account-opening data correspond one-to-one to the joint features. For example, the joint feature value group of an item of account-opening data may be 171.168.131.27.6, HUAWEI-E7753, Redmi 5A, Redmi5A-hongmishouji.
In one embodiment, the predetermined threshold is 5. If the joint feature value group 171.168.131.27.6, HUAWEI-E7753, Redmi 5A, Redmi5A-hongmishouji appears in more than 5 items of account-opening data, this shows that more than 5 account openings were made on the same Redmi phone, on a WI-FI network with the same name and under the same IP address. This may indicate abnormal account opening by impersonated accounts carried out by a gang. For example, a gang obtains a large batch of mobile phone numbers through illegal channels; because mobile phones are costly and campus network charges are high, offenders generally use the same phone, connected to WI-FI, to open accounts in bulk with a large number of phone numbers, and this is abnormal account opening by impersonated accounts.
Step 450: receive data to be identified, and judge whether the joint feature value group it contains is consistent with the joint feature value group of the first abnormal data.
In one embodiment, each joint feature value in the joint feature value group of the data to be identified is stored in correspondence with the identifier of its joint feature. To judge whether the joint feature value group contained in the data to be identified is consistent with that of the first abnormal data, first obtain the joint feature identifiers stored with the joint feature value group of the first abnormal data; then use those identifiers to obtain, from the data to be identified, the joint feature values stored under the same identifiers; finally compare the joint feature values of the two groups identifier by identifier. This determines whether the joint feature value group contained in the data to be identified is consistent with the joint feature value group of the first abnormal data.
Step 460: if so, identify the data to be identified as abnormal data identified by the first monitoring model.
In summary, the advantage of the embodiment shown in Fig. 3 is that the joint feature value groups that determine abnormal data are summarised from the joint feature group and multiple items of account-opening data, so that when similar abnormal data appears again it can be monitored promptly, which effectively reduces network risk.
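The following sketch walks steps 410 to 460 for the account-opening scenario. It is an added illustration, not code from the patent: the field names, the helper functions and the sample phone numbers are assumptions, while the joint feature values and the threshold of 5 are the ones quoted in the text.

```python
from collections import Counter

# Joint feature group for the account-opening scenario, as listed in the text.
# The dictionary field names are assumptions made for this example.
JOINT_FEATURES = ("ip", "wifi_name", "phone_model", "hostname")
THRESHOLD = 5  # predetermined threshold from the text's example


def joint_value_group(record, features=JOINT_FEATURES):
    """Step 420: extract the joint feature value group of one record.

    Returns None when any joint feature is missing or empty, so that
    incomplete records are neither counted nor matched.
    """
    values = tuple(record.get(f) for f in features)
    if any(v is None or v == "" for v in values):
        return None
    return values


def build_first_model(records, threshold=THRESHOLD, features=JOINT_FEATURES):
    """Steps 430-440: count every group and keep those seen more than
    `threshold` times. The returned set is the model's stored state."""
    counts = Counter()
    for record in records:
        group = joint_value_group(record, features)
        if group is not None:
            counts[group] += 1
    return {group for group, n in counts.items() if n > threshold}


def is_first_abnormal(record, abnormal_groups, features=JOINT_FEATURES):
    """Steps 450-460: a new record is abnormal when its joint feature value
    group equals one of the stored abnormal groups, feature by feature."""
    group = joint_value_group(record, features)
    return group is not None and group in abnormal_groups


def flagged_objects(records, abnormal_groups):
    """Data-generating objects (here: phone numbers) behind abnormal records."""
    return sorted({r["phone"] for r in records
                   if is_first_abnormal(r, abnormal_groups)})


def make_record(phone, ip, wifi, model, host):
    return {"phone": phone, "ip": ip, "wifi_name": wifi,
            "phone_model": model, "hostname": host}


# Constructed sample data. The shared joint feature values are the ones quoted
# in the text (the IP string is reproduced as written there); the phone
# numbers and the remaining records are made up.
SHARED = ("171.168.131.27.6", "HUAWEI-E7753", "Redmi 5A", "Redmi5A-hongmishouji")
HISTORY = [make_record(f"1380000{i:04d}", *SHARED) for i in range(6)]
HISTORY += [
    make_record("13900000001", "10.0.0.8", "HOME-AP", "Mi 8", "mi8-alice"),
    make_record("13900000002", "10.0.0.9", "CAFE-AP", "P20", "p20-bob"),
    make_record("13900000003", "10.0.0.10", "", "P20", "p20-carol"),  # no WI-FI name
]

ABNORMAL_GROUPS = build_first_model(HISTORY)

if __name__ == "__main__":
    new_batch = [
        make_record("13811112222", *SHARED),
        make_record("13933334444", "10.0.0.8", "HOME-AP", "Mi 8", "mi8-alice"),
    ]
    print("abnormal groups:", ABNORMAL_GROUPS)
    print("objects to handle:", flagged_objects(new_batch, ABNORMAL_GROUPS))
```

Because the comparison is an exact match on the whole group, a change in any single joint feature value produces a group the model has not stored.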
In one embodiment, as shown in figure 5, establishing second monitoring model in the following way and utilizing described the Two monitoring models identify abnormal data:
Step 510, it is obtained in the first predetermined amount of time in the abnormal data identified by first monitoring model The abnormal data of generation.
Wherein, each abnormal data is corresponding with identity information, and the abnormal data meets the first pre-defined rule.
First predetermined amount of time arbitrarily produces the period of abnormal data before can be current time, such as can be and work as The first trimester of preceding time.
In one embodiment, the time for generating abnormal data is time that the first monitoring model identifies abnormal data.
Step 520, the second preset judgment rule is determined according to the abnormal data of acquisition and the second pre-defined rule.
Second preset judgment rule is the rule relevant with the second pre-defined rule.
In one embodiment, it emits account for puppet to open an account extremely scene, the second preset judgment rule is for filtering Fraud clique opens an account data.
In one embodiment, for flow attacking scene, the second preset judgment rule is for filtering the stream gathered Measure attack source.
In one embodiment, the second pre-defined rule is determined according to the abnormal data of acquisition first, it is then pre- according to second Set pattern then, determines the second preset judgment rule.
In one embodiment, in addition to the joint eigenvalues, the data to be identified also includes feature values corresponding to features, and the second pre-defined rule is determined according to the features in the acquired abnormal data. For example, in the puppet-account abnormal account-opening scenario, the abnormal data is account-opening data and the feature is the longitude and latitude of the IP address used to open the account; the corresponding second pre-defined rule can then be that the IP address lies within an IP address longitude/latitude concentration range, and the second preset judgment rule can be the country or prefecture-level city to which that IP address longitude/latitude range belongs.
In one embodiment, the IP address longitude/latitude concentration range is a range in which the number of IP addresses corresponding to account-opening data exceeds a predetermined number threshold and in which, for the IP addresses corresponding to the respective account-opening data, the absolute value of the difference in longitude is less than a predetermined longitude difference threshold and the absolute value of the difference in latitude is less than a predetermined latitude difference threshold. For example, suppose the predetermined longitude difference threshold is 5 degrees, the predetermined latitude difference threshold is 3 degrees, and the predetermined number threshold is 3. If (20.5 degrees north latitude, 116.7 degrees east longitude), (20.2 degrees north latitude, 116.0 degrees east longitude) and (21 degrees north latitude, 117 degrees east longitude) are the IP address longitudes and latitudes corresponding to three pieces of account-opening data, and these IP address coordinates all belong to city A, then the second preset judgment rule can be that the IP longitude and latitude corresponding to the account-opening data falls within the area of city A.
In one embodiment, the features, the second pre-defined rule and the second preset judgment rule are stored in correspondence with one another in a mapping table established in advance on the basis of experience, and the second pre-defined rule and the second preset judgment rule are each determined by table lookup.
Step 530, from the acquired abnormal data, determine the abnormal data that satisfies the second preset judgment rule, as second abnormal data.
In one embodiment, for the puppet-account abnormal account-opening scenario, as in the foregoing embodiment, the second preset judgment rule can be that the IP longitude and latitude corresponding to the account-opening data falls within the area of city A. When determining the second abnormal data, the IP address longitude and latitude corresponding to each piece of suspect account-opening data can first be obtained, and the city or country to which each IP address belongs is then obtained from that longitude and latitude. If the IP longitude and latitude corresponding to a piece of account-opening data is judged to belong to city A, that account-opening data is taken as fraud-ring account-opening data, i.e. second abnormal data.
Step 540, verify the identity information in the second abnormal data to obtain a verification result.
In one embodiment, for the traffic attack scenario, the identity information is an IP address, and the identity information is verified by verifying the IP address. The specific verification method can be to monitor the access frequency of the IP within a specified time.
In one embodiment, for the puppet-account abnormal account-opening scenario, the identity information is a mobile phone number, and identity information in the form of a mobile phone number can be verified by performing dynamic password verification on the mobile phone number. Dynamic password verification refers to verification by means of a dynamic password or a dynamic verification code.
In one embodiment, the mobile phone number is verified by means of a voice verification code. For example, the mobile phone number in the fraud ring's account-opening data is dialed, and a verification code is then read out to the user of that number by voice broadcast, so that the account opening can be verified.
Step 550, according to the second abnormal data for which verification succeeded and the second abnormal data for which verification failed, determine an ancillary rule of the first pre-defined rule, to obtain a third rule composed of the first pre-defined rule and the ancillary rule.
As stated above, each data to be identified includes joint eigenvalues and may additionally include feature values corresponding to features; the ancillary rule of the first pre-defined rule can be determined from the feature values of each data to be identified.
In one embodiment, the ancillary rule of the first pre-defined rule is determined as follows: first, the feature values of all features are normalized to the interval [0,1]; for each feature, the average of the normalized feature values of that feature in the second abnormal data for which verification succeeded is obtained as a first average value; then, for that feature, the average of the normalized feature values of that feature in all second abnormal data for which verification failed is obtained as a second average value; then, for each feature, the absolute value of the difference between the second average value and the first average value of that feature is obtained; finally, the ancillary rule of the first pre-defined rule is determined according to that absolute value.
The feature values of different features may have different dimensions (scales). If the averages were computed on the raw feature values and the ancillary rule determined from them, the values obtained for the different features could differ widely, making the determined ancillary rule unreasonable. In the present embodiment, normalizing the feature values improves the applicability of the determined ancillary rule.
In one embodiment, the feature with the largest absolute value is obtained first, and the second average value is compared with the first average value; if the first average value is greater than the second average value, the ancillary rule of the first pre-defined rule is determined to be that the normalized feature value of this feature is greater than a median, where the median is the mean of the first average value and the second average value. The larger the absolute value of the difference between the second average value and the first average value, the more clearly the feature values of that feature differ between the second abnormal data for which verification succeeded and the second abnormal data for which verification failed; using the feature value of this feature as the ancillary rule can improve the precision of identifying abnormal data.
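The derivation of the ancillary rule in step 550 can be sketched in Python as follows; this is an added example, not code from the patent. The feature names and sample values are constructed, and the branch for a first average value below the second average value ("less than the median") is an assumption, since the text only specifies the opposite case.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed second abnormal data: (verification succeeded?, raw feature values).
# The feature names are hypothetical; the patent does not name them.
SECOND_ABNORMAL = [
    (True,  {"opens_per_hour": 40, "form_fill_seconds": 20}),
    (True,  {"opens_per_hour": 50, "form_fill_seconds": 30}),
    (True,  {"opens_per_hour": 45, "form_fill_seconds": 25}),
    (False, {"opens_per_hour": 10, "form_fill_seconds": 30}),
    (False, {"opens_per_hour": 0,  "form_fill_seconds": 20}),
    (False, {"opens_per_hour": 5,  "form_fill_seconds": 40}),
]


@dataclass(frozen=True)
class AncillaryRule:
    feature: str
    lo: float       # smallest raw value seen, used for min-max normalization
    hi: float       # largest raw value seen
    median: float   # the text's "median": mean of the first and second averages
    greater: bool   # True: the normalized value must be greater than the median

    def normalise(self, raw):
        # Values outside the range seen at derivation time are clamped to [0, 1].
        return min(1.0, max(0.0, (raw - self.lo) / (self.hi - self.lo)))

    def matches(self, raw):
        value = self.normalise(raw)
        return value > self.median if self.greater else value < self.median


def derive_ancillary_rule(records):
    """Pick the feature whose normalized averages differ most between the groups."""
    succeeded = [features for ok, features in records if ok]
    failed = [features for ok, features in records if not ok]
    if not succeeded or not failed:
        raise ValueError("need both verified and unverified second abnormal data")

    best_gap, best_rule = -1.0, None
    for name in sorted(records[0][1]):
        raw = [features[name] for _, features in records]
        lo, hi = min(raw), max(raw)
        if hi == lo:
            continue  # a constant feature cannot separate the two groups
        first_avg = mean((f[name] - lo) / (hi - lo) for f in succeeded)
        second_avg = mean((f[name] - lo) / (hi - lo) for f in failed)
        gap = abs(second_avg - first_avg)
        if gap > best_gap:
            best_gap = gap
            best_rule = AncillaryRule(
                feature=name, lo=lo, hi=hi,
                median=(first_avg + second_avg) / 2,
                # Assumption: when first_avg < second_avg the rule is "less than".
                greater=first_avg > second_avg,
            )
    if best_rule is None:
        raise ValueError("no feature varies across the records")
    return best_rule


if __name__ == "__main__":
    rule = derive_ancillary_rule(SECOND_ABNORMAL)
    print(rule)
    print("raw value 30 matches:", rule.matches(30))
```

Without the normalization step the feature with the largest raw range would win the comparison regardless of how well it separates the two groups.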
Step 560, receive data to be identified, and judge whether the data to be identified satisfies both the second preset judgment rule and the third rule.
Step 570, if so, take the data to be identified as abnormal data identified by the second monitoring model.
The second preset judgment rule screens the data to be identified from one aspect, and the third rule further screens the data to be identified from another aspect. Each rule indicates that data to be identified satisfying it may, to some extent, be abnormal data; therefore, if data to be identified satisfies both rules at the same time, the likelihood that it is abnormal data increases greatly. The advantage of this is that the accuracy of identifying abnormal data is improved.
In one embodiment, as shown in Fig. 6, the third monitoring model is established, and abnormal data is identified using the third monitoring model, as follows:
Step 610, obtain the abnormal data output by the first monitoring model that was generated in a second predetermined time period, where the abnormal data satisfies the first pre-defined rule.
The second time period can be any period before the current time in which abnormal data was produced; it can be the same period as the first time period, or a period different from the first time period.
Step 620, determine a third preset judgment rule according to the acquired abnormal data and a third pre-defined rule.
The third pre-defined rule belongs to the second pre-defined rule. Specifically, this means that the range defined by the third pre-defined rule is smaller than that of the second pre-defined rule, i.e. the second pre-defined rule is a combination of multiple rules that includes the third pre-defined rule; restricting by a combination of more rules makes the abnormal data screened out by the combined rule more accurate.
In one embodiment, for the puppet-account abnormal account-opening scenario, the third pre-defined rule concerns the number of account-opening data whose IP address longitudes and latitudes are clustered and whose WI-FI name and mobile phone model are all identical. Specifically: the number of suspect account-opening data for which the absolute value of the difference between IP address longitudes is less than the predetermined longitude difference threshold, the absolute value of the difference between latitudes is less than the predetermined latitude difference threshold, and the WI-FI name and mobile phone model are all identical, is greater than the predetermined number threshold.
In one embodiment, the third preset judgment rule is the combination of rules corresponding to the third pre-defined rule. For example, if the IP address longitudes and latitudes of multiple pieces of suspect account-opening data are concentrated near 25.19 degrees north latitude, 101 degrees east longitude, the WI-FI name used when opening the accounts is HUAWEI-E5573 in every case, the mobile phone model is Redmi 5A in every case, and the number of these suspect account-opening data is greater than the predetermined number threshold, then the third preset judgment rule is that the distance between the IP address longitude and latitude corresponding to the account-opening data and that IP address longitude and latitude is within a predetermined range, the WI-FI name is HUAWEI-E5573 and the mobile phone model is Redmi 5A. If there are additionally multiple pieces of suspect account-opening data whose IP address longitudes and latitudes are concentrated near 15.9 degrees north latitude, 107 degrees east longitude, whose WI-FI name is HUAWEI-E5573 in every case and whose mobile phone model is Redmi 5A in every case, and the number of these suspect account-opening data is greater than the predetermined number threshold, then the third preset judgment rule further includes that the distance between the IP address longitude and latitude corresponding to the account-opening data and 15.9 degrees north latitude, 107 degrees east longitude is within the predetermined range, the WI-FI name is HUAWEI-E5573 and the mobile phone model is Redmi 5A.
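The following Python sketch, an added example rather than code from the patent, finds the longitude/latitude concentration ranges defined for the second pre-defined rule and turns them into third preset judgment rules of the kind described above. The sample records are constructed around the coordinates, WI-FI name and phone model quoted in the text; using the centre of each concentration and the same per-axis thresholds as the "predetermined range" is an assumption, and the count test is strict, following the wording "exceeds".

```python
from collections import defaultdict
from itertools import product

LON_DIFF_MAX = 5.0     # predetermined longitude difference threshold (degrees)
LAT_DIFF_MAX = 3.0     # predetermined latitude difference threshold (degrees)
NUMBER_THRESHOLD = 3   # predetermined number threshold

# Constructed suspect account-opening data:
# (north latitude, east longitude, WI-FI name, mobile phone model).
SUSPECT = [
    (25.10, 100.9, "HUAWEI-E5573", "Redmi 5A"),
    (25.20, 101.0, "HUAWEI-E5573", "Redmi 5A"),
    (25.30, 101.1, "HUAWEI-E5573", "Redmi 5A"),
    (25.16, 101.0, "HUAWEI-E5573", "Redmi 5A"),
    (15.80, 106.9, "HUAWEI-E5573", "Redmi 5A"),
    (15.90, 107.0, "HUAWEI-E5573", "Redmi 5A"),
    (16.00, 107.1, "HUAWEI-E5573", "Redmi 5A"),
    (15.90, 107.0, "HUAWEI-E5573", "Redmi 5A"),
    (40.00, 116.4, "HUAWEI-E5573", "Redmi 5A"),   # isolated, joins no range
    (25.20, 101.0, "wifi-constructed", "Redmi 5A"),
    (25.10, 101.0, "wifi-constructed", "Redmi 5A"),  # only 2: below the threshold
]


def concentration_ranges(points):
    """Return maximal sets of point indexes that form a concentration range.

    All pairwise differences are below the thresholds exactly when the points
    fit in a box narrower than LAT_DIFF_MAX by LON_DIFF_MAX, so it is enough to
    try every box whose lower edges pass through some point.
    """
    found = set()
    for (lat0, _), (_, lon0) in product(points, repeat=2):
        members = frozenset(
            i for i, (lat, lon) in enumerate(points)
            if lat0 <= lat < lat0 + LAT_DIFF_MAX
            and lon0 <= lon < lon0 + LON_DIFF_MAX
        )
        if len(members) > NUMBER_THRESHOLD:
            found.add(members)
    # Drop ranges that are strictly contained in a larger one.
    return [s for s in found if not any(s < other for other in found)]


def third_judgment_rules(records):
    """One rule (centre lat, centre lon, wifi, model) per concentration range."""
    by_device = defaultdict(list)
    for lat, lon, wifi, model in records:
        by_device[(wifi, model)].append((lat, lon))
    rules = []
    for (wifi, model), points in by_device.items():
        for members in concentration_ranges(points):
            lat_c = sum(points[i][0] for i in members) / len(members)
            lon_c = sum(points[i][1] for i in members) / len(members)
            rules.append((lat_c, lon_c, wifi, model))
    return sorted(rules)


def matches_third_judgment_rule(record, rules):
    """Assumption: "within a predetermined range" means within the same
    per-axis thresholds of a rule's centre."""
    lat, lon, wifi, model = record
    return any(
        wifi == r_wifi and model == r_model
        and abs(lat - r_lat) < LAT_DIFF_MAX and abs(lon - r_lon) < LON_DIFF_MAX
        for r_lat, r_lon, r_wifi, r_model in rules
    )


if __name__ == "__main__":
    for rule in third_judgment_rules(SUSPECT):
        print(rule)
```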
In one embodiment, the third preset judgment rule can be determined from the third pre-defined rule by means of a preset mapping table.
Step 630, receive data to be identified, and judge whether the data to be identified satisfies both the third preset judgment rule and the third rule.
Step 640, if so, take the data to be identified as abnormal data identified by the third monitoring model.
In summary, in the embodiment illustrated in Fig. 5, the third preset judgment rule is determined according to the acquired abnormal data and the third pre-defined rule. Since the third pre-defined rule belongs to the second pre-defined rule, the third preset judgment rule determined from the third pre-defined rule identifies abnormal data with higher accuracy; finally, judging abnormal data by combining the third preset judgment rule with the third rule substantially improves the accuracy of identifying abnormal data.
Returning now to step 330 in Fig. 3: for each abnormal data, according to which of the first monitoring model, the second monitoring model and the third monitoring model identified the abnormal data, determine the data generation object processing strategy to be executed on the data generation object corresponding to the abnormal data.
In one embodiment, among the data generation object processing strategies corresponding to the models that identified the abnormal data, the strategy corresponding to the model with the highest accuracy in identifying abnormal data is obtained as the determined data generation object processing strategy to be executed on the data generation object corresponding to the abnormal data.
In one embodiment, for the traffic attack scenario, the data to be identified is traffic data and the data generation object corresponding to the data to be identified is an IP address. The data generation object processing strategy corresponding to the first monitoring model is to prohibit, during a first time period each day, the IP address corresponding to the abnormal data identified by the first monitoring model from accessing the local end; the strategy corresponding to the second monitoring model is to prohibit, during a second time period each day, the IP address corresponding to the abnormal data identified by the second monitoring model from accessing the local end; and the strategy corresponding to the third monitoring model is to completely prohibit the IP address corresponding to the abnormal data identified by the third monitoring model from accessing the local end.
In one embodiment, for the puppet-account abnormal account-opening scenario, the data to be identified is account-opening data and the data generation objects corresponding to the data to be identified are a mobile phone number and an account. The data generation object processing strategy corresponding to the first monitoring model is to perform dynamic password verification on the mobile phone number corresponding to the abnormal data identified by the first monitoring model; the strategy corresponding to the second monitoring model is to perform face recognition verification when opening the account corresponding to the abnormal data identified by the second monitoring model; and the strategy corresponding to the third monitoring model is to reject the account-opening request of the account corresponding to the abnormal data identified by the third monitoring model.
In step 340, for the data generation object corresponding to each abnormal data, the determined data generation object processing strategy corresponding to that data generation object is executed.
By executing the corresponding data generation object processing strategy on the data generation object, the generation of abnormal data can be reduced to a certain extent, thereby improving the security of the network.
In one embodiment, after step 340, the method further includes: determining the first abnormal data that satisfies a fourth pre-defined rule, as target abnormal data; and, every first predetermined time period, generating monitoring reminder information containing the target abnormal data within that first predetermined time period.
In one embodiment, for the puppet-account abnormal account-opening scenario, the first abnormal data further includes a feature value, and each data to be identified corresponds to a mobile phone number, which may or may not be bound to a salesperson. The feature value includes: the number of mobile phone numbers not bound to a salesperson among the mobile phone numbers corresponding to all first abnormal data that have the same joint eigenvalue group as the first abnormal data. The fourth pre-defined rule is that, among the mobile phone numbers corresponding to the first abnormal data with the same joint eigenvalue group, the number of mobile phone numbers not bound to a salesperson is greater than a predetermined mobile phone number count threshold.
The reminder information is information that reminds the user of the monitoring situation. It can be presented to the user by SMS, e-mail, notification, display on a screen connected to the executing entity of the present disclosure, transmission to a particular terminal, projection display, and so on.
In the present embodiment, the first abnormal data is filtered using the more restrictive fourth rule to obtain the target abnormal data, which further ensures the accuracy of identifying the target abnormal data; meanwhile, generating monitoring reminder information every specified time period helps improve the user's awareness of how the abnormal data is developing.
In one embodiment, the data to be identified further includes multiple scoring feature data. Before generating, every first predetermined time period, the monitoring reminder information containing the target abnormal data within that first predetermined time period, the method further includes: for each joint eigenvalue group whose number is greater than the predetermined threshold, determining the score of the joint eigenvalue group according to the multiple scoring feature data;
The generating, every first predetermined time period, of monitoring reminder information containing the target abnormal data within that first predetermined time period includes: every first predetermined time period, generating monitoring reminder information containing the target abnormal data within that first predetermined time period, wherein, in the monitoring reminder information, the target abnormal data are sorted in descending order of the score of their corresponding joint eigenvalue group.
Joint eigenvalue groups correspond to account-opening data, and account-opening data corresponds to scoring feature data, so the scoring feature data can be used to determine the score of a joint eigenvalue group.
In one embodiment, each scoring feature data is manually defined and has a corresponding scoring rule and score. For each scoring feature data, scoring feature extraction data is obtained from that scoring feature data in all data to be identified under each joint eigenvalue group. The score of each joint eigenvalue group is obtained by judging the scoring feature extraction data with the corresponding scoring rule: if the scoring rule is satisfied, the score corresponding to that scoring rule is set for the joint eigenvalue group. For each joint eigenvalue group, the sum of the scores set for that joint eigenvalue group across all scoring rules is taken as the score of the joint eigenvalue group.
In one embodiment, for the puppet-account abnormal account-opening scenario, the account-opening device is a mobile phone, each account opening corresponds to one mobile phone number, the data to be identified is account-opening data, and the scoring feature data contained in the account-opening data is the International Mobile Equipment Identity (IMEI) of the mobile phone corresponding to the mobile phone number. For each joint eigenvalue group, the corresponding scoring feature extraction data can then be the number of mobile phone numbers sharing the same IMEI code among the account-opening data under that joint eigenvalue group. For example, one scoring rule can be that the number of mobile phone numbers sharing the same IMEI code among the account-opening data under a joint eigenvalue group is greater than 5, with a corresponding score of 0.1; then, if the number of mobile phone numbers sharing the same IMEI code among the account-opening data under a joint eigenvalue group is 6, a score of 0.1 can be set for that joint eigenvalue group.
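The scoring and ordering described above, together with the frequency count that produces the first abnormal data, can be illustrated with the following Python sketch; it is an added example, not code from the patent. The joint features, the sample records and the second scoring rule are constructed, taking the largest per-IMEI count in a group is an assumption, and the fourth pre-defined rule filter is left out so that all first abnormal data are ordered.

```python
from collections import Counter, defaultdict

JOINT_FEATURES = ("phone_model", "wifi_name")   # hypothetical joint features
COUNT_THRESHOLD = 3                             # constructed predetermined threshold
G1 = ("Redmi 5A", "HUAWEI-E5573")
G2 = ("Model-X", "wifi-constructed")
G3 = ("Model-Y", "wifi-other")


def build_sample():
    """Constructed account-opening data, one dict per account opening."""
    def rec(phone, imei, group):
        return {"phone": phone, "imei": imei,
                "phone_model": group[0], "wifi_name": group[1]}
    records = [rec(f"phone-{i}", "imei-shared", G1) for i in range(6)]    # 6 numbers, 1 handset
    records += [rec(f"phone-{i}", f"imei-{i}", G1) for i in range(6, 9)]
    records += [rec(f"phone-{i}", f"imei-{i}", G2) for i in range(9, 13)]
    records += [rec(f"phone-{i}", f"imei-{i}", G3) for i in range(13, 15)]  # too few to flag
    return records


def joint_group(record):
    """Joint eigenvalue group of one record."""
    return tuple(record[name] for name in JOINT_FEATURES)


def first_abnormal_groups(records, threshold):
    """Joint eigenvalue groups that occur more often than the threshold."""
    counts = Counter(joint_group(r) for r in records)
    return {group for group, n in counts.items() if n > threshold}


def max_phones_per_imei(group_records):
    """Scoring feature extraction data: phone numbers sharing one IMEI."""
    phones = defaultdict(set)
    for r in group_records:
        phones[r["imei"]].add(r["phone"])
    return max(len(numbers) for numbers in phones.values())


def distinct_phones(group_records):
    return len({r["phone"] for r in group_records})


# (extraction function, scoring rule, score). The first entry is the example
# from the text; the second is a constructed rule added to show the summation.
SCORING_RULES = [
    (max_phones_per_imei, lambda n: n > 5, 0.1),
    (distinct_phones, lambda n: n > 8, 0.05),
]


def score_groups(records, threshold):
    """Score of every flagged group: sum of the scores of the rules it meets."""
    flagged = first_abnormal_groups(records, threshold)
    by_group = defaultdict(list)
    for r in records:
        if joint_group(r) in flagged:
            by_group[joint_group(r)].append(r)
    return {
        group: sum(score for extract, rule, score in SCORING_RULES
                   if rule(extract(rows)))
        for group, rows in by_group.items()
    }


def reminder_rows(records, threshold):
    """Flagged records ordered by the score of their group, largest first."""
    scores = score_groups(records, threshold)
    rows = [r for r in records if joint_group(r) in scores]
    rows.sort(key=lambda r: scores[joint_group(r)], reverse=True)
    return [(r["phone"], joint_group(r), scores[joint_group(r)]) for r in rows]


if __name__ == "__main__":
    for row in reminder_rows(build_sample(), COUNT_THRESHOLD):
        print(row)
```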
The larger the score of a joint eigenvalue group, the greater the security risk it may cause within a short time. The advantage of the present embodiment is therefore that, by preferentially presenting the abnormal data whose corresponding joint eigenvalue group has the larger score, the ability to monitor and guard against the data generation objects corresponding to the abnormal data is improved.
In one embodiment, the data to be identified further includes condition data. After generating, every first predetermined time period, the monitoring reminder information containing the target abnormal data within that first predetermined time period, the method further includes: judging whether the condition data in each data to be identified satisfies a predetermined condition; among the data to be identified generated in a second predetermined time period, obtaining the data to be identified whose condition data satisfies the predetermined condition or whose joint eigenvalue group is consistent with the joint eigenvalue group of the first abnormal data; and, every third predetermined time period, generating monitoring reminder information for the obtained data to be identified.
The advantage of this embodiment is that possible abnormal data is obtained from another angle and monitoring reminder information is generated for it, so that abnormal data can be monitored more comprehensively.
In one embodiment, for the puppet-account abnormal account-opening scenario, the condition data includes the home location of the registered mobile phone number and the home location of the IP address, and the predetermined condition includes: the home location of the registered mobile phone number and the home location of the IP address are inconsistent.
In summary, according to the abnormal data monitoring method provided in Fig. 2, inputting the data to be identified into three monitoring models with different recognition accuracy, so that it is identified three times, improves the precision of monitoring abnormal data. In addition, by determining the data generation object processing strategy according to the model that identified the abnormal data and executing that strategy on the corresponding data generation object, the behaviour of the data generation object can be restricted in time, thereby improving the security of the network.
The disclosure additionally provides an abnormal data monitoring device. The device embodiment of the disclosure follows.
Fig. 7 is a block diagram of an abnormal data monitoring device according to an exemplary embodiment. As shown in Fig. 7, the device 700 includes:
An obtaining module 710, configured to obtain at least one data to be identified, each data to be identified corresponding to a data generation object;
An input module 720, configured to input each data to be identified simultaneously into the established first monitoring model, second monitoring model and third monitoring model, to determine whether each monitoring model identifies the data to be identified as abnormal data, where the first monitoring model, the second monitoring model and the third monitoring model differ in their accuracy of identifying abnormal data, and the first monitoring model, the second monitoring model and the third monitoring model each correspond to a different data generation object processing strategy;
A determining module 730, configured to determine, for each abnormal data, according to which of the first monitoring model, the second monitoring model and the third monitoring model identified the abnormal data, the data generation object processing strategy to be executed on the data generation object corresponding to the abnormal data;
An execution module 740, configured to execute, on the data generation object corresponding to each abnormal data, the determined data generation object processing strategy corresponding to that data generation object.
According to a third aspect of the disclosure, an electronic device capable of implementing the above method is additionally provided.
Those of ordinary skill in the art will understand that aspects of the invention can be implemented as a system, a method or a program product. Accordingly, aspects of the invention can take the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may collectively be referred to herein as a "circuit", "module" or "system".
The electronic device 800 according to this embodiment of the invention is described below with reference to Fig. 8. The electronic device 800 shown in Fig. 8 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the invention.
As shown in Fig. 8, the electronic device 800 takes the form of a general-purpose computing device. The components of the electronic device 900 may include, but are not limited to: the at least one processing unit 810, the at least one storage unit 820, and a bus 830 connecting the different system components (including the storage unit 820 and the processing unit 810).
The storage unit stores program code that can be executed by the processing unit 810, so that the processing unit 810 performs the steps of the various exemplary embodiments of the invention described in the "embodiment method" section of this specification above.
The storage unit 820 may include readable media in the form of volatile storage units, such as a random access memory unit (RAM) 821 and/or a cache memory unit 822, and may further include a read-only memory unit (ROM) 823.
The storage unit 820 may also include a program/utility 824 having a set of (at least one) program modules 825. Such program modules 825 include, but are not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The bus 830 may represent one or more of several types of bus structure, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus structures.
The electronic device 800 may also communicate with one or more external devices 1000 (such as a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 800, and/or with any device (such as a router, a modem, etc.) that enables the electronic device 800 to communicate with one or more other computing devices. Such communication can take place through an input/output (I/O) interface 850. The electronic device 800 can also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 860. As shown, the network adapter 860 communicates with the other modules of the electronic device 800 through the bus 830. It should be understood that, although not shown in the figures, other hardware and/or software modules can be used in conjunction with the electronic device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and so on.
From the above description of the embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented in software, or in software combined with the necessary hardware. The technical solution according to the embodiments of the disclosure can therefore be embodied in the form of a software product, which can be stored on a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a removable hard disk) or on a network, and which includes instructions that cause a computing device (such as a personal computer, a server, a terminal device or a network device) to execute the method according to the embodiments of the disclosure.
According to a fourth aspect of the disclosure, a computer-readable storage medium is additionally provided, on which a program product capable of implementing the above method of this specification is stored. In some possible embodiments, aspects of the invention can also be implemented in the form of a program product comprising program code; when the program product runs on a terminal device, the program code causes the terminal device to perform the steps of the various exemplary embodiments of the invention described in the "illustrative methods" section of this specification above.
With reference to Fig. 9, a program product 900 for implementing the above method according to an embodiment of the invention is described. It can take the form of a portable compact disc read-only memory (CD-ROM) containing program code, and can run on a terminal device such as a PC. However, the program product of the invention is not limited to this; in this document, a readable storage medium can be any tangible medium that contains or stores a program, where the program can be used by, or in combination with, an instruction execution system, apparatus or device.
The program product can use any combination of one or more readable media. A readable medium can be a readable signal medium or a readable storage medium. A readable storage medium can be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal can take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium can also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by, or in combination with, an instruction execution system, apparatus or device.
The program code contained on a readable medium can be transmitted over any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
The program code for carrying out the operations of the invention can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code can execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, the remote computing device can be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (for example through the Internet using an Internet service provider).
In addition, the above drawings are only schematic illustrations of the processing included in the method according to exemplary embodiments of the invention, and are not intended to be limiting. It is easy to understand that the processing shown in the drawings does not indicate or limit the chronological order of these processes. It is also easy to understand that these processes can be executed, for example, synchronously or asynchronously in multiple modules.
It should be understood that the invention is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes can be made without departing from its scope. The scope of the invention is limited only by the appended claims.

Claims (10)

1. An abnormal data monitoring method, characterized in that the method includes:
Obtaining at least one data to be identified, each data to be identified corresponding to a data generation object;
Inputting the data to be identified simultaneously into an established first monitoring model, second monitoring model and third monitoring model, to determine whether each monitoring model identifies the data to be identified as abnormal data, where the first monitoring model, the second monitoring model and the third monitoring model differ in their accuracy of identifying abnormal data, and the first monitoring model, the second monitoring model and the third monitoring model each correspond to a different data generation object processing strategy;
For each abnormal data, according to which of the first monitoring model, the second monitoring model and the third monitoring model identified the abnormal data, determining the data generation object processing strategy to be executed on the data generation object corresponding to the abnormal data;
Executing, on the data generation object corresponding to each abnormal data, the determined data generation object processing strategy corresponding to that data generation object.
2. The method according to claim 1, characterized in that the first monitoring model is established, and abnormal data is identified using the first monitoring model, in the following manner:
Obtaining a plurality of pieces of data to be identified and a joint feature group composed of a plurality of joint features, wherein each piece of data to be identified includes a joint feature value corresponding to each of the joint features in the joint feature group;
According to the plurality of joint features in the joint feature group, determining, for each piece of data to be identified, the plurality of joint feature values corresponding to the plurality of joint features, to obtain the joint feature value group of each piece of data to be identified;
For each obtained joint feature value group, determining the number of times that joint feature value group occurs among all of the obtained joint feature value groups;
Obtaining the data to be identified corresponding to the joint feature value groups whose count is greater than a predetermined threshold, as first abnormal data;
Receiving data to be identified, and judging whether the joint feature value group included in the data to be identified is consistent with the joint feature value group of the first abnormal data;
If so, treating the data to be identified as abnormal data identified by the first monitoring model.
3. The method according to claim 1 or 2, characterized in that the second monitoring model is established, and abnormal data is identified using the second monitoring model, in the following manner:
Obtaining, from the abnormal data identified by the first monitoring model, the abnormal data generated within a first predetermined time period, wherein each piece of abnormal data corresponds to identity information and the abnormal data satisfies a first predetermined rule;
Determining a second preset judgment rule according to the obtained abnormal data and a second predetermined rule;
Determining, from the obtained abnormal data, the abnormal data that satisfies the second preset judgment rule, as second abnormal data;
Verifying the identity information in the second abnormal data to obtain a verification result, the verification result including verification success and verification failure;
According to the second abnormal data that passed verification and the second abnormal data that failed verification, determining a supplementary rule for the first predetermined rule, to obtain a third rule composed of the first predetermined rule and the supplementary rule;
Receiving data to be identified, and judging whether the data to be identified satisfies both the second preset judgment rule and the third rule;
If so, treating the data to be identified as abnormal data identified by the second monitoring model.
4. The method according to claim 1 or 2, characterized in that the third monitoring model is established, and abnormal data is identified using the third monitoring model, in the following manner:
Obtaining the abnormal data output by the first monitoring model and generated within a second predetermined time period, wherein the abnormal data satisfies the first predetermined rule;
Determining a third preset judgment rule according to the obtained abnormal data and a third predetermined rule, wherein the third predetermined rule belongs to the second predetermined rule;
Receiving data to be identified, and judging whether the data to be identified satisfies both the third preset judgment rule and the third rule;
If so, treating the data to be identified as abnormal data identified by the third monitoring model.
5. The method according to claim 2, characterized in that, after obtaining the data to be identified corresponding to the joint feature value groups whose count is greater than the predetermined threshold as the first abnormal data, the method further comprises:
Determining the first abnormal data that satisfies a fourth predetermined rule, as target abnormal data;
Every first predetermined time period, generating monitoring reminder information containing the target abnormal data within that first predetermined time period.
6. The method according to claim 5, characterized in that the account-opening data further comprises a plurality of scoring feature data, and before generating, every first predetermined time period, the monitoring reminder information containing the target abnormal data within that first predetermined time period, the method further comprises:
For each joint feature value group whose count is greater than the predetermined threshold, determining a score for that joint feature value group according to the plurality of scoring feature data;
The generating, every first predetermined time period, of monitoring reminder information containing the target abnormal data within that first predetermined time period comprises:
Every first predetermined time period, generating monitoring reminder information containing the target abnormal data within that first predetermined time period, wherein, in the monitoring reminder information, the target abnormal data are sorted in descending order of the score of the corresponding joint feature value group.
7. The method according to claim 5 or 6, characterized in that the data to be identified further comprises condition data, and after generating, every first predetermined time period, the monitoring reminder information containing the target abnormal data within that first predetermined time period, the method further comprises:
Judging whether the condition data in each piece of account-opening data satisfies a predetermined condition;
Among the data to be identified generated within the second predetermined time period, obtaining the data to be identified whose included condition data satisfies the predetermined condition, or whose included joint feature value group is consistent with the joint feature value group of the pending impersonated-account opening data;
Every third predetermined time period, generating monitoring reminder information for the obtained data to be identified.
8. An abnormal data monitoring device, characterized in that the device comprises:
An obtaining module, configured to obtain at least one piece of data to be identified, each piece of data to be identified corresponding to one data generation object;
An input module, configured to input each piece of data to be identified into an established first monitoring model, second monitoring model and third monitoring model simultaneously, to determine whether each monitoring model identifies the data to be identified as abnormal data, wherein the first monitoring model, the second monitoring model and the third monitoring model differ in their accuracy in identifying abnormal data, and the first monitoring model, the second monitoring model and the third monitoring model each correspond to a different data generation object processing strategy;
A determining module, configured to determine, for each piece of abnormal data and according to which of the first monitoring model, the second monitoring model and the third monitoring model identified the abnormal data, the data generation object processing strategy to be executed on the data generation object corresponding to the abnormal data;
An execution module, configured to execute, on the data generation object corresponding to each piece of abnormal data, the determined data generation object processing strategy corresponding to that data generation object.
9. A computer-readable program medium, characterized in that it stores computer program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 7.
10. An electronic device, characterized in that the electronic device comprises:
A processor;
A memory storing computer-readable instructions which, when executed by the processor, implement the method according to any one of claims 1 to 7.
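
The counting step of claim 2 (the first monitoring model, built on what this translation calls the joint eigenvalue group, i.e. the joint feature value group), sketched as an added Python example that is not part of the patent text. The feature names, the threshold, the value normalisation, the handling of incomplete records and the sample records are all assumptions constructed for illustration.

```python
from collections import Counter

# Assumed feature names; the claim does not say which features form the group.
JOINT_FEATURES = ("device_id", "ip", "phone_prefix")

def value_group(record, features=JOINT_FEATURES):
    """Joint feature value group of one record as a hashable tuple.

    Added choices, not in the claim: strings are trimmed and lower-cased so
    near-identical spellings share a group, and a record missing any feature
    yields None so incomplete records cannot pile into one (None, ...) group.
    """
    values = []
    for name in features:
        v = record.get(name)
        if isinstance(v, str):
            v = v.strip().lower()
        if v is None or v == "":
            return None
        values.append(v)
    return tuple(values)

def build_first_model(history, threshold, features=JOINT_FEATURES):
    """Count every value group; groups seen more than `threshold` times are
    abnormal. Returns (abnormal_groups, first_abnormal_records)."""
    counts = Counter()
    for rec in history:
        group = value_group(rec, features)
        if group is not None:
            counts[group] += 1
    abnormal = {g for g, n in counts.items() if n > threshold}
    flagged = [r for r in history if value_group(r, features) in abnormal]
    return abnormal, flagged

def identify(record, abnormal_groups, features=JOINT_FEATURES):
    """True when an incoming record's value group matches an abnormal group."""
    group = value_group(record, features)
    return group is not None and group in abnormal_groups

def make_record(rid, device, ip, prefix):
    return {"id": rid, "device_id": device, "ip": ip, "phone_prefix": prefix}

# Constructed sample history: records 1-4 share one device/IP/prefix group,
# records 6-9 are incomplete and must not be flagged as a cluster.
HISTORY = [
    make_record(1, "D-77", "203.0.113.9", "1700"),
    make_record(2, "d-77 ", "203.0.113.9", "1700"),
    make_record(3, "D-77", "203.0.113.9", "1700"),
    make_record(4, "D-77", "203.0.113.9", "1700"),
    make_record(5, "D-12", "198.51.100.4", "1381"),
] + [make_record(i, None, None, None) for i in (6, 7, 8, 9)]

ABNORMAL_GROUPS, FIRST_ABNORMAL = build_first_model(HISTORY, threshold=3)
print(sorted(r["id"] for r in FIRST_ABNORMAL))
```

Without the missing-value guard, the four incomplete records would form their own group above the threshold and be reported as first abnormal data.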
CN201910435057.7A 2019-05-23 2019-05-23 Abnormal data monitoring method, device, medium and electronic equipment Active CN110365634B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910435057.7A CN110365634B (en) 2019-05-23 2019-05-23 Abnormal data monitoring method, device, medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910435057.7A CN110365634B (en) 2019-05-23 2019-05-23 Abnormal data monitoring method, device, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN110365634A true CN110365634A (en) 2019-10-22
CN110365634B CN110365634B (en) 2022-07-08

Family

ID=68215296

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910435057.7A Active CN110365634B (en) 2019-05-23 2019-05-23 Abnormal data monitoring method, device, medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN110365634B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111049838A (en) * 2019-12-16 2020-04-21 随手(北京)信息技术有限公司 Black product equipment identification method and device, server and storage medium
CN112839008A (en) * 2019-11-22 2021-05-25 北京沃东天骏信息技术有限公司 Access monitoring method, device and system
CN112988728A (en) * 2021-03-26 2021-06-18 云南电网有限责任公司电力科学研究院 Power distribution network data cleaning method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471819A (en) * 2014-08-19 2016-04-06 腾讯科技(深圳)有限公司 Account abnormity detection method and account abnormity detection device
CN105554007A (en) * 2015-12-25 2016-05-04 北京奇虎科技有限公司 web anomaly detection method and device
CN105791255A (en) * 2014-12-23 2016-07-20 阿里巴巴集团控股有限公司 Method and system for identifying computer risks based on account clustering
CN107256257A (en) * 2017-06-12 2017-10-17 上海携程商务有限公司 Abnormal user generation content identification method and system based on business datum
CN108875388A (en) * 2018-05-31 2018-11-23 康键信息技术(深圳)有限公司 Real-time risk control method, device and computer readable storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471819A (en) * 2014-08-19 2016-04-06 腾讯科技(深圳)有限公司 Account abnormity detection method and account abnormity detection device
CN105791255A (en) * 2014-12-23 2016-07-20 阿里巴巴集团控股有限公司 Method and system for identifying computer risks based on account clustering
CN105554007A (en) * 2015-12-25 2016-05-04 北京奇虎科技有限公司 web anomaly detection method and device
CN107256257A (en) * 2017-06-12 2017-10-17 上海携程商务有限公司 Abnormal user generation content identification method and system based on business datum
CN108875388A (en) * 2018-05-31 2018-11-23 康键信息技术(深圳)有限公司 Real-time risk control method, device and computer readable storage medium

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839008A (en) * 2019-11-22 2021-05-25 北京沃东天骏信息技术有限公司 Access monitoring method, device and system
CN112839008B (en) * 2019-11-22 2024-02-06 北京沃东天骏信息技术有限公司 Access monitoring method, device and system
CN111049838A (en) * 2019-12-16 2020-04-21 随手(北京)信息技术有限公司 Black product equipment identification method and device, server and storage medium
CN111049838B (en) * 2019-12-16 2022-05-13 铭迅(北京)信息技术有限公司 Black product equipment identification method and device, server and storage medium
CN112988728A (en) * 2021-03-26 2021-06-18 云南电网有限责任公司电力科学研究院 Power distribution network data cleaning method and device

Also Published As

Publication number Publication date
CN110365634B (en) 2022-07-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant