CN110796497A - Method and device for detecting abnormal operation behaviors - Google Patents
Method and device for detecting abnormal operation behaviors Download PDFInfo
- Publication number
- CN110796497A CN110796497A CN201911055515.0A CN201911055515A CN110796497A CN 110796497 A CN110796497 A CN 110796497A CN 201911055515 A CN201911055515 A CN 201911055515A CN 110796497 A CN110796497 A CN 110796497A
- Authority
- CN
- China
- Prior art keywords
- operation behavior
- gaussian mixture
- mixture model
- behavior data
- encoder
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/02—Marketing; Price estimation or determination; Fundraising
- G06Q30/0207—Discounts or incentives, e.g. coupons or rebates
- G06Q30/0225—Avoiding frauds
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/084—Backpropagation, e.g. using gradient descent
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/088—Non-supervised learning, e.g. competitive learning
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computational Linguistics (AREA)
- Health & Medical Sciences (AREA)
- Biophysics (AREA)
- Artificial Intelligence (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- General Health & Medical Sciences (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Life Sciences & Earth Sciences (AREA)
- Mathematical Physics (AREA)
- Software Systems (AREA)
- Biomedical Technology (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Development Economics (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- Entrepreneurship & Innovation (AREA)
- Game Theory and Decision Science (AREA)
- Economics (AREA)
- Marketing (AREA)
- General Business, Economics & Management (AREA)
- Testing And Monitoring For Control Systems (AREA)
Abstract
The embodiment of the specification provides a method and a device for detecting abnormal operation behaviors, wherein the method for detecting the abnormal operation behaviors comprises the following steps: the method comprises the steps of reducing dimensions of input operation behavior data samples through a self-encoder, determining distribution of a Gaussian mixture model by taking dimension reduction data as input of an estimation network, determining the Gaussian mixture model based on the operation behaviors according to the distribution, and outputting abnormal information generated by the operation behavior data samples through the Gaussian mixture model based on the operation behaviors by using the Gaussian mixture model based on the operation behaviors when the target that the error is minimum after self-encoder data is reconstructed and the probability of the operation behavior data samples generated by the Gaussian mixture model based on the operation behaviors is maximum is reached.
Description
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to a method for detecting abnormal operation behaviors. One or more embodiments of the present specification also relate to an apparatus for detecting abnormal operation behavior, a computing device, and a computer-readable storage medium.
Background
With the continuous development of informatization, operations such as online trading and the like through a third-party platform become a common mode. Driven by the interest, some people may cheat during the use of the third party platform to obtain improper interest, for example, cheating the rebate of the third party platform by completing a false transaction, etc. Because the cheating threshold is low, the profit is high, cheaters are driven by interests, the cheating methods are various, the cheating behaviors exist in high-dimensional operation behavior data of dimensions such as buyer operation behaviors, seller operation behaviors and relations among buyers and sellers, and great challenges are brought to risk prevention and control.
Therefore, how to detect an abnormal operation behavior in the high-dimensional operation behavior data becomes a problem that is difficult for the wind operators to solve.
Disclosure of Invention
In view of the above, the present specification provides a method for detecting abnormal operation behavior. One or more embodiments of the present disclosure also relate to an apparatus for detecting abnormal operation behavior, a computing device, and a computer-readable storage medium, which are used to solve the technical problems of the prior art.
According to a first aspect of embodiments herein, there is provided a method of detecting abnormal operating behavior, comprising: obtaining a compressed operation behavior data sample by inputting the operation behavior data sample into an autocoder; inputting the compressed operation behavior data samples into an estimation network to obtain the distribution of a Gaussian mixture model based on operation behaviors; determining the Gaussian mixture model based on the operation behaviors according to the distribution of the Gaussian mixture model based on the operation behaviors; under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, updating the parameters of the self-encoder and the parameters of the estimation network, and re-entering the step of inputting the operation behavior data sample into the self-encoder to obtain a compressed operation behavior data sample; and outputting the abnormal information generated by the operation behavior data sample through the Gaussian mixture model based on the operation behavior under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated through the Gaussian mixture model based on the operation behavior is maximum is reached.
Optionally, the compressed operation behavior data sample is zrAnd zcWherein z isrFor an error between an input and an output of the auto-encoder for the operational behavior data samples, the zcIs the output of the self-encoder intermediate hidden layer.
Optionally, the determining the operation behavior-based gaussian mixture model according to the distribution of the operation behavior-based gaussian mixture model includes: calculating the weight of the kth component of the Gaussian mixture model by using the number of the operation behavior data samples and the distribution of the kth component of the operation behavior data samples, wherein the kth component is any component of the Gaussian mixture model; calculating the mean value of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample and the compressed operation behavior data sample; and obtaining a covariance matrix of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample, the compressed operation behavior data sample and the mean value of the kth component of the Gaussian mixture model.
Optionally, the outputting of the abnormal information generated by the operation behavior data sample based on the gaussian mixture model of operation behavior includes: and outputting the sample energy of the operation behavior data samples generated by the Gaussian mixture model based on the operation behaviors as the abnormal score of the operation behavior data samples.
Optionally, in a case that the goal that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the operation behavior-based gaussian mixture model is maximum is not reached, the step of updating the parameters of the self-encoder and the parameters of the estimation network, and re-entering the step of obtaining the compressed operation behavior data sample by inputting the operation behavior data sample into the self-encoder includes: under the condition that the goal that the error after the self-encoder data is reconstructed is minimum and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, the parameters of the self-encoder and the parameters of the estimation network are updated by back propagation through a minimization loss function, wherein the loss function comprises an error correction term after the self-encoder data is reconstructed, a sample energy correction term generated by the Gaussian mixture model based on the operation behavior data sample, and an l2 regularization term, and the l2 regularization term is equal to a hyperparameter multiplied by a square sum of weight parameters and divided by the weight number.
Optionally, the loss function further comprises a covariance matrix correction term, the covariance matrix correction term being equal to the sum of the hyperparameter multiplied by the reciprocal of the diagonal element of the covariance matrix.
According to a second aspect of embodiments herein, there is provided an apparatus for detecting abnormal operation behavior, comprising: and the compression module is configured to obtain the compressed operation behavior data samples by inputting the operation behavior data samples into the self-encoder. And the estimation module is configured to obtain the distribution of the Gaussian mixture model based on the operation behaviors by inputting the compressed operation behavior data samples into the estimation network. A model determination module configured to determine the Gaussian mixture model based on the operational behavior according to a distribution of the Gaussian mixture model based on the operational behavior. And the parameter updating module is configured to update the parameters of the self-encoder and the parameters of the estimation network and re-trigger the compression module to execute the operation on the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached. An anomaly output module configured to output anomaly information generated by the operational behavior based Gaussian mixture model on the operational behavior data samples when the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operational behavior data samples are generated by the operational behavior based Gaussian mixture model is maximum is reached.
Optionally, the model determination module comprises: and the component weight calculation submodule is configured to calculate the weight of the kth component of the Gaussian mixture model by using the number of the operation behavior data samples and the distribution of the kth component of the operation behavior data samples, wherein the kth component is any component of the Gaussian mixture model. And the component mean value calculation sub-module is configured to calculate the mean value of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample and the compressed operation behavior data sample. And the covariance matrix calculation submodule is configured to obtain a covariance matrix of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample, the compressed operation behavior data sample and the mean value of the kth component of the Gaussian mixture model.
Optionally, the anomaly output module is configured to, when a target that the error after the self-encoder data is reconstructed is minimum and the probability that the operation behavior data sample is generated by the operation behavior-based gaussian mixture model is maximum is reached, output the sample energy of the operation behavior data sample generated by the operation behavior-based gaussian mixture model as the anomaly score of the operation behavior data sample.
Optionally, the parameter updating module is configured to, in a case that an objective that the error after reconstruction of the self-encoder data is minimum and the probability that the operation behavior data sample is generated by the operation behavior-based gaussian mixture model is maximum is not reached, back-propagate and update the parameters of the self-encoder and the parameters of the estimation network by using a minimization loss function, and re-trigger the compression module to execute in the back-propagation process, wherein the loss function includes an error correction term after reconstruction of the self-encoder data, a sample energy term that the operation behavior data sample is generated by the operation behavior-based gaussian mixture model, and an l2 regularization term, and the l2 regularization term is equal to a sum of squares of a hyper-parameter multiplied by a correction weight parameter and divided by a weight number.
According to a third aspect of embodiments herein, there is provided a computing device comprising: a memory and a processor; the memory is to store computer-executable instructions, and the processor is to execute the computer-executable instructions to: obtaining a compressed operation behavior data sample by inputting the operation behavior data sample into an autocoder; inputting the compressed operation behavior data samples into an estimation network to obtain the distribution of a Gaussian mixture model based on operation behaviors; determining the Gaussian mixture model based on the operation behaviors according to the distribution of the Gaussian mixture model based on the operation behaviors; under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, updating the parameters of the self-encoder and the parameters of the estimation network, and re-entering the step of inputting the operation behavior data sample into the self-encoder to obtain a compressed operation behavior data sample; and outputting the abnormal information generated by the operation behavior data sample through the Gaussian mixture model based on the operation behavior under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated through the Gaussian mixture model based on the operation behavior is maximum is reached.
According to a fourth aspect of embodiments herein, there is provided a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of the method of detecting abnormal operating behavior as described in any one of the first aspects herein.
One embodiment of the present specification implements a method for detecting abnormal operation behavior, in which a self-encoder performs dimension reduction on an input operation behavior data sample, dimension reduction data is used as an input of an estimation network to determine distribution of a gaussian MIXTURE MODEL, and the gaussian MIXTURE MODEL is determined according to the distribution, thereby implementing a DAGMM MODEL (DEEP auto-coding gaussian MIXTURE MODEL). The Gaussian mixture model describes normal distribution of data through Gaussian probability, cheating operation behaviors belong to few behaviors, the cheating operation behaviors are different from general behaviors of normal operation behaviors in operation behavior data, and the lower the probability of the operation behavior data sample generated by the Gaussian mixture model is, the more abnormal the sample is. Therefore, in the method, when the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is reached, the Gaussian mixture model based on the operation behavior can be used for identifying the data abnormity from multiple dimensions at the same time, the abnormity information of the operation behavior data sample is detected, and the aim of detecting the abnormal operation behavior in the high-dimensional operation behavior data is fulfilled.
Drawings
FIG. 1 is a flow diagram of a method of detecting abnormal operating behavior provided by one embodiment of the present description;
FIG. 2 is a diagram of a DAGMM model architecture provided by one embodiment of the present description;
FIG. 3 is a schematic structural diagram of an apparatus for detecting abnormal operation behavior according to an embodiment of the present disclosure;
FIG. 4 is a schematic structural diagram of an apparatus for detecting abnormal operating behavior according to another embodiment of the present disclosure;
fig. 5 is a block diagram of a computing device according to an embodiment of the present disclosure.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present description. This description may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein, as those skilled in the art will be able to make and use the present disclosure without departing from the spirit and scope of the present disclosure.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It will be understood that, although the terms first, second, etc. may be used herein in one or more embodiments to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first can also be referred to as a second and, similarly, a second can also be referred to as a first without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
First, the noun terms to which one or more embodiments of the present specification relate are explained.
The self-encoder is an unsupervised neural network, takes input as an output target, measures the difference between the input and the output by construction as error back propagation, performs network updating learning, outputs the result of an intermediate hidden layer, and is mainly used for data dimension reduction or feature processing.
The estimation network is a multilayer neural network model, can represent the characteristics of different proportions in a data sample through a parameter updating iterative society, and realizes multi-class classification through a plurality of neurons in an output layer. Is defined as p ═ MLN (z; theta)m) Z is input data, θmIs a uniform expression symbol of the weight of parameters of each layer of the neural network, and the parameters can be initialized to random values between 0 and 1 generally, and then updated in the model learning process. The network having as output the softmax function, i.e.
Is a K-dimensional vector. In the present specification, k is the number of gaussian mixture components.
The Gaussian mixture model describes data distribution through Gaussian probability functions, decomposes one data into a model of linear combination of a plurality of Gaussian probability functions, and can fit any curve theoretically.
In the present specification, a method of detecting abnormal operation behavior is provided, and the present specification also relates to an apparatus for detecting abnormal operation behavior, a computing device, and a computer-readable storage medium, which are described in detail one by one in the following embodiments.
Fig. 1 shows a flowchart of a method for detecting abnormal operation behavior according to an embodiment of the present disclosure, which includes steps 102 to 110.
Step 102: and inputting the operation behavior data samples into an autocoder to obtain compressed operation behavior data samples.
For example, the operation behavior data sample may include behavior information of clicking, browsing, and the like of a full number of users of the third-party platform, historical transaction information of the buyer and the seller, an identity tag of the user, a relationship between the buyer and the seller, such as a relationship of sharing wifi, and the like.
The self-encoder, that is, the compression network, is an AutoEncoding model, is a multilayer symmetrical neural network, the input layer and the output layer are consistent and represent the same meaning, the input can be output after data reconstruction after training, and the training target is that the input x is consistent with the output x'. Since the original data can be recovered by the output of the intermediate hidden layer, the self-encoder can be used for data compression, the output z of the intermediate hidden layercAs compressed data. In order to avoid the disappearance of the gradient caused by the too deep number of network layers of the self-encoder and improve the backward propagation effect, in an embodiment of the present specification, as shown in fig. 2, as a schematic structural diagram of a DAGMM model, the self-encoder may adopt a five-layer structure including an input layer, an intermediate layer, an encoding layer, another intermediate layer, and an output layer.
Although theoretically possible, in practice the self-encoder cannot reproduce perfectly, so x and x' have a certain error zr. In one embodiment of the present specification, to reduce the error, z isrAnd zcAnd (6) splicing. The compressed operation behavior data sample is zrAnd zcWherein z isrFor an error between an input and an output of the auto-encoder for the operational behavior data samples, the zcIs the output of the self-encoder intermediate hidden layer. Error zrThe calculation method includes, but is not limited to, cosine similarity, euclidean distance, etc. z is a radical ofrIs one to twoThe dimensional vector can be calculated by two error calculation methods, as follows:
zr2=‖x-x′‖
step 104: and inputting the compressed operation behavior data samples into an estimation network to obtain the distribution of the Gaussian mixture model based on the operation behaviors.
Because the estimation network has a multilayer structure of a multilayer neural network model, the characteristics of different proportions in the operation behavior data sample can be represented through parameter updating iteration, and the classification of multiple classes is realized through multiple neurons in the output layer, so that the probability of each class value predicted by the network can be output through the softmax activation function in the output layer, and the probability distribution of the Gaussian mixture model is obtained. For example, in an embodiment of the present specification, as shown in fig. 2, the estimation network may be set as a four-layer neural network model including one input layer, two hidden layers, and one output layer, and the number of neurons is set to be k according to the number k of components of the gaussian mixture model, where k may be equal to 4 or 5.
Step 106: and determining the Gaussian mixture model based on the operation behaviors according to the distribution of the Gaussian mixture model based on the operation behaviors.
According to the definition of the Gaussian mixture model:the parameters to be determined include the weight of the componentsMean value of ingredients
Covariance matrix of components
These three parameters. In the case where the distribution of the Gaussian mixture model has been determinedNext, the three parameters can be calculated using the distribution of the gaussian mixture model.
E.g. weights for the componentsIn other words, the number of operation behavior data samples N and the distribution of the kth component of the operation behavior data samples can be utilized
Calculating the weight of the kth component of the Gaussian mixture model
Wherein the kth component is any component of the Gaussian mixture model. Expressed by a formula, it can be expressed as:
n is the number of operational behavior data samples.
For example, for the mean value of the components
In particular, the distribution of the kth component of the operation behavior data sample may be utilized
And the compressed operation behavior data sample ziCalculating the mean value of the kth component of the Gaussian mixture model
Expressed by a formula, it can be expressed as:
for example, covariance matrix for components
Said number of operation actions can be utilizedAccording to the distribution of the k component of the sampleThe compressed operational behavior data sample ziAnd the mean value of the k-th component of the Gaussian mixture model
Obtaining a covariance matrix of the kth component of the Gaussian mixture model
Expressed by a formula, it can be expressed as:
the weight of the kth component of the Gaussian mixture model is calculated by using the number of the operation behavior data samples and the distribution of the kth component of the operation behavior data samples, the mean value of the kth component of the Gaussian mixture model is calculated by using the distribution of the kth component of the operation behavior data samples and the compressed operation behavior data samples, and the covariance matrix of the kth component of the Gaussian mixture model is further calculated, so that the parameters of the Gaussian mixture model are calculated according to the distribution of the Gaussian mixture model, and the Gaussian mixture model is determined.
Step 108: under the condition that the target that the error is minimum after the compressed network data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, updating the parameters of the self-encoder and the parameters of the estimation network, and re-entering the step 102: and a step of obtaining a compressed operation behavior data sample by inputting the operation behavior data sample into the self-encoder.
The minimum value of the error after the compressed network data is reconstructed and the maximum probability of the operation behavior data sample generated by the gaussian mixture model based on the operation behavior may be set according to implementation requirements, which is not limited in the embodiments of the present specification.
In one embodiment of the present description, updating the parameters of the self-encoder and the estimated network are propagated back through minimizing the loss function. To facilitate the construction of the loss function, the probability of a sample being generated by a gaussian mixture model can be evaluated by the sample energy. The sample energy is the negative logarithm of the probability function, the maximum probability generated by the Gaussian mixture model and the minimum probability generated by the sample energy are equivalent, and the smaller the sample energy is, the greater the probability generated by the Gaussian mixture model is. Thus, in this embodiment, the probability may be converted into a sample energy. For example, the sample energy e (z) can be converted by the following equation:
in this embodiment, the loss function may comprise a post-encoder data reconstruction error correction term, a sample energy correction term of which the operation behavior data samples are generated by said operation behavior based gaussian mixture model.
And reversely propagating the updating parameter process by using the minimum loss function, wherein the process comprises a forward propagation process and a reverse propagation process. In the forward propagation process, the input passes through the hidden layer through the input layer, is processed layer by layer, and is propagated to the output layer. If the expected output value can not be obtained in the output layer, the reverse propagation is carried out, the partial derivative of the loss function to the weight of each neuron is calculated layer by layer to form the gradient of the loss function to the weight vector as the basis for modifying the weight, the learning of the network is completed in the weight modifying process, and when the error reaches the expected value, the network learning is finished.
In order to avoid gradient explosion during back propagation when the parameters are updated, i.e. the gradient values are large and exceed the computer understanding range, in an embodiment of the present specification, the loss function may further include an l2 regularization term, where the l2 regularization term is equal to the sum of the square of the hyperparameter multiplied by the weighting parameter and divided by the number of weights. Due to the fact that the l2 regularization term is added, if the gradient value is large, loss is large, when parameters are updated, the model can learn in the direction of small weight, and loss is reduced, so that the problem of gradient explosion can be effectively avoided after the l2 regularization term is added.
In order to avoid the problem of singular covariance matrix when calculating parameters of the gaussian mixture model, in an embodiment of the present specification, the loss function may further include a covariance matrix correction term, where the covariance matrix correction term is equal to a sum of a hyperparameter and an inverse of a diagonal element of the covariance matrix. In order to solve the problem of covariance matrix singularity and reduce influence caused by correction, a covariance matrix correction item can be added into a loss function, so that the problem of covariance matrix singularity is avoided.
For example, the loss function may be expressed as
Wherein:
θeis a parameter of the encoder encode part, thetadIs a parameter from the decoder part of the encoder, thetamIs to estimate a parameter of the network, λ1、λ2And λ3Are three hyper-parameters.
To reconstruct the post-error correction term from the encoder data,
sample energy correction terms generated for the operational behavior data samples by the operational behavior-based Gaussian mixture model,
for correcting terms of covariance matrix, lambda3L2 is the l2 regularization term.
Step 110: and outputting the abnormal information generated by the operation behavior data sample by the Gaussian mixture model based on the operation behavior under the condition that the target that the error is minimum after the compressed network data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is reached.
For example, in an embodiment of the present specification, based on obtaining a sample energy function e (z), a sample energy of the operation behavior data sample generated by the operation behavior-based gaussian mixture model may be directly output as an anomaly score of the operation behavior data sample. The minimum probability generated by the Gaussian mixture model and the maximum sample energy are equivalent, and the larger the sample energy is, the smaller the probability generated by the Gaussian mixture model is, the more abnormal the sample is, so that the abnormal operation behavior can be effectively detected according to the abnormal score.
It can be seen that, according to the method for detecting abnormal operation behavior implemented in the embodiments of the present specification, the self-encoder performs dimension reduction on the input operation behavior data sample, determines the distribution of the gaussian MIXTURE MODEL by using the dimension reduction data as the input of the estimation network, determines the gaussian MIXTURE MODEL according to the distribution, and implements a DAGMM MODEL (DEEP auto-coding gaussian MIXTURE MODEL) as shown in fig. 2. The Gaussian mixture model describes normal distribution of data through Gaussian probability, cheating operation behaviors belong to few behaviors, the cheating operation behaviors are different from general behaviors of normal operation behaviors in operation behavior data, and the lower the probability of the operation behavior data sample generated by the Gaussian mixture model is, the more abnormal the sample is. Therefore, in the method, when the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is reached, the Gaussian mixture model based on the operation behavior can be used for identifying the data abnormity from multiple dimensions at the same time, the abnormity information of the operation behavior data sample is detected, and the aim of detecting the abnormal operation behavior in the high-dimensional operation behavior data is fulfilled.
Corresponding to the above method embodiment, this specification also provides an embodiment of an apparatus for detecting abnormal operation behavior, and fig. 3 shows a schematic structural diagram of an apparatus for detecting abnormal operation behavior provided in an embodiment of this specification. As shown in fig. 3, the apparatus includes: a compression module 302, an estimation module 304, a model determination module 306, a parameter update module 308, and an anomaly output module 310.
The compression module 302 may be configured to obtain compressed operation behavior data samples by inputting the operation behavior data samples into an auto-encoder.
The estimation module 304 may be configured to derive a distribution of the gaussian mixture model based on the operation behavior by inputting the compressed operation behavior data samples into an estimation network.
The model determination module 306 may be configured to determine the operation behavior based gaussian mixture model according to the distribution of the operation behavior based gaussian mixture model.
The parameter updating module 308 may be configured to update the parameters of the self-encoder and the parameters of the estimation network and re-trigger the estimation module 304 to execute the operation if the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the operation behavior-based gaussian mixture model is maximum is not reached.
The anomaly output module 310 may be configured to output the anomaly information generated by the operational behavior based gaussian mixture model when the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operational behavior data sample is generated by the operational behavior based gaussian mixture model is maximum is reached.
In the apparatus for detecting abnormal operation behavior implemented in the embodiment of the present specification, the self-encoder performs dimension reduction on the input operation behavior data sample, determines the distribution of the GAUSSIAN mixture model by using the dimension-reduced data as the input of the estimation network, determines the GAUSSIAN mixture model according to the distribution, and implements a DAGMM model (DEEP autonomous coding GAUSSIAN mixture model). The Gaussian mixture model describes normal distribution of data through Gaussian probability, cheating operation behaviors belong to few behaviors, the cheating operation behaviors are different from general behaviors of normal operation behaviors in operation behavior data, and the lower the probability of the operation behavior data sample generated by the Gaussian mixture model is, the more abnormal the sample is. Therefore, in the method, when the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is reached, the Gaussian mixture model based on the operation behavior can be used for identifying the data abnormity from multiple dimensions at the same time, the abnormity information of the operation behavior data sample is detected, and the aim of detecting the abnormal operation behavior in the high-dimensional operation behavior data is fulfilled.
Fig. 4 is a schematic structural diagram illustrating an apparatus for detecting abnormal operation behavior according to another embodiment of the present disclosure. As shown in fig. 4, the model determining module 306 in the apparatus includes: the component weight calculation submodule 3061 may be configured to calculate a weight of a kth component of the gaussian mixture model by using the number of the operation behavior data samples and a distribution of a kth component of the operation behavior data samples, where the kth component is any component of the gaussian mixture model. The component mean calculation submodule 3062 may be configured to calculate a mean of the kth component of the gaussian mixture model by using the distribution of the kth component of the operation behavior data sample and the compressed operation behavior data sample. The covariance matrix calculation submodule 3063 may be configured to obtain a covariance matrix of a kth component of the gaussian mixture model by using a distribution of the kth component of the operation behavior data sample, the compressed operation behavior data sample, and a mean of the kth component of the gaussian mixture model. According to the embodiment, the parameters of the Gaussian mixture model are calculated according to the distribution of the Gaussian mixture model, and the Gaussian mixture model is determined.
In an embodiment of the present specification, based on obtaining a sample energy function e (z), the anomaly output module 310 may be configured to, when a target that an error after reconstruction of the self-encoder data is minimum and a probability of the operation behavior data sample being generated by the gaussian mixture model based on the operation behavior is maximum is reached, output a sample energy of the operation behavior data sample being generated by the gaussian mixture model based on the operation behavior as an anomaly score of the operation behavior data sample. The minimum probability generated by the Gaussian mixture model and the maximum sample energy are equivalent, and the larger the sample energy is, the smaller the probability generated by the Gaussian mixture model is, the more abnormal the sample is, so that the abnormal operation behavior can be effectively detected according to the abnormal score.
In one embodiment of the present description, updating the parameters of the self-encoder and the estimated network are propagated back through minimizing the loss function. Specifically, the parameter updating module 308 may be configured to, in a case where an objective that the error after reconstruction of the self-encoder data is minimum and the probability that the operation behavior data sample is generated by the operation behavior-based gaussian mixture model is maximum is not reached, back-propagate the parameters of the self-encoder and the parameters of the estimation network by using a minimization loss function, and re-trigger the estimation module 302 to execute during the back-propagation, wherein the loss function includes an error correction term after reconstruction of the self-encoder data, a sample energy correction term that the operation behavior data sample is generated by the operation behavior-based gaussian mixture model, and an l2 regularization term, and the l2 regularization term is equal to a sum of squares of a hyperparameter multiplied by a weight parameter and divided by a weight number. Due to the fact that the l2 regularization term is added, if the gradient value is large, loss is large, when parameters are updated, the model can learn in the direction of small weight, and loss is reduced, so that the problem of gradient explosion can be effectively avoided after the l2 regularization term is added.
The above is an illustrative scheme of an apparatus for detecting abnormal operation behavior of the present embodiment. It should be noted that the technical solution of the apparatus for detecting abnormal operation behavior belongs to the same concept as the technical solution of the method for detecting abnormal operation behavior described above, and details of the technical solution of the apparatus for detecting abnormal operation behavior, which are not described in detail, can be referred to the technical solution of the method for detecting abnormal operation behavior described above.
FIG. 5 illustrates a block diagram of a computing device 500 provided in accordance with one embodiment of the present description. The components of the computing device 500 include, but are not limited to, a memory 510 and a processor 520. Processor 520 is coupled to memory 510 via bus 530, and database 550 is used to store data.
Computing device 500 also includes access device 540, access device 540 enabling computing device 500 to communicate via one or more networks 560. Examples of such networks include the Public Switched Telephone Network (PSTN), a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or a combination of communication networks such as the internet. The access device 540 may include one or more of any type of network interface, e.g., a Network Interface Card (NIC), wired or wireless, such as an IEEE802.11 Wireless Local Area Network (WLAN) wireless interface, a worldwide interoperability for microwave access (Wi-MAX) interface, an ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a bluetooth interface, a Near Field Communication (NFC) interface, and so forth.
In one embodiment of the present description, the above-described components of computing device 500, as well as other components not shown in FIG. 5, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device architecture shown in FIG. 5 is for purposes of example only and is not limiting as to the scope of the present description. Those skilled in the art may add or replace other components as desired.
Computing device 500 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), mobile phone (e.g., smartphone), wearable computing device (e.g., smartwatch, smartglasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or PC. Computing device 500 may also be a mobile or stationary server.
Wherein processor 520 is configured to execute the following computer-executable instructions:
obtaining a compressed operation behavior data sample by inputting the operation behavior data sample into an autocoder;
inputting the compressed operation behavior data samples into an estimation network to obtain the distribution of a Gaussian mixture model based on operation behaviors;
determining the Gaussian mixture model based on the operation behaviors according to the distribution of the Gaussian mixture model based on the operation behaviors;
under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, updating the parameters of the self-encoder and the parameters of the estimation network, and re-entering the step of inputting the operation behavior data sample into the self-encoder to obtain a compressed operation behavior data sample;
and outputting the abnormal information generated by the operation behavior data sample through the Gaussian mixture model based on the operation behavior under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated through the Gaussian mixture model based on the operation behavior is maximum is reached.
Optionally, the compressed operation behavior data sample is zrAnd zcWherein z isrFor an error between an input and an output of the auto-encoder for the operational behavior data samples, the zcIs the output of the self-encoder intermediate hidden layer.
Optionally, the determining the operation behavior-based gaussian mixture model according to the distribution of the operation behavior-based gaussian mixture model includes: calculating the weight of the kth component of the Gaussian mixture model by using the number of the operation behavior data samples and the distribution of the kth component of the operation behavior data samples, wherein the kth component is any component of the Gaussian mixture model; calculating the mean value of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample and the compressed operation behavior data sample; and obtaining a covariance matrix of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample, the compressed operation behavior data sample and the mean value of the kth component of the Gaussian mixture model.
Optionally, the outputting of the abnormal information generated by the operation behavior data sample based on the gaussian mixture model of operation behavior includes: and outputting the sample energy of the operation behavior data samples generated by the Gaussian mixture model based on the operation behaviors as the abnormal score of the operation behavior data samples.
Optionally, in a case that the goal that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the operation behavior-based gaussian mixture model is maximum is not reached, the step of updating the parameters of the self-encoder and the parameters of the estimation network, and re-entering the step of obtaining the compressed operation behavior data sample by inputting the operation behavior data sample into the self-encoder includes: under the condition that the goal that the error after the self-encoder data is reconstructed is minimum and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, the parameters of the self-encoder and the parameters of the estimation network are updated by back propagation through a minimization loss function, wherein the loss function comprises an error correction term after the self-encoder data is reconstructed, a sample energy correction term generated by the Gaussian mixture model based on the operation behavior data sample, and an l2 regularization term, and the l2 regularization term is equal to a hyperparameter multiplied by a square sum of weight parameters and divided by the weight number.
Optionally, the loss function further comprises a covariance matrix correction term, the covariance matrix correction term being equal to the sum of the hyperparameter multiplied by the reciprocal of the diagonal element of the covariance matrix.
The above is an illustrative scheme of a computing device of the present embodiment. It should be noted that the technical solution of the computing device and the technical solution of the above method for detecting abnormal operation behavior belong to the same concept, and details that are not described in detail in the technical solution of the computing device can be referred to the description of the technical solution of the above method for detecting abnormal operation behavior.
An embodiment of the present specification also provides a computer readable storage medium storing computer instructions that, when executed by a processor, are operable to:
obtaining a compressed operation behavior data sample by inputting the operation behavior data sample into an autocoder;
inputting the compressed operation behavior data samples into an estimation network to obtain the distribution of a Gaussian mixture model based on operation behaviors;
determining the Gaussian mixture model based on the operation behaviors according to the distribution of the Gaussian mixture model based on the operation behaviors;
under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, updating the parameters of the self-encoder and the parameters of the estimation network, and re-entering the step of inputting the operation behavior data sample into the self-encoder to obtain a compressed operation behavior data sample;
and outputting the abnormal information generated by the operation behavior data sample through the Gaussian mixture model based on the operation behavior under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated through the Gaussian mixture model based on the operation behavior is maximum is reached.
Optionally, the compressed operation behavior data sample is zrAnd zcWherein z isrFor an error between an input and an output of the auto-encoder for the operational behavior data samples, the zcIs the output of the self-encoder intermediate hidden layer.
Optionally, the determining the operation behavior-based gaussian mixture model according to the distribution of the operation behavior-based gaussian mixture model includes: calculating the weight of the kth component of the Gaussian mixture model by using the number of the operation behavior data samples and the distribution of the kth component of the operation behavior data samples, wherein the kth component is any component of the Gaussian mixture model; calculating the mean value of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample and the compressed operation behavior data sample; and obtaining a covariance matrix of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample, the compressed operation behavior data sample and the mean value of the kth component of the Gaussian mixture model.
Optionally, the outputting of the abnormal information generated by the operation behavior data sample based on the gaussian mixture model of operation behavior includes: and outputting the sample energy of the operation behavior data samples generated by the Gaussian mixture model based on the operation behaviors as the abnormal score of the operation behavior data samples.
Optionally, in a case that the goal that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the operation behavior-based gaussian mixture model is maximum is not reached, the step of updating the parameters of the self-encoder and the parameters of the estimation network, and re-entering the step of obtaining the compressed operation behavior data sample by inputting the operation behavior data sample into the self-encoder includes: under the condition that the goal that the error after the self-encoder data is reconstructed is minimum and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, the parameters of the self-encoder and the parameters of the estimation network are updated by back propagation through a minimization loss function, wherein the loss function comprises an error correction term after the self-encoder data is reconstructed, a sample energy correction term generated by the Gaussian mixture model based on the operation behavior data sample, and an l2 regularization term, and the l2 regularization term is equal to a hyperparameter multiplied by a square sum of weight parameters and divided by the weight number.
Optionally, the loss function further comprises a covariance matrix correction term, the covariance matrix correction term being equal to the sum of the hyperparameter multiplied by the reciprocal of the diagonal element of the covariance matrix.
The above is an illustrative scheme of a computer-readable storage medium of the present embodiment. It should be noted that the technical solution of the storage medium and the technical solution of the above method for detecting abnormal operation behavior belong to the same concept, and details that are not described in detail in the technical solution of the storage medium can be referred to the description of the technical solution of the above method for detecting abnormal operation behavior.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The computer instructions comprise computer program code which may be in the form of source code, object code, an executable file or some intermediate form, or the like. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
It should be noted that, for the sake of simplicity, the foregoing method embodiments are described as a series of acts, but those skilled in the art should understand that the present embodiment is not limited by the described acts, because some steps may be performed in other sequences or simultaneously according to the present embodiment. Further, those skilled in the art should also appreciate that the embodiments described in this specification are preferred embodiments and that acts and modules referred to are not necessarily required for an embodiment of the specification.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are intended only to aid in the description of the specification. Alternative embodiments are not exhaustive and do not limit the invention to the precise embodiments described. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the embodiments. The specification is limited only by the claims and their full scope and equivalents.
Claims (12)
1. A method of detecting abnormal operating behavior, comprising:
obtaining a compressed operation behavior data sample by inputting the operation behavior data sample into an autocoder;
inputting the compressed operation behavior data samples into an estimation network to obtain the distribution of a Gaussian mixture model based on operation behaviors;
determining the Gaussian mixture model based on the operation behaviors according to the distribution of the Gaussian mixture model based on the operation behaviors;
under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, updating the parameters of the self-encoder and the parameters of the estimation network, and re-entering the step of inputting the operation behavior data sample into the self-encoder to obtain a compressed operation behavior data sample;
and outputting the abnormal information generated by the operation behavior data sample through the Gaussian mixture model based on the operation behavior under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated through the Gaussian mixture model based on the operation behavior is maximum is reached.
2. The method of claim 1, wherein the compressed operational behavior data sample is zrAnd zcWherein z isrFor an error between an input and an output of the auto-encoder for the operational behavior data samples, the zcIs the output of the self-encoder intermediate hidden layer.
3. The method of claim 1, wherein the determining the operational behavior-based Gaussian mixture model from the distribution of the operational behavior-based Gaussian mixture model comprises:
calculating the weight of the kth component of the Gaussian mixture model by using the number of the operation behavior data samples and the distribution of the kth component of the operation behavior data samples, wherein the kth component is any component of the Gaussian mixture model;
calculating the mean value of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample and the compressed operation behavior data sample;
and obtaining a covariance matrix of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample, the compressed operation behavior data sample and the mean value of the kth component of the Gaussian mixture model.
4. The method of claim 1, wherein the outputting of the anomaly information of the operational behavior data samples generated by the operational behavior-based Gaussian mixture model comprises:
and outputting the sample energy of the operation behavior data samples generated by the Gaussian mixture model based on the operation behaviors as the abnormal score of the operation behavior data samples.
5. The method of claim 1, wherein the step of updating parameters of the self-encoder and parameters of the estimation network and re-entering the step of obtaining compressed operational behavior data samples by inputting the operational behavior data samples into the self-encoder, in case the goal that the error after reconstruction of the self-encoder data is minimum and the probability that the operational behavior data samples are generated by the operational behavior-based gaussian mixture model is maximum, is not reached, comprises:
under the condition that the goal that the error after the self-encoder data is reconstructed is minimum and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, the parameters of the self-encoder and the parameters of the estimation network are updated by back propagation through a minimization loss function, wherein the loss function comprises an error correction term after the self-encoder data is reconstructed, a sample energy correction term generated by the Gaussian mixture model based on the operation behavior data sample, and an l2 regularization term, and the l2 regularization term is equal to a hyperparameter multiplied by a square sum of weight parameters and divided by the weight number.
6. The method of claim 5, wherein the loss function further comprises a covariance matrix correction term equal to a sum of a hyperparameter times an inverse of a diagonal element of a covariance matrix.
7. An apparatus to detect abnormal operating behavior, comprising:
a compression module configured to obtain compressed operation behavior data samples by inputting the operation behavior data samples into a self-encoder;
an estimation module configured to obtain a distribution of a Gaussian mixture model based on the operation behavior by inputting the compressed operation behavior data samples into an estimation network;
a model determination module configured to determine the Gaussian mixture model based on the operation behavior according to the distribution of the Gaussian mixture model based on the operation behavior;
the parameter updating module is configured to update the parameters of the self-encoder and the parameters of the estimation network and re-trigger the compression module to execute the operation on the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached;
an anomaly output module configured to output anomaly information generated by the operational behavior based Gaussian mixture model on the operational behavior data samples when the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operational behavior data samples are generated by the operational behavior based Gaussian mixture model is maximum is reached.
8. The apparatus of claim 7, wherein the model determination module comprises:
a component weight calculation submodule configured to calculate a weight of a kth component of the gaussian mixture model by using the number of operation behavior data samples and a distribution of the kth component of the operation behavior data samples, wherein the kth component is any component of the gaussian mixture model;
the component mean value calculation sub-module is configured to calculate the mean value of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample and the compressed operation behavior data sample;
and the covariance matrix calculation submodule is configured to obtain a covariance matrix of the kth component of the Gaussian mixture model by using the distribution of the kth component of the operation behavior data sample, the compressed operation behavior data sample and the mean value of the kth component of the Gaussian mixture model.
9. The apparatus of claim 7, wherein the anomaly output module is configured to output, as the anomaly score of the operational behavior data sample, a sample energy of the operational behavior data sample generated by the operational behavior-based Gaussian mixture model when a target is reached that the error after reconstruction of the self-encoder data is minimum and the probability of the operational behavior data sample being generated by the operational behavior-based Gaussian mixture model is maximum.
10. The apparatus of claim 7, wherein the parameter updating module is configured to, in the case that an objective that the error after reconstruction of the self-encoder data is minimum and the probability that the operation behavior data sample is generated by the operation behavior-based Gaussian mixture model is maximum is not reached, back-propagate the parameters of the self-encoder and the parameters of the estimation network to update the parameters of the self-encoder and the parameters of the estimation network by using a minimization loss function, and re-trigger the compression module to execute in the back-propagation process, wherein the loss function includes an error correction term after reconstruction of the self-encoder data, a sample energy correction term that the operation behavior data sample is generated by the operation behavior-based Gaussian mixture model, and an l2 regularization term, and the l2 regularization term is equal to a sum of a hyperparameter multiplied by a square of a weight parameter divided by a weight number.
11. A computing device, comprising:
a memory and a processor;
the memory is to store computer-executable instructions, and the processor is to execute the computer-executable instructions to:
obtaining a compressed operation behavior data sample by inputting the operation behavior data sample into an autocoder;
inputting the compressed operation behavior data samples into an estimation network to obtain the distribution of a Gaussian mixture model based on operation behaviors;
determining the Gaussian mixture model based on the operation behaviors according to the distribution of the Gaussian mixture model based on the operation behaviors;
under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated by the Gaussian mixture model based on the operation behavior is maximum is not reached, updating the parameters of the self-encoder and the parameters of the estimation network, and re-entering the step of inputting the operation behavior data sample into the self-encoder to obtain a compressed operation behavior data sample;
and outputting the abnormal information generated by the operation behavior data sample through the Gaussian mixture model based on the operation behavior under the condition that the target that the error is minimum after the self-encoder data is reconstructed and the probability that the operation behavior data sample is generated through the Gaussian mixture model based on the operation behavior is maximum is reached.
12. A computer readable storage medium storing computer instructions which, when executed by a processor, carry out the steps of the method of detecting abnormal operating behavior of any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911055515.0A CN110796497A (en) | 2019-10-31 | 2019-10-31 | Method and device for detecting abnormal operation behaviors |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911055515.0A CN110796497A (en) | 2019-10-31 | 2019-10-31 | Method and device for detecting abnormal operation behaviors |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110796497A true CN110796497A (en) | 2020-02-14 |
Family
ID=69442413
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911055515.0A Pending CN110796497A (en) | 2019-10-31 | 2019-10-31 | Method and device for detecting abnormal operation behaviors |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110796497A (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111539769A (en) * | 2020-04-27 | 2020-08-14 | 支付宝(杭州)信息技术有限公司 | Training method and device of anomaly detection model based on differential privacy |
| CN111682972A (en) * | 2020-08-14 | 2020-09-18 | 支付宝(杭州)信息技术有限公司 | Method and device for updating service prediction model |
| CN111724074A (en) * | 2020-06-23 | 2020-09-29 | 华中科技大学 | Pavement lesion detection early warning method and system based on deep learning |
| CN112037052A (en) * | 2020-11-04 | 2020-12-04 | 上海冰鉴信息科技有限公司 | User behavior detection method and device |
| CN112509696A (en) * | 2020-11-04 | 2021-03-16 | 江南大学 | Health data detection method based on convolution autoencoder Gaussian mixture model |
| CN113435107A (en) * | 2021-06-02 | 2021-09-24 | 杭州电子科技大学 | Defective product detection method based on production data |
| CN113763077A (en) * | 2020-07-24 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Method and apparatus for detecting false trade orders |
| CN113762967A (en) * | 2021-03-31 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Risk information determination method, model training method, device, and program product |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20120284791A1 (en) * | 2011-05-06 | 2012-11-08 | The Penn State Research Foundation | Robust anomaly detection and regularized domain adaptation of classifiers with application to internet packet-flows |
| CN108694414A (en) * | 2018-05-11 | 2018-10-23 | 哈尔滨工业大学深圳研究生院 | Digital evidence obtaining file fragmentation sorting technique based on digital picture conversion and deep learning |
| WO2018226492A1 (en) * | 2017-06-05 | 2018-12-13 | D5Ai Llc | Asynchronous agents with learning coaches and structurally modifying deep neural networks without performance degradation |
| WO2019020094A1 (en) * | 2017-07-28 | 2019-01-31 | 阿里巴巴集团控股有限公司 | Method, device, and electronic apparatus for detecting indicator abnormality |
| CN109492767A (en) * | 2018-11-09 | 2019-03-19 | 济南浪潮高新科技投资发展有限公司 | A kind of method for detecting abnormality applied to unsupervised field based on self-encoding encoder |
| CN109636061A (en) * | 2018-12-25 | 2019-04-16 | 深圳市南山区人民医院 | Training method, device, equipment and the storage medium of medical insurance Fraud Prediction network |
| US20190124045A1 (en) * | 2017-10-24 | 2019-04-25 | Nec Laboratories America, Inc. | Density estimation network for unsupervised anomaly detection |
| CN109684118A (en) * | 2018-12-10 | 2019-04-26 | 深圳前海微众银行股份有限公司 | Detection method, device, equipment and the computer readable storage medium of abnormal data |
| CN109978379A (en) * | 2019-03-28 | 2019-07-05 | 北京百度网讯科技有限公司 | Time series data method for detecting abnormality, device, computer equipment and storage medium |
| US20190228312A1 (en) * | 2018-01-25 | 2019-07-25 | SparkCognition, Inc. | Unsupervised model building for clustering and anomaly detection |
| CN110378382A (en) * | 2019-06-18 | 2019-10-25 | 华南师范大学 | Novel quantization transaction system and its implementation based on deeply study |
-
2019
- 2019-10-31 CN CN201911055515.0A patent/CN110796497A/en active Pending
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20120284791A1 (en) * | 2011-05-06 | 2012-11-08 | The Penn State Research Foundation | Robust anomaly detection and regularized domain adaptation of classifiers with application to internet packet-flows |
| WO2018226492A1 (en) * | 2017-06-05 | 2018-12-13 | D5Ai Llc | Asynchronous agents with learning coaches and structurally modifying deep neural networks without performance degradation |
| WO2019020094A1 (en) * | 2017-07-28 | 2019-01-31 | 阿里巴巴集团控股有限公司 | Method, device, and electronic apparatus for detecting indicator abnormality |
| US20190124045A1 (en) * | 2017-10-24 | 2019-04-25 | Nec Laboratories America, Inc. | Density estimation network for unsupervised anomaly detection |
| US20190228312A1 (en) * | 2018-01-25 | 2019-07-25 | SparkCognition, Inc. | Unsupervised model building for clustering and anomaly detection |
| CN108694414A (en) * | 2018-05-11 | 2018-10-23 | 哈尔滨工业大学深圳研究生院 | Digital evidence obtaining file fragmentation sorting technique based on digital picture conversion and deep learning |
| CN109492767A (en) * | 2018-11-09 | 2019-03-19 | 济南浪潮高新科技投资发展有限公司 | A kind of method for detecting abnormality applied to unsupervised field based on self-encoding encoder |
| CN109684118A (en) * | 2018-12-10 | 2019-04-26 | 深圳前海微众银行股份有限公司 | Detection method, device, equipment and the computer readable storage medium of abnormal data |
| CN109636061A (en) * | 2018-12-25 | 2019-04-16 | 深圳市南山区人民医院 | Training method, device, equipment and the storage medium of medical insurance Fraud Prediction network |
| CN109978379A (en) * | 2019-03-28 | 2019-07-05 | 北京百度网讯科技有限公司 | Time series data method for detecting abnormality, device, computer equipment and storage medium |
| CN110378382A (en) * | 2019-06-18 | 2019-10-25 | 华南师范大学 | Novel quantization transaction system and its implementation based on deeply study |
Non-Patent Citations (1)
| Title |
|---|
| BO ZONGY, QI SONG等: "Deep Autoencoding Gaussian Mixture Model for Unsupervised Anomaly Detection", 《THE 27TH ACM INTERNATIONAL CONFERENCE TGNET: LEARNING TO RANK NODES IN TEMPORAL GRAPHS》 * |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111539769A (en) * | 2020-04-27 | 2020-08-14 | 支付宝(杭州)信息技术有限公司 | Training method and device of anomaly detection model based on differential privacy |
| WO2021218828A1 (en) * | 2020-04-27 | 2021-11-04 | 支付宝(杭州)信息技术有限公司 | Training for differential privacy-based anomaly detection model |
| TWI764640B (en) * | 2020-04-27 | 2022-05-11 | 大陸商支付寶(杭州)信息技術有限公司 | Training method and device for anomaly detection model based on differential privacy |
| CN111724074A (en) * | 2020-06-23 | 2020-09-29 | 华中科技大学 | Pavement lesion detection early warning method and system based on deep learning |
| CN111724074B (en) * | 2020-06-23 | 2023-10-27 | 华中科技大学 | Pavement lesion detection early warning method and system based on deep learning |
| CN113763077A (en) * | 2020-07-24 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Method and apparatus for detecting false trade orders |
| CN111682972A (en) * | 2020-08-14 | 2020-09-18 | 支付宝(杭州)信息技术有限公司 | Method and device for updating service prediction model |
| CN111682972B (en) * | 2020-08-14 | 2020-11-03 | 支付宝(杭州)信息技术有限公司 | Method and device for updating service prediction model |
| CN112037052A (en) * | 2020-11-04 | 2020-12-04 | 上海冰鉴信息科技有限公司 | User behavior detection method and device |
| CN112509696A (en) * | 2020-11-04 | 2021-03-16 | 江南大学 | Health data detection method based on convolution autoencoder Gaussian mixture model |
| CN113762967A (en) * | 2021-03-31 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Risk information determination method, model training method, device, and program product |
| CN113435107A (en) * | 2021-06-02 | 2021-09-24 | 杭州电子科技大学 | Defective product detection method based on production data |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110796497A (en) | Method and device for detecting abnormal operation behaviors | |
| JP6959308B2 (en) | Sparse and compressed neural networks based on sparse constraints and distillation of knowledge | |
| Sau et al. | Deep model compression: Distilling knowledge from noisy teachers | |
| Chen et al. | Domain space transfer extreme learning machine for domain adaptation | |
| Zhang et al. | Image denoising method based on a deep convolution neural network | |
| Kalofolias et al. | Matrix completion on graphs | |
| Gu et al. | Selectnet: Self-paced learning for high-dimensional partial differential equations | |
| JP7250126B2 (en) | Computer architecture for artificial image generation using autoencoders | |
| Pokharel et al. | Mixture kernel least mean square | |
| Cai et al. | An optimal construction and training of second order RBF network for approximation and illumination invariant image segmentation | |
| CN111260620B (en) | Image anomaly detection method and device and electronic equipment | |
| Li et al. | Evolutionary extreme learning machine with sparse cost matrix for imbalanced learning | |
| US11593619B2 (en) | Computer architecture for multiplier-less machine learning | |
| EP4118583A1 (en) | Edge message passing neural network | |
| Mdrafi et al. | Joint learning of measurement matrix and signal reconstruction via deep learning | |
| US20200272812A1 (en) | Human body part segmentation with real and synthetic images | |
| CN110929836A (en) | Neural network training and image processing method and device, electronic device and medium | |
| CN113449853A (en) | Graph convolution neural network model and training method thereof | |
| Vijendran et al. | Deep online sequential extreme learning machines and its application in pneumonia detection | |
| CN113762468A (en) | Classification model generation method based on missing data | |
| Chan et al. | Sensitivity based robust learning for stacked autoencoder against evasion attack | |
| Zhang et al. | Comparison of $\ell _ {1} $-Norm SVR and Sparse Coding Algorithms for Linear Regression | |
| Zhang et al. | Learning from few samples with memory network | |
| CN113569059A (en) | Target user identification method and device | |
| CN112836007B (en) | Relational element learning method based on contextualized attention network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20200214 |
|
| RJ01 | Rejection of invention patent application after publication |