CN111738770B

CN111738770B - Advertisement abnormal flow detection method and device

Info

Publication number: CN111738770B
Application number: CN202010599935.1A
Authority: CN
Inventors: 戚名钰; 马骏; 史剑; 程堂全; 唐思廉
Original assignee: Beijing Dajia Internet Information Technology Co Ltd
Current assignee: Beijing Dajia Internet Information Technology Co Ltd
Priority date: 2020-06-28
Filing date: 2020-06-28
Publication date: 2023-09-26
Anticipated expiration: 2040-06-28
Also published as: CN111738770A

Abstract

The disclosure provides advertisement abnormal flow detection method and device, which are used for selecting abnormal detection items to be detected according to data of different dimensions in advertisement flow data to be detected, and combining the selected abnormal detection items to obtain corresponding detection links. The selected abnormal detection item and the detection link obtained by combining the abnormal detection items are the target detection logic corresponding to the service scene. And then, respectively carrying out abnormal detection on the advertisement traffic data to be detected by each detection link, and obtaining a final detection result according to the detection result of each abnormal detection link. According to the scheme, the anomaly detection items are decoupled from the specific scenes, for any scene, the corresponding anomaly detection items can be selected according to the actual requirements of the scene, the final target anomaly detection logic is obtained through reasonable combination, and corresponding detection is carried out according to the target anomaly detection logic. The accuracy of the detection result of the advertisement abnormal flow detection method under various different service scenes is improved.

Description

Advertisement abnormal flow detection method and device

Technical Field

The disclosure relates to the technical field of network advertisements, and in particular relates to an advertisement abnormal flow detection method and device

Background

Along with the rapid development of internet technology, internet advertisements are permeated into the aspects of life of people, and meanwhile, abnormal advertisement flows such as flow counterfeiting, malicious clicking and the like are generated.

The advertisement abnormal flow detection method is to identify various advertisement abnormal flows, in the related technology, one advertisement abnormal flow detection scheme can only identify abnormal flows in a certain specific service scene, and can not accurately identify abnormal flows of other scenes, namely, the detection result accuracy is very low when the advertisement abnormal flow detection method is applied to other service scenes.

Disclosure of Invention

The disclosure provides a method and a device for detecting advertisement abnormal flow, which at least solve the problems of poor portability and poor reusability of advertisement abnormal flow detection schemes in the related technology. The technical scheme of the present disclosure is as follows:

according to a first aspect of an embodiment of the present disclosure, there is provided an advertisement abnormal traffic detection method, including:

determining target abnormality detection logic according to the obtained advertisement flow data to be detected, wherein the target abnormality detection logic comprises an abnormality detection item and a detection link formed by the abnormality detection item, the abnormality detection item at least comprises abnormality detection of service dimension and abnormality detection of information portrait data, and the information portrait data is determined based on account related information in the advertisement flow data to be detected;

And respectively carrying out abnormal detection on the advertisement flow data to be detected, and obtaining a final detection result of the advertisement flow data to be detected according to the detection results corresponding to the detection links.

In a possible implementation manner of the first aspect, the determining the target anomaly detection logic step according to the obtained advertisement traffic data to be detected includes:

acquiring account related information and business scene related information from the advertisement flow data to be detected;

determining an abnormality detection item to be detected according to the account association information and the service scene association information;

combining the abnormal detection items according to the association relation among the abnormal detection items to obtain corresponding detection links, wherein each detection link comprises at least one abnormal detection item;

and obtaining the target abnormality detection logic according to the abnormality detection item to be detected and the detection link, wherein the target abnormality detection logic comprises at least one detection link.

In another possible implementation manner of the first aspect, the target anomaly detection logic is an anomaly detection graph of a graph structure, each anomaly detection item is a detection node in the anomaly detection graph, detection nodes with association relationships are connected by a directed edge, an input node inputs the advertisement traffic data to be detected, and an output node outputs the final detection result;

The step of combining the abnormal detection items according to the association relation among the abnormal detection items to obtain the corresponding detection link comprises the following steps:

and traversing a directed path formed by all directed edges from the input node to the output node in the anomaly detection graph to obtain the detection link.

In still another possible implementation manner of the first aspect, the step of performing anomaly detection on each detection link on the advertisement traffic data to be detected, and obtaining a final detection result of the advertisement traffic data to be detected according to a detection result corresponding to each detection link includes:

and obtaining a final detection result of the advertisement traffic data to be detected according to the detection results corresponding to the detection links in the target abnormality detection logic and the weights of the detection links, wherein the weights of the detection links represent the influence degree of the detection links on the final detection result.

In a further possible implementation manner of the first aspect, the step of obtaining a detection result corresponding to any detection link includes:

for any detection link, acquiring data to be detected required by each abnormal detection item contained in the detection link;

sequentially carrying out anomaly detection on the data to be detected corresponding to each anomaly detection item according to the detection sequence of each anomaly detection item in the detection link to obtain a detection result corresponding to each anomaly detection item;

According to the weight of each abnormal detection item in the detection link and the detection result corresponding to each abnormal detection item, the detection result corresponding to the detection link is obtained, and the weight of the abnormal detection item represents the influence degree of the abnormal detection item on the detection result of the detection link where the abnormal detection item is located.

In another possible implementation manner of the first aspect, the step of acquiring, for any detection link, data to be detected required for each anomaly detection item included in the detection link includes:

for a first-stage abnormality detection item in the detection link, acquiring data to be detected required by the first-stage abnormality detection item from the advertisement traffic to be detected;

and for a non-first-stage abnormality detection item in the detection link, acquiring a detection result corresponding to a last-stage abnormality detection item associated with the non-first-stage abnormality detection item, and acquiring original to-be-detected data required by the non-first-stage abnormality detection item from the to-be-detected advertisement traffic data.

In a further possible implementation manner of the first aspect, the step of obtaining a detection result corresponding to any anomaly detection item includes:

aiming at an abnormal detection item of a service dimension, acquiring an abnormal judgment rule corresponding to the abnormal detection item, and acquiring a detection result of the advertisement traffic data to be detected aiming at the abnormal detection item according to the abnormal judgment rule;

And aiming at the abnormal detection item of the information portrait data, acquiring a global correct set corresponding to the abnormal detection item from the information portrait data, and acquiring a detection result of the advertisement flow data to be detected aiming at the abnormal detection item according to the global correct set.

According to a second aspect of the embodiments of the present disclosure, there is provided an advertisement abnormal flow detection apparatus, including:

the system comprises a determining module, a target anomaly detection module and a processing module, wherein the determining module is configured to execute target anomaly detection logic according to the obtained advertisement traffic data to be detected, the target anomaly detection logic comprises an anomaly detection item and a detection link formed by the anomaly detection item, the anomaly detection item at least comprises anomaly detection of a service dimension and anomaly detection of information portrait data, and the information portrait data is determined based on account related information in the advertisement traffic data to be detected;

the detection module is configured to perform abnormality detection on each detection link of the advertisement traffic data to be detected respectively, and obtain a final detection result of the advertisement traffic data to be detected according to detection results corresponding to each detection link.

In a possible implementation manner of the second aspect, the determining module includes:

The information acquisition sub-module is configured to acquire account related information and business scene related information from the advertisement flow data to be detected;

the abnormality detection item determining submodule is configured to determine an abnormality detection item to be detected according to the account related information and the service scene related information;

the detection link acquisition sub-module is configured to execute the steps of combining the abnormal detection items according to the association relation among the abnormal detection items to obtain corresponding detection links, wherein each detection link comprises at least one abnormal detection item;

the target abnormality detection logic acquisition sub-module is configured to execute an abnormality detection item to be detected and the detection link to obtain the target abnormality detection logic, and the target abnormality detection logic comprises at least one detection link.

In another possible implementation manner of the second aspect, the target anomaly detection logic is an anomaly detection graph of a graph structure, each anomaly detection item is a detection node in the anomaly detection graph, detection nodes with association relationships are connected by a directed edge, an input node inputs the advertisement traffic data to be detected, and an output node outputs the final detection result;

The detection link acquisition submodule comprises: a path traversing sub-module;

the path traversing sub-module is configured to execute traversing the directed path formed by all directed edges from the input node to the output node in the anomaly detection graph to obtain the detection link.

In a further possible implementation manner of the second aspect, the detection module includes:

the detection link detection result acquisition sub-module is configured to execute detection results corresponding to all detection links in the target abnormality detection logic;

and the final detection result acquisition sub-module is configured to execute the detection results obtained according to the detection sub-module and the weights of the detection links to obtain the final detection result of the advertisement traffic data to be detected, and the weights of the detection links represent the influence degree of the detection links on the final detection result.

In another possible implementation manner of the second aspect, the detecting link detection result obtaining submodule includes:

a detection data acquisition sub-module configured to perform acquisition of data to be detected required by each abnormal detection item contained in a detection link for any detection link;

The detection item detection result acquisition sub-module is configured to execute abnormal detection on the data to be detected corresponding to each abnormal detection item in sequence according to the detection sequence of each abnormal detection item in the detection link, so as to obtain a detection result corresponding to each abnormal detection item;

the link detection result calculation sub-module is configured to execute the weight of each abnormal detection item in the detection link and the detection result corresponding to each abnormal detection item to obtain the detection result corresponding to the detection link, wherein the weight of the abnormal detection item represents the influence degree of the abnormal detection item on the detection result of the detection link where the abnormal detection item is located.

In a further possible implementation manner of the second aspect, the detection data acquisition submodule includes:

a first detection data acquisition sub-module configured to perform acquisition of to-be-detected data required by a first-level abnormality detection item in the detection link from the to-be-detected advertisement traffic;

the second detection data acquisition sub-module is configured to execute the detection result corresponding to the non-first-stage abnormal detection item in the detection link, the detection result corresponding to the last-stage abnormal detection item associated with the non-first-stage abnormal detection item, and the original to-be-detected data required by the non-first-stage abnormal detection item is acquired from the to-be-detected advertisement traffic data.

In another possible implementation manner of the second aspect, the detection item detection result obtaining submodule includes:

the first detection item detection result acquisition sub-module is configured to execute an abnormality detection item aiming at a service dimension, acquire an abnormality judgment rule corresponding to the abnormality detection item, and acquire a detection result of the advertisement traffic data to be detected aiming at the abnormality detection item according to the abnormality judgment rule;

the second detection item detection result acquisition sub-module is configured to execute an abnormal detection item aiming at the information image data, acquire a global correct set corresponding to the abnormal detection item from the information image data, and acquire the detection result of the advertisement flow data to be detected aiming at the abnormal detection item according to the global correct set.

In a third aspect of the embodiments of the present disclosure, there is provided an advertisement abnormal flow detection apparatus, including:

a processor;

a memory for storing instructions executable by the processor;

wherein the processor is configured to execute the instructions to implement the advertisement abnormal traffic detection method according to any one of the possible implementation manners of the first aspect.

In a fourth aspect of embodiments of the present disclosure, there is provided a storage medium, which when executed by a processor of an advertisement abnormal traffic detection apparatus, causes the advertisement abnormal traffic detection apparatus to perform the advertisement abnormal traffic detection method according to any one of the possible implementation manners of the first aspect.

According to a fifth aspect of embodiments of the present disclosure, there is provided a computer program product for, when executed on a data processing apparatus, time-domain execution of a program for initializing the advertisement abnormal traffic detection method according to any one of the possible implementations of the first aspect.

According to the advertisement abnormal flow detection method provided by the embodiment of the disclosure, abnormal detection items to be detected are selected according to data with different dimensions in advertisement flow data to be detected, and the selected abnormal detection items are combined to obtain corresponding detection links. The selected abnormal detection item and the detection link obtained by combining the abnormal detection items are the target detection logic corresponding to the service scene. And then, respectively carrying out abnormal detection on the advertisement flow data to be detected by each detection link, and obtaining a final detection result according to the detection results corresponding to each abnormal detection link. As can be seen from the above, according to the scheme, the anomaly detection items are decoupled from the specific scene, and for any scene, the corresponding anomaly detection items can be selected according to the actual requirements of the scene and reasonably combined to obtain the final target anomaly detection logic, and the corresponding detection can be performed according to the target anomaly detection logic. By continuously enriching the types of the abnormal detection items and constructing reasonable abnormal detection links aiming at service scenes, the advertisement abnormal flow under different scenes is detected, the accuracy of detection results of the advertisement abnormal flow detection method under various different service scenes is improved, namely the portability and reusability of the advertisement abnormal flow detection method are improved.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure and do not constitute an undue limitation on the disclosure.

FIG. 1 is a schematic diagram of an advertising system, shown in accordance with an exemplary embodiment;

FIG. 2 is a flow chart illustrating a method of advertisement abnormal traffic detection according to an example embodiment;

FIG. 3 is a schematic diagram of an anomaly detection graph, shown in accordance with an exemplary embodiment;

FIG. 4 is a flowchart illustrating another advertisement abnormal traffic detection method, according to an example embodiment;

FIG. 5 is a flowchart illustrating a detection process of an IP anomaly detection term, according to an example embodiment;

FIG. 6 is a block diagram illustrating an advertising anomaly traffic detection device, according to an example embodiment;

FIG. 7 is a block diagram of a detection link detection result acquisition sub-module, according to an example embodiment;

fig. 8 is a block diagram illustrating another advertisement abnormal traffic detection apparatus according to an example embodiment.

Detailed Description

In order to enable those skilled in the art to better understand the technical solutions of the present disclosure, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings.

It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.

The terms and terminology involved in the embodiments of the present disclosure are explained as follows:

an advertiser: the advertisement clicks which have advertisement putting requirements and pay corresponding fees for advertisement putting are all effective clicks of real users, rather than cheating clicks, by the advertiser hope that each paid advertisement click is a real user.

Advertisement exposure: the advertisement is shown on the user side in advertisement slots (e.g., advertisement slots in pages accessed by the user, advertisement slots in applications used by the user), and the advertisement is shown once on the user side, referred to as a single advertisement exposure.

Clicking an advertisement: the user accesses the page of the advertiser by clicking the advertisement on the user side device (such as a terminal device of a smart phone, a tablet computer and the like).

Advertisement effect: after the advertisement is exposed, the user performs advertisement clicking to realize the effect that the advertiser expects to be realized by advertisement delivery, such as accessing the webpage of the advertiser, registering on the webpage of the advertiser, ordering and purchasing goods or downloading application, and the like, which is called advertisement effect.

Conversion rate: the ratio of the number of actual advertisement effects (e.g., users clicking on advertisements, registering accounts with the advertiser's web page, downloading applications, etc.) to the number of exposed advertisements is generated in the exposed advertisements.

Click rate: the ratio of the number of advertisement clicks to the number of advertisement exposures.

Cost per thousand persons (Cost Per Thousand, CPM) charging mode, and counting the cost according to the advertisement exposure times of the advertisements on the traffic.

A pay-Per-Click (CPC) billing scheme, the advertiser pays only for the behavior of the user clicking on the advertisement, and no longer pays for exposure of the advertisement. CPC advertising avoids the risk of exposing only non-clicks for advertisers.

The Cost Per Action (CPA) charging mode refers to charging according to the number of times of actual effect of advertisement delivery, that is, charging is performed only for the click volume generating actual advertisement effect in the exposure of advertisement.

Advertisement cheating: in links of advertisement exposure, clicking, effect and the like, users have the behavior of improving indexes such as advertisement exposure, advertisement clicking amount, advertisement clicking rate, conversion rate and the like for some malicious purposes, and the malicious behavior of the cheating users is called advertisement cheating.

And detecting abnormal advertisement flow, namely checking links such as advertisement exposure, clicking and effect, and judging whether the advertisement exposure, the advertisement clicking and the advertisement effect are triggered by normal access of a user side or are realized by an advertisement cheating means by a cheating user.

Traffic, also known as access traffic, a carrier for generating data traffic for accessing the access network, such as web applications, public numbers in social networks, etc.

The flow is as follows: the traffic owner, i.e., the party that can provide traffic, is typically referred to as an application publisher, a website owner, etc. For example, the traffic master may be a content publisher of a certain platform, such as a video publisher. The traffic owner may participate in profit sharing of the advertising costs. Taking CPC as an example, when the exposure of the advertisements put on the access traffic of the advertiser is the same under the same advertisement exposure, the higher the click rate of the advertisements is, the higher the profit share of the advertisement put cost of the traffic owner is, so the traffic owner has a stronger cheating motivation to improve the click rate of the advertisements.

Cheating users: network personnel hired by network companies achieve the purpose of profit or public opinion establishment by clicking advertisements, downloading applications or posting back and the like. The cheating user may be a natural person or may be a cheating program that disguises the user.

Web black (gray) yield: the black (gray) product is referred to as illegal act of potential threat (major potential safety hazard) brought by security and political stability of the state even for computer information system security and network space management order by taking the Internet as medium and network technology as main means, and is mainly referred to as advertisement cheating act.

An embodiment of the present disclosure provides a method and an apparatus for detecting advertisement abnormal traffic, and an application scenario of the method for detecting advertisement abnormal traffic will be described first, and fig. 1 is a schematic diagram illustrating an advertisement system according to an exemplary embodiment, and as shown in fig. 1, the advertisement system includes: an advertisement platform 1 and an advertisement abnormal flow detection system 2.

The advertisement platform 1 is used to deliver advertisements set by an advertiser on a user (i.e., an advertisement audience) access traffic to expose the advertiser's advertisement to the advertisement display site on the user side.

The advertisement platform 1 obtains charging data of advertisements put by advertisers according to advertisement behaviors (such as exposure, clicking, conversion and the like) of a user side. Taking CPC charging mode as an example, the advertisement platform 1 calculates to obtain charging data according to the click rate of the advertisement audience side for the exposed advertisement and the set unit click cost.

The advertisement abnormal flow detection system 2 identifies a cheating user and a cheating flow. The advertisement platform 1 does not settle accounts for the part of cheating traffic or performs weight and price reduction processing on the corresponding advertisement channels.

It should be noted that, the advertisement platform 1 and the advertisement abnormal traffic detection system 2 may be servers or server clusters, where the advertisement abnormal traffic detection system 2 may also provide advertisement abnormal traffic detection service in a cloud service form.

The advertisement cheating approach typically includes the following:

(1) Fake machine fake user; it is common to use virtual machines, simulators, scripts, cloud handsets, etc. to constantly transform IP, cookies, even device IDs, etc. to disguise as different "users" to brush advertisement pages or click on advertisements.

(2) A true machine fake user; for example, in a group control scenario, a user controls a number of machines to generate a cheating flow.

(3) True user false behavior of the true machine; such as silent installation, repackaging, injection, click hijacking, etc.

(4) True machine true user true behavior false machine; such as crowd-sourced distribution platforms or classes of wool clusters.

The traditional advertisement abnormal flow detection scheme provided by the related technology can only identify abnormal flow of a specific certain scene according to manual experience and familiarity degree of the specific advertisement service scene, generally has no universality and reusability, and is more dependent on the manual experience and certain specific performance characteristics of service data. The advertisement abnormal flow detection system provided by the disclosure can be applied to advertisement abnormal flow detection of different service scenes, has strong universality, is less dependent on specific manual experience, and can effectively and comprehensively identify advertisement abnormal flows of different service scenes. The detection process of the advertisement abnormal flow detection system 2 will be described below.

Fig. 2 is a flowchart illustrating an advertisement abnormal flow detection method according to an exemplary embodiment, which is used in the advertisement abnormal flow detection system shown in fig. 1, as shown in fig. 2, and may include the following steps.

In S110, a target anomaly detection logic is determined according to the obtained advertisement traffic data to be detected.

The target abnormality detection logic comprises a detection link consisting of an abnormality detection item and an abnormality detection item; the anomaly detection item includes at least anomaly detection of a business dimension and anomaly detection of informative portrait data, which is determined based on account related information in the advertisement traffic data to be detected.

In one embodiment of the present disclosure, as shown in FIG. 2, the process of determining target anomaly detection logic may include:

in S111, account related information and service scenario related information are obtained from the advertisement traffic data to be detected.

The advertisement traffic data to be detected may be obtained from an advertisement platform. In practice, the advertisement traffic data may be advertisement log data in an advertisement platform.

The advertisement log data is a click log corresponding to the put advertisement, the log is structured data and comprises fields with different dimensions, and the log mainly comprises account related information and service scene related information, for example, the service scene related information can comprise advertisement display information, advertisement putting channel identification, request time, click time and the like; the account related information may include an account number, a device unique identification, a cell phone number, an IP address, etc.

In S112, an anomaly detection item to be detected is determined according to the account-related information and the business scenario-related information.

And determining the abnormality detection items of which dimensions are required to be performed according to the account related information and the service scene related information contained in the advertisement traffic data to be detected.

For example, the advertisement traffic data to be detected includes equipment information used by the user, such as a brand, a model, and the like of the equipment, and includes an IP address corresponding to the user, and in this scenario, the detection may be performed with respect to the equipment anomaly detection item, the IP anomaly detection item, and the timing anomaly detection item. The equipment abnormality detection is used for detecting the probability of generating advertisement abnormal flow by the current equipment; the IP anomaly detection item is used for detecting the probability of generating advertisement anomaly traffic by the current IP address; the timing anomaly detection item is used to detect whether there is an anomaly in the timing of the occurrence of advertisement behavior in the advertisement traffic data, for example, the occurrence of advertisement clicks before advertisement exposure indicates that the behavior timing conflicts.

In S113, the anomaly detection items are combined to obtain corresponding detection links according to the association relationship between the anomaly detection items.

Corresponding anomaly detection items are selected according to specific business scene requirements in the advertisement traffic to be detected, and then corresponding detection links are obtained by combining according to association relations among the selected anomaly detection items, for example, the selected anomaly detection items are equipment anomaly detection items, IP anomaly detection items and time sequence anomaly detection items, the combination relations among the three items are shown in fig. 3, and four detection links formed by the three anomaly detection items are shown in fig. 3:

Detecting a link 1) advertisement flow data to be detected, equipment abnormality detection items and equipment detection results 1;

detecting a link 2) advertisement flow data to be detected, an IP abnormal detection item and an IP detection result 2;

the detection link 3) advertisement flow data to be detected, IP anomaly detection item, time sequence anomaly detection item and detection result 3;

the detection link 4) advertisement flow data to be detected, equipment abnormality detection item, time sequence abnormality detection item and detection result 4.

In S114, the target anomaly detection logic is obtained according to the anomaly detection item to be detected and the detection link.

The target abnormality detection logic is a detection link composed of each abnormality detection item to be detected. As shown in fig. 3, the anomaly detection items are three anomaly detection items, namely, an equipment anomaly detection item, an IP anomaly detection item and a time sequence anomaly detection item, and four detection links formed by the anomaly detection items, namely, corresponding target anomaly detection logic.

In one embodiment of the present disclosure, the target detection logic corresponding to any scenario may be represented by a graph structure, each anomaly detection item is a detection node in the anomaly detection graph, the detection nodes with association relationships are connected by a directed edge, the input node inputs the advertisement traffic data to be detected, and the output node outputs the final detection result. And traversing the directed paths formed by all directed edges from the input node to the output node in the abnormality detection graph to obtain all detection paths corresponding to the abnormality detection graph.

In addition, the detection items are decoupled from the specific scenes, and for any scene, a reasonable abnormal detection diagram can be constructed by selecting corresponding detection items according to specific scene requirements, and corresponding detection can be carried out according to the abnormal detection diagram. By enriching the types of the anomaly detection items and constructing a reasonable anomaly detection graph aiming at the service scene, the method can be applied to detecting the advertisement anomaly traffic under different service scenes.

In S120, abnormal detection of each detection link is performed on the advertisement traffic data to be detected, and a final detection result of the advertisement traffic data to be detected is obtained according to the detection results corresponding to each detection link.

The target anomaly detection logic corresponding to a certain service scenario may include a plurality of detection links, and the influence degree of each link on the final detection result may be different. The weight of each detection link can be determined according to the influence degree of each detection link on the final detection result.

In S121, according to the detection results corresponding to the detection links in the target anomaly detection logic and the weights of the detection links, the final detection result of the advertisement traffic data to be detected is obtained.

The detection result of each detection link is the probability that the advertisement traffic data to be detected is abnormal traffic, and the sum of products of the detection results of the detection links and the corresponding weights is taken as the final detection result corresponding to the advertisement traffic data to be detected. For example, in the example shown in fig. 3, the detection results of the detection links 1) to 4) are a, b, c, d, and the weights corresponding to the four detection links are A1, A2, A3, and A4, respectively, and then the final detection result=a1×a+a2×b+a3×c+a4×d, where a1+a2+a3+a4=1.

Wherein the detection result of each detection link is obtained according to the detection result of each abnormal detection item in the detection link.

In one embodiment of the present disclosure, after obtaining a detection result corresponding to any detection link included in the target anomaly detection logic, the detection result corresponding to each detection link may be added to the original advertisement traffic data to be detected, and the distribution situation of the detection result of each dimension in the advertisement traffic data to be detected is counted, and the detection result and the final detection result are used as an anomaly detection report.

According to the advertisement abnormal flow detection method provided by the embodiment, abnormal detection items to be detected are selected according to the data of different dimensions in the advertisement flow data to be detected, and the selected abnormal detection items are combined to obtain corresponding detection links. The selected abnormal detection item and the detection link obtained by combining the abnormal detection items are the target detection logic corresponding to the service scene. And then, respectively carrying out abnormal detection on the advertisement flow data to be detected by each detection link, and obtaining a final detection result according to the detection results corresponding to each abnormal detection link. As can be seen from the above, according to the scheme, the anomaly detection items are decoupled from the specific scene, and for any scene, the corresponding anomaly detection items can be selected according to the actual requirements of the scene and reasonably combined to obtain the final target anomaly detection logic, and the corresponding detection can be performed according to the target anomaly detection logic. By continuously enriching the types of the abnormal detection items and constructing reasonable abnormal detection links aiming at service scenes, the advertisement abnormal flow under different scenes is detected, the accuracy of detection results of the advertisement abnormal flow detection method under various different service scenes is improved, namely the portability and reusability of the advertisement abnormal flow detection method are improved.

In an embodiment of the present disclosure, as shown in fig. 4, which is a flowchart illustrating another advertisement abnormal traffic detection method according to an exemplary embodiment, the present embodiment will focus on a process of obtaining detection results corresponding to respective detection links.

In S210, for any detection link, data to be detected required for each abnormal detection item included in the detection link is acquired.

In one embodiment of the present disclosure, the detection data required to detect anomaly detection terms at different levels of locations in a link is different, e.g., one detection link includes a first level anomaly detection term and at least one non-first level anomaly detection term. For example, in the detection link 4) in the example shown in fig. 3, the first abnormality detection item is a device abnormality detection item, and the non-first-stage abnormality detection item is a time-series abnormality detection item.

And for the first-stage abnormality detection item in the detection link, acquiring data to be detected required by the first-stage abnormality detection item from the advertisement traffic to be detected. For example, in the detection link 4) shown in fig. 3), the data to be detected required for the equipment abnormality detection item includes equipment-related information in the advertisement traffic data to be detected, and may include, for example, an equipment unique identifier, an equipment brand, an equipment model, and the like.

For a non-first level anomaly detection item in a detection link, the data to be detected of the anomaly detection item comprises two parts, wherein one part is the original data in the advertisement traffic data to be detected, and the other part is the detection result of the last level anomaly detection item associated with the anomaly detection item. For example, the timing anomaly detection item in the detection link 4) shown in fig. 3), the data to be detected of the timing anomaly detection item includes data related to timing anomaly detection in the advertisement traffic data to be detected, and the detection result of the IP anomaly detection item.

The same anomaly detection term may differ in the different detection links for which the required data to be detected is different. For example, in the example shown in fig. 3, the data to be detected corresponding to the timing anomaly detection item in the detection link 4) includes the original data in the advertisement traffic data to be detected, and the detection result of the device anomaly detection item; and the data to be detected corresponding to the time sequence abnormal detection item in the detection link 3) comprises the original data in the advertisement traffic data to be detected and the detection result of the IP abnormal detection item.

In S220, according to the detection sequence of each abnormal detection item in the detection link, sequentially performing abnormal detection on the data to be detected corresponding to each abnormal detection item, to obtain a detection result corresponding to each abnormal detection item.

Taking the detection link 4) in fig. 3 as an example, the detection link first detects the IP abnormality detection item to obtain a detection result of whether the IP address is abnormal; and detecting the time sequence abnormality detection item to obtain a detection result of whether the time sequence of each item of data is abnormal.

And for any abnormal detection item, carrying out corresponding detection on the data to be detected corresponding to the abnormal detection item based on the detection logic of the abnormal detection item to obtain a detection result corresponding to the abnormal detection item. For example, for the access frequency abnormality detection item, access frequency related data of the user is obtained from advertisement traffic data to be detected, and a corresponding access frequency is calculated, and if the access frequency exceeds a normal threshold range, the access frequency abnormality of the user is determined. If the access frequency is within the normal threshold range, determining that the access frequency of the user is normal.

In S230, according to the weights of the abnormal detection items in the detection link and the detection results corresponding to the abnormal detection items, the detection results corresponding to the detection link are obtained.

One detection link may include at least two anomaly detection terms, and the degree of influence of different detection terms on the detection link may be different, so that the weight of each anomaly detection term may be determined according to the degree of influence of the anomaly detection term on the detection result of the detection link. And then obtaining the detection result of the detection link according to the weight of the abnormal detection item and the detection result of each abnormal detection item contained in the detection link.

For example, if a certain detection link includes two anomaly detection terms, the detection results of the two anomaly detection terms are e and f, and the weights corresponding to the two anomaly detection terms are b1 and b2, respectively, then the anomaly detection result=e×b1+f×b2 corresponding to the detection link, where b1+b2=1.

In one embodiment of the present disclosure, the weights of the anomaly detection terms are determined based on a hierarchical analysis, the determination process being as follows:

(1) Determining anomaly detection sets

According to the characteristics of the service security and the condition of a pre-established information database, the abnormality detection set U based on the information is roughly divided into four dimensions of an IP address, a mobile phone number, an account number and equipment, wherein each subset is an evaluation factor set comprising a plurality of specific factors, for example, ui= { Ui1, ui2, … …, uik }, and k is a positive integer.

(2) Determining weights of influencing factors

Dividing each influence factor into a hierarchical level structure according to primary and secondary and membership relations, comparing the importance of the influence factors of the same level in pairs and grading to establish a judgment matrix Ri, and then calculating the maximum eigenvalue and the corresponding eigenvector of the judgment matrix, wherein each component of the eigenvector represents the importance weight of the corresponding abnormality detection item of the level.

(3) Determining an anomaly evaluation set

In one embodiment of the present disclosure, the anomaly class is classified into four classes according to actual experience of business safety, respectively: high, medium, low, none, i.e., the anomaly evaluation set is v= { V1, V2, V3, V4} = { high, medium, low, none }.

(4) Comprehensive evaluation

According to the analysis result of the analytic hierarchy process and the weight calculation of the abnormal detection item, the vector Ai and the matrix Ri are obtained, so that a first-stage fuzzy comprehensive evaluation model Bi=ai×Ri can be obtained, and a second-stage fuzzy comprehensive evaluation model BS=A×R=A×B can be obtained by the first-stage fuzzy comprehensive evaluation matrix B and the corresponding weight A, wherein the second-stage fuzzy comprehensive evaluation matrix R is the first-stage fuzzy comprehensive evaluation matrix B. Finally, determining the abnormal grade of the target request (namely the advertisement request) aiming at the dimension according to the method of the maximum membership degree by contrasting the abnormal grade divided in the established abnormal evaluation set.

After the four different abnormal grades of high, medium, low and no are finally obtained, a service calling party (such as an advertisement platform) can directly intercept or reject advertisement requests with high abnormal grades, the requests with medium and low grades can be labeled for observation or secondary verification, and the request without abnormal grades can be directly put through.

According to the advertisement abnormal flow detection method provided by the embodiment, after the detection links consisting of the abnormal detection items to be detected and the abnormal detection items are selected according to the advertisement flow data to be detected, the data to be detected required by the abnormal detection items are determined according to the detection sequence of the abnormal detection items in any detection link, and the data to be detected are subjected to corresponding abnormal detection to obtain the detection results corresponding to the abnormal detection items. And further obtaining the detection result corresponding to the detection link according to the detection result of each abnormal detection item and the weight corresponding to each abnormal detection item. And finally, obtaining a final detection result corresponding to the advertisement flow data to be detected according to the detection result corresponding to each detection link and the weight corresponding to each detection link. By continuously enriching the types of the abnormal detection items and constructing reasonable abnormal detection links aiming at service scenes, the advertisement abnormal flow under different scenes is detected, and the accuracy of detection results of the advertisement abnormal flow detection method under various different service scenes is improved.

In addition, the advertisement abnormal flow detection method adopts a hierarchical analysis method to determine the influence weight of different abnormal detection items on a final detection result, firstly, each abnormal detection item is divided into different hierarchical structures, the abnormal detection items of the same hierarchy are compared in pairs, and the relative scale is adopted during the comparison, so that the difficulty in comparing the abnormal detection items of different dimensions is reduced as much as possible, the final detection result of advertisement data is comprehensively determined by combining the output values of the abnormal detection items, and the accuracy of the detection result is improved.

In one embodiment of the present disclosure, for anomaly detection items of different dimensions, the process of obtaining detection results corresponding to the anomaly detection items may also be different, and some anomaly detection items may obtain detection results only by counting information included in data to be detected, such as anomaly detection items of a service dimension, for example, access frequency anomaly detection items; and some anomaly detection items need to be combined with a pre-constructed third party information database to judge whether the data to be detected has cheating risks, such as anomaly detection items of information portrait data, for example, equipment dimension, IP dimension, mobile phone number dimension and account number dimension.

The following describes the detection result acquisition process of the anomaly detection item for the business dimension and the anomaly detection item for the information portrait data respectively:

1) Anomaly detection item for business dimension

And for the abnormal detection item of the service dimension, acquiring an abnormal judgment rule corresponding to the abnormal detection item, and acquiring a detection result of the advertisement traffic data to be detected for the abnormal detection item according to the abnormal judgment rule.

For example, the access frequency abnormality detection item only needs to judge whether the data related to the access frequency in the advertisement traffic data to be detected has abnormality according to the judgment rule of the access frequency abnormality.

2) Abnormality detection item for information image data

And for the abnormal detection items of the information image data, acquiring a global correct set corresponding to the abnormal detection items from the information image data, and acquiring a detection result of the advertisement flow data to be detected for the abnormal detection items according to the global correct set.

For example, the device anomaly detection item needs to determine whether the device related information in the advertisement traffic data to be detected is abnormal according to a pre-established global correct data set of the device dimension.

For another example, the IP anomaly detection term needs to use a global correct data set of a pre-established IP dimension to determine whether an anomaly exists in the current IP address; the mobile phone number abnormality detection item needs to utilize a global correct data set of a preset mobile phone number dimension to judge whether the current mobile phone number is abnormal or not; the account abnormity detection item needs to judge whether the current account is abnormal or not by utilizing the pre-established account portrait data.

In one embodiment of the present disclosure, the four-dimensional globally correct dataset comprises data of the following dimensions:

IP address dimension: geographic location corresponding to IP address, network attribute (such as mobile gateway, WIFI, proxy, IDC, etc.), IP attack record (such as collision library, crawling, XSS, etc.), IP address white list, malicious domain name corresponding to IP address, IP influence (corresponding equipment number), IP service attribute label.

Number dimension of mobile phone: the system comprises a decoding platform, a coding platform, a small-size electronic commerce platform and a network time length.

Account dimension: and (5) a black product account number, a waistcoat number, a batch registration account number and a garbage account number.

Device dimension: equipment manufacturer, model, brand, ROOT, group control, virtual machine, forgery, and equipment security factor information.

And constructing a corresponding judgment rule set or an abnormality evaluation model for each dimension to obtain detection logic of the corresponding dimension.

The following describes a detection logic process of a single anomaly detection item with an IP anomaly detection item as an example, and as shown in fig. 5, the detection process of the IP anomaly detection item includes the following steps:

s510, acquiring legal IP addresses contained in the advertisement traffic data to be detected.

S520, obtaining the abnormality related information corresponding to the IP address.

In one embodiment of the present disclosure, the anomaly-related information corresponding to the IP address includes, but is not limited to: network attributes, black product attributes, attack records, service label data.

S530, scoring each piece of abnormality related information of the IP address according to the IP portrait data.

For example, base scoring based on network attribute information; performing black ash production scoring according to the black production attribute; performing security scoring according to the attack record; and carrying out business anomaly scoring according to the business label data.

The time decay function is considered when scoring each anomaly related information in a dimension. For example, if a certain IP address has had a cheating action, the probability of having a cheating operation again decreases over time, and therefore, the scoring process described above takes into account the time decay function.

S540, combining the weight corresponding to the abnormal related information to obtain the comprehensive score of the advertisement flow data to be detected in the IP dimension.

For example, the comprehensive score of the IP dimension is obtained according to the weights corresponding to the four different attributes of the network attribute, the black product attribute, the attack record and the service label data and the anomalies corresponding to the attributes.

The weight corresponding to each attribute in the step can be determined according to actual business safety practical experience.

For example, the weights corresponding to the four items of network attribute, black product attribute, attack record and service label data are sequentially: 0.5, 0.15 and 0.2, the calculation formula of the integrated score is:

integrated score = network attribute score x 0.5+ business anomaly score x 0.2+ attack record security score x 0.15+ black ash yield score x 0.15.

S550, obtaining corresponding detection results according to the comprehensive scores corresponding to the IP addresses to be detected.

And repeating the processes of S210-S240, determining the IP abnormal comprehensive scores corresponding to all the IPs to be detected, and carrying out global normalization on the comprehensive scores of all the IPs to obtain the corresponding percentages of the comprehensive scores of all the IPs. And outputs detailed data such as comprehensive scores, abnormal grades, attack records, network attributes, service attributes and the like corresponding to the IPs.

Corresponding to the embodiment of the advertisement abnormal flow detection method, the disclosure also provides an embodiment of the advertisement abnormal flow detection device.

Fig. 6 is a block diagram illustrating an advertisement abnormal traffic detection apparatus according to an example embodiment. Referring to fig. 6, the apparatus includes a determination module 610 and a detection module 620.

The determining module 610 is configured to execute determining the target anomaly detection logic according to the obtained advertisement traffic data to be detected.

The target anomaly detection logic comprises an anomaly detection item and a detection link formed by the anomaly detection item, wherein the anomaly detection item at least comprises anomaly detection of service dimension and anomaly detection of information portrait data, and the information portrait data is determined based on account related information in advertisement flow data to be detected.

In one embodiment of the present disclosure, referring to fig. 6, the determination module 610 includes an information acquisition sub-module 611, an anomaly detection item determination sub-module 612, a detection link acquisition sub-module 613, and a target anomaly detection logic acquisition sub-module 614.

The information obtaining sub-module 611 is configured to obtain account related information and service scenario related information from the advertisement traffic data to be detected.

The anomaly detection term determination submodule 612 is configured to perform determination of anomaly detection terms to be detected according to account-related information and business scenario-related information.

The detection link acquiring sub-module 613 is configured to perform combining the anomaly detection items according to the association relationship between the anomaly detection items to obtain corresponding detection links, where each detection link includes at least one anomaly detection item.

In one embodiment of the disclosure, the target anomaly detection logic is an anomaly detection graph of a graph structure, each anomaly detection item is a detection node in the anomaly detection graph, detection nodes with association relations are connected by directed edges, input nodes input advertisement flow data to be detected, and output nodes output final detection results;

in this embodiment, the detection link acquisition submodule includes: and the path traversing sub-module is configured to execute traversing the directed path formed by all directed edges from the input node to the output node in the anomaly detection graph to obtain a detection link.

The target anomaly detection logic acquisition sub-module 614 is configured to execute the anomaly detection term and detection link according to the need to detect to obtain target anomaly detection logic, the target anomaly detection logic comprising at least one detection link.

The detection module 620 is configured to perform anomaly detection on each detection link of the advertisement traffic data to be detected, and obtain a final detection result of the advertisement traffic data to be detected according to the detection result corresponding to each detection link.

In one embodiment of the present disclosure, the detection module 620 includes: a detection link detection result acquisition sub-module 621 and a final detection result acquisition sub-module 622.

The detection link detection result acquisition sub-module 621 is configured to execute detection results corresponding to each detection link in the target anomaly detection logic.

In one embodiment of the present disclosure, as shown in fig. 7, the detection link detection result acquisition sub-module 621 includes: a detection data acquisition submodule 6211, a detection item detection result acquisition submodule 6212 and a link detection result calculation submodule 6213.

The detection data acquisition submodule 6211 is configured to perform acquisition of data to be detected required for each abnormal detection item included in the detection link for any one of the detection links.

In one embodiment of the present disclosure, the detection data acquisition submodule 6211 includes: the device comprises a first detection data acquisition sub-module and a second detection data acquisition sub-module.

The first detection data acquisition sub-module is configured to execute the detection of the first-stage abnormality detection item in the detection link, and acquire the data to be detected required by the first-stage abnormality detection item from the advertisement traffic to be detected.

The second detection data acquisition sub-module is configured to execute the detection result corresponding to the upper-level abnormal detection item associated with the non-first-level abnormal detection item for the non-first-level abnormal detection item in the detection link, and acquire the original to-be-detected data required by the non-first-level abnormal detection item from the to-be-detected advertisement traffic data.

The detection item detection result obtaining submodule 6212 is configured to perform abnormality detection on to-be-detected data corresponding to each abnormal detection item in sequence according to the detection sequence of each abnormal detection item in the detection link, so as to obtain a detection result corresponding to each abnormal detection item.

In one embodiment of the present disclosure, the test item test result acquisition submodule 6212 includes: the device comprises a first detection item detection result acquisition sub-module and a second detection item detection result acquisition sub-module.

The first detection item detection result acquisition sub-module is configured to execute an abnormality detection item aiming at a service dimension, acquire an abnormality judgment rule corresponding to the abnormality detection item, and acquire a detection result of advertisement traffic data to be detected aiming at the abnormality detection item according to the abnormality judgment rule.

The second detection item detection result acquisition sub-module is configured to execute the abnormal detection item aiming at the information image data, acquire a global correct set corresponding to the abnormal detection item from the information image data, and acquire the detection result aiming at the abnormal detection item of the advertisement flow data to be detected according to the global correct set.

The link detection result calculation submodule 6213 is configured to perform obtaining a detection result corresponding to the detection link according to the weight of each abnormal detection item in the detection link and the detection result corresponding to each abnormal detection item, where the weight of the abnormal detection item characterizes the influence degree of the abnormal detection item on the detection result of the detection link where the abnormal detection item is located.

The final detection result obtaining sub-module 622 is configured to obtain a final detection result of the advertisement traffic data to be detected according to each detection result obtained by the detection sub-module and the weight of each detection link, where the weight of the detection link characterizes the influence degree of the detection link on the final detection result.

According to the advertisement abnormal flow detection device provided by the embodiment, the determination module selects abnormal detection items to be detected according to the data with different dimensions in the advertisement flow data to be detected, and the selected abnormal detection items are combined to obtain corresponding detection links. The selected abnormal detection item and the detection link obtained by combining the abnormal detection items are the target detection logic corresponding to the advertisement flow to be detected in the service scene. And then the detection module carries out abnormal detection on each detection link according to the target detection logic and the advertisement flow data to be detected, and a final detection result is obtained according to the detection result corresponding to each detection link. According to the scheme, the anomaly detection items are decoupled from the specific scenes, for any scene, the corresponding anomaly detection items can be selected according to the actual requirements of the scene, the final target anomaly detection logic is obtained through reasonable combination, and corresponding detection is carried out according to the target anomaly detection logic. The accuracy of the detection result of the advertisement abnormal flow detection method under various different service scenes is improved, namely the portability and the reusability of the advertisement abnormal flow detection method are improved.

The specific manner in which the various modules perform the operations in the apparatus of the above embodiments have been described in detail in connection with the embodiments of the method, and will not be described in detail herein.

Fig. 8 is a block diagram illustrating an apparatus 800 for advertisement abnormal traffic detection, according to an example embodiment. Referring to fig. 8, the apparatus 800 includes at least one memory 801, at least one processor 802, and a bus 803. Wherein the processor 802 communicates with the memory 801 over a bus 803.

Instructions are stored in the memory 801 and the processor 802 calls the instructions in the memory 801 to perform the advertisement abnormal flow detection method described above. The apparatus 800 herein may be a server, a cluster of servers, or the like.

In an exemplary embodiment, a storage medium is also provided that includes instructions, such as storage 801 including instructions, that are executable by processor 802 of apparatus 800 to perform the advertising exception flow detection method described above. Alternatively, the storage medium may be a non-transitory computer readable storage medium, which may be, for example, ROM, random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, and the like.

Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any adaptations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims

1. The advertisement abnormal flow detection method is characterized by comprising the following steps:

Respectively carrying out abnormal detection on the advertisement flow data to be detected by each detection link, and obtaining a final detection result of the advertisement flow data to be detected according to the detection result corresponding to each detection link;

the step of determining the target abnormality detection logic according to the obtained advertisement flow data to be detected comprises the following steps:

obtaining the target abnormality detection logic according to abnormality detection items to be detected and the detection links, wherein the target abnormality detection logic comprises at least one detection link, the target abnormality detection logic is an abnormality detection diagram of a diagram structure, each abnormality detection item is a detection node in the abnormality detection diagram, the detection nodes with association relations are connected by directed edges, the input node inputs the advertisement flow data to be detected, and the output node outputs the final detection result;

2. The advertisement abnormal flow detection method according to claim 1, wherein the step of performing abnormal detection of each detection link on the advertisement flow data to be detected, and obtaining a final detection result of the advertisement flow data to be detected according to the detection result corresponding to each detection link includes:

3. The advertisement abnormal flow detection method according to claim 2, wherein the step of obtaining a detection result corresponding to any detection link comprises:

4. The advertisement abnormal flow detection method according to claim 3, wherein the step of acquiring, for any detection link, data to be detected required for each abnormal detection item included in the detection link includes:

5. The advertisement abnormal flow detection method according to claim 3 or 4, wherein the step of obtaining a detection result corresponding to any one of the abnormal detection items comprises:

6. An advertisement abnormal flow detection device, characterized by comprising:

The detection module is configured to perform abnormality detection on each detection link of the advertisement traffic data to be detected respectively, and obtain a final detection result of the advertisement traffic data to be detected according to detection results corresponding to each detection link;

wherein the determining module comprises:

the target abnormality detection logic acquisition submodule is configured to execute an abnormality detection item to be detected and the detection link to obtain target abnormality detection logic, the target abnormality detection logic comprises at least one detection link, the target abnormality detection logic is an abnormality detection graph of a graph structure, each abnormality detection item is one detection node in the abnormality detection graph, detection nodes with association relations are connected by directed edges, an input node inputs the advertisement flow data to be detected, and an output node outputs the final detection result;

7. The advertising anomaly traffic detection device of claim 6, wherein the detection module comprises:

8. The advertisement abnormal flow detection device according to claim 7, wherein the detection link detection result acquisition submodule includes:

9. The advertising anomaly traffic detection device of claim 8, wherein the detection data acquisition sub-module comprises:

10. The advertising abnormal flow detection apparatus according to claim 8 or 9, wherein the detection item detection result acquisition submodule includes:

11. An advertisement abnormal flow detection device, characterized by comprising:

a processor;

a memory for storing instructions executable by the processor;

wherein the processor is configured to execute the instructions to implement the advertisement anomaly traffic detection method of any one of claims 1 to 5.

12. A storage medium, which when executed by a processor of an advertising anomaly traffic detection device, causes the advertising anomaly traffic detection device to perform the advertising anomaly traffic detection method of any one of claims 1 to 5.