CN111756760B - User abnormal behavior detection method based on integrated classifier and related equipment - Google Patents

User abnormal behavior detection method based on integrated classifier and related equipment Download PDF

Info

Publication number
CN111756760B
CN111756760B CN202010600018.0A CN202010600018A CN111756760B CN 111756760 B CN111756760 B CN 111756760B CN 202010600018 A CN202010600018 A CN 202010600018A CN 111756760 B CN111756760 B CN 111756760B
Authority
CN
China
Prior art keywords
category
historical data
classifier
data stream
prediction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010600018.0A
Other languages
Chinese (zh)
Other versions
CN111756760A (en
Inventor
刘利
刘中原
庞俊涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
OneConnect Financial Technology Co Ltd Shanghai
Original Assignee
OneConnect Financial Technology Co Ltd Shanghai
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by OneConnect Financial Technology Co Ltd Shanghai filed Critical OneConnect Financial Technology Co Ltd Shanghai
Priority to CN202010600018.0A priority Critical patent/CN111756760B/en
Publication of CN111756760A publication Critical patent/CN111756760A/en
Application granted granted Critical
Publication of CN111756760B publication Critical patent/CN111756760B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines

Landscapes

  • Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to the technical field of artificial intelligence, and provides a user abnormal behavior detection method based on an integrated classifier and related equipment, which comprise the following steps: acquiring historical data streams of a plurality of partitions in a system and the real category of each historical data stream; monitoring a system memory, and performing incremental training on a plurality of classifiers according to the system memory, the historical data streams of a plurality of partitions and the real category of each historical data stream to obtain an integrated classifier; acquiring a plurality of pieces of streaming data of a user in a monitoring period, and inputting the streaming data into an integrated classifier for class prediction to obtain a plurality of prediction classes; and calculating the number of normal categories and abnormal categories in the prediction categories, and outputting a result of whether the behavior of the user is abnormal or not based on the number. The invention can fully utilize the memory to obtain the classifier with the best classification performance, thereby improving the detection accuracy of the abnormal behaviors of the user. In addition, the invention also relates to the technical field of block chains, and the integrated classifier and the result can be stored in the block chains.

Description

User abnormal behavior detection method based on integrated classifier and related equipment
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to a user abnormal behavior detection method and device based on an integrated classifier, computer equipment and a storage medium.
Background
With the popularization and development of computers and networks, the scale of network users is gradually enlarged and user behaviors are more and more complex no matter local area networks or wide area networks, and under the background, the rapid detection and the effective control of the user behaviors are very important.
In the prior art, a user behavior is identified by training an anomaly detection model, so that whether the user behavior is legal or not is judged. However, the anomaly detection model is usually limited by the number of training samples, because the anomaly detection model assumes that all training samples can be stored in the memory at the same time, the detection effect of the anomaly detection model is not ideal.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a method, an apparatus, a computer device and a storage medium for detecting abnormal user behavior based on an integrated classifier, which can fully utilize a memory to obtain a classifier with the best classification performance, thereby improving the accuracy rate of detecting the abnormal user behavior.
The first aspect of the present invention provides a method for detecting abnormal user behavior based on an integrated classifier, which includes:
acquiring historical data streams of a plurality of partitions in a Kafka system and a real category of each historical data stream;
monitoring the memory of the Kafka system, and performing incremental training on a plurality of classifiers according to the memory of the Kafka system, the historical data streams of the plurality of partitions and the real category of each historical data stream to obtain an integrated classifier;
acquiring a plurality of pieces of streaming data of a user in a monitoring period, and inputting each piece of streaming data into the integrated classifier for class prediction to obtain a plurality of prediction classes of each piece of streaming data;
calculating the number of normal categories in the prediction categories and calculating the number of abnormal categories in the prediction categories;
and outputting a result of whether the user behavior is abnormal or not according to the number of the normal types and the number of the abnormal types.
According to an optional embodiment of the present invention, the incrementally training a plurality of classifiers according to the memory of the Kafka system, the historical data streams of the plurality of partitions, and the real category of each historical data stream to obtain an integrated classifier includes:
extracting a preset first number of historical data streams from the historical data streams of each partition, and training a classifier for the extracted preset first number of historical data streams in each partition;
acquiring memories occupied by training a plurality of classifiers, and judging whether the memories occupied by the classifiers exceed the memory of the Kafka system;
when the memory occupied by the classifiers does not exceed the memory of the Kafka system, performing incremental training on each classifier;
and when the memory occupied by the classifiers exceeds the memory of the Kafka system, finishing the training process of all the classifiers to obtain an integrated classifier formed by the classifiers, wherein the integrated classifier is stored in a block chain node.
According to an alternative embodiment of the present invention, training a classifier for the extracted predetermined first number of historical data streams in each partition comprises:
performing operation behavior classification on the preset first number of historical data streams;
constructing a training data triple based on each data stream and the corresponding real class and operation behavior class;
and inputting the training data triple into the SVM to train the classifier.
According to an alternative embodiment of the present invention, the incrementally training each classifier comprises:
obtaining the prediction category of each historical data stream output by a classifier corresponding to each partition;
constructing an initial data stream category matrix according to the real category and the prediction category of each historical data stream;
calculating a first accuracy of the initial data stream class matrix;
calculating a Kappa coefficient according to the first accuracy and the initial data stream class matrix;
judging whether the Kappa coefficient is larger than a preset coefficient threshold value or not;
when the Kappa coefficient is determined to be smaller than a preset coefficient threshold value, extracting a preset second number of data streams from the data streams of the corresponding partitions; adding the preset second number of historical data streams into the preset first number of historical data streams to obtain new historical data streams; training the classifier based on the new historical data stream;
and when the Kappa coefficient is determined to be larger than a preset coefficient threshold value, ending the training process of the classifier.
According to an alternative embodiment of the present invention, the constructing the initial data stream class matrix according to the real class and the prediction class of each historical data stream includes:
establishing an initial data stream category table by taking the real category of each historical data stream as a column key and the prediction category of each historical data stream as a row key;
calculating the number corresponding to each table in the initial data stream category table;
and writing the number corresponding to each table into the table to obtain an initial data stream category matrix.
According to an alternative embodiment of the invention, said calculating Kappa coefficients based on said first accuracy and said initial data stream class matrix comprises:
calculating a first category quantity of each real category and a second category quantity of each prediction category;
calculating a ratio of each first class quantity to the total number of the initial data stream class matrices;
calculating the product of each proportion and each second category quantity as the random classification quantity in the corresponding table;
updating the initial data stream category matrix according to the random classification quantity;
calculating a second accuracy of the updated data stream class matrix;
the Kappa coefficient is calculated using the following formula, kappa coefficient = (the first accuracy-the second accuracy)/(1-the second accuracy).
According to an alternative embodiment of the present invention, the acquiring the plurality of pieces of streaming data of the user during the monitoring period includes:
calling a predefined interface to obtain a user operation behavior in a monitoring period based on a streaming processing frame;
classifying the user operation behavior;
calculating the operation behavior times in each category;
and taking the user operation behavior and the corresponding operation behavior times as streaming data.
A second aspect of the present invention provides an integrated classifier-based user abnormal behavior detection apparatus, including:
the data acquisition module is used for acquiring historical data streams of a plurality of partitions in the Kafka system and the real category of each historical data stream;
the increment training module is used for monitoring the memory of the Kafka system and carrying out increment training on a plurality of classifiers according to the memory of the Kafka system, the historical data streams of the plurality of partitions and the real category of each historical data stream to obtain an integrated classifier;
the category prediction module is used for acquiring a plurality of pieces of streaming data of a user in a monitoring period, inputting each piece of streaming data into the integrated classifier for category prediction, and obtaining a plurality of prediction categories of each piece of streaming data;
the quantity calculation module is used for calculating the quantity of normal categories in the prediction categories and calculating the quantity of abnormal categories in the prediction categories;
and the result output module is used for outputting the result whether the user behavior is abnormal or not according to the number of the normal types and the number of the abnormal types.
A third aspect of the invention provides a computer device comprising a processor for implementing the integrated classifier based user abnormal behavior detection method when executing a computer program stored in a memory.
A fourth aspect of the present invention provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the integrated classifier-based user abnormal behavior detection method.
In summary, according to the method, the apparatus, the computer device and the storage medium for detecting the abnormal behavior of the user based on the integrated classifier, provided by the invention, since the memory of the system is considered when the classifier is trained, the memory can be fully utilized to obtain the classifier with the best classification performance, so that the accuracy rate of detecting the abnormal behavior of the user is improved. And (3) integrating the prediction categories of all the classifiers for each piece of streaming data, determining the number of normal categories and the number of abnormal categories from the point of statistics, and further determining that the behavior of the user is normal or abnormal.
Drawings
Fig. 1 is a flowchart of a user abnormal behavior detection method based on an integrated classifier according to an embodiment of the present invention.
Fig. 2 is a structural diagram of a user abnormal behavior detection apparatus based on an integrated classifier according to a second embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a computer device according to a third embodiment of the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a detailed description of the present invention will be given below with reference to the accompanying drawings and specific embodiments. It should be noted that the embodiments of the present invention and features of the embodiments may be combined with each other without conflict.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
Example one
Fig. 1 is a flowchart of a user abnormal behavior detection method based on an integrated classifier according to an embodiment of the present invention.
The user abnormal behavior detection method based on the integrated classifier is applied to computer equipment and specifically comprises the following steps, and the sequence of the steps in the flowchart can be changed and some steps can be omitted according to different requirements.
S11, historical data streams of a plurality of partitions in the Kafka system and the real category of each historical data stream are obtained.
The computer equipment is provided with a Kafka system, the Kafka system is divided into a plurality of partitions, and a plurality of historical data streams of a plurality of users are stored in each partition.
The computer device may provide an annotation tool by which to annotate the true category of each historical data stream.
The real categories include normal behavior and abnormal behavior.
And S12, monitoring the memory of the Kafka system, and performing incremental training on a plurality of classifiers according to the memory of the Kafka system, the historical data streams of the plurality of partitions and the real category of each historical data stream to obtain an integrated classifier.
Because the data streams in different partitions are different, the attributes and classification capabilities of trained classifiers are different, and a plurality of classifiers are trained based on the historical data streams of a plurality of partitions and the real categories of each historical data stream, so that the detection of the abnormal behaviors of the user can exert stronger strength by virtue of the plurality of classifiers.
In addition, since not all training samples can be stored in the memory at the same time, the memory of the Kafka system is considered while training a plurality of classifiers, and the training data is gradually increased in an incremental mode according to the memory of the Kafka system to train the plurality of classifiers, so that memory leakage is avoided, and normal operation of the computer system is ensured.
The computer device may train the ensemble classifier offline.
In an optional embodiment, the incrementally training a plurality of classifiers according to the memory of the Kafka system, the historical data streams of the plurality of partitions, and the real category of each historical data stream to obtain an integrated classifier includes:
s121, extracting a preset first number of historical data streams from the historical data streams of each partition, and training a classifier for the extracted preset first number of historical data streams in each partition;
s122, acquiring memories occupied by training a plurality of classifiers, and judging whether the memories occupied by the classifiers exceed the memory of the Kafka system;
s123, when the memory occupied by the classifiers does not exceed the memory of the Kafka system, performing incremental training on each classifier;
and S124, when the memory occupied by the classifiers exceeds the memory of the Kafka system, finishing the training process of all the classifiers to obtain the integrated classifier consisting of the classifiers.
In this optional embodiment, because the plurality of classifiers are trained in an incremental manner, the greater the number of data streams participating in the training, the stronger the classification capability of the classifiers is, and whether the memory occupied by the plurality of classifiers exceeds the memory of the system is taken as the basis for receiving and training the classifiers, so that the number of training samples participating in the classifiers can be increased to the maximum, the efficiency of the trained classifiers reaches the maximum, the memory cannot be occupied, and the normal operation of the computer system is ensured.
In an alternative embodiment, the training a classifier for the predetermined first number of historical data streams extracted in each partition includes:
performing operation behavior classification on the preset first number of historical data streams;
constructing a training data triple based on each data stream and the corresponding real class and operation behavior class;
and inputting the training data triple into the SVM to train the classifier.
In this alternative embodiment, each historical data stream includes operation behavior information, the operation behavior category of the corresponding historical data stream is determined based on the operation behavior information, and a training data triple (historical data stream, real category, operation behavior category) is constructed based on each historical data stream and the corresponding real category and operation behavior category.
The classifier is obtained based on a plurality of constructed triple training Support Vector Machines (SVM), and the classification can be predicted by inputting the operation behavior classification and the data stream into the classifier subsequently.
In an optional embodiment, the incrementally training each classifier comprises:
obtaining the prediction category of each historical data stream output by a classifier corresponding to each partition;
constructing an initial data stream category matrix according to the real category and the prediction category of each historical data stream;
calculating a first accuracy of the initial data stream class matrix;
calculating a Kappa coefficient according to the first accuracy and the initial data stream class matrix;
judging whether the Kappa coefficient is larger than a preset coefficient threshold value or not;
when the Kappa coefficient is determined to be smaller than a preset coefficient threshold value, extracting a preset second number of data streams from the data streams of the corresponding subareas; adding the preset second number of historical data streams into the preset first number of historical data streams to obtain new historical data streams; training the classifier based on the new historical data stream;
and when the Kappa coefficient is determined to be larger than a preset coefficient threshold value, ending the training process of the classifier.
In this alternative embodiment, the Kappa coefficient represents a ratio of classification to fully random classification, and when the calculated Kappa coefficient is smaller (smaller than a preset coefficient threshold), it indicates that the prediction capability of the classifier is not as good as that of the random classification, and therefore it is necessary to continue to add training data and train a new classifier based on the added data until the calculated Kappa coefficient with the first accuracy obtained by the classifier is larger (larger than the preset coefficient threshold), and the prediction capability of the classifier is considered to be improved.
In an alternative embodiment, the constructing the initial data stream class matrix according to the real class and the prediction class of each historical data stream includes:
establishing an initial data stream category table by taking the real category of each historical data stream as a column key and the prediction category of each historical data stream as a row key;
calculating the number corresponding to each table in the initial data stream category table;
and writing the number corresponding to each table into the table to obtain an initial data stream category matrix.
Illustratively, the initial data stream class matrix constructed as shown in table 1 below, the rows represent true classes and the columns represent prediction classes.
TABLE 1 initial data stream class matrix
Figure BDA0002558337940000081
The first accuracy p1= diagonal and/total = (239 +73+ 280)/664=0.891566265060241 of the initial data stream class matrix.
In an alternative embodiment, said calculating Kappa coefficients based on said first accuracy and said initial data stream class matrix comprises:
calculating a first category quantity of each real category and a second category quantity of each prediction category;
calculating a ratio of each first class quantity to the total number of the initial data stream class matrices;
calculating the product of each proportion and each second category quantity as the random classification quantity in the corresponding table;
updating the initial data stream category matrix according to the random classification quantity;
calculating a second accuracy of the updated data stream class matrix;
the Kappa coefficient is calculated using the following formula, kappa coefficient = (the first accuracy-the second accuracy)/(1-the second accuracy).
Illustratively, as shown in table 1, the first class amount of the real class a is 276, the first class amount of the real class B is 93, the first class amount of the real class C is 295, the second class amount of the predicted class a is 261, the second class amount of the predicted class B is 103, the second class amount of the predicted class C is 300, and the total number of the initial data stream class matrices is 664.
Calculating a ratio of each first class quantity to the total number of the initial data stream class matrices as follows:
ratio 1= first class amount 276/total amount 664=0.415663 as possible for prediction as class a;
ratio 2= first class amount 93/total amount 664=0.14006 as a possibility of prediction as class B;
ratio 3= first class amount 295/total amount 664=0.444277 as possible for prediction as class C;
the product of each ratio and each second class quantity is calculated as the random classification quantity in the corresponding table as follows:
p11 (row 1, column 1): 0.415663 × 261=108.488, and random classification would classify the person of ratio 1 (0.415663) as class a;
p12 (row 1, column 2): 0.415663 × 261=36.55572, the random classification will classify the person of ratio 2 (0.14006) as class B;
p12 (row 1, column 3): 0.444277 × 261=115.95, and random sorting would classify ratio 3 (0.444277) as class C.
By analogy, the second row: the randomized classification will classify 0.415663 as class A (42.81 for 0.415663 of 103), 0.14006 as class B (14.42 for 0.415663 of 103), and 0.444277 as class C (45.76 for 0.444277 of 103).
The updated data stream class matrix is shown in table 2 below.
TABLE 2 updated data stream class matrix
Figure BDA0002558337940000101
Therefore, a second accuracy p2= (108.488 +14.4262+ 133.2831)/644 =0.385839290898534, then the Kappa coefficient = (p 1-p 2)/(1-p 2) =0.823444037801766.
S13, acquiring a plurality of pieces of streaming data of the user in the monitoring period, and inputting each piece of streaming data into the integrated classifier for class prediction to obtain a plurality of prediction classes of each piece of streaming data.
In order to monitor whether the behavior of the current user is abnormal, the computer device can acquire a plurality of pieces of streaming data of the current user in a monitoring period, and online call the integrated classifier to perform class prediction on the plurality of pieces of streaming data.
Each classifier in the integrated classifier outputs a class prediction result for the same streaming data.
The class prediction result comprises a normal class and an abnormal class.
In an optional embodiment, the acquiring the plurality of pieces of streaming data of the user in the monitoring period includes:
calling a predefined interface to obtain a user operation behavior in a monitoring period based on a streaming processing frame;
classifying the user operation behavior;
calculating the operation behavior times in each category;
and taking the user operation behaviors and the corresponding operation behavior times as streaming data.
In this alternative embodiment, the streaming framework comprises: flink, spark Streaming or Storm, in a Streaming framework, user action behavior can be captured in real-time or near real-time. For example, the number of times that the user clicks the user in daily life within a period of time and the number of times that the user clicks the book are obtained. By calculating the operation behavior times of each category, the operation behavior of the user with large granularity is converted into the operation behavior times with small granularity. The smaller the granularity is, the finer the operation behavior of the user is, the closer the category predicted by the integrated classifier is to the reality, and the more accurate the prediction result is.
And S14, calculating the number of normal categories in the prediction categories and calculating the number of abnormal categories in the prediction categories.
After calling the integrated classifier to predict the categories of all streaming data of the user, the computer device calculates the number of categories with normal prediction results and the number of categories with abnormal prediction results, which are output by the integrated classifier, in the prediction categories.
And S15, outputting a result of whether the user behavior is abnormal or not according to the number of the normal types and the number of the abnormal types.
The computer equipment judges whether the number of the normal categories is larger than that of the abnormal categories or not, and outputs a result that the behavior of the user is normal when the judgment result shows that the number of the normal categories is larger than that of the abnormal categories; and when the judgment result shows that the number of the normal categories is smaller than the number of the abnormal categories, outputting a result of the abnormal behavior of the user.
In the embodiment, the integrated classifier can be trained offline, and used for predicting the normal or abnormal behavior of the user online, and the memory of the system is considered during training of the classifier, so that the memory can be fully utilized, the classifier with the best classification performance is obtained, and the accuracy rate of detecting the abnormal behavior of the user is improved. And (3) integrating the prediction categories of all the classifiers for each streaming data, determining the number of normal categories and the number of abnormal categories from the statistical perspective, and further determining that the behavior of the user is normal or abnormal.
It is emphasized that to further ensure privacy and security of the results of the integrated classifier and/or the detected user behavior, the results of the integrated classifier and/or the detected user behavior may also be stored in a node of a blockchain.
The block chain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
Example two
Fig. 2 is a structural diagram of a user abnormal behavior detection apparatus based on an integrated classifier according to a second embodiment of the present invention.
In some embodiments, the integrated classifier based abnormal user behavior detection apparatus 20 may include a plurality of functional modules composed of computer program segments. The computer program of each program segment in the integrated classifier based user abnormal behavior detection apparatus 20 may be stored in a memory of a computer device and executed by at least one processor to perform (see detailed description of fig. 1) the function of the integrated classifier based user abnormal behavior detection.
In this embodiment, the user abnormal behavior detection apparatus 20 based on the ensemble classifier may be divided into a plurality of functional modules according to the functions performed by the apparatus. The functional module may include: the system comprises a data acquisition module 201, an increment training module 202, a category prediction module 203, a quantity calculation module 204 and a result output module 205. The module referred to herein is a series of computer program segments capable of being executed by at least one processor and capable of performing a fixed function and is stored in memory. In the present embodiment, the functions of the modules will be described in detail in the following embodiments.
The data obtaining module 201 is configured to obtain historical data streams of multiple partitions in the Kafka system and a real category of each historical data stream.
The computer equipment is provided with a Kafka system, the Kafka system is divided into a plurality of partitions, and a plurality of historical data streams of a plurality of users are stored in each partition.
The computer device may provide an annotation tool by which to annotate the true category of each historical data stream.
The real categories include normal behavior and abnormal behavior.
The increment training module 202 is configured to monitor the memory of the Kafka system, and perform increment training on multiple classifiers according to the memory of the Kafka system, the historical data streams of the multiple partitions, and the real category of each historical data stream to obtain an integrated classifier.
Because the data streams in different partitions are different, the attributes and the classification capability of the trained classifiers are different, and a plurality of classifiers are trained based on the historical data streams of a plurality of partitions and the real categories of each historical data stream, so that the detection of the abnormal behaviors of the user can exert stronger strength by virtue of the plurality of classifiers.
In addition, since not all training samples can be stored in the memory at the same time, the memory of the Kafka system is considered while training a plurality of classifiers, and the training data is gradually increased in an incremental mode according to the memory of the Kafka system to train the plurality of classifiers, so that memory leakage is avoided, and normal operation of the computer system is ensured.
The computer device may train the ensemble classifier offline.
In an optional embodiment, the incrementally training module 202 incrementally trains a plurality of classifiers according to the memory of the Kafka system, the historical data streams of the plurality of partitions, and the real category of each historical data stream to obtain an integrated classifier includes:
extracting a preset first number of historical data streams from the historical data streams of each partition, and training a classifier for the extracted preset first number of historical data streams in each partition;
obtaining memories occupied by training a plurality of classifiers, and judging whether the memories occupied by the classifiers exceed the memory of the Kafka system;
when the memory occupied by the classifiers does not exceed the memory of the Kafka system, performing incremental training on each classifier;
and when the memory occupied by the classifiers exceeds the memory of the Kafka system, finishing the training process of all the classifiers to obtain the integrated classifier consisting of the classifiers.
In this optional embodiment, because the plurality of classifiers are trained in an incremental manner, the greater the number of data streams participating in the training, the stronger the classification capability of the classifiers is, and whether the memory occupied by the plurality of classifiers exceeds the memory of the system is taken as the basis for receiving and training the classifiers, so that the number of training samples participating in the classifiers can be increased to the maximum, the efficiency of the trained classifiers reaches the maximum, the memory cannot be occupied, and the normal operation of the computer system is ensured.
In an alternative embodiment, the training a classifier for the predetermined first number of historical data streams extracted in each partition includes:
performing operation behavior classification on the preset first number of historical data streams;
constructing a training data triple based on each data stream and the corresponding real class and operation behavior class;
and inputting the training data triple into the SVM to train the classifier.
In this alternative embodiment, each historical data stream includes operation behavior information, the operation behavior class of the corresponding historical data stream is determined based on the operation behavior information, and a training data triple (historical data stream, real class, operation behavior class) is constructed based on each historical data stream and the corresponding real class and operation behavior class.
The classifier is obtained based on a plurality of constructed triple training Support Vector Machines (SVM), and the classification can be predicted by inputting the operation behavior classification and the data stream into the classifier subsequently.
In an optional embodiment, the incrementally training each classifier comprises:
obtaining the prediction category of each historical data stream output by a classifier corresponding to each partition;
constructing an initial data stream category matrix according to the real category and the prediction category of each historical data stream;
calculating a first accuracy of the initial data stream class matrix;
calculating a Kappa coefficient according to the first accuracy and the initial data stream class matrix;
judging whether the Kappa coefficient is larger than a preset coefficient threshold value or not;
when the Kappa coefficient is determined to be smaller than a preset coefficient threshold value, extracting a preset second number of data streams from the data streams of the corresponding partitions; adding the preset second number of historical data streams into the preset first number of historical data streams to obtain new historical data streams; training the classifier based on the new historical data stream;
and when the Kappa coefficient is determined to be larger than a preset coefficient threshold value, ending the training process of the classifier.
In this alternative embodiment, the Kappa coefficient represents a ratio of classification to reduction of generation errors of completely random classification, and when the calculated Kappa coefficient is smaller (smaller than a preset coefficient threshold), it indicates that the prediction capability of the classifier is not as good as that of the random classification, and therefore, it is necessary to continue to add training data and train a new classifier based on the added data until the calculated Kappa coefficient with the first accuracy obtained by the classifier is larger (larger than a preset coefficient threshold), and the prediction capability of the classifier is considered to be improved.
In an alternative embodiment, the constructing the initial data stream category matrix according to the real category and the prediction category of each historical data stream includes:
establishing an initial data stream category table by taking the real category of each historical data stream as a column key and the prediction category of each historical data stream as a row key;
calculating the number corresponding to each table in the initial data stream classification table;
and writing the number corresponding to each table into the table to obtain an initial data stream category matrix.
Illustratively, the initial data stream class matrix constructed as shown in table 1 below, the rows represent true classes and the columns represent prediction classes.
TABLE 1 initial data stream class matrix
Figure BDA0002558337940000151
The first accuracy p1= diagonal and/total = (239 +73+ 280)/664=0.891566265060241 of the initial data stream class matrix.
In an alternative embodiment, said calculating Kappa coefficients based on said first accuracy and said initial data stream class matrix comprises:
calculating a first category quantity of each real category and a second category quantity of each prediction category;
calculating a ratio of each first class quantity to the total number of the initial data stream class matrices;
calculating the product of each proportion and each second category quantity as the random classification quantity in the corresponding table;
updating the initial data stream category matrix according to the random classification quantity;
calculating a second accuracy of the updated data stream class matrix;
the Kappa coefficient is calculated using the following formula, kappa coefficient = (the first accuracy-the second accuracy)/(1-the second accuracy).
Illustratively, as shown in table 1, the first class amount of the real class a is 276, the first class amount of the real class B is 93, the first class amount of the real class C is 295, the second class amount of the predicted class a is 261, the second class amount of the predicted class B is 103, the second class amount of the predicted class C is 300, and the total number of the initial data stream class matrices is 664.
Calculating a ratio of each first class quantity to the total number of the initial data stream class matrices as follows:
ratio 1= first class amount 276/total amount 664=0.415663 as possible for prediction as class a;
ratio 2= first class quantity 93/total quantity 664=0.14006 as a possibility of prediction as class B;
ratio 3= first class amount 295/total amount 664=0.444277 as possible for prediction as class C;
the product of each ratio and each second class quantity is calculated as the random classification number in the correspondence table as follows:
p11 (row 1, column 1): 0.415663 × 261=108.488, and random classification would classify the person of ratio 1 (0.415663) as class a;
p12 (row 1, column 2): 0.415663 × 261=36.55572, the random classification will classify the person of ratio 2 (0.14006) as class B;
p12 (row 1, column 3): 0.444277 × 261=115.95, and random classification will classify ratio 3 (0.444277) as class C.
By analogy, the second row: the randomized classification will classify 0.415663 as class A (42.81 for 0.415663 of 103), 0.14006 as class B (14.42 for 0.415663 of 103), and 0.444277 as class C (45.76 for 0.444277 of 103).
The updated data stream class matrix is shown in table 2 below.
TABLE 2 updated data stream class matrix
Figure BDA0002558337940000171
Thus, a second accuracy p2= (108.488 +14.4262+ 133.2831)/644=0.385839290898534, then the Kappa coefficient = (p 1-p 2)/(1-p 2) =0.823444037801766.
The category prediction module 203 is configured to obtain multiple pieces of streaming data of a user in a monitoring period, and input each piece of streaming data into the integrated classifier to perform category prediction, so as to obtain multiple prediction categories of each piece of streaming data.
In order to monitor whether the behavior of the current user is abnormal, the computer device can acquire a plurality of pieces of streaming data of the current user in a monitoring period, and online call the integrated classifier to perform class prediction on the plurality of pieces of streaming data.
Each classifier in the integrated classifier outputs a class prediction result for the same streaming data.
The class prediction result comprises a normal class and an abnormal class.
In an alternative embodiment, the acquiring, by the category prediction module 203, pieces of streaming data of the user in the monitoring period includes:
calling a predefined interface to obtain a user operation behavior in a monitoring period based on a streaming processing frame;
classifying the user operation behaviors;
calculating the operation behavior times in each category;
and taking the user operation behavior and the corresponding operation behavior times as streaming data.
In this alternative embodiment, the streaming framework comprises: flink, spark Streaming or Storm, in a Streaming framework, user action behavior can be captured in real-time or near real-time. For example, the number of times that the user clicks the user in daily life within a period of time and the number of times that the user clicks the book are obtained. By calculating the operation behavior times of each category, the operation behavior of the user with large granularity is converted into the operation behavior times with small granularity. The smaller the granularity is, the finer the operation behavior of the user is, the closer the category predicted by the integrated classifier is to the reality, and the more accurate the prediction result is.
The number calculating module 204 is configured to calculate the number of normal classes in the prediction class and calculate the number of abnormal classes in the prediction class.
After calling the integrated classifier to predict the categories of all streaming data of the user, the computer device calculates the number of categories of which the prediction results are normal in the prediction categories output by the integrated classifier and the number of categories of which the prediction results are abnormal in the prediction categories.
The result output module 205 is configured to output a result of whether the behavior of the user is abnormal according to the number of the normal categories and the number of the abnormal categories.
The computer equipment judges whether the number of the normal categories is larger than that of the abnormal categories or not, and outputs a result that the behavior of the user is normal when the judgment result shows that the number of the normal categories is larger than that of the abnormal categories; and when the judgment result shows that the number of the normal categories is smaller than the number of the abnormal categories, outputting a result of the abnormal behavior of the user.
In the embodiment, the integrated classifier can be trained offline, and used for predicting the normal or abnormal behavior of the user online, and the memory of the system is considered during training of the classifier, so that the memory can be fully utilized, the classifier with the best classification performance is obtained, and the accuracy rate of detecting the abnormal behavior of the user is improved. And (3) integrating the prediction categories of all the classifiers for each piece of streaming data, determining the number of normal categories and the number of abnormal categories from the point of statistics, and further determining that the behavior of the user is normal or abnormal.
It is emphasized that to further ensure privacy and security of the results of the integrated classifier and/or the detected user behavior, the results of the integrated classifier and/or the detected user behavior may also be stored in a node of a blockchain.
The block chain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a string of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, which is used for verifying the validity (anti-counterfeiting) of the information and generating a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
EXAMPLE III
Fig. 3 is a schematic structural diagram of a computer device according to a third embodiment of the present invention. In the preferred embodiment of the present invention, the computer device 3 includes a memory 31, at least one processor 32, at least one communication bus 33, and a transceiver 34.
It will be appreciated by those skilled in the art that the configuration of the computer apparatus shown in fig. 3 does not constitute a limitation of the embodiment of the present invention, and may be a bus-type configuration or a star-type configuration, and that the computer apparatus 3 may include more or less hardware or software than those shown, or a different arrangement of components.
In some embodiments, the computer device 3 is a computer device capable of automatically performing numerical calculation and/or information processing according to instructions set in advance or stored in advance, and the hardware thereof includes but is not limited to a microprocessor, an application specific integrated circuit, a programmable gate array, a digital processor, an embedded device and the like. The computer device 3 may also include a client device, which includes, but is not limited to, any electronic product capable of interacting with a client through a keyboard, a mouse, a remote controller, a touch pad, or a voice control device, for example, a personal computer, a tablet computer, a smart phone, a digital camera, and the like.
It should be noted that the computer device 3 is only an example, and other electronic products that are now or may come into existence in the future, such as may be adapted to the present invention, should also be included within the scope of the present invention, and are hereby incorporated by reference.
In some embodiments, a computer program is stored in the memory 31, and the at least one processor 32 may call the computer program stored in the memory 31 to perform the related functions. For example, the respective modules described in the above embodiments are computer programs stored in the memory 31 and executed by the at least one processor 32, thereby implementing the functions of the respective modules. The Memory 31 includes a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), a One-time Programmable Read-Only Memory (OTPROM), an electronically Erasable rewritable Read-Only Memory (Electrically-Erasable Programmable Read-Only Memory (EEPROM)), an optical Read-Only disk (CD-ROM) or other optical disk Memory, a magnetic disk Memory, a tape Memory, or any other medium readable by a computer capable of carrying or storing data.
In some embodiments, the at least one processor 32 is a Control Unit (Control Unit) of the computer device 3, connects various components of the entire computer device 3 by using various interfaces and lines, and executes various functions and processes data of the computer device 3 by running or executing programs or modules stored in the memory 31 and calling data stored in the memory 31. For example, the at least one processor 32, when executing the computer program stored in the memory, implements all or part of the steps of the integrated classifier based user abnormal behavior detection method according to the embodiment of the present invention. The at least one processor 32 may be composed of an integrated circuit, for example, a single packaged integrated circuit, or may be composed of a plurality of integrated circuits packaged with the same function or different functions, including one or more Central Processing Units (CPUs), microprocessors, digital Processing chips, graphics processors, and combinations of various control chips.
In some embodiments, the at least one communication bus 33 is arranged to enable connection communication between the memory 31 and the at least one processor 32 or the like.
Although not shown, the computer device 3 may further include a power supply (such as a battery) for supplying power to each component, and preferably, the power supply may be logically connected to the at least one processor 32 through a power management device, so as to implement functions of managing charging, discharging, and power consumption through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The computer device 3 may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
The integrated unit implemented in the form of a software functional module may be stored in a computer-readable storage medium. The software functional module is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a computer device, or a network device) or a processor (processor) to execute the parts of the method for detecting abnormal user behavior based on an integrated classifier according to the embodiments of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or that the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit the same, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (8)

1. A user abnormal behavior detection method based on an integrated classifier is characterized by comprising the following steps:
acquiring historical data streams of a plurality of partitions in a Kafka system and the real category of each historical data stream, wherein a plurality of historical data streams of a plurality of users are stored in each partition;
monitoring the memory of the Kafka system, and performing incremental training on a plurality of classifiers according to the memory of the Kafka system, the historical data streams of the plurality of partitions and the real category of each historical data stream to obtain an integrated classifier, wherein the integrated classifier comprises: extracting a preset first number of historical data streams from the historical data streams of each partition, and training a classifier for the extracted preset first number of historical data streams in each partition; obtaining memories occupied by training a plurality of classifiers, and judging whether the memories occupied by the classifiers exceed the memory of the Kafka system; when the memory occupied by the classifiers does not exceed the memory of the Kafka system, performing incremental training on each classifier; when the memory occupied by the classifiers exceeds the memory of the Kafka system, finishing the training process of all the classifiers to obtain an integrated classifier formed by the classifiers, wherein the integrated classifier is stored in a block chain node;
acquiring a plurality of pieces of streaming data of a user in a monitoring period, inputting each piece of streaming data into the integrated classifier for class prediction to obtain a plurality of prediction classes of each piece of streaming data, wherein each classifier in the integrated classifier outputs one prediction class for each piece of streaming data, and the streaming data comprises: calling a predefined interface to obtain user operation behaviors in a monitoring period based on a streaming processing frame, classifying the user operation behaviors, and calculating to obtain the operation behavior times in each category;
calculating the number of normal categories in the prediction categories and calculating the number of abnormal categories in the prediction categories;
and outputting a result of whether the user behavior is abnormal or not according to the number of the normal types and the number of the abnormal types.
2. The integrated classifier based user abnormal behavior detection method of claim 1, wherein training a classifier for the extracted preset first number of historical data streams in each partition comprises:
performing operation behavior classification on the preset first number of historical data streams;
constructing a training data triple based on each data stream and the corresponding real class and operation behavior class;
and inputting the training data triple into the SVM to train the classifier.
3. The integrated classifier based user abnormal behavior detection method of claim 1, wherein the incrementally training each classifier comprises:
obtaining the prediction category of each historical data stream output by a classifier corresponding to each partition;
constructing an initial data stream category matrix according to the real category and the prediction category of each historical data stream;
calculating a first accuracy of the initial data stream class matrix;
calculating a Kappa coefficient according to the first accuracy and the initial data stream class matrix;
judging whether the Kappa coefficient is larger than a preset coefficient threshold value or not;
when the Kappa coefficient is determined to be smaller than a preset coefficient threshold value, extracting a preset second number of data streams from the data streams of the corresponding partitions; adding the preset second number of historical data streams into the preset first number of historical data streams to obtain new historical data streams; training the classifier based on the new historical data stream;
and when the Kappa coefficient is determined to be larger than a preset coefficient threshold value, ending the training process of the classifier.
4. The integrated classifier based user abnormal behavior detection method of claim 3, wherein the constructing of the initial data flow category matrix from the true category and the predicted category of each historical data flow comprises:
establishing an initial data stream category table by taking the real category of each historical data stream as a column key and the prediction category of each historical data stream as a row key;
calculating the number corresponding to each table in the initial data stream classification table;
and writing the number corresponding to each table into the table to obtain an initial data stream category matrix.
5. The integrated classifier based user anomalous behavior detection method of claim 4 wherein said calculating a Kappa coefficient based on said first accuracy and said initial data flow class matrix includes:
calculating a first category quantity of each real category and a second category quantity of each prediction category;
calculating a ratio of each first class quantity to the total quantity of the initial data stream class matrix;
calculating the product of each proportion and each second category quantity as the random classification quantity in the corresponding table;
updating the initial data stream category matrix according to the random classification quantity;
calculating a second accuracy of the updated data stream class matrix;
the Kappa coefficient is calculated using the following formula, kappa coefficient = (the first accuracy-the second accuracy)/(1-the second accuracy).
6. An integrated classifier based user abnormal behavior detection apparatus, comprising:
the Kafka system comprises a data acquisition module, a data processing module and a data processing module, wherein the data acquisition module is used for acquiring historical data streams of a plurality of partitions in the Kafka system and the real category of each historical data stream, and the plurality of historical data streams of a plurality of users are stored in each partition;
an incremental training module, configured to monitor the memory of the Kafka system, and perform incremental training on multiple classifiers according to the memory of the Kafka system, the historical data streams of the multiple partitions, and the real category of each historical data stream to obtain an integrated classifier, where the incremental training module is configured to: extracting a preset first number of historical data streams from the historical data streams of each partition, and training a classifier for the extracted preset first number of historical data streams in each partition; acquiring memories occupied by training a plurality of classifiers, and judging whether the memories occupied by the classifiers exceed the memory of the Kafka system; when the memory occupied by the classifiers does not exceed the memory of the Kafka system, performing incremental training on each classifier; when the memory occupied by the classifiers exceeds the memory of the Kafka system, finishing the training process of all the classifiers to obtain an integrated classifier formed by the classifiers, wherein the integrated classifier is stored in a block chain node;
the category prediction module is configured to acquire multiple pieces of streaming data of a user in a monitoring period, input each piece of streaming data into the integrated classifier, and perform category prediction to obtain multiple prediction categories of each piece of streaming data, where each classifier in the integrated classifier outputs one prediction category for each piece of streaming data, and the streaming data includes: calling a predefined interface to obtain user operation behaviors in a monitoring period based on a streaming processing frame, classifying the user operation behaviors, and calculating to obtain the operation behavior times in each category;
the quantity calculation module is used for calculating the quantity of normal categories in the prediction categories and calculating the quantity of abnormal categories in the prediction categories;
and the result output module is used for outputting the result whether the user behavior is abnormal or not according to the number of the normal types and the number of the abnormal types.
7. A computer device comprising a processor for implementing the integrated classifier based user abnormal behavior detection method according to any one of claims 1 to 5 when executing a computer program stored in a memory.
8. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the integrated classifier based user abnormal behavior detection method according to any one of claims 1 to 5.
CN202010600018.0A 2020-06-28 2020-06-28 User abnormal behavior detection method based on integrated classifier and related equipment Active CN111756760B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010600018.0A CN111756760B (en) 2020-06-28 2020-06-28 User abnormal behavior detection method based on integrated classifier and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010600018.0A CN111756760B (en) 2020-06-28 2020-06-28 User abnormal behavior detection method based on integrated classifier and related equipment

Publications (2)

Publication Number Publication Date
CN111756760A CN111756760A (en) 2020-10-09
CN111756760B true CN111756760B (en) 2022-11-18

Family

ID=72677818

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010600018.0A Active CN111756760B (en) 2020-06-28 2020-06-28 User abnormal behavior detection method based on integrated classifier and related equipment

Country Status (1)

Country Link
CN (1) CN111756760B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112559565B (en) * 2020-12-01 2024-07-23 北京三快在线科技有限公司 Abnormality detection method, system and device
CN112528112B (en) * 2020-12-15 2024-06-04 平安科技(深圳)有限公司 Data collection and analysis method and device, electronic equipment and storage medium
CN112561389B (en) * 2020-12-23 2023-11-10 北京元心科技有限公司 Method and device for determining detection result of equipment and electronic equipment
CN112615881B (en) * 2020-12-28 2022-09-30 中软数智信息技术(武汉)有限公司 Data flow detection system based on block chain

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104751052A (en) * 2013-12-30 2015-07-01 南京理工大学常熟研究院有限公司 Dynamic behavior analysis method for mobile intelligent terminal software based on support vector machine algorithm

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016168869A1 (en) * 2015-04-16 2016-10-20 California Institute Of Technology Systems and methods for behavior detection using 3d tracking and machine learning
CN107612938A (en) * 2017-10-27 2018-01-19 朱秋华 A kind of network user's anomaly detection method, device, equipment and storage medium
CN108881194B (en) * 2018-06-07 2020-12-11 中国人民解放军战略支援部队信息工程大学 Method and device for detecting abnormal behaviors of users in enterprise
CN109583904B (en) * 2018-11-30 2023-04-07 深圳市腾讯计算机系统有限公司 Training method of abnormal operation detection model, abnormal operation detection method and device
CN111275114A (en) * 2020-01-20 2020-06-12 黄惠芬 Network qualification image identification method based on ensemble learning under SDN architecture
CN111340502B (en) * 2020-02-24 2024-07-16 中国银联股份有限公司 Abnormal behavior identification method and device, terminal equipment and storage medium
CN111488917A (en) * 2020-03-19 2020-08-04 天津大学 Garbage image fine-grained classification method based on incremental learning

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104751052A (en) * 2013-12-30 2015-07-01 南京理工大学常熟研究院有限公司 Dynamic behavior analysis method for mobile intelligent terminal software based on support vector machine algorithm

Also Published As

Publication number Publication date
CN111756760A (en) 2020-10-09

Similar Documents

Publication Publication Date Title
CN111756760B (en) User abnormal behavior detection method based on integrated classifier and related equipment
CN112148577B (en) Data anomaly detection method and device, electronic equipment and storage medium
CN112016905B (en) Information display method and device based on approval process, electronic equipment and medium
CN113592019A (en) Fault detection method, device, equipment and medium based on multi-model fusion
JP6920378B2 (en) Repair board detectors, methods and computer readable storage media
CN115879748B (en) Enterprise informatization management integrated platform based on big data
CN112306835A (en) User data monitoring and analyzing method, device, equipment and medium
CN112396547B (en) Course recommendation method, device, equipment and medium based on unsupervised learning
CN113282514B (en) Method, device, computer equipment and storage medium for processing problem data
CN111694844A (en) Enterprise operation data analysis method and device based on configuration algorithm and electronic equipment
CN111754123A (en) Data monitoring method and device, computer equipment and storage medium
CN112598135A (en) Model training processing method and device, computer equipment and medium
CN111639706A (en) Personal risk portrait generation method based on image set and related equipment
CN114978968B (en) Micro-service abnormality detection method, micro-service abnormality detection device, computer device and storage medium
CN114662618A (en) Failure diagnosis method and device based on federal learning and related equipment
CN115757075A (en) Task abnormity detection method and device, computer equipment and storage medium
CN114490371A (en) Data testing method, device, testing equipment and medium based on artificial intelligence
CN112818028B (en) Data index screening method and device, computer equipment and storage medium
CN108696397B (en) Power grid information security assessment method and device based on AHP and big data
CN114742412A (en) Software technology service system and method
CN111651652B (en) Emotion tendency identification method, device, equipment and medium based on artificial intelligence
CN113628043A (en) Complaint validity judgment method, device, equipment and medium based on data classification
CN113505805A (en) Sample data closed loop generation method, device, equipment and storage medium
CN114662095A (en) Safety monitoring method, device and equipment based on operation data and storage medium
CN115713424A (en) Risk assessment method, risk assessment device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant