CN111913864A - Method and device for discovering abnormal operation behavior based on business operation combination - Google Patents

Publication number
CN111913864A
Authority
CN
China
Prior art keywords
session
probability
degree
records
num
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010820755.1A
Other languages
Chinese (zh)
Other versions
CN111913864B (en
Inventor
余贤喆
梁淑云
刘胜
马影
陶景龙
王启凡
魏国富
徐�明
殷钱安
周晓勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information and Data Security Solutions Co Ltd
Original Assignee
Information and Data Security Solutions Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information and Data Security Solutions Co Ltd filed Critical Information and Data Security Solutions Co Ltd
Priority to CN202010820755.1A priority Critical patent/CN111913864B/en
Publication of CN111913864A publication Critical patent/CN111913864A/en
Application granted granted Critical
Publication of CN111913864B publication Critical patent/CN111913864B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment monitoring of user actions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3466 Performance evaluation by tracing or monitoring
    • G06F11/3476 Data logging

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method for discovering abnormal operation behavior based on business operation combinations, comprising the following steps: step A: extracting historical data from business operation and acceptance logs; step B: constructing operation sequences based on the business object and the operation time interval; step C: removing operations that are normal but rare at the business level, and generating operation combinations; step D: obtaining the relevant operation combinations for a specified business operation type; step E: extracting abnormal items using association rules, and discovering abnormal operation behavior and the corresponding operators. The invention also provides a device based on the method. The advantage of the invention is that, when no specific abnormal operation samples exist, abnormal operations are found by dividing sessions, constructing operation combinations and performing anomaly detection based on association rules, so the method has good adaptability and good prospects for wide adoption.

Description

Method and device for discovering abnormal operation behavior based on business operation combination
Technical Field
The invention relates to the technical field of data security, in particular to a method and a device for discovering abnormal operation behaviors based on business operation combination.
Background
Banks, communication operators, e-commerce platforms and similar organizations each have their own processes for handling various kinds of business. Many of these businesses involve sensitive information of enterprises and individuals, such as certificate information and billing information. In a normal process, operations such as querying, reading or exporting sensitive information occur in certain combinations. For example, opening an account necessarily includes an operation of reading an identity card; if no identity card is read during account opening, or the system is directly stopped after the account is opened, the operation is necessarily abnormal. However, there are many types of business operations, and operation flows may change, so rules alone cannot cover all exceptions. The invention patent application with publication number CN105376247A discloses a method and device for identifying abnormal traffic based on a frequent-pattern algorithm, which discretizes web traffic data features and uses association rules to obtain frequent sets, thereby identifying abnormal traffic. The invention patent application with publication number CN108055281A discloses an account anomaly detection method, device, server and storage medium, which use association rules to mine the operation behavior of known abnormal accounts and thereby discover abnormal operations. However, most of these anomaly detection methods target relatively simple operation objects; because business operation records cannot be simply separated and combined, and business operation types are diverse, these prior-art techniques cannot be applied to anomaly detection for business operations.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method for combining business operations and discovering abnormal operation behaviors.
The invention solves the technical problems through the following technical scheme: a method for discovering abnormal operation behaviors based on business operation combination comprises the following steps:
step A: extracting historical data from business operation and acceptance logs;
step B: sorting the historical data based on business objects and operation time intervals to construct operation sequences;
step C: removing from the operation sequences the operations that are normal but rare at the business level, and generating operation combinations;
step D: screening the relevant operation combinations for a specified business operation type;
step E: extracting abnormal items from the operation combinations using association rules, and discovering abnormal operation behavior and the corresponding operators.
The invention obtains the operation sequence by sequencing under the condition that no specific abnormal operation sample exists, constructs the operation combination, and detects the abnormality based on the association rule, thereby realizing the discovery of the abnormal operation of the business.
Preferably, the method for constructing the operation sequence in step B comprises the following steps:
step i: grouping the business operation and acceptance records within a certain period by business object, and sorting them by operation time;
step ii: comparing each pair of adjacent records in turn; if the business objects are the same and the time interval between the operation records is not greater than a threshold, adding the two records to the same session; if the business objects are different or the time interval between the operation records is greater than the threshold, placing the two records in two different sessions; traversing all records to obtain the session data;
step iii: ordering the business operations corresponding to the operation and acceptance records in each session to obtain the operation sequence corresponding to each session.
Preferably, the association rule metrics in step E include support, confidence and lift; an operation combination whose support and confidence are smaller than their thresholds and whose lift is larger than its threshold is an abnormal item.
Preferably, the support Support(X,Y) represents the probability that a session containing both sequences X and Y occurs among all sessions, and the formula is as follows:
Support(X,Y)=P(X,Y)/P(I)=num(X∩Y)/num(I)
where I represents the set of all sessions, P(X,Y) represents the probability of occurrence of a session containing both sequences X and Y, and P(I) represents the probability of occurrence of the session set I, whose value is 1; num(X∩Y) denotes the number of sessions that contain both sequences X and Y, and num(I) denotes the total number of sessions.
Preferably, the confidence Confidence(X→Y) represents the probability that operation behavior Y occurs given that operation behavior X occurs, and the formula is as follows:
Confidence(X→Y)=P(Y|X)=P(X,Y)/P(X)=num(X∩Y)/num(X)
where P(Y|X) represents the probability of Y occurring given that X occurs, and P(X) and num(X) represent the probability and the number of sessions in which X occurs, respectively.
Preferably, the lift Lift(X→Y) represents the ratio of the probability that Y occurs given that X is included to the overall probability that Y occurs; the formula is as follows:
Lift(X→Y)=P(Y|X)/P(Y)
If the lift is greater than 1, there is a positive correlation between operation behavior X and operation behavior Y; if the lift is less than 1, there is a negative correlation between them; if the lift is equal to 1, there is no correlation, i.e. they are independent of each other.
The invention also discloses a device for discovering abnormal operation behavior based on business operation combinations, comprising:
a data acquisition module: extracting historical data from business operation and acceptance logs;
an operation sequence construction module: sorting the historical data based on business objects and operation time intervals to construct operation sequences;
a normal operation removal module: removing from the operation sequences the operations that are normal but rare at the business level, and generating operation combinations;
a screening module: screening the relevant operation combinations for a specified business operation type;
an anomaly discovery module: extracting abnormal items from the operation combinations using association rules, and discovering abnormal operation behavior and the corresponding operators.
Preferably, the operation sequence construction module includes:
a grouping and sorting unit: grouping the business operation and acceptance records within a certain period by business object, and sorting them by operation time;
a session dividing unit: comparing each pair of adjacent records in turn; if the business objects are the same and the time interval between the operation records is not greater than a threshold, adding the two records to the same session; if the business objects are different or the time interval between the operation records is greater than the threshold, placing the two records in two different sessions; traversing all records to obtain the session data;
an operation sequence output unit: ordering the business operations corresponding to the operation and acceptance records in each session to obtain the operation sequence corresponding to each session.
Preferably, the association rule metrics of the anomaly discovery module include support, confidence and lift; an operation combination whose support and confidence are smaller than their thresholds and whose lift is larger than its threshold is an abnormal item.
Preferably, the support Support(X,Y) represents the probability that a session containing both sequences X and Y occurs among all sessions, and the formula is as follows:
Support(X,Y)=P(X,Y)/P(I)=num(X∩Y)/num(I)
where I represents the set of all sessions, P(X,Y) represents the probability of occurrence of a session containing both sequences X and Y, and P(I) represents the probability of occurrence of the session set I, whose value is 1; num(X∩Y) denotes the number of sessions that contain both sequences X and Y, and num(I) denotes the total number of sessions;
the confidence Confidence(X→Y) represents the probability that operation behavior Y occurs given that operation behavior X occurs, and the formula is as follows:
Confidence(X→Y)=P(Y|X)=P(X,Y)/P(X)=num(X∩Y)/num(X)
where P(Y|X) represents the probability of Y occurring given that X occurs, and P(X) and num(X) represent the probability and the number of sessions in which X occurs, respectively;
the lift Lift(X→Y) represents the ratio of the probability that Y occurs given that X is included to the overall probability that Y occurs; the formula is as follows:
Lift(X→Y)=P(Y|X)/P(Y)
If the lift is greater than 1, there is a positive correlation between operation behavior X and operation behavior Y; if the lift is less than 1, there is a negative correlation between them; if the lift is equal to 1, there is no correlation, i.e. they are independent of each other.
The method and the device for discovering the abnormal operation behavior based on the service operation combination have the advantages that: under the condition that no specific abnormal operation sample exists, operations are sequenced based on the service objects and the operation time to obtain an operation sequence, an operation combination is constructed, and abnormality detection is carried out based on the association rule, so that the service operation abnormality is discovered, and the method has good adaptability and popularization prospect; the operations which possibly have association are combined together for analysis by dividing the session, so that the association rule detection is convenient.
Drawings
Fig. 1 is a flowchart of a method for discovering abnormal operation behavior based on a business operation combination according to an embodiment of the present invention.
Detailed Description
In order that the objects, technical solutions and advantages of the present invention will become more apparent, the present invention will be further described in detail with reference to the accompanying drawings in conjunction with the following specific embodiments.
As shown in fig. 1, the present embodiment provides a method for discovering abnormal operation behavior based on a business operation combination, including the following steps:
Step A: extracting historical data from business operation and acceptance logs;
When a user handles business, a typical business system records all operations of the operator, or at least the details of business handling. These records can be used to find irregular or illegal operations; since most operators' operations are similar, the irregular operations lie among the abnormal operations.
Step B: constructing operation sequences based on the business object and the operation time interval; this specifically comprises the following steps:
Step i: grouping the business operation and acceptance records within a certain period by business object, and sorting them by operation time, where a business object is the in-system instantiated object of the customer for whom the business is handled.
Step ii: comparing each pair of adjacent records in turn; if the business objects are the same and the time interval between the operation records is not greater than a threshold, adding the two records to the same session; if the business objects are different or the time interval between the operation records is greater than the threshold, placing the two records in two different sessions; traversing all records to obtain the session data, where the threshold is a preset empirical value.
Step iii: ordering the business operations corresponding to the operation and acceptance records in each session to obtain the operation sequence corresponding to each session.
The following data, which have been grouped by business object and sorted by operation time, are used as an example for illustration:
[Table image not reproduced: example records grouped by business object and sorted by operation time]
The threshold for the time interval between adjacent operation records is 30 minutes. Traversing the data: the interval between the first and second records is within the 30-minute threshold, so they are added to the same session; the interval between the third and second records is more than 30 minutes, so the third record is added to a new session; the interval between the fourth and third records is within 30 minutes, so the fourth record is added to the third record's session; the fifth record does not have the same business object as the fourth, so it forms a session on its own; the sixth record does not have the same business object as the fifth, so it is also added to a new session. The final division result is as follows:
[Table image not reproduced: session division result]
After ordering the operation types in the resulting sessions, there are 4 operation sequences: [account opening, terminal data reset], [product change, charge], [loss report], [billing inquiry].
Step C: removing operations that are normal but rare at the business level, and generating operation combinations;
In the above example, terminal data reset is a rare non-sensitive operation that may introduce business-level interference into the anomaly screening, so it is removed, and the final operation combinations are: [account opening], [product change, charge], [loss report], [billing inquiry].
Step D: obtaining the relevant operation combinations for a specified business operation type;
For example, to focus on abnormal operation combinations related to the account opening business, all operation combinations containing account opening are selected.
Step E: extracting abnormal items using association rules, and discovering abnormal operation behavior and the corresponding operators; the association rule metrics include support, confidence and lift;
The support Support(X,Y) represents the probability that a session containing both sequences X and Y occurs among all sessions, i.e. the probability that X and Y occur together, and the formula is:
Support(X,Y)=P(X,Y)/P(I)=num(X∩Y)/num(I)
where I represents the set of all sessions, P(X,Y) represents the probability of occurrence of a session containing both sequences X and Y, and P(I) represents the probability of occurrence of the session set I, whose value is 1; num(X∩Y) denotes the number of sessions that contain both sequences X and Y, and num(I) denotes the total number of sessions.
The confidence Confidence(X→Y) represents the probability that operation behavior Y occurs given that operation behavior X occurs, i.e. the proportion of the number of co-occurrences of X and Y to the total number of occurrences of X, and the formula is as follows:
Confidence(X→Y)=P(Y|X)=P(X,Y)/P(X)=num(X∩Y)/num(X)
where P(Y|X) represents the probability of Y occurring given that X occurs, and P(X) and num(X) represent the probability and the number of sessions in which X occurs, respectively.
The lift Lift(X→Y) represents the ratio of the probability that Y occurs given that X is included to the overall probability that Y occurs; namely:
Lift(X→Y)=P(Y|X)/P(Y)
If the lift is greater than 1, there is a positive correlation between operation behavior X and operation behavior Y; if the lift is less than 1, there is a negative correlation between them; if the lift is equal to 1, there is no correlation, i.e. they are independent of each other.
Thresholds are set for the three metrics, and from the frequent items calculated in the association rule analysis, the operation combinations whose support and confidence are smaller than their respective thresholds and whose lift is larger than its threshold are screened out; these operation combinations are the abnormal items. A threshold may be set as a numerical value or a percentage, depending on requirements.
If an operation combination completely contains any abnormal item obtained by the association-rule screening, the corresponding operator has performed an abnormal operation, and punitive measures such as a warning can be taken against the operator according to the abnormal situation.
In the embodiment, under the condition that no specific abnormal operation sample exists, the abnormal operation is discovered by dividing the session, constructing the operation combination and detecting the abnormality based on the association rule.
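Steps A to E sketched end to end, as an added example that is not code from the patent. The log rows, operator and object IDs, the "read ID card" and "export bill" operations, the ignored-operation set and the three threshold values are constructed assumptions; rules are limited to pairs of single operations, with the metrics computed over all sessions.

```python
from collections import Counter
from datetime import datetime, timedelta
from itertools import permutations

# Constructed sample log (not from the patent), all records on one day:
# operator,business object,time,operation
RAW = """\
op1,c01,09:00,account opening
op1,c01,09:05,read ID card
op1,c01,09:10,terminal data reset
op1,c01,10:30,product change
op1,c01,10:40,charge
op2,c02,09:00,loss report
op2,c03,09:20,billing inquiry
op2,c04,10:00,account opening
op2,c04,10:04,read ID card
op1,c05,11:00,account opening
op1,c05,11:03,read ID card
op3,c06,11:00,account opening
op3,c06,11:02,read ID card
op3,c07,13:00,account opening
op3,c07,13:05,read ID card
op4,c08,14:00,account opening
op4,c08,14:02,export bill
op2,c09,15:00,product change
op2,c09,15:10,charge
"""

def load(raw):
    """Step A: parse log rows into (operator, object, time, operation)."""
    rows = []
    for line in raw.strip().splitlines():
        operator, obj, hhmm, op = line.split(",")
        rows.append((operator, obj, datetime.strptime(hhmm, "%H:%M"), op))
    return rows

def split_sessions(rows, gap=timedelta(minutes=30)):
    """Step B: sort by (business object, time); open a new session when the
    object changes or the gap to the previous record exceeds the threshold."""
    sessions, prev = [], None
    for row in sorted(rows, key=lambda r: (r[1], r[2])):
        if prev is None or row[1] != prev[1] or row[2] - prev[2] > gap:
            sessions.append([])
        sessions[-1].append(row)
        prev = row
    return sessions

def to_combinations(sessions, ignored):
    """Step C: drop the operations in `ignored` (an assumed, hand-picked set)
    and return (operation combination, operators) per session."""
    combos = []
    for session in sessions:
        kept = [r for r in session if r[3] not in ignored]
        if kept:
            combos.append((frozenset(r[3] for r in kept), {r[0] for r in kept}))
    return combos

def abnormal_items(combos, target, max_support=0.2, max_confidence=0.5,
                   min_lift=1.2):
    """Steps D and E for rules X -> Y that involve the target operation.
    Threshold values are illustrative assumptions, not from the patent."""
    n = len(combos)
    single = Counter(op for ops, _ in combos for op in ops)
    pairs = Counter(p for ops, _ in combos
                    for p in permutations(sorted(ops), 2))
    found = []
    for (x, y), n_xy in sorted(pairs.items()):
        if target not in (x, y):
            continue  # Step D: keep only combinations with the target type
        support = n_xy / n                     # num(X∩Y) / num(I)
        confidence = n_xy / single[x]          # num(X∩Y) / num(X)
        lift = confidence / (single[y] / n)    # P(Y|X) / P(Y)
        if (support < max_support and confidence < max_confidence
                and lift > min_lift):
            found.append({"rule": (x, y), "support": support,
                          "confidence": confidence, "lift": lift})
    return found

def flag_operators(combos, items):
    """Operators whose session combination fully contains an abnormal item."""
    flagged = {}
    for item in items:
        for ops, operators in combos:
            if set(item["rule"]) <= ops:
                for operator in sorted(operators):
                    flagged.setdefault(operator, []).append(item["rule"])
    return flagged

def run(raw=RAW):
    combos = to_combinations(split_sessions(load(raw)),
                             frozenset({"terminal data reset"}))
    items = abnormal_items(combos, "account opening")
    return combos, items, flag_operators(combos, items)

if __name__ == "__main__":
    _, items, flagged = run()
    for item in items:
        print(item)
    print(flagged)
```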
The embodiment also provides a device for discovering abnormal operation behavior based on business operation combinations, comprising:
a data acquisition module: extracting historical data from business operation and acceptance logs;
an operation sequence construction module: sorting the historical data based on business objects and operation time intervals to construct operation sequences;
the operation sequence construction module comprises:
a grouping and sorting unit: grouping the business operation and acceptance records within a certain period by business object, and sorting them by operation time;
a session dividing unit: comparing each pair of adjacent records in turn; if the business objects are the same and the time interval between the operation records is not greater than a threshold, adding the two records to the same session; if the business objects are different or the time interval between the operation records is greater than the threshold, placing the two records in two different sessions; traversing all records to obtain the session data;
an operation sequence output unit: ordering the business operations corresponding to the operation and acceptance records in each session to obtain the operation sequence corresponding to each session.
a normal operation removal module: removing from the operation sequences the operations that are normal but rare at the business level, and generating operation combinations;
a screening module: screening the relevant operation combinations for a specified business operation type;
an anomaly discovery module: extracting abnormal items from the operation combinations using association rules, and discovering abnormal operation behavior and the corresponding operators; the association rule metrics include support, confidence and lift;
The support Support(X,Y) represents the probability that a session containing both sequences X and Y occurs among all sessions, i.e. the probability that X and Y occur together, and the formula is as follows:
Support(X,Y)=P(X,Y)/P(I)=num(X∩Y)/num(I)
where I represents the set of all sessions, P(X,Y) represents the probability of occurrence of a session containing both sequences X and Y, and P(I) represents the probability of occurrence of the session set I, whose value is 1; num(X∩Y) denotes the number of sessions that contain both sequences X and Y, and num(I) denotes the total number of sessions.
The confidence Confidence(X→Y) represents the probability that operation behavior Y occurs given that operation behavior X occurs, i.e. the proportion of the number of co-occurrences of X and Y to the total number of occurrences of X, and the formula is as follows:
Confidence(X→Y)=P(Y|X)=P(X,Y)/P(X)=num(X∩Y)/num(X)
where P(Y|X) represents the probability of Y occurring given that X occurs, and P(X) and num(X) represent the probability and the number of sessions in which X occurs, respectively.
The lift Lift(X→Y) represents the ratio of the probability that Y occurs given that X is included to the overall probability that Y occurs; namely:
Lift(X→Y)=P(Y|X)/P(Y)
If the lift is greater than 1, there is a positive correlation between operation behavior X and operation behavior Y; if the lift is less than 1, there is a negative correlation between them; if the lift is equal to 1, there is no correlation, i.e. they are independent of each other.
Thresholds are set for the three metrics, and from the frequent items calculated in the association rule analysis, the operation combinations whose support and confidence are smaller than their respective thresholds and whose lift is larger than its threshold are screened out; these operation combinations are the abnormal items. A threshold may be set as a numerical value or a percentage, depending on requirements.

Claims (10)

1. A method for discovering abnormal operation behavior based on business operation combinations, characterized in that the method comprises the following steps:
step A: extracting historical data from business operation and acceptance logs;
step B: sorting the historical data based on business objects and operation time intervals to construct operation sequences;
step C: removing from the operation sequences the operations that are normal but rare at the business level, and generating operation combinations;
step D: screening the relevant operation combinations for a specified business operation type;
step E: extracting abnormal items from the operation combinations using association rules, and discovering abnormal operation behavior and the corresponding operators.
2. The method for discovering abnormal operation behavior based on business operation combinations according to claim 1, characterized in that the method for constructing the operation sequence in step B comprises the following steps:
step i: grouping the business operation and acceptance records within a certain period by business object, and sorting them by operation time;
step ii: comparing each pair of adjacent records in turn; if the business objects are the same and the time interval between the operation records is not greater than a threshold, adding the two records to the same session; if the business objects are different or the time interval between the operation records is greater than the threshold, placing the two records in two different sessions; traversing all records to obtain the session data;
step iii: ordering the business operations corresponding to the operation and acceptance records in each session to obtain the operation sequence corresponding to each session.
3. The method for discovering abnormal operation behavior based on business operation combinations according to claim 1, characterized in that the association rule metrics in step E include support, confidence and lift; an operation combination whose support and confidence are smaller than their thresholds and whose lift is larger than its threshold is an abnormal item.
4. The method for discovering abnormal operation behavior based on business operation combinations according to claim 3, characterized in that the support Support(X,Y) represents the probability that a session containing both sequences X and Y occurs among all sessions, and the formula is as follows:
Support(X,Y)=P(X,Y)/P(I)=num(X∩Y)/num(I)
where I represents the set of all sessions, P(X,Y) represents the probability of occurrence of a session containing both sequences X and Y, and P(I) represents the probability of occurrence of the session set I, whose value is 1; num(X∩Y) denotes the number of sessions that contain both sequences X and Y, and num(I) denotes the total number of sessions.
5. The method for discovering abnormal operation behavior based on business operation combinations according to claim 4, characterized in that the confidence Confidence(X→Y) represents the probability that operation behavior Y occurs given that operation behavior X occurs, and the formula is as follows:
Confidence(X→Y)=P(Y|X)=P(X,Y)/P(X)=num(X∩Y)/num(X)
where P(Y|X) represents the probability of Y occurring given that X occurs, and P(X) and num(X) represent the probability and the number of sessions in which X occurs, respectively.
6. The method for discovering abnormal operation behavior based on business operation combinations according to claim 5, characterized in that the lift Lift(X→Y) represents the ratio of the probability that Y occurs given that X is included to the overall probability that Y occurs; the formula is as follows:
Lift(X→Y)=P(Y|X)/P(Y)
If the lift is greater than 1, there is a positive correlation between operation behavior X and operation behavior Y; if the lift is less than 1, there is a negative correlation between them; if the lift is equal to 1, there is no correlation, i.e. they are independent of each other.
7. A device for discovering abnormal operation behavior based on business operation combinations, characterized in that it comprises:
a data acquisition module: extracting historical data from business operation and acceptance logs;
an operation sequence construction module: sorting the historical data based on business objects and operation time intervals to construct operation sequences;
a normal operation removal module: removing from the operation sequences the operations that are normal but rare at the business level, and generating operation combinations;
a screening module: screening the relevant operation combinations for a specified business operation type;
an anomaly discovery module: extracting abnormal items from the operation combinations using association rules, and discovering abnormal operation behavior and the corresponding operators.
8. The device for discovering abnormal operation behavior based on business operation combinations according to claim 7, characterized in that the operation sequence construction module comprises:
a grouping and sorting unit: grouping the business operation and acceptance records within a certain period by business object, and sorting them by operation time;
a session dividing unit: comparing each pair of adjacent records in turn; if the business objects are the same and the time interval between the operation records is not greater than a threshold, adding the two records to the same session; if the business objects are different or the time interval between the operation records is greater than the threshold, placing the two records in two different sessions; traversing all records to obtain the session data;
an operation sequence output unit: ordering the business operations corresponding to the operation and acceptance records in each session to obtain the operation sequence corresponding to each session.
9. The device for discovering abnormal operation behavior based on business operation combinations according to claim 7, characterized in that the association rule metrics of the anomaly discovery module include support, confidence and lift; an operation combination whose support and confidence are smaller than their thresholds and whose lift is larger than its threshold is an abnormal item.
10. The apparatus of claim 9, wherein the apparatus for discovering abnormal operation behavior based on business operation combination is further characterized in that: the Support (X, Y) represents the probability that a session containing both sequences X and Y occurs in the total session, and the formula is as follows:
Support(X,Y)=P(X,Y)/P(I)=num(X∩Y)/num(I)
where I represents the set of all sessions, P(X, Y) represents the probability of occurrence of a session containing both sequences X and Y, and P(I) represents the probability of occurrence of the session set I, whose value is 1; num(X∩Y) represents the number of sessions containing both sequences X and Y, and num(I) represents the total number of sessions;
the confidence Confidence(X → Y) represents the probability that operation behavior Y occurs given that operation behavior X occurs, with the following formula:
Confidence(X→Y)=P(Y|X)=P(X,Y)/P(X)=num(X∩Y)/num(X)
where P(Y|X) represents the probability of Y occurring given that X occurs, and P(X) and num(X) represent the probability and the number of sessions in which X occurs, respectively;
the lift Lift(X → Y) represents the ratio of the probability that Y is also contained given that X is contained to the probability that Y occurs; the formula is as follows:
Lift(X→Y)=P(Y|X)/P(Y)
If the lift (degree of promotion) is greater than 1, operation behavior X and operation behavior Y are positively correlated; if it is less than 1, they are negatively correlated; and if it is equal to 1, there is no correlation, i.e. they are independent of each other.
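The session division of claim 8 and the support, confidence and lift screening of claims 9 and 10 can be traced on a small data set. The following Python sketch is an added example, not code from the patent; it simplifies X and Y to single operations rather than sequences, and the record layout, operation names, operator ids, the 300-second gap and the three thresholds are all assumptions.

```python
from itertools import permutations

def build_sessions(records, max_gap):
    """Claim 8: new session when the business object changes or gap > max_gap."""
    sessions, prev = [], None
    for obj, ts, operator, op in sorted(records, key=lambda r: (r[0], r[1])):
        if prev is None or prev[0] != obj or ts - prev[1] > max_gap:
            sessions.append([])
        sessions[-1].append((operator, op))
        prev = (obj, ts)
    return sessions

def rule_metrics(sessions, x, y):
    """Support(X,Y), Confidence(X->Y) and Lift(X->Y) as defined in claim 10."""
    op_sets = [{op for _, op in s} for s in sessions]
    n = len(op_sets)
    n_x = sum(x in s for s in op_sets)
    n_y = sum(y in s for s in op_sets)
    n_xy = sum(x in s and y in s for s in op_sets)
    if n_xy == 0:
        return 0.0, 0.0, 0.0
    # Lift = P(Y|X) / P(Y) = (n_xy / n_x) / (n_y / n)
    return n_xy / n, n_xy / n_x, (n_xy * n) / (n_x * n_y)

def abnormal_rules(sessions, max_support, max_confidence, min_lift):
    """Claim 9: low support and low confidence together with high lift."""
    ops = sorted({op for s in sessions for _, op in s})
    hits = []
    for x, y in permutations(ops, 2):
        sup, conf, lift = rule_metrics(sessions, x, y)
        if sup < max_support and conf < max_confidence and lift > min_lift:
            operators = sorted({who for s in sessions
                                if {x, y} <= {op for _, op in s} for who, _ in s})
            hits.append((x, y, sup, conf, lift, operators))
    return hits

def sample_records():
    """Constructed data: 20 business objects, one two-step session each."""
    plan = [(10, "op_a", "query_balance", "recharge"),
            (8, "op_b", "query_balance", "reset_password"),
            (2, "op_c", "reset_password", "change_owner")]
    recs, i = [], 0
    for count, who, first, second in plan:
        for _ in range(count):
            i += 1
            recs += [(f"acct{i:02d}", 0, who, first), (f"acct{i:02d}", 60, who, second)]
    return recs

if __name__ == "__main__":
    # Thresholds and the 300 s session gap are assumed values.
    print(abnormal_rules(build_sessions(sample_records(), 300), 0.15, 0.3, 1.5))
```

On this constructed data only the rule reset_password → change_owner is flagged: it appears in 2 of 20 sessions, follows only 2 of the 10 password resets, yet is twice as likely after a reset as overall.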
CN202010820755.1A 2020-08-14 2020-08-14 Method and device for discovering abnormal operation behavior based on business operation combination Active CN111913864B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010820755.1A CN111913864B (en) 2020-08-14 2020-08-14 Method and device for discovering abnormal operation behavior based on business operation combination

Publications (2)

Publication Number Publication Date
CN111913864A true CN111913864A (en) 2020-11-10
CN111913864B CN111913864B (en) 2023-10-13

Family

ID=73278031

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010820755.1A Active CN111913864B (en) 2020-08-14 2020-08-14 Method and device for discovering abnormal operation behavior based on business operation combination

Country Status (1)

Country Link
CN (1) CN111913864B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103475543A (en) * 2013-09-11 2013-12-25 北京思特奇信息技术股份有限公司 Abnormal system service call detection method and system
CN105262715A (en) * 2015-03-27 2016-01-20 中国人民解放军信息工程大学 Abnormal user detection method based on fuzzy sequential association pattern
US10341391B1 (en) * 2016-05-16 2019-07-02 EMC IP Holding Company LLC Network session based user behavior pattern analysis and associated anomaly detection and verification
CN110933115A (en) * 2019-12-31 2020-03-27 上海观安信息技术股份有限公司 Analysis object behavior abnormity detection method and device based on dynamic session

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
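Song Wanqing et al.: "Data Mining", 31 January 2019, pages: 74 - 75 *
Zhang Ming: "Analysis of abnormal customer service behavior based on big data intelligence", Telecommunications Engineering Technology and Standardization *
Zhang Ming: "Analysis of abnormal customer service behavior based on big data intelligence", Telecommunications Engineering Technology and Standardization, no. 12, 15 December 2018 (2018-12-15) *
Shi Bo et al.: "Research on monitoring abnormal and non-compliant behavior based on business whitelists", Information Network Security *
Shi Bo et al.: "Research on monitoring abnormal and non-compliant behavior based on business whitelists", Information Network Security, no. 09, 10 September 2015 (2015-09-10) *
Zhang Xiaolong: "Research on intrusion detection systems based on data mining", Journal of Shenyang Institute of Engineering (Natural Science Edition), no. 04 *
Gong Jian et al.: "Introduction to Computer Network Security, 2nd Edition", 30 September 2007, pages: 266 - 267 *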

Also Published As

Publication number Publication date
CN111913864B (en) 2023-10-13

Similar Documents

Publication Publication Date Title
CA2223521C (en) Detecting mobile telephone misuse
US20020147694A1 (en) Retraining trainable data classifiers
CN109640312B (en) 'Black card' identification method, electronic equipment and computer readable storage medium
CN107577452A (en) randomness detecting method and device
CN117235731B (en) Big data monitoring and early warning system for secret equipment
AU2003260194A1 (en) Classification of events
CN108921433B (en) Risk quantitative analysis system based on business continuity
CN111913864A (en) Method and device for discovering abnormal operation behavior based on business operation combination
CN109544179B (en) Operation supporting system based on important product traceability data service
CN107391551B (en) Web service data analysis method and system based on data mining
CN116720194A (en) Method and system for evaluating data security risk
CN112651433B (en) Abnormal behavior analysis method for privileged account
CN114943479A (en) Risk identification method, device and equipment of business event and computer readable medium
CN113837512A (en) Abnormal user identification method and device
CN113191712A (en) Method, device, equipment and storage medium for identifying over-range package collecting behaviors
CN111782908A (en) WEB violation operation behavior detection method based on data mining cluster analysis
CN112417007A (en) Data analysis method and device, electronic equipment and storage medium
CN111325580A (en) User account management method, device, equipment and storage medium
CN112565306B (en) Third-party server identification method for app private data collection
CN116743479B (en) Network security detection system and method based on big data
CN100505648C (en) Method and device for detecting and blocking unauthorized access
CN114915974A (en) Method and device for preventing and treating spam short messages
CN117114686A (en) Credit supervision method and system based on bulk transaction platform
Tan et al. Efficient intrusion detection method based on Conditional Random Fields
CN118041652A (en) Cross-domain data security audit method for key information infrastructure

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant