CN111949803A - Method, device and equipment for detecting network abnormal user based on knowledge graph

Info

Publication number
CN111949803A
Authority
CN
China
Legal status
Pending
Application number
CN202010850232.1A
Other languages
Chinese (zh)
Inventor
孙强强
连耿雄
陈昊
丘惠军
陈霖
匡晓云
杨祎巍
Current Assignee
CSG Electric Power Research Institute
Shenzhen Power Supply Bureau Co Ltd
Research Institute of Southern Power Grid Co Ltd
Original Assignee
Shenzhen Power Supply Bureau Co Ltd
Research Institute of Southern Power Grid Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367 Ontology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application discloses a method, a device and equipment for detecting network abnormal users based on a knowledge graph. The method comprises the following steps: constructing a knowledge graph of user access behaviors based on the acquired network logs of the access users to obtain a network behavior graph; extracting access behavior characteristics of each access user based on the network behavior map and the network log; and inputting the access behavior characteristics of each access user into a preset random forest model for user type detection and outputting the access users whose user type is abnormal, wherein the preset random forest model is a relational mapping model between the access behavior characteristics of the access users and the user types. This solves the technical problem that, in the prior art, the precision of the abnormal user detection result is low because analysis is performed on a single log, namely on the relevant attributes of a single access behavior.

Description

Method, device and equipment for detecting network abnormal user based on knowledge graph
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, and a device for detecting a network abnormal user based on a knowledge graph.
Background
The weblog is a summary of user click information and other access behaviors on the website, and the relevant attributes of the website behaviors are recorded in it in detail. After a website is attacked, a network administrator typically examines the relevant network access log. The weblog therefore becomes important evidence for the network manager to discover and defend against the attack behavior of a network intruder. However, in order to evade pursuit, the intruder usually makes the log information generated by the attack behavior as similar as possible to the log information generated by normal access behavior, which increases the difficulty of discovering the intruder.
At present, the existing abnormal behavior analysis method based on the weblogs mainly tries to find the characteristics and differences of normal log contents and attack log contents through a weblog construction model, but the existing methods analyze a single log, namely the relevant attributes of a single access behavior, and have the problem that the accuracy of the detection result of an abnormal user is not high.
Disclosure of Invention
The application provides a method, a device and equipment for detecting abnormal users of a network based on a knowledge graph, which are used to solve the technical problem that, in the prior art, analysis is carried out on a single log, namely on the relevant attributes of a single access behavior, so that the accuracy of the detection result for abnormal users is not high.
In view of this, the first aspect of the present application provides a method for detecting a network abnormal user based on a knowledge graph, including:
constructing a knowledge graph of user access behaviors based on the acquired network logs of the access users to obtain a network behavior graph;
extracting access behavior characteristics of each access user based on the network behavior map and the network log;
and inputting the access behavior characteristics of each access user into a preset random forest model for user type detection, and outputting the access users with abnormal user types, wherein the preset random forest model is a relational mapping model of the access behavior characteristics of the access users and the user types.
Optionally, the constructing a knowledge graph of the user access behavior based on the obtained weblog of the access user to obtain a network behavior graph includes:
after obtaining a network log of an access user, taking an access address in the network log as a node, obtaining an access relation between the nodes according to the network log, and constructing a knowledge graph of user access behaviors based on the nodes and the access relation to obtain a network behavior graph;
and connecting an edge between two nodes with the access relation in the network behavior graph, wherein the weight of the edge is the access times between the two nodes.
Optionally, the extracting access behavior characteristics of each access user based on the network behavior map and the network log includes:
extracting first network access characteristics of each access user based on the network behavior map, and extracting second network access characteristics of each access user based on the network log to obtain access behavior characteristics of each access user;
wherein the first network access characteristic comprises: a user path size characteristic, a user log quantity characteristic or a user access frequency characteristic, wherein the second network access characteristic comprises: a URL length feature, a request parameter quantity feature, a special character frequency feature, or a character entropy feature.
Optionally, extracting the user path scale feature of each visiting user based on the network behavior map includes:
after the weights of all the access paths of each access user in the network behavior map are extracted, the ratio of the sum of the weights of all the access paths of that access user to the sum of the weights of all the access paths of all the access users in the network behavior map is calculated, giving the user path scale feature of each access user.
Optionally, the configuration process of the preset random forest model includes:
acquiring historical weblogs of normal access users and abnormal access users;
extracting access behavior characteristics of the normal access user and the abnormal access user based on a network behavior map constructed by the historical weblog and the historical weblog;
performing category marking on the access behavior characteristics of the normal access user and the abnormal access user to obtain a training set;
and training a random forest through the training set until the random forest is converged to obtain the preset random forest model.
The second aspect of the present application provides a device for detecting abnormal users in a network based on a knowledge graph, comprising:
the construction unit is used for constructing a knowledge graph of the user access behavior based on the acquired network log of the access user to obtain a network behavior graph;
a feature extraction unit, configured to extract access behavior features of each access user based on the network behavior map and the network log;
and the detection unit is used for inputting the access behavior characteristics of each access user into a preset random forest model for user type detection and outputting the access users with abnormal user types, wherein the preset random forest model is a relational mapping model of the access behavior characteristics of the access users and the user types.
Optionally, the building unit is specifically configured to:
after obtaining a network log of an access user, taking an access address in the network log as a node, obtaining an access relation between the nodes according to the network log, and constructing a knowledge graph of user access behaviors based on the nodes and the access relation to obtain a network behavior graph;
and connecting an edge between two nodes with the access relation in the network behavior graph, wherein the weight of the edge is the access times between the two nodes.
Optionally, the feature extraction unit is specifically configured to:
extracting first network access characteristics of each access user based on the network behavior map, and extracting second network access characteristics of each access user based on the network log to obtain access behavior characteristics of each access user;
wherein the first network access characteristic comprises: a user path size characteristic, a user log quantity characteristic or a user access frequency characteristic, wherein the second network access characteristic comprises: a URL length feature, a request parameter quantity feature, a special character frequency feature, or a character entropy feature.
Optionally, the device further includes a configuration unit;
the configuration unit is configured to:
acquiring historical weblogs of normal access users and abnormal access users;
extracting access behavior characteristics of the normal access user and the abnormal access user based on a network behavior map constructed by the historical weblog and the historical weblog;
performing category marking on the access behavior characteristics of the normal access user and the abnormal access user to obtain a training set;
and training a random forest through the training set until the random forest is converged to obtain the preset random forest model.
A third aspect of the present application provides a knowledge-graph based network anomaly user detection device, the device comprising a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to execute any one of the methods for detecting network abnormal users based on a knowledge graph according to the first aspect, according to instructions in the program code.
According to the technical scheme, the method has the following advantages:
the application provides a method for detecting network abnormal users based on a knowledge graph, which comprises the following steps: constructing a knowledge graph of user access behaviors based on the acquired network logs of the access users to obtain a network behavior graph; extracting access behavior characteristics of each access user based on the network behavior map and the network log; and inputting the access behavior characteristics of each access user into a preset random forest model for user type detection, outputting the access user with the abnormal user type, wherein the preset random forest model is a relational mapping model of the access behavior characteristics of the access user and the user type.
In the method for detecting network abnormal users based on a knowledge graph, the knowledge graph of user access behavior is constructed from the acquired weblogs of the access users to obtain the network behavior graph, so the behavior of an access user is reflected by a plurality of weblogs together rather than by a single weblog, and more accurate access behavior characteristics can be obtained by analysing the network behavior graph. In addition, the access behavior characteristics of the access user are extracted from both the network behavior map and the weblog, so a more comprehensive and accurate feature representation is obtained and the accuracy of network abnormal user detection is improved. User type detection is carried out automatically on the input access behavior characteristics by the preset random forest model, which improves detection efficiency and solves the technical problem that, in the prior art, a single log, namely the relevant attributes of a single access behavior, is analysed, so that the precision of the abnormal user detection result is low.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a method for detecting an abnormal network user based on a knowledge graph according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a device for detecting abnormal users in a network based on a knowledge graph according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a network behavior map provided in the embodiment of the present application.
Detailed Description
The application provides a method, a device and equipment for detecting abnormal users of a network based on a knowledge graph, which are used to solve the technical problem that, in the prior art, analysis is carried out on a single log, namely on the relevant attributes of a single access behavior, so that the accuracy of the detection result for abnormal users is not high.
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the prior art, a machine learning method is adopted to construct a model of an abnormal log or a normal log, and the characteristics and differences of the normal log and the abnormal log are tried to be found out from the model, but the prior art aims at a single log, namely the related attributes of a single access behavior. However, in the process of accessing a website, complex relationships exist between access behaviors dominated by the same user, between different users accessing the same path, and between the user and the access path, which are not completely independent. Based on the above, in order to solve the above problems, the present application provides a method for detecting a network abnormal user based on a knowledge graph.
For easy understanding, please refer to fig. 1, an embodiment of a method for detecting an abnormal network user based on a knowledge-graph according to the present application includes:
step 101, constructing a knowledge graph of user access behaviors based on the acquired network logs of the access users to obtain a network behavior graph.
The raw data of the weblog contains a lot of information, some of which are of no value in the detection of abnormal users. Therefore, the weblog can be preprocessed, useless information in abnormal user detection is removed, valuable information is reserved, and data processing efficiency can be improved. And constructing a knowledge graph of the user access behavior based on the processed network log to obtain a network behavior graph. The small network behavior map of each access user can be constructed according to the weblog data of each access user; and constructing a network behavior map containing the access behaviors of all the access users according to the network log data of all the access users, wherein the network behavior map can be regarded as superposition of the network behavior maps of the single access users.
Further, the specific process of constructing the network behavior map comprises the following steps: after obtaining the weblog of the access user, taking the access address in the weblog as a node, obtaining the access relation between the nodes according to the weblog, and constructing a knowledge graph of the user's access behavior based on the nodes and the access relation to obtain a network behavior graph; an edge is connected between two nodes with an access relation in the network behavior graph, and the weight of the edge is the number of accesses between the two nodes. Referring to fig. 3, nodes 1, 2 and 3 represent 3 different access addresses, an edge between nodes is an access path, and w12 is the weight of the access path between node 1 and node 2, equal to the number of accesses between node 1 and node 2. Other nodes are similar and are not described again here.
Step 102, extracting the access behavior characteristics of each access user based on the network behavior map and the network log.
After the network behavior map is constructed, a plurality of features are extracted from the network behavior map and the network log to be used as the access behavior features of the access users, so that more comprehensive and more accurate feature representation is obtained, and the accuracy of subsequent abnormal user detection is improved.
Further, the process of extracting the access behavior characteristics of each access user specifically includes: extracting the first network access characteristics of each access user based on the network behavior map, and extracting the second network access characteristics of each access user based on the network log, to obtain the access behavior characteristics of each access user. The first network access characteristic comprises a user path size characteristic, a user log quantity characteristic or a user access frequency characteristic; the second network access characteristic comprises a URL length feature, a request parameter quantity feature, a special character frequency feature or a character entropy feature. The embodiment of the application preferably adopts these as the access behavior characteristics.
The extraction process of each feature is as follows:
(1) user path size feature P1
After the weights of all the access paths of each access user in the network behavior map are extracted, the ratio of the sum of the weights of all the access paths of that access user to the sum of the weights of all the access paths of all the access users in the network behavior map is calculated, giving the user path scale feature of each access user; this feature index measures the range of the access paths of the access user. Specifically, for the access user c, the set of short paths accessed by user c is recorded as SP_c, and the network behavior map composed of the paths visited by user c is recorded as
(symbol rendered as image on the page: Figure BDA0002644482040000071)
The network behavior map composed of all access users is N_2. The calculation formula of the user path network size characteristic P_1^c of visiting user c is as follows:
(formula rendered as image on the page: Figure BDA0002644482040000072)
In the formula, e_ij is the edge between node i and node j,
(symbol rendered as image on the page: Figure BDA0002644482040000073)
is the weight of the edge e_ij between node i and node j in the network behavior map consisting of the paths visited by visiting user c, and w_ij is the weight of the edge e_ij between node i and node j in the network behavior map consisting of the paths visited by all visiting users. When P_1^c is large, the visiting user c is likely to be a scanner intending to learn the overall architecture of the web application. This type of visiting user may not launch a real attack; most are probing the network, trying to discover vulnerable nodes in the network structure, which arise from insufficient security awareness of developers, are related to the network infrastructure, or are related to vulnerabilities in other components on which the web application depends.
(2) User log quantity feature P2
This characteristic measures the access scope of the accessing user from another angle. The scope of the path network focuses on the breadth and depth of the user access log, while the user log quantity characteristic focuses on the number of weblogs generated by the user's accesses.
(3) User access frequency characteristic P3
The user access frequency characteristic index can effectively identify malicious software. To obtain the access frequency of an access user, a time interval is selected, the number of weblogs generated by the user's accesses within that interval is counted, and the count is divided by the interval length to obtain the user access frequency characteristic for that interval. Since the user's access frequency varies within the interval, the calculated characteristic is the average access frequency over the interval. This characteristic index is used to find abnormal access users with a high access frequency. In theory, the smaller the time interval, the more accurate the result, but the amount of calculation increases sharply. In the embodiment of the present application, to balance accuracy and calculation amount, the time interval is preferably 100 seconds: for each access user, the access frequency in every 100-second interval is calculated, and the maximum of these is used as the user access frequency characteristic of that user.
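Steps 101 and 102 above, as an added example that is not part of the patent: it builds the network behavior map from constructed log records and computes the three first network access features P1, P2 and P3 exactly as the text describes them (weight-sum ratio, log count, maximum per-100-second frequency). Assumptions not fixed by the patent text: the access-address node is the request path, two addresses stand in an access relation when one user requested them consecutively, and edges are undirected as in the w12 example of Fig. 3.

```python
from collections import Counter, defaultdict

# Constructed sample weblog: (user, timestamp in seconds, access address).
# Assumptions (not fixed by the patent): the node is the request path, consecutive
# requests by one user form the access relation, and edges are undirected.
SAMPLE_LOG = [
    ("u1", 0, "/"), ("u1", 5, "/login"), ("u1", 9, "/account"), ("u1", 30, "/account"),
    ("u2", 1, "/"), ("u2", 4, "/products"), ("u2", 7, "/products/1"), ("u2", 12, "/cart"),
    ("u3", 2, "/"), ("u3", 3, "/login"), ("u3", 4, "/admin"), ("u3", 5, "/backup"),
    ("u3", 6, "/config"), ("u3", 7, "/products"), ("u3", 8, "/cart"), ("u3", 9, "/account"),
    ("u3", 250, "/"),
]

WINDOW_SECONDS = 100  # the time interval the patent prefers for the access frequency feature


def edge_key(a, b):
    """Undirected edge identifier for the access relation between two addresses."""
    return tuple(sorted((a, b)))


def build_behavior_graph(log):
    """Build the per-user network behavior maps and their superposition.

    Returns (user_graphs, global_graph). Each graph maps an edge to its weight,
    i.e. the number of accesses between the two nodes (w_ij in the patent).
    """
    paths_by_user = defaultdict(list)
    for user, _ts, path in sorted(log, key=lambda r: (r[0], r[1])):
        paths_by_user[user].append(path)
    user_graphs = {}
    for user, paths in paths_by_user.items():
        graph = Counter()
        for src, dst in zip(paths, paths[1:]):
            graph[edge_key(src, dst)] += 1
        user_graphs[user] = graph
    global_graph = Counter()
    for graph in user_graphs.values():
        global_graph.update(graph)  # superposition of the single-user maps
    return user_graphs, global_graph


def path_size_feature(user_graphs, global_graph, user):
    """P1: sum of the user's edge weights over the sum of all edge weights in the global map."""
    total = sum(global_graph.values())
    return sum(user_graphs[user].values()) / total if total else 0.0


def log_quantity_feature(log, user):
    """P2: number of weblog records generated by the user."""
    return sum(1 for u, _ts, _p in log if u == user)


def access_frequency_feature(log, user, window=WINDOW_SECONDS):
    """P3: requests per second in the busiest fixed window of `window` seconds."""
    per_window = Counter(ts // window for u, ts, _p in log if u == user)
    return max(per_window.values(), default=0) / window


def first_network_access_features(log):
    """Map each user to (P1, P2, P3) as described in step 102."""
    user_graphs, global_graph = build_behavior_graph(log)
    return {
        user: (
            path_size_feature(user_graphs, global_graph, user),
            log_quantity_feature(log, user),
            access_frequency_feature(log, user),
        )
        for user in user_graphs
    }


if __name__ == "__main__":
    for user, feats in sorted(first_network_access_features(SAMPLE_LOG).items()):
        print(user, "P1=%.3f P2=%d P3=%.3f" % feats)
```

In the constructed sample, u3 touches far more distinct paths than the others, so its P1 share of the global map and its P3 burst rate stand out; the random forest of step 103 is what turns such feature vectors into a normal/abnormal decision.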
(4) Second network access feature
The second network access feature comprises a URL length feature, a request parameter quantity feature, a special character frequency feature or a character entropy feature, where the calculation formula of the character entropy is as follows:
(formula rendered as image on the page: Figure BDA0002644482040000081)
In the formula, E_i is the character entropy of the ith visiting user, and
(symbol rendered as image on the page: Figure BDA0002644482040000082)
is the number of times the kth character in the request occurs for the ith accessing user.
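The second network access features, as an added example not taken from the patent, computed from constructed per-user request strings. The patent's entropy formula is an image on the page, so Shannon entropy over the characters of a user's requests is assumed; the special-character set and the per-user aggregation (maximum length and parameter count, mean special-character frequency) are this example's own choices.

```python
import math
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that structure an ordinary URL; they are not counted as "special".
# The patent does not define its special-character set, so this split is an assumption.
URL_STRUCTURAL = set("/?=&.-_")

# Constructed per-user request paths (the "request" part of each weblog record).
SAMPLE_REQUESTS = {
    "u2": ["/products?page=1", "/products/1", "/cart?item=1&qty=2"],
    "u3": ["/index.php?a=%7B%7D%5B%5D&b=%22%27%3B%7C&c=zx9Q!~", "/backup", "/config?f=%60%24"],
}


def url_length(request):
    """URL length feature: raw length of the request string."""
    return len(request)


def parameter_count(request):
    """Request parameter quantity feature: query parameters, counting repeated and empty keys."""
    return len(parse_qsl(urlsplit(request).query, keep_blank_values=True))


def special_char_frequency(request):
    """Share of characters that are neither alphanumeric nor URL structure.

    Percent-encoded characters are decoded first so that %7B counts as '{'.
    """
    decoded = unquote(request)
    if not decoded:
        return 0.0
    special = sum(1 for ch in decoded if not (ch.isalnum() or ch in URL_STRUCTURAL))
    return special / len(decoded)


def character_entropy(text):
    """Shannon entropy (bits) of the character distribution of `text`.

    Assumed form of the patent's E_i, whose formula is only an image on the page.
    """
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_network_access_features(requests):
    """Per-user second features; the aggregation (max / mean / pooled entropy) is assumed."""
    decoded_all = "".join(unquote(r) for r in requests)
    return {
        "url_length": max(url_length(r) for r in requests),
        "param_count": max(parameter_count(r) for r in requests),
        "special_char_freq": sum(special_char_frequency(r) for r in requests) / len(requests),
        "char_entropy": character_entropy(decoded_all),
    }


if __name__ == "__main__":
    for user, reqs in SAMPLE_REQUESTS.items():
        print(user, second_network_access_features(reqs))
```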
Step 103, inputting the access behavior characteristics of each access user into a preset random forest model for user type detection and outputting the access users with the abnormal user type, wherein the preset random forest model is a relational mapping model between the access behavior characteristics of the access users and the user types.
User type detection is carried out automatically on the input access behavior characteristics by the preset random forest model configured in advance: whether the corresponding access user is abnormal or normal is determined from the input characteristics, and finally the access users whose type is abnormal are output, achieving the purpose of detecting network abnormal users. The weblogs accumulated in one hour can be used as the object of one calculation: the corresponding access behavior characteristics are extracted according to the above steps, and detection is then performed by the preset random forest model.
Further, the configuration process of the preset random forest model comprises the following steps:
1. acquiring historical weblogs of normal access users and abnormal access users;
2. extracting access behavior characteristics of normal access users and abnormal access users based on a network behavior map constructed by historical network logs and the historical network logs;
3. performing category marking on the access behavior characteristics of normal access users and abnormal access users to obtain a training set;
4. and training the random forest through the training set until the random forest is converged to obtain a preset random forest model.
In the method for detecting network abnormal users based on a knowledge graph, the knowledge graph of user access behavior is constructed from the acquired weblogs of the access users to obtain the network behavior graph, so the behavior of an access user is reflected by a plurality of weblogs together rather than by a single weblog, and more accurate access behavior characteristics can be obtained by analysing the network behavior graph. In addition, the access behavior characteristics of the access user are extracted from both the network behavior map and the weblog, so a more comprehensive and accurate feature representation is obtained and the accuracy of network abnormal user detection is improved. User type detection is carried out automatically on the input access behavior characteristics by the preset random forest model, which improves detection efficiency and solves the technical problem that, in the prior art, a single log, namely the relevant attributes of a single access behavior, is analysed, so that the precision of the abnormal user detection result is low.
The above is an embodiment of a method for detecting a network abnormal user based on a knowledge graph provided by the present application, and the following is an embodiment of a device for detecting a network abnormal user based on a knowledge graph provided by the present application.
For easy understanding, please refer to fig. 2, the present application provides an embodiment of a device for detecting abnormal users of a knowledge-graph-based network, including:
the constructing unit 201 is configured to construct a knowledge graph of the user access behavior based on the obtained weblog of the access user, so as to obtain a network behavior graph.
And the feature extraction unit 202 is configured to extract access behavior features of each access user based on the network behavior map and the network log.
The detection unit 203 is configured to input the access behavior characteristics of each access user into a preset random forest model for user type detection, output an access user with an abnormal user type, and use the preset random forest model as a relational mapping model between the access behavior characteristics of the access user and the user type.
As a further improvement, the construction unit 201 is specifically configured to:
after obtaining the weblog of the access user, taking the access address in the weblog as a node, obtaining the access relation between the nodes according to the weblog, and constructing a knowledge graph of the access behavior of the user based on the node and the access relation to obtain a network behavior graph;
an edge is connected between two nodes with access relations in the network behavior graph, and the weight of the edge is the access times between the two nodes.
As a further improvement, the feature extraction unit 202 is specifically configured to:
extracting first network access characteristics of each access user based on a network behavior map, and extracting second network access characteristics of each access user based on a network log to obtain access behavior characteristics of each access user;
wherein the first network access characteristic comprises: a user path size characteristic, a user log quantity characteristic or a user access frequency characteristic, wherein the second network access characteristic comprises: a URL length feature, a request parameter quantity feature, a special character frequency feature, or a character entropy feature.
As a further improvement, the device further comprises a configuration unit 204;
the configuration unit 204 is configured to:
acquiring historical weblogs of normal access users and abnormal access users;
extracting access behavior characteristics of normal access users and abnormal access users based on a network behavior map constructed by historical network logs and the historical network logs;
performing category marking on the access behavior characteristics of normal access users and abnormal access users to obtain a training set;
and training the random forest through the training set until the random forest is converged to obtain a preset random forest model.
The embodiment of the application also provides a device for detecting network abnormal users based on a knowledge graph, which comprises a processor and a memory, wherein:
the memory is used for storing the program codes and transmitting the program codes to the processor;
the processor is configured to execute the method for detecting network abnormal users based on the knowledge-graph according to the instruction in the program code.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for executing all or part of the steps of the method described in the embodiments of the present application through a computer device (which may be a personal computer, a server, or a network device). And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A method for detecting network abnormal users based on knowledge graph is characterized by comprising the following steps:
constructing a knowledge graph of user access behaviors based on the acquired network logs of the access users to obtain a network behavior graph;
extracting access behavior characteristics of each access user based on the network behavior map and the network log;
and inputting the access behavior characteristics of each access user into a preset random forest model for user type detection, and outputting the access users with abnormal user types, wherein the preset random forest model is a relational mapping model of the access behavior characteristics of the access users and the user types.
2. The method for detecting abnormal network users based on a knowledge graph according to claim 1, wherein the constructing the knowledge graph of the user access behavior based on the obtained network log of the access user to obtain the network behavior graph comprises:
after obtaining a network log of an access user, taking an access address in the network log as a node, obtaining an access relation between the nodes according to the network log, and constructing a knowledge graph of user access behaviors based on the nodes and the access relation to obtain a network behavior graph;
and connecting an edge between two nodes with the access relation in the network behavior graph, wherein the weight of the edge is the access times between the two nodes.
3. The method for detecting abnormal network users based on a knowledge graph according to claim 1, wherein the extracting access behavior characteristics of each access user based on the network behavior graph and the network log comprises:
extracting first network access characteristics of each access user based on the network behavior graph, and extracting second network access characteristics of each access user based on the network log to obtain access behavior characteristics of each access user;
wherein the first network access characteristic comprises: a user path size characteristic, a user log quantity characteristic or a user access frequency characteristic, and the second network access characteristic comprises: a URL length feature, a request parameter quantity feature, a special character frequency feature, or a character entropy feature.
4. The method of claim 3, wherein the extracting the user path size characteristic of each access user based on the network behavior graph comprises:
after the weights of all the access paths of each access user in the network behavior graph are extracted, calculating the ratio of the sum of the weights of all the access paths of that access user to the sum of the weights of all the access paths of all the access users in the network behavior graph, to obtain the user path size characteristic of each access user.
5. The method for detecting the abnormal users of the knowledge-graph-based network according to claim 1, wherein the configuration process of the preset random forest model comprises the following steps:
acquiring historical weblogs of normal access users and abnormal access users;
extracting access behavior characteristics of the normal access user and the abnormal access user based on a network behavior map constructed by the historical weblog and the historical weblog;
performing category marking on the access behavior characteristics of the normal access user and the abnormal access user to obtain a training set;
and training a random forest through the training set until the random forest is converged to obtain the preset random forest model.
6. A device for detecting abnormal users of a network based on knowledge graph is characterized by comprising:
the construction unit is used for constructing a knowledge graph of the user access behavior based on the acquired network log of the access user to obtain a network behavior graph;
a feature extraction unit, configured to extract access behavior features of each access user based on the network behavior graph and the network log;
and the detection unit is used for inputting the access behavior characteristics of each access user into a preset random forest model for user type detection and outputting the access users with abnormal user types, wherein the preset random forest model is a relational mapping model of the access behavior characteristics of the access users and the user types.
7. The apparatus according to claim 6, wherein the construction unit is specifically configured to:
after obtaining a network log of an access user, taking an access address in the network log as a node, obtaining an access relation between the nodes according to the network log, and constructing a knowledge graph of user access behaviors based on the nodes and the access relation to obtain a network behavior graph;
and connecting an edge between two nodes with the access relation in the network behavior graph, wherein the weight of the edge is the access times between the two nodes.
8. The apparatus according to claim 6, wherein the feature extraction unit is specifically configured to:
extracting first network access characteristics of each access user based on the network behavior graph, and extracting second network access characteristics of each access user based on the network log to obtain access behavior characteristics of each access user;
wherein the first network access characteristic comprises: a user path size characteristic, a user log quantity characteristic or a user access frequency characteristic, and the second network access characteristic comprises: a URL length feature, a request parameter quantity feature, a special character frequency feature, or a character entropy feature.
9. The apparatus of claim 6, further comprising: a configuration unit;
the configuration unit is configured to:
acquiring historical weblogs of normal access users and abnormal access users;
extracting access behavior characteristics of the normal access user and the abnormal access user based on a network behavior map constructed by the historical weblog and the historical weblog;
performing category marking on the access behavior characteristics of the normal access user and the abnormal access user to obtain a training set;
and training a random forest through the training set until the random forest is converged to obtain the preset random forest model.
10. A knowledge-graph based network anomaly user detection device, the device comprising a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to execute the method for knowledge-graph-based network anomaly user detection of any one of claims 1-5 according to instructions in the program code.
CN202010850232.1A 2020-08-21 2020-08-21 Method, device and equipment for detecting network abnormal user based on knowledge graph Pending CN111949803A (en)

Publications (1)

Publication Number Publication Date
CN111949803A true CN111949803A (en) 2020-11-17

Family

ID=73359110

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106599160A (en) * 2016-12-08 2017-04-26 网帅科技(北京)有限公司 Content rule base management system and encoding method thereof
WO2017084362A1 (en) * 2015-11-18 2017-05-26 百度在线网络技术(北京)有限公司 Model generation method, recommendation method and corresponding apparatuses, device and storage medium
CN108600270A (en) * 2018-05-10 2018-09-28 北京邮电大学 A kind of abnormal user detection method and system based on network log
CN109460664A (en) * 2018-10-23 2019-03-12 北京三快在线科技有限公司 Risk analysis method, device, Electronic Design and computer-readable medium
CN109816397A (en) * 2018-12-03 2019-05-28 北京奇艺世纪科技有限公司 A kind of fraud method of discrimination, device and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张繁;谢凡;江颉;: "网络威胁安全数据可视化综述", 网络与信息安全学报, no. 02 *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113572752A (en) * 2021-07-20 2021-10-29 上海明略人工智能(集团)有限公司 Abnormal flow detection method and device, electronic equipment and storage medium
CN113572752B (en) * 2021-07-20 2023-11-07 上海明略人工智能(集团)有限公司 Abnormal flow detection method and device, electronic equipment and storage medium
CN113726786B (en) * 2021-08-31 2023-05-05 上海观安信息技术股份有限公司 Abnormal access behavior detection method and device, storage medium and electronic equipment
CN113726786A (en) * 2021-08-31 2021-11-30 上海观安信息技术股份有限公司 Method and device for detecting abnormal access behavior, storage medium and electronic equipment
CN114143049A (en) * 2021-11-18 2022-03-04 北京明略软件系统有限公司 Abnormal flow detection method, abnormal flow detection device, storage medium and electronic equipment
CN114422267A (en) * 2022-03-03 2022-04-29 北京天融信网络安全技术有限公司 Flow detection method, device, equipment and medium
CN114422267B (en) * 2022-03-03 2024-02-06 北京天融信网络安全技术有限公司 Flow detection method, device, equipment and medium
CN114329455A (en) * 2022-03-08 2022-04-12 北京大学 User abnormal behavior detection method and device based on heterogeneous graph embedding
CN114329455B (en) * 2022-03-08 2022-07-29 北京大学 User abnormal behavior detection method and device based on heterogeneous graph embedding
CN114710392A (en) * 2022-03-23 2022-07-05 阿里云计算有限公司 Event information acquisition method and device
CN114710392B (en) * 2022-03-23 2024-03-12 阿里云计算有限公司 Event information acquisition method and device
CN115378988B (en) * 2022-10-25 2023-02-24 国网智能电网研究院有限公司 Data access abnormity detection and control method and device based on knowledge graph
CN115378988A (en) * 2022-10-25 2022-11-22 国网智能电网研究院有限公司 Data access abnormity detection and control method and device based on knowledge graph
CN116668192A (en) * 2023-07-26 2023-08-29 国网山东省电力公司信息通信公司 Network user behavior anomaly detection method and system
CN116668192B (en) * 2023-07-26 2023-11-10 国网山东省电力公司信息通信公司 Network user behavior anomaly detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination