CN112348586A - Flow cheating detection method, device and equipment and readable storage medium - Google Patents

Flow cheating detection method, device and equipment and readable storage medium Download PDF

Info

Publication number
CN112348586A
CN112348586A CN202011275214.1A CN202011275214A CN112348586A CN 112348586 A CN112348586 A CN 112348586A CN 202011275214 A CN202011275214 A CN 202011275214A CN 112348586 A CN112348586 A CN 112348586A
Authority
CN
China
Prior art keywords
cheating
communication channel
detected
traffic
entropy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011275214.1A
Other languages
Chinese (zh)
Inventor
林谡
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN202011275214.1A priority Critical patent/CN112348586A/en
Publication of CN112348586A publication Critical patent/CN112348586A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/02Marketing; Price estimation or determination; Fundraising
    • G06Q30/0241Advertisements
    • G06Q30/0248Avoiding fraud
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/02Marketing; Price estimation or determination; Fundraising
    • G06Q30/0241Advertisements
    • G06Q30/0251Targeted advertisements
    • G06Q30/0269Targeted advertisements based on user profile or attribute
    • G06Q30/0271Personalized advertisement
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/02Marketing; Price estimation or determination; Fundraising
    • G06Q30/0241Advertisements
    • G06Q30/0277Online advertisement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Strategic Management (AREA)
  • Accounting & Taxation (AREA)
  • Development Economics (AREA)
  • Finance (AREA)
  • Economics (AREA)
  • Game Theory and Decision Science (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Marketing (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device, equipment and a readable storage medium for detecting flow cheating, wherein the method comprises the following steps: acquiring a first information entropy of a communication channel to be detected and determining a first entropy threshold value matched with the first information entropy; determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold; and if the cheating probability of the communication channel to be detected is greater than the probability threshold value, judging that the communication channel to be detected has the traffic cheating behavior, and representing the cheating behavior probability through the information entropy corresponding to the traffic of the communication channel to be detected so as to accurately identify the communication channel with the traffic cheating behavior.

Description

Flow cheating detection method, device and equipment and readable storage medium
Technical Field
The invention relates to the technical field of big data, in particular to a method, a device and equipment for detecting flow cheating and a readable storage medium.
Background
Currently, in the field of traffic promotion of the internet, in order to improve promotion traffic (such as click rate of advertisements delivered on advertisement resources) and obtain more income, some promotion parties may use cheating software to simulate search, click, comment and the like of real users, so that false promotion traffic has no effective solution for related technologies for accurately identifying cheating traffic at present.
Disclosure of Invention
The invention mainly aims to provide a method, a device and equipment for detecting traffic cheating and a readable storage medium, aiming at realizing the technical problem of accurately identifying the traffic cheating.
In order to achieve the above object, the present invention provides a traffic cheating detection method, which comprises the following steps:
acquiring a first information entropy of a communication channel to be detected and determining a first entropy threshold value matched with the first information entropy;
determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
and if the cheating probability of the communication channel to be detected is greater than the probability threshold value, judging that the communication channel to be detected has flow cheating behaviors.
Optionally, the step of determining the entropy threshold value of the first information entropy matching includes:
acquiring the number of users corresponding to the first information entropy of the communication channel to be detected;
and determining a first entropy threshold value matched with the first information entropy according to the user number and a preset unit information entropy.
Optionally, after the step of determining that the communication channel to be detected has the traffic cheating behavior if the cheating probability of the communication channel to be detected is greater than the probability threshold, the method further includes:
acquiring the flow control times of each user of the communication channel to be detected;
and determining a target user with the maximum flow control times among the plurality of users, and taking the cheating probability of the communication channel to be detected as the cheating probability of the target user.
Optionally, after the step of using the cheating probability of the communication channel to be detected as the cheating probability of the target user, the method further includes:
determining a target information entropy corresponding to the target user, and determining a second information entropy of the communication channel to be detected according to the target information entropy corresponding to the target user and the first information entropy of the communication channel to be detected;
determining a second entropy threshold value matched with the second information entropy, wherein the second entropy threshold value is smaller than the first entropy threshold value;
taking the second information entropy as a first information entropy and the second entropy threshold as a first entropy threshold, and returning to the step of determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
and continuing to execute the step of determining the target user with the maximum flow control times among the plurality of users and taking the cheating probability of the communication channel to be detected as the cheating probability of the target user until the cheating probability of each user of the communication channel to be detected is obtained.
Optionally, after the step of obtaining the cheating probability of each user of the communication channel to be detected, the method includes:
according to the cheating probability of each user of the communication channel to be detected, carrying out cheating grade grouping on a plurality of users of the communication channel to be detected so as to obtain a plurality of cheating group classes;
and generating a cheating report of the communication channel to be detected according to the plurality of cheating group classes, and visually displaying the cheating report.
Optionally, after the step of determining the target user with the largest number of manipulations among the plurality of users, the method further includes:
judging whether the target user has a traffic cheating behavior or not;
and if the target user is judged to have the traffic cheating behavior, performing traffic supervision on the target user.
Optionally, the step of determining that the target user has a traffic cheating action includes:
acquiring a first information entropy fluctuation amplitude corresponding to the target user within a preset time period;
and if the fluctuation amplitude of the first information entropy is larger than the preset amplitude, judging that the target user has flow cheating behavior.
Optionally, the step of determining that the target user has a traffic cheating action further includes:
acquiring a control frequency corresponding to the target user within a first preset time period;
and if the control frequency corresponding to the target user is greater than the preset frequency, judging that the target user has a traffic cheating behavior.
Optionally, the step of performing traffic supervision on the target user includes:
detecting whether the communication connection between the target terminals corresponding to the target users is in a normal state;
if the communication connections are in a normal state, acquiring a third information entropy of the target user in a preset period;
and if the third information entropy is smaller than a third entropy threshold value, disconnecting the communication connection with the target terminal.
Optionally, after the step of obtaining the third information entropy of the target user in a preset period, the method further includes:
and if the third information entropy is smaller than a third entropy threshold value, sending warning information to the target terminal.
Optionally, after the step of determining that the traffic cheating action exists on the communication channel to be detected, the method further includes:
acquiring a second information entropy fluctuation amplitude corresponding to the communication channel to be detected in a second preset time period;
if the second information entropy fluctuation amplitude is larger than the preset amplitude, closing the communication channel to be detected
Further, to achieve the above object, the present invention further provides a flow cheating detecting device, including:
the device comprises a first acquisition module, a second acquisition module and a first entropy calculation module, wherein the first acquisition module is used for acquiring a first information entropy of a communication channel to be detected and determining a first entropy threshold value matched with the first information entropy;
the determining module is used for determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
and the judging module is used for judging that the communication channel to be detected has the traffic cheating behavior if the cheating probability of the communication channel to be detected is greater than the probability threshold.
Optionally, the determining module includes:
the first acquisition unit is used for acquiring the number of users corresponding to the first information entropy of the communication channel to be detected;
and the first determining unit is used for determining a first entropy threshold value matched with the first information entropy according to the number of the users and a preset unit information entropy.
Optionally, the determining module further comprises:
the second acquisition unit is used for acquiring the flow control times of each user of the communication channel to be detected;
and the second determining unit is used for determining a target user with the maximum flow control times among the plurality of users and taking the cheating probability of the communication channel to be detected as the cheating probability of the target user.
Optionally, the determining module further comprises:
a third determining unit, configured to determine a target information entropy corresponding to the target user, and determine a second information entropy of the communication channel to be detected according to the target information entropy corresponding to the target user and the first information entropy of the communication channel to be detected;
a fourth determining unit, configured to determine a second entropy threshold value for entropy matching of the second information, where the second entropy threshold value is smaller than the first entropy threshold value;
a first execution unit, configured to use the second information entropy as a first information entropy and use the second entropy threshold as the first entropy threshold, and return to execute the step of determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
and the second execution unit is used for continuously executing the step of determining the target user with the maximum flow control times among the plurality of users and taking the cheating probability of the communication channel to be detected as the cheating probability of the target user until the cheating probability of each user of the communication channel to be detected is obtained.
Optionally, the traffic cheating detection apparatus further includes:
the judging module is used for judging whether the target user has flow cheating behaviors or not;
and the supervision module is used for carrying out traffic supervision on the target user if the target user is judged to have traffic cheating behaviors.
Optionally, the determining module includes:
the third obtaining unit is used for obtaining a first information entropy fluctuation amplitude corresponding to the target user within a preset time period;
and the first judging unit is used for judging that the target user has the flow cheating behavior if the fluctuation amplitude of the first information entropy is larger than a preset amplitude.
Optionally, the determining module includes:
the fourth obtaining unit is used for obtaining a first information entropy fluctuation amplitude corresponding to the target user within a preset time period;
and the second judging unit is used for judging that the target user has the flow cheating behavior if the fluctuation amplitude of the first information entropy is larger than the preset amplitude.
Optionally, the traffic cheating detection apparatus further includes:
the second obtaining module is used for obtaining a second information entropy fluctuation amplitude corresponding to the communication channel to be detected in a second preset time period;
and the closing module is used for closing the communication channel to be detected if the fluctuation amplitude of the second information entropy is larger than a preset amplitude.
Further, in order to achieve the above object, the present invention further provides a traffic cheating detecting device, where the traffic cheating detecting device includes a memory, a processor, and a traffic cheating detecting program stored in the memory and operable on the processor, and when executed by the processor, the traffic cheating detecting program implements the steps of the traffic cheating detecting method as described above.
Further, to achieve the above object, the present invention further provides a readable storage medium, where a traffic cheating detection program is stored, and when the traffic cheating detection program is executed by a processor, the steps of the traffic cheating detection method are implemented.
The method comprises the steps of obtaining a first information entropy of a communication channel to be detected and determining a first entropy threshold value matched with the first information entropy; determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold; and if the cheating probability of the communication channel to be detected is greater than the probability threshold value, judging that the communication channel to be detected has the traffic cheating behavior, and representing the cheating behavior probability through the information entropy corresponding to the traffic of the communication channel to be detected so as to accurately identify the communication channel with the traffic cheating behavior.
Drawings
Fig. 1 is a schematic structural diagram of a hardware operating environment according to an embodiment of the traffic cheating detection apparatus in the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of a traffic cheating detection method according to the present invention;
FIG. 3 is a flowchart illustrating a traffic cheating detection method according to a second embodiment of the present invention;
fig. 4 is a schematic functional block diagram of an embodiment of a traffic cheating detection apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a flow cheating detection device, and referring to fig. 1, fig. 1 is a schematic structural diagram of a hardware operating environment related to an embodiment scheme of the flow cheating detection device.
As shown in fig. 1, the traffic cheating detecting apparatus may include: a processor 1001, such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may optionally be a memory traffic cheating detection device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the hardware configuration of the traffic cheat-detecting device shown in fig. 1 does not constitute a limitation of the traffic cheat-detecting device, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a readable storage medium, may include therein an operating system, a network communication module, a user interface module, and a traffic cheating detection program. The operating system is a program for managing and controlling hardware and software resources of the flow cheating detection equipment, and supports the operation of a network communication module, a user interface module, the flow cheating detection program and other programs or software; the network communication module is used to manage and control the network interface 1004; the user interface module is used to manage and control the user interface 1003.
In the hardware structure of the traffic cheating detection device shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; the processor 1001 may call the traffic cheat-detection program stored in the memory 1005 and perform the following operations:
acquiring a first information entropy of a communication channel to be detected and determining a first entropy threshold value matched with the first information entropy;
determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
and if the cheating probability of the communication channel to be detected is greater than the probability threshold value, judging that the communication channel to be detected has flow cheating behaviors.
Further, the processor 1001 may call the traffic cheating detection program stored in the memory 1005 and perform the following operations:
acquiring the number of users corresponding to the first information entropy of the communication channel to be detected;
and determining a first entropy threshold value matched with the first information entropy according to the user number and a preset unit information entropy.
Further, the processor 1001 may call the traffic cheating detection program stored in the memory 1005 and perform the following operations:
acquiring the flow control times of each user of the communication channel to be detected;
and determining a target user with the maximum flow control times among the plurality of users, and taking the cheating probability of the communication channel to be detected as the cheating probability of the target user.
Further, the processor 1001 may call the traffic cheating detection program stored in the memory 1005 and perform the following operations:
determining a target information entropy corresponding to the target user, and determining a second information entropy of the communication channel to be detected according to the target information entropy corresponding to the target user and the first information entropy of the communication channel to be detected;
determining a second entropy threshold value matched with the second information entropy, wherein the second entropy threshold value is smaller than the first entropy threshold value;
taking the second information entropy as a first information entropy and the second entropy threshold as a first entropy threshold, and returning to the step of determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
and continuing to execute the step of determining the target user with the maximum flow control times among the plurality of users and taking the cheating probability of the communication channel to be detected as the cheating probability of the target user until the cheating probability of each user of the communication channel to be detected is obtained.
Further, the processor 1001 may call the traffic cheating detection program stored in the memory 1005 and perform the following operations:
according to the cheating probability of each user of the communication channel to be detected, carrying out cheating grade grouping on a plurality of users of the communication channel to be detected so as to obtain a plurality of cheating group classes;
and generating a cheating report of the communication channel to be detected according to the plurality of cheating group classes, and visually displaying the cheating report.
Further, the processor 1001 may call the traffic cheating detection program stored in the memory 1005 and perform the following operations:
judging whether the target user has a traffic cheating behavior or not;
and if the target user is judged to have the traffic cheating behavior, performing traffic supervision on the target user.
Further, the processor 1001 may call the traffic cheating detection program stored in the memory 1005 and perform the following operations:
acquiring a first information entropy fluctuation amplitude corresponding to the target user within a preset time period;
and if the fluctuation amplitude of the first information entropy is larger than the preset amplitude, judging that the target user has flow cheating behavior.
Further, the processor 1001 may call the traffic cheating detection program stored in the memory 1005 and perform the following operations:
acquiring a control frequency corresponding to the target user within a first preset time period;
and if the control frequency corresponding to the target user is greater than the preset frequency, judging that the target user has a traffic cheating behavior.
Further, the processor 1001 may call the traffic cheating detection program stored in the memory 1005 and perform the following operations:
detecting whether the communication connection between the target terminals corresponding to the target users is in a normal state;
if the communication connections are in a normal state, acquiring a third information entropy of the target user in a preset period;
and if the third information entropy is smaller than a third entropy threshold value, disconnecting the communication connection with the target terminal.
Further, the processor 1001 may call the traffic cheating detection program stored in the memory 1005 and perform the following operations:
and if the third information entropy is smaller than a third entropy threshold value, sending warning information to the target terminal.
Further, the processor 1001 may call the traffic cheating detection program stored in the memory 1005 and perform the following operations:
acquiring a second information entropy fluctuation amplitude corresponding to the communication channel to be detected in a second preset time period;
and if the second information entropy fluctuation amplitude is larger than the preset amplitude, closing the communication channel to be detected.
The invention also provides a flow cheating detection method.
Referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of a traffic cheating detection method according to the present invention.
While a logical order is shown in the flow chart, in some cases, the steps shown or described may be performed in an order different than that shown. Specifically, the traffic cheating detection method of the embodiment includes:
step S10, acquiring a first information entropy of a communication channel to be detected and determining a first entropy threshold value matched with the first information entropy;
in this embodiment, the traffic cheating detection method is applicable to a traffic monitoring system, where the traffic monitoring system is accessed in a big data cluster to monitor a traffic state of a communication channel of each node in the big data cluster, and specifically, a device with a traffic monitoring service function is accessed in the big data cluster, first, communication channel information of each node is obtained, where the communication channel information includes a device number of a client corresponding to the communication information, a user number of a current communication channel, and the like, and it is to be noted that the user refers to a user who uses the client to perform a search service and generates corresponding traffic (such as a click amount, a comment amount, and the like), and after obtaining the communication channel information of each node, the channel traffic of a communication channel to be detected is obtained, where the channel traffic includes various behaviors (such as click, comment, forward, and the like) in the channel and corresponding traffic generated by various attribute behaviors, and calculating the information entropy corresponding to the channel flow to judge the cheating behavior according to the information entropy, wherein in a real user use scene, the entropy corresponding to the real behavior is large if the real behavior is very various, but if the cheating behavior is the cheating behavior, the entropy corresponding to the cheating behavior is small if the cheating behavior is homogeneous, so that the flow cheating behavior can be accurately judged through the information entropy.
It should be further noted that, in this embodiment, the entropy threshold depends on an entropy corresponding to a real behavior, for example, an information entropy corresponding to a communication channel to be detected without a traffic cheating behavior in the period of time, optionally, a real user behavior simulation behavior model is constructed to determine the information entropy corresponding to the communication channel to be detected without the traffic cheating behavior, or a unit information entropy corresponding to a user without the traffic cheating behavior is determined according to historical traffic data, and then the information entropy corresponding to the communication channel to be detected without the traffic cheating behavior is determined according to the unit information entropy corresponding to the user without the traffic cheating behavior, where a setting manner of the specific entropy threshold is not limited.
Further, the step of determining the entropy threshold value of the first information entropy matching in step S10 includes:
step S101, acquiring the number of users corresponding to the first information entropy of the communication channel to be detected;
step S102, determining a first entropy threshold value matched with the first information entropy according to the number of the users and a preset unit information entropy;
it should be noted that, in this step, based on the unit information entropy corresponding to the user without cheating, an information entropy corresponding to the communication channel to be detected without cheating, specifically, the number of users corresponding to the first information entropy of the communication channel to be detected is obtained, for example, the number of users of the communication channel to be detected is 500, and the preset unit information entropy is 0.6, where the preset unit information entropy is an information entropy corresponding to a user without cheating in the same communication channel in the same traffic phase, and if it is currently necessary to detect whether a cheating action exists in the communication channel a at 10 am, which is No. 4 months, No. 28 am, it is necessary to determine the information entropy corresponding to the user without cheating in the communication channel a at 10 am, which is No. 4 months, so as to determine an entropy threshold corresponding to the communication channel a, further, if the current detection period is a traffic peak period, for example, it is necessary to detect whether a cheating exists in the communication channel a, which is No. 11 months, No. 11, since 11/month 11 is the traffic peak period of each year, it is necessary to determine the information entropy corresponding to the user without cheating in the communication channel a of 11/month 11 in the past year, so as to improve the accuracy of setting the entropy threshold, and further improve the accuracy of accurately judging the traffic cheating through the information entropy.
Step S20, determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
step S30, if the cheating probability of the communication channel to be detected is larger than the probability threshold, determining that the communication channel to be detected has a traffic cheating behavior.
After the first information entropy and the first entropy threshold are obtained, determining the cheating probability of the communication channel to be detected according to a preset cheating probability calculation rule, such as: mu-alpha-beta or mu-alpha/beta, wherein mu refers to a cheating probability, alpha refers to a first entropy threshold value, beta refers to a first information entropy, and whether the communication channel to be detected currently has cheating behavior is detected according to the cheating probability.
It should be further noted that, in a real user usage scenario, since real behaviors are very diverse, the entropy corresponding to the real behaviors is large, but if the real behaviors are cheating behaviors, since the cheating behaviors tend to be homogeneous, the entropy corresponding to the cheating behaviors is small, so if the communication channel to be detected has the cheating behaviors, the first information entropy of the communication channel to be detected is smaller than the first entropy threshold, for example, when the preset cheating probability calculation rule is: if the probability of cheating the communication channel to be detected is greater than 0, determining that the communication channel to be detected has a traffic cheating behavior, or when a preset cheating probability calculation rule is: if the cheating probability of the communication channel to be detected is greater than 1, it is determined that the traffic cheating behavior exists in the communication channel to be detected.
Optionally, after determining that the communication channel to be detected has the traffic cheating behavior according to the information entropy, the secondary cheating detection may be performed on the communication channel to be detected through the cheating detection model, and if the result of the secondary cheating detection performed on the communication channel to be detected through the cheating detection model is still the traffic cheating behavior, the communication channel with the traffic cheating behavior is closed.
Further, after the step of determining that the traffic cheating action exists on the communication channel to be detected in step S30, the method further includes:
step S40, acquiring a second information entropy fluctuation amplitude corresponding to the communication channel to be detected in a second preset time period;
and step S50, if the fluctuation amplitude of the second information entropy is larger than the preset amplitude, closing the communication channel to be detected.
After it is determined that the communication channel to be detected has the traffic cheating behavior according to the information entropy, secondary cheating detection is continuously performed on the communication channel to be detected through the information entropy fluctuation range to prevent misjudgment, and it is to be noted that the information entropy of normal non-cheating behavior is kept to change within a minimum range.
The traffic cheating detection method provided by the embodiment comprises the steps of obtaining a first information entropy of a communication channel to be detected and determining a first entropy threshold value matched with the first information entropy; determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold; if the cheating probability of the communication channel to be detected is larger than the probability threshold value, the fact that the communication channel to be detected has the traffic cheating behavior is judged, therefore, the cheating behavior probability is represented through the information entropy corresponding to the traffic of the communication channel to be detected, and the communication channel with the traffic cheating behavior can be accurately identified.
Further, based on the first embodiment of the traffic cheating detection method of the present invention, a second embodiment of the traffic cheating detection method of the present invention is proposed.
Referring to fig. 3, fig. 3 is a flowchart illustrating a flow cheating detection method according to a second embodiment of the present invention.
The difference between the second embodiment of the traffic cheating detection method and the first embodiment of the traffic cheating detection method is that, after the step of determining that the traffic cheating action exists on the communication channel to be detected if the cheating probability of the communication channel to be detected is greater than the probability threshold, the method further includes:
step S60, acquiring the flow control times of each user of the communication channel to be detected;
step S70, determining a target user with the largest number of traffic operations among the multiple users, and taking the cheating probability of the communication channel to be detected as the cheating probability of the target user.
In this embodiment, in order to improve the accuracy of detecting the flow cheating behavior, after determining the communication channel with the flow cheating behavior, the target user with the cheating behavior is further screened out, specifically, the flow control times (such as click, comment, forwarding and other behavior control times) of each user of the communication channel to be detected are obtained, and the cheating probability of the current communication channel to be detected is used as the cheating probability of the target user with the largest suspicion of cheating (that is, the target user with the largest flow control times).
Further, after step S70, the method further includes:
step S80, determining a target information entropy corresponding to the target user, and determining a second information entropy of the communication channel to be detected according to the target information entropy corresponding to the target user and the first information entropy of the communication channel to be detected;
step S90, determining a second entropy threshold value matched with the second information entropy, wherein the second entropy threshold value is smaller than the first entropy threshold value;
step S100, taking the second information entropy as a first information entropy and the second entropy threshold as a first entropy threshold, and returning to the step of determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
step S110, continuously executing the step of determining a target user with the largest number of flow manipulations among the plurality of users, and taking the cheating probability of the communication channel to be detected as the cheating probability of the target user until the cheating probability of each user of the communication channel to be detected is obtained.
In the step, after the target user with the largest cheating suspicion is screened out, the cheating probability of other users is continuously determined, specifically, the target information entropy corresponding to the target user is determined, then, the first information entropy of the communication channel to be detected is subtracted by the target information entropy corresponding to the target user, obtaining second information entropies corresponding to all other users of the communication channel to be detected, determining a second entropy threshold value corresponding to the second information entropy based on the unit information entropy corresponding to the users without cheating behaviors and the number of the remaining users, taking the second information entropy as the first information entropy and taking the second entropy threshold value as the first entropy threshold value, returning to the step of continuously executing the step of calculating the cheating probability until the cheating probability of each user of the communication channel to be detected is obtained, or the cheating probability of the communication channel to be detected is equal to the probability threshold value, so that users with flow cheating behaviors and users without cheating behaviors can be screened out.
Further, after the step of obtaining the cheating probability of each user of the communication channel to be detected, the method includes:
step S111, according to the cheating probability of each user of the communication channel to be detected, carrying out cheating grade grouping on a plurality of users of the communication channel to be detected so as to obtain a plurality of cheating group classes;
and step S112, generating a cheating report of the communication channel to be detected according to the plurality of cheating group classes, and visually displaying the cheating report.
In the embodiment, in monitoring the traffic states of the communication channels of each node and the users of each communication channel in the big data cluster through the information entropy and the cheating probabilities, the cheating grades of each user are firstly classified according to the cheating probabilities of each user, for example, the cheating probability corresponding to the primary cheating is greater than 2, the cheating probability corresponding to the secondary cheating is between 1 and 2, the cheating probability corresponding to the tertiary cheating (no cheating) is 1, and then the users with the same cheating grade are classified into the same class, so that a plurality of cheating group classes are formed. And finally, generating a cheating report of the communication channel to be detected according to each cheating group class, and optionally, generating an abnormal data report by the users in the same cheating group class so as to show the flow conditions of the users with the same cheating grade.
Further, the number of communication channels with traffic cheating behaviors of the big data cluster and the number of users with traffic cheating behaviors of each communication channel are counted, and the communication channel occupation ratio with traffic cheating behaviors and the user occupation ratio with traffic cheating behaviors of each cheating level are calculated respectively according to the communication channel occupation ratio and the user occupation ratio. And further generating a communication channel occupation ratio with flow cheating behaviors and a cheating report corresponding to the user occupation ratio with the flow cheating behaviors in each cheating level. And outputting the generated various cheating reports to an operation and maintenance terminal for displaying, and optionally displaying different cheating reports or different levels of cheating information in the reports in different display colors so as to be convenient for quick distinguishing. Therefore, the visualization of monitoring the large data cluster flow cheating behaviors is realized through displaying various cheating reports.
Further, after the step of determining the target user with the largest number of manipulations in the plurality of users in step S70, the method further includes:
step S113, judging whether the target user has a traffic cheating behavior;
and step S114, if the target user is judged to have the traffic cheating behavior, performing traffic supervision on the target user.
In this embodiment, the criterion for determining whether the target user has the traffic cheating behavior is not limited, and optionally, the determination method for determining whether the target user has the traffic cheating behavior is as follows: and acquiring a first information entropy fluctuation amplitude corresponding to the target user within a preset time period, and if the first information entropy fluctuation amplitude is larger than the preset amplitude, judging that the target user has a flow cheating behavior.
Optionally, the determination method for determining whether the target user has the traffic cheating behavior may also be: acquiring a control frequency corresponding to a target user within a first preset time period; and if the control frequency corresponding to the target user is greater than the preset frequency, judging that the target user has a traffic cheating behavior.
Further, the step of traffic policing the target user includes:
step S1141, detecting whether the communication connection between the target terminals corresponding to the target users is in a normal state;
step S1142, if the communication connections are all in a normal state, acquiring a third information entropy of the target user in a preset period;
step S1143, if the third information entropy is smaller than a third entropy threshold, the communication connection with the target terminal is disconnected.
In this step, optionally, when it is detected that the communication connections between the target terminals corresponding to the target users are all in a normal state, since the entropy corresponding to the real behavior is large and the entropy corresponding to the cheating behavior is small, if the third information entropy of the target user in the preset period is smaller than the third entropy threshold, it is determined that the target user has cheating on the traffic, and the communication connections with the target terminals are disconnected.
Optionally, since the information entropy of the normal cheating-free behavior is kept to be changed within a very small range, in this embodiment, the information entropy corresponding to the target user at each time node within the preset time period is obtained to obtain the information entropy fluctuation amplitude of the preset time period, and when the information entropy fluctuation amplitude is greater than the preset amplitude, it is determined that the target user has the flow cheating behavior, and the communication connection with the target terminal is disconnected.
Further, after step S1142, the method further includes:
and if the third information entropy is smaller than a third entropy threshold value, sending warning information to the target terminal.
In the step, after the target user is judged to have the traffic cheating behavior, warning information is sent to a target terminal corresponding to the target user to warn the target user, and then the traffic monitoring behavior is visualized.
In the embodiment, the flow control times of each user of the communication channel to be detected are obtained; the target user with the largest flow control times among the multiple users is determined, the cheating probability of the communication channel to be detected is used as the cheating probability of the target user until the cheating probability of each user of the communication channel to be detected is obtained, therefore, not only the communication channel with the cheating behavior is detected, but also the user with the cheating behavior in the communication channel is detected, and the accurate flow cheating detection rate is further improved.
The invention also provides a flow cheating detection device. Referring to fig. 4, the traffic cheating detection apparatus includes:
a first obtaining module 10, configured to obtain a first information entropy of a communication channel to be detected and determine a first entropy threshold matched with the first information entropy;
a determining module 20, configured to determine a cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
the determining module 30 is configured to determine that a traffic cheating action exists on the communication channel to be detected if the cheating probability of the communication channel to be detected is greater than a probability threshold.
In addition, the embodiment of the invention also provides a readable storage medium.
The readable storage medium stores thereon a traffic cheating detection program, and the traffic cheating detection program, when executed by the processor, implements the steps of the traffic cheating detection method as described above.
The readable storage medium of the present invention may be a computer readable storage medium, and the specific implementation manner of the readable storage medium of the present invention is basically the same as that of each embodiment of the foregoing traffic cheating detection method, and details are not described herein again.
The present invention is described in connection with the accompanying drawings, but the present invention is not limited to the above embodiments, which are only illustrative and not restrictive, and those skilled in the art can make various changes without departing from the spirit and scope of the invention as defined by the appended claims, and all changes that come within the meaning and range of equivalency of the specification and drawings that are obvious from the description and the attached claims are intended to be embraced therein.

Claims (10)

1. A traffic cheating detection method is characterized by comprising the following steps:
acquiring a first information entropy of a communication channel to be detected and determining a first entropy threshold value matched with the first information entropy;
determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
and if the cheating probability of the communication channel to be detected is greater than the probability threshold value, judging that the communication channel to be detected has flow cheating behaviors.
2. The traffic cheating detection method according to claim 1, wherein after the step of determining that the traffic cheating action exists on the communication channel to be detected if the cheating probability of the communication channel to be detected is greater than the probability threshold, the method further comprises:
acquiring the flow control times of each user of the communication channel to be detected;
and determining a target user with the maximum flow control times among the plurality of users, and taking the cheating probability of the communication channel to be detected as the cheating probability of the target user.
3. The traffic cheat detection method according to claim 2, wherein after the step of using the cheating probability of the communication channel to be detected as the cheating probability of the target user, the method further comprises:
determining a target information entropy corresponding to the target user, and determining a second information entropy of the communication channel to be detected according to the target information entropy corresponding to the target user and the first information entropy of the communication channel to be detected;
determining a second entropy threshold value matched with the second information entropy, wherein the second entropy threshold value is smaller than the first entropy threshold value;
taking the second information entropy as a first information entropy and the second entropy threshold as a first entropy threshold, and returning to the step of determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
and continuing to execute the step of determining the target user with the maximum flow control times among the plurality of users and taking the cheating probability of the communication channel to be detected as the cheating probability of the target user until the cheating probability of each user of the communication channel to be detected is obtained.
4. The traffic cheat detection method according to claim 3, wherein said step of obtaining the cheating probabilities of the respective users of the communication channel to be detected comprises, after:
according to the cheating probability of each user of the communication channel to be detected, carrying out cheating grade grouping on a plurality of users of the communication channel to be detected so as to obtain a plurality of cheating group classes;
and generating a cheating report of the communication channel to be detected according to the plurality of cheating group classes, and visually displaying the cheating report.
5. The traffic cheat detection method of claim 4, wherein said step of determining that traffic cheating behavior exists for said target user comprises:
acquiring a first information entropy fluctuation amplitude corresponding to the target user within a preset time period;
and if the fluctuation amplitude of the first information entropy is larger than the preset amplitude, judging that the target user has flow cheating behavior.
6. The traffic cheat detection method of claim 4, wherein said step of determining that traffic cheating behavior exists for said target user further comprises:
acquiring a control frequency corresponding to the target user within a first preset time period;
and if the control frequency corresponding to the target user is greater than the preset frequency, judging that the target user has a traffic cheating behavior.
7. The traffic cheat detection method of claim 4, wherein said step of policing said target user comprises:
detecting whether the communication connection between the target terminals corresponding to the target users is in a normal state;
if the communication connections are in a normal state, acquiring a third information entropy of the target user in a preset period;
and if the third information entropy is smaller than a third entropy threshold value, disconnecting the communication connection with the target terminal.
8. A traffic cheating detecting device, comprising:
the device comprises a first acquisition module, a second acquisition module and a first entropy calculation module, wherein the first acquisition module is used for acquiring a first information entropy of a communication channel to be detected and determining a first entropy threshold value matched with the first information entropy;
the determining module is used for determining the cheating probability of the communication channel to be detected according to the first information entropy and the first entropy threshold;
and the judging module is used for judging that the communication channel to be detected has the traffic cheating behavior if the cheating probability of the communication channel to be detected is greater than the probability threshold.
9. A traffic cheating detection device, comprising a memory, a processor, and a traffic cheating detection program stored on said memory and executable on said processor, said traffic cheating detection program when executed by said processor implementing the steps of the traffic cheating detection method as recited in any one of claims 1-7.
10. A readable storage medium, characterized in that the readable storage medium has stored thereon a traffic cheating detection program, which when executed by a processor implements the steps of the traffic cheating detection method according to any one of claims 1-7.
CN202011275214.1A 2020-11-13 2020-11-13 Flow cheating detection method, device and equipment and readable storage medium Pending CN112348586A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011275214.1A CN112348586A (en) 2020-11-13 2020-11-13 Flow cheating detection method, device and equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011275214.1A CN112348586A (en) 2020-11-13 2020-11-13 Flow cheating detection method, device and equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN112348586A true CN112348586A (en) 2021-02-09

Family

ID=74363860

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011275214.1A Pending CN112348586A (en) 2020-11-13 2020-11-13 Flow cheating detection method, device and equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN112348586A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070000728A (en) * 2005-06-28 2007-01-03 서원대학교산학협력단 A method for the detection of network traffic anomalies by the entropy of destination network distributions
EP2693715A1 (en) * 2012-08-02 2014-02-05 Alcatel Lucent A system and a method for detecting cheating applications
CN104424433A (en) * 2013-08-22 2015-03-18 腾讯科技(深圳)有限公司 Anti-cheating method and anti-cheating system of application program
CN106485507A (en) * 2015-09-01 2017-03-08 阿里巴巴集团控股有限公司 A kind of software promotes the detection method of cheating, apparatus and system
CN108876464A (en) * 2018-06-27 2018-11-23 珠海市君天电子科技有限公司 A kind of cheating detection method, device, service equipment and storage medium
CN110189165A (en) * 2019-05-14 2019-08-30 微梦创科网络科技(中国)有限公司 Channel abnormal user and abnormal channel recognition methods and device
CN110213209A (en) * 2018-05-11 2019-09-06 腾讯科技(深圳)有限公司 A kind of cheat detection method, device and storage medium that pushed information is clicked
CN111404835A (en) * 2020-03-30 2020-07-10 北京海益同展信息科技有限公司 Flow control method, device, equipment and storage medium

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070000728A (en) * 2005-06-28 2007-01-03 서원대학교산학협력단 A method for the detection of network traffic anomalies by the entropy of destination network distributions
EP2693715A1 (en) * 2012-08-02 2014-02-05 Alcatel Lucent A system and a method for detecting cheating applications
CN104424433A (en) * 2013-08-22 2015-03-18 腾讯科技(深圳)有限公司 Anti-cheating method and anti-cheating system of application program
CN106485507A (en) * 2015-09-01 2017-03-08 阿里巴巴集团控股有限公司 A kind of software promotes the detection method of cheating, apparatus and system
CN110213209A (en) * 2018-05-11 2019-09-06 腾讯科技(深圳)有限公司 A kind of cheat detection method, device and storage medium that pushed information is clicked
CN108876464A (en) * 2018-06-27 2018-11-23 珠海市君天电子科技有限公司 A kind of cheating detection method, device, service equipment and storage medium
CN110189165A (en) * 2019-05-14 2019-08-30 微梦创科网络科技(中国)有限公司 Channel abnormal user and abnormal channel recognition methods and device
CN111404835A (en) * 2020-03-30 2020-07-10 北京海益同展信息科技有限公司 Flow control method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN107391538B (en) Click data acquisition, processing and display method, device, equipment and storage medium
US10592308B2 (en) Aggregation based event identification
US20110055799A1 (en) Collection and processing of code development information
US10592327B2 (en) Apparatus, system, and method for analyzing logs
CN111045879B (en) Method, device and storage medium for generating pressure test report
CN111401722A (en) Intelligent decision method and intelligent decision system
CN110597694A (en) Method and terminal for monitoring front-end page
CN112702184A (en) Fault early warning method and device and computer-readable storage medium
CN106998336B (en) Method and device for detecting user in channel
CN110262955B (en) Application performance monitoring tool based on pinpoint
EP4145290A1 (en) Transactions impact analysis
CN110943887B (en) Probe scheduling method, device, equipment and storage medium
CN105162931A (en) Method and device for classifying communication numbers
CN112348586A (en) Flow cheating detection method, device and equipment and readable storage medium
CN112699048A (en) Program fault processing method, device and equipment based on artificial intelligence and storage medium
CN107357703B (en) Terminal application power consumption detection method and server
CN109218062B (en) Internet service alarm method and device based on confidence interval
JP2011244098A (en) Traffic analysis system and traffic analysis method
CN113835961B (en) Alarm information monitoring method, device, server and storage medium
JP2001256032A (en) Fault message display
CN113901153A (en) Data processing method and related equipment
CN111427874B (en) Quality control method and device for medical data production and electronic equipment
CN114531338A (en) Monitoring alarm and tracing method and system based on call chain data
CN107872349B (en) Real-time snapshot statistical method and device and readable storage medium
CN113961565A (en) Data detection method, system, computer system and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210209

RJ01 Rejection of invention patent application after publication