CN112491602A - Behavior data monitoring method and device, computer equipment and medium - Google Patents


Info

Publication number: CN112491602A
Application number: CN202011286429.3A
Authority: CN (China)
Prior art keywords: log, behavior, user identifier, target, data
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN112491602B (en)
Inventor: 邱贵昌
Current Assignee: Ping An Property and Casualty Insurance Company of China Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Ping An Property and Casualty Insurance Company of China Ltd
Application filed by Ping An Property and Casualty Insurance Company of China Ltd
Priority to CN202011286429.3A
Publication of CN112491602A
Application granted
Publication of CN112491602B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F 11/3438 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment; monitoring of user actions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/14 Details of searching files based on file metadata
    • G06F 16/148 File search processing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/18 File system types
    • G06F 16/182 Distributed file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/18 File system types
    • G06F 16/185 Hierarchical storage management [HSM] systems, e.g. file migration or policies thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/568 Storing data temporarily at an intermediate stage, e.g. caching

Abstract

The invention relates to the field of artificial intelligence and discloses a behavior data monitoring method, a behavior data monitoring device, computer equipment and a storage medium. The method comprises: each time an access request is detected, acquiring a user identifier from the access request and generating a random character string based on the user identifier; adding the random character string to the request message and the response message, generating log data from the request message and the response message, and storing the log data in a log cloud platform; when a query request for a user operation behavior is received, taking the user identifier contained in the query request as the target user identifier and retrieving the log data corresponding to the target user identifier from the log cloud platform as the target log; analyzing the behavior trajectory of the target log to obtain a visual behavior trajectory corresponding to the target user identifier; and judging, based on the visual behavior trajectory, whether the operation behavior corresponding to the target user identifier is abnormal.

Description

Behavior data monitoring method and device, computer equipment and medium
Technical Field
The invention relates to the field of artificial intelligence, in particular to a behavior data monitoring method, a behavior data monitoring device, computer equipment and a medium.
Background
With rapid social and economic development, the range of business that enterprises engage in keeps widening. Most enterprises use a distributed log cloud platform to store the logs of their different business sites or apps; an existing log cloud platform mainly comprises modules such as log collection, log parsing, log storage, log search and log analysis. Massive log data is collected, split into fields and stored, so that developers can conveniently inspect logs and locate problems, and statistical analysis and data mining can be performed on the logs. An enterprise has many systems and a large number of hosts; without a unified log cloud platform it is difficult to perform complete correlation analysis for security incident audits or abnormal business access. A unified log cloud platform is therefore an important platform for enterprise security monitoring and data mining.
An existing log cloud platform only shows individual fixed records and cannot chain them together for analysis. It is unclear where a given log came from and where it went: which page and which system initiated the request, which system it jumped to, and what the whole flow was. When the account of a salesperson needs to be investigated for abnormal behavior, the time sequence is disordered and it is difficult for a system to associate all of the jumps and analyze whether a request was actually initiated by the client, so the monitoring efficiency of user behavior data is low.
Disclosure of Invention
The embodiment of the invention provides a behavior data monitoring method and device, computer equipment and a storage medium, and aims to improve the monitoring efficiency of behavior data.
In order to solve the foregoing technical problem, an embodiment of the present application provides a method for monitoring behavior data, including:
when an access request is detected each time, acquiring a user identifier from the access request, and generating a random character string based on the user identifier;
adding the random character string into a request message and a response message, generating log data according to the request message and the response message, and storing the log data to a log cloud platform;
if an inquiry request aiming at user operation behaviors is received, acquiring a user identifier contained in the inquiry request as a target user identifier, and acquiring log data corresponding to the target user identifier from the log cloud platform as a target log;
analyzing the behavior track of the target log to obtain a visual behavior track corresponding to the target user identifier;
and judging whether the operation behavior corresponding to the target user identification is abnormal or not based on the visual behavior track.
Optionally, the request packet and the response packet contain a log jump parameter field, and adding the random character string into the request packet and the response packet includes:
analyzing the request message, and adding the random character string into a log jump parameter field of the request message to obtain an updated request message;
and generating the response message based on the updated request message.
Optionally, the storing the log data to a log cloud platform includes:
collecting the log data according to a preset time interval by adopting a timing script, and compressing the collected log data to obtain compressed data;
uploading the compressed log data to a distributed file system for storage;
slicing the program running logs stored in the distributed file system to form a plurality of slicing tasks, and analyzing log files corresponding to each slicing task;
and, for the parsed log file corresponding to each slicing task, storing the classification statistics result in the log cloud platform according to the request interface path.
Optionally, the query request includes a query time range and a query path range, and the obtaining, from the log cloud platform, log data corresponding to the target user identifier as a target log includes:
executing query processing in the log cloud platform based on the query time range and the query path range to obtain an initial query result;
and traversing the initial query result to obtain log data containing the target user identification as the target log.
Optionally, the analyzing the behavior trace of the target log to obtain a visual behavior trace corresponding to the target user identifier includes:
acquiring a random character string contained in each target log, and taking the target logs with the same random character string as a group of behavior logs;
for each group of behavior logs, sequencing according to log generation time points to obtain access sequences corresponding to the behavior logs;
and for each access sequence, extracting the behavior record of each log in the access sequence, and connecting the behavior records in series according to the sequence of the behavior logs in the access sequence to obtain a behavior track.
Optionally, after determining whether the operation behavior corresponding to the target user identifier is abnormal based on the visualized behavior trajectory, the method for monitoring behavior data further includes:
and if the judgment result shows that the operation behavior corresponding to the target user identification is abnormal, executing early warning processing according to a preset early warning mode.
In order to solve the foregoing technical problem, an embodiment of the present application further provides a monitoring device for behavior data, including:
the character string generating module is used for acquiring a user identifier from an access request every time the access request is detected, and generating a random character string based on the user identifier;
the log acquisition module is used for adding the random character string into a request message and a response message, generating log data according to the request message and the response message, and storing the log data into a log cloud platform;
the log query module is used for acquiring a user identifier contained in a query request as a target user identifier if the query request aiming at the user operation behavior is received, and acquiring log data corresponding to the target user identifier from the log cloud platform as a target log;
the behavior visualization module is used for analyzing the behavior track of the target log to obtain a visualization behavior track corresponding to the target user identifier;
and the abnormity judgment module is used for judging whether the operation behavior corresponding to the target user identifier is abnormal or not based on the visual behavior track.
Optionally, the log collection module includes:
a request message updating unit, configured to parse the request message, and add the random character string to a log skip parameter field of the request message, to obtain an updated request message;
and the response message generating unit is used for generating the response message based on the updated request message.
Optionally, the log collection module further includes:
the timing acquisition unit is used for collecting the log data according to a preset time interval by adopting a timing script and compressing the collected log data to obtain compressed data;
the distributed transmission unit is used for uploading the compressed log data to a distributed file system for storage;
the slicing analysis unit is used for slicing the program running logs stored in the distributed file system to form a plurality of slicing tasks and analyzing log files corresponding to the slicing tasks;
and the classification storage unit is used for storing, for the parsed log file corresponding to each slicing task, the classification statistics result in the log cloud platform according to the request interface path.
Optionally, the log query module includes:
the initial query unit is used for executing query processing in the log cloud platform based on the query time range and the query path range to obtain an initial query result;
and the traversal query unit is used for traversing the initial query result to acquire log data containing the target user identifier as the target log.
Optionally, the behavior visualization module comprises:
the grouping unit is used for acquiring the random character strings contained in each target log and taking the target logs with the same random character strings as a group of behavior logs;
the sorting unit is used for sorting each group of behavior logs according to the log generation time point to obtain an access sequence corresponding to the behavior logs;
and the log association unit is used for extracting the behavior record of each log in the access sequence aiming at each access sequence, and connecting the behavior records in series according to the sequence of the behavior logs in the access sequence to obtain a behavior track.
Optionally, the monitoring device for behavior data further includes:
and the early warning module is used for executing early warning processing according to a preset early warning mode if the judgment result shows that the operation behavior corresponding to the target user identification is abnormal.
In order to solve the above technical problem, an embodiment of the present application further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the monitoring method for behavior data when executing the computer program.
In order to solve the above technical problem, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored, and the computer program, when executed by a processor, implements the steps of the above behavior data monitoring method.
The behavior data monitoring method, device, computer equipment and storage medium provided by the embodiment of the invention acquire the user identifier from the access request each time an access request is detected, generate a random character string based on the user identifier, add the random character string to the request message and the response message, generate log data from the request message and the response message, and store the log data in the log cloud platform. Because a different random code is generated for each behavior, the log data of the same user's access behaviors at different times can be distinguished, which improves the accuracy of subsequent log queries. When a query request for a user operation behavior is received, the user identifier contained in the query request is taken as the target user identifier, the log data corresponding to the target user identifier is retrieved from the log cloud platform as the target log, the behavior trajectory of the target log is analyzed to obtain a visual behavior trajectory corresponding to the target user identifier, and whether the operation behavior corresponding to the target user identifier is abnormal is judged based on the visual behavior trajectory. The behavior trajectory is thus analyzed and judged visually, and the monitoring efficiency of behavior data is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow diagram of one embodiment of a method for monitoring behavioral data of the present application;
FIG. 3 is a schematic block diagram of one embodiment of a behavioral data monitoring apparatus according to the present application;
FIG. 4 is a schematic block diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, as shown in fig. 1, a system architecture 100 may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like.
The terminal devices 101, 102, 103 may be various electronic devices having display screens and supporting web browsing, including but not limited to smart phones, tablet computers, e-book readers, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), laptop computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103.
It should be noted that the monitoring method for behavior data provided in the embodiments of the present application is executed by a server, and accordingly, a monitoring device for behavior data is disposed in the server.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. Any number of terminal devices, networks and servers may be provided according to implementation needs, and the terminal devices 101, 102 and 103 in this embodiment may specifically correspond to an application system in actual production.
Referring to fig. 2, fig. 2 shows a method for monitoring behavior data according to an embodiment of the present invention, which is described by taking the method applied to the server in fig. 1 as an example, and is detailed as follows:
S201: when an access request is detected each time, acquiring the user identifier from the access request, and generating a random character string based on the user identifier.
Specifically, the embodiment is applied to a scenario of a multi-application system, and after an access request is detected each time, a user identifier is obtained from the access request, and a random character string is generated based on the user identifier.
The user identifier may specifically be a symbol used for uniquely determining the user identity, such as a user name, a user certificate number, a user job number, and the like, and may specifically be one or a combination of multiple characters, numbers, and letters.
The random character string is generated based on the user identifier, and the generation manner may be set according to actual needs; for example, the random character string may be generated from the user identifier with a specific encryption algorithm, which is not limited here.
S202: adding the random character string into the request message and the response message, generating log data according to the request message and the response message, and storing the log data to a log cloud platform.
Specifically, the original request message and response message include a source IP, a destination IP, a uuid, a UID, an operation time, and the like. In the present application the random character string generated in step S201 from the user identifier is added to the request message and the response message, so that when log data is generated the log file contains the random character string corresponding to the user identifier, and the generated log data is stored in the log cloud platform.
It is easy to understand that the application scenario of this embodiment includes multiple application systems. In a conventional log platform the log files of different systems may be stored in different locations, so when a user uses several systems it is difficult to determine, for a given log, the jump address (where it came from), the destination address (where it went) and the request source (which page and which system initiated the request). For access logs that span multiple systems, correlation analysis is therefore difficult and the logs are disordered, which is the main difficulty of log analysis. In this embodiment the original log cloud platform is extended: user access request messages and response messages are collected (html, js, jpg, css and other non-essential or sensitive fields need not be collected) together with basic elements such as source IP, destination IP, uuid, UID, user-agent, x-forwarded-for and time; a log jump parameter field is added to each request message and response message, and the background generates a random character string for each user request to identify and track the jumps of the user's access log, so that every access log of a user, including the logs of the system accessed and of each jump, can be chained in order.
Based on this field, the system a user jumped to after clicking a link or querying certain data can be found, and the user's access log is collected and stored. If a certain user click behavior later needs to be checked, any log of that user can be searched in the log cloud platform, the client behavior trajectory can be visualized according to the jump parameter string, and the user's access behavior can be seen clearly.
The log cloud platform is a distributed log storage cloud platform. Distributed log storage allows subsequent log parsing and retrieval to be processed as distributed tasks, which improves processing efficiency.
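Steps S201 and S202 as server-side middleware, as an added Python example that is not part of the patent or of the applicant's code. The patent leaves the generation method open ("a specific encryption algorithm"); the example assumes a CSPRNG nonce bound to the user identifier with a keyed HMAC, so that two behaviors of the same user never share a string, the string itself does not reveal the user identifier, and a string presented on an inbound request can be checked before it is reused for a downstream jump. The header name X-Log-Jump, the server key and the request/response dictionaries are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Assumed names: the patent names neither the jump field nor where the key lives.
JUMP_FIELD = "X-Log-Jump"                # the "log jump parameter field" of request and response
SERVER_KEY = b"rotate-me-in-production"  # server-side secret, never sent to a client


def make_jump_string(user_id: str, key: bytes = SERVER_KEY) -> str:
    """Mint the per-behaviour string: CSPRNG nonce plus an HMAC tag binding it to the user id.

    The nonce makes two clicks of the same user distinct; the tag lets the
    server later recognise its own strings without exposing the user id.
    """
    nonce = secrets.token_hex(8)
    tag = hmac.new(key, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{nonce}.{tag}"


def verify_jump_string(jump: str, user_id: str, key: bytes = SERVER_KEY) -> bool:
    """True only if `jump` was minted by this server for this user (constant-time compare)."""
    nonce, sep, tag = jump.partition(".")
    if not sep or len(nonce) != 16:
        return False
    expected = hmac.new(key, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, expected)


def handle_access(request: dict, user_id: str, key: bytes = SERVER_KEY):
    """Steps S201/S202 as middleware; returns (updated_request, response, log_record).

    A jump string already on the request is reused only when it verifies for
    this user, i.e. the request is an internal hop of a behaviour already in
    progress. Any other value, forged or belonging to another user, is replaced
    by a fresh string so a client cannot write its traffic into someone else's trace.
    """
    headers = dict(request.get("headers", {}))
    presented = headers.get(JUMP_FIELD, "")
    if presented and verify_jump_string(presented, user_id, key):
        jump = presented
    else:
        jump = make_jump_string(user_id, key)
    headers[JUMP_FIELD] = jump
    updated_request = {**request, "headers": headers}
    # The response carries the same string so the next hop can propagate it.
    response = {"status": 200, "headers": {JUMP_FIELD: jump}}
    # One log record per request/response pair, with the basic elements the patent lists.
    log_record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": request.get("src_ip"),
        "dst_ip": request.get("dst_ip"),
        "uid": user_id,
        "user_agent": headers.get("User-Agent"),
        "x_forwarded_for": headers.get("X-Forwarded-For"),
        "path": request.get("path"),
        "jump": jump,
        "status": response["status"],
    }
    return updated_request, response, log_record
```

The verification step matters because the jump field travels in the request message: a client that can set the field itself could stitch its traffic into another user's trace or split its own behaviors apart. Verification blocks forgery but not replay of a user's own valid string, so a deployment would also bound how long a string stays reusable.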
S203: and if an inquiry request aiming at the user operation behavior is received, acquiring a user identifier contained in the inquiry request as a target user identifier, and acquiring log data corresponding to the target user identifier from the log cloud platform as a target log.
Specifically, when a query request for a user operation behavior is received, the user identifier contained in the query request is obtained and used as the target user identifier, and the log data corresponding to the target user identifier is retrieved from the log cloud platform by query and used as the target log.
It should be understood that in steps S201 and S202 a random character string is added to each access request of each user identifier to generate a log file, and the log file is stored in the log cloud platform, so the log cloud platform contains many records of many user identifiers. To improve query efficiency, this embodiment provides a preferred manner: the query request for a user operation behavior defines a query time range and a query system range, which reduces the amount of data queried and improves query efficiency, and at the same time reduces the data in the target log, which helps to locate the user's behavior trajectory precisely in the subsequent step.
S204: and analyzing the behavior track of the target log to obtain a visual behavior track corresponding to the target user identifier.
Specifically, data analysis is performed on the obtained target log, the behavior trajectory of the user's operation behavior is determined, and the behavior trajectory is visualized. The visualization can be implemented by modeling with a data visualization tool; suitable tools include, but are not limited to, Leaflet, Ali DataV and the like. The specific process of analyzing the behavior trajectory of the target log to obtain the visual behavior trajectory corresponding to the target user identifier is described in a subsequent embodiment and is not repeated here.
S205: and judging whether the operation behavior corresponding to the target user identification is abnormal or not based on the visual behavior track.
Specifically, the visual behavior trajectory is compared with the operations that need to be executed to achieve the target operation, and it is judged whether the operation behavior corresponding to the target user identifier is abnormal. If it is abnormal, the cause of the abnormality is analyzed from the difference between the two and an early warning is issued.
In a specific implementation, according to the obtained visual behavior trajectory, when the log records no requests for js, html or jpg files and the interface is accessed directly to query data, the user's account may be using a crawler or a robot to traverse and crawl data. The abnormal operation behavior log of the business staff member is thus located precisely, an early warning e-mail is sent, and the matter is handled promptly.
In this embodiment, each time an access request is detected a user identifier is obtained from the access request, a random character string is generated based on the user identifier, the random character string is added to the request message and the response message, log data is generated from the request message and the response message, and the log data is stored in the log cloud platform. Because a different random code is generated for each behavior, the log data of different access behaviors of the same user can be distinguished, which improves the accuracy of subsequent log queries. When a query request for a user operation behavior is received, the user identifier contained in the query request is taken as the target user identifier, the log data corresponding to the target user identifier is retrieved from the log cloud platform as the target log, behavior trajectory analysis is performed on the target log to obtain a visual behavior trajectory corresponding to the target user identifier, and whether the operation behavior corresponding to the target user identifier is abnormal is judged based on the visual behavior trajectory. The behavior trajectory is thus analyzed and judged visually, and the monitoring efficiency of behavior data is improved.
In some optional implementations of this embodiment, in step S202, the request message and the response message include a log jump parameter field, and adding the random character string to the request message and the response message includes:
analyzing the request message, and adding the random character string into a log jump parameter field of the request message to obtain an updated request message;
and generating a response message based on the updated request message.
In this embodiment the generated random character string is added to the request message, so that all logs of one behavior carry the same random character string while different behaviors carry different strings, which improves the accuracy of grouping each behavior of the same user.
In some optional implementations of this embodiment, in step S202 storing the log data to the log cloud platform includes:
collecting log data at a preset time interval with a scheduled script, and compressing the collected log data to obtain compressed data;
uploading the compressed log data to a distributed file system for storage;
slicing the program running logs stored in the distributed file system into a plurality of slice tasks, and parsing the log file corresponding to each slice task;
and, for the parsed log file of each slice task, storing the classification statistics into the log cloud platform keyed by request interface path.
The preset time interval can be set according to actual requirements.
Specifically, log data is collected at the preset interval by the scheduled script, compressed and stored in the distributed file system, sliced and parsed, and the parsed results are stored in the log cloud platform. Later queries then read the already-parsed results directly, which speeds up generation of the visual trajectory.
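The following is an added example of the collection pipeline described above; it is not code from the patent. The JSON-lines sample is constructed, the in-memory class stands in for the distributed file system (the patent names none), the statistics kept per request interface path (request count, 5xx count, distinct users) are an assumed choice, and the "log cloud platform" is modelled as a dict keyed by path. The last sample line is deliberately malformed to show that one bad line is counted rather than aborting a slice task.

```python
import gzip
import json
from collections import defaultdict

# Constructed sample: one collection interval of JSON-lines log data (not from the patent).
# The last line is deliberately malformed.
COLLECTED_LINES = [
    '{"ts":"2020-03-02T09:00:01","user_id":"u1001","random_string":"u1001-a1","path":"/api/policy/query","status":200}',
    '{"ts":"2020-03-02T09:00:04","user_id":"u1001","random_string":"u1001-b7","path":"/api/policy/query","status":200}',
    '{"ts":"2020-03-02T09:00:09","user_id":"u2002","random_string":"u2002-c3","path":"/api/policy/query","status":500}',
    '{"ts":"2020-03-02T09:01:00","user_id":"u3003","random_string":"u3003-d9","path":"/api/policy/export","status":200}',
    '{"ts":"2020-03-02T09:01:30","user_id":"u3003","random_string":"u3003-e2","path":"/api/policy/export","status":403}',
    '{"ts":"2020-03-02T09:02:00","user_id":"u2002","random_string":"u2002-f5","path":"/login","status":200}',
    'not json at all',
]


def compress_collected(lines):
    """What the scheduled script does at the end of each interval: compress before upload."""
    return gzip.compress("\n".join(lines).encode("utf-8"))


class InMemoryDFS:
    """Stand-in for the distributed file system (assumption; the patent does not name one)."""
    def __init__(self):
        self.files = {}

    def put(self, name, data):
        self.files[name] = data

    def get(self, name):
        return self.files[name]


def slice_tasks(blob, slice_size):
    """Decompress one stored file and cut it into slice tasks of slice_size lines each."""
    lines = gzip.decompress(blob).decode("utf-8").splitlines()
    return [lines[i:i + slice_size] for i in range(0, len(lines), slice_size)]


def analyze_slice(lines):
    """Parse one slice and classify its records by request interface path."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "users": set()})
    malformed = 0
    for line in lines:
        try:
            rec = json.loads(line)
            path = rec["path"]
        except (json.JSONDecodeError, KeyError, TypeError):
            malformed += 1          # counted, never fatal for the slice
            continue
        entry = stats[path]
        entry["requests"] += 1
        entry["users"].add(rec.get("user_id"))
        if int(rec.get("status", 0)) >= 500:
            entry["errors"] += 1
    return stats, malformed


def merge_results(results):
    """Combine per-slice statistics into one classification result."""
    merged = defaultdict(lambda: {"requests": 0, "errors": 0, "users": set()})
    malformed = 0
    for stats, bad in results:
        malformed += bad
        for path, entry in stats.items():
            merged[path]["requests"] += entry["requests"]
            merged[path]["errors"] += entry["errors"]
            merged[path]["users"] |= entry["users"]
    return merged, malformed


def run_pipeline(lines, slice_size=3):
    """Collect -> compress -> DFS -> slice -> analyze -> store by interface path."""
    dfs = InMemoryDFS()
    dfs.put("logs/2020-03-02T0900.gz", compress_collected(lines))
    tasks = slice_tasks(dfs.get("logs/2020-03-02T0900.gz"), slice_size)
    merged, malformed = merge_results(analyze_slice(t) for t in tasks)
    # The "log cloud platform" is modelled as a dict keyed by request interface path (assumption).
    platform = {
        path: {"requests": e["requests"], "errors": e["errors"], "distinct_users": len(e["users"])}
        for path, e in merged.items()
    }
    return platform, malformed, len(tasks)
```

Slice tasks are independent, so in a real deployment they can be handed to separate workers and their results merged exactly as `merge_results` does here.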
In some optional implementations of this embodiment, in step S203 the query request includes a query time range and a query path range, and obtaining the log data corresponding to the target user identifier from the log cloud platform as the target log includes:
executing a query in the log cloud platform based on the query time range and the query path range to obtain an initial query result;
and traversing the initial query result and taking the log data that contains the target user identifier as the target log.
Specifically, the query in the log cloud platform is first restricted by the query time range and the query path range to obtain an initial query result, and the log data containing the target user identifier is then picked out of that result as the target log, which improves query efficiency.
The query time range is a time interval, for example 2 March 2020 to 5 March 2020; the query path range is the system or application that generated the logs being queried.
In this embodiment, limiting the query time range and the query path range in the query request reduces the amount of data queried and improves query efficiency; at the same time the target log is smaller, which helps to locate the user's behavior trajectory accurately in the following steps.
In some optional implementations of this embodiment, in step S204 performing behavior trajectory analysis on the target log to obtain the visual behavior trajectory corresponding to the target user identifier includes:
obtaining the random character string contained in each target log entry, and taking the target log entries with the same random character string as one group of behavior logs;
for each group of behavior logs, sorting by log generation time to obtain the access sequence corresponding to that group;
and, for each access sequence, extracting the behavior record of each log entry in the sequence and chaining the behavior records in the order of the sequence to obtain a behavior trajectory.
Specifically, target log entries with the same random character string are put into one group, so that the behavior logs of each access by the user are packaged independently. Each group is sorted by time to obtain its access sequence; for each access sequence the behavior record of every log entry is extracted, and the records are chained in sequence order to obtain the behavior trajectory.
Specifically, a visualization tool can be used: the time of each behavior record, its access path and its access behavior are fed to the tool as node data, and the tool links the nodes in series to draw the behavior trajectory.
In this embodiment, behavior trajectory analysis of the target log yields the visual behavior trajectory for the target user identifier, so that whether an abnormality exists can be quickly determined from the visual trajectory afterwards, which improves the monitoring efficiency of behavior data.
In some optional implementations of this embodiment, the behavior data monitoring method further includes, after step S205:
if the judgment result is that the operation behavior corresponding to the target user identifier is abnormal, executing early warning processing according to a preset early warning mode.
Specifically, when the judgment result is that the operation behavior corresponding to the target user identifier is abnormal, an early warning is triggered and handled according to the preset early warning mode.
The preset early warning mode can be divided into different warning levels according to the degree of the abnormal behavior, for example notification reminder, e-mail warning, telephone warning and so on.
In this embodiment, abnormal behavior is therefore brought to attention promptly.
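The following is an added example that runs steps S203 through S205 and the early warning together: the time-range and path-range query, grouping by random string, time ordering, trajectory construction and an anomaly judgment with warning levels. It is written for this page and is not code from the patent. The platform contents are constructed, "system" stands in for the query path range, the trajectory is rendered as text where a real deployment would feed the node data to a visualization tool, and the judgment rules (a sensitive interface reached outside business hours, an over-long call chain) and the three warning levels are assumptions, since the patent leaves the criteria open.

```python
from collections import defaultdict

# Constructed contents of the log cloud platform after the collection stage (not from the patent).
# 'system' stands in for the query path range; 'random_string' groups one behaviour's entries.
LOG_CLOUD = [
    {"ts": "2020-03-02T09:00:01", "system": "policy", "user_id": "u1001", "random_string": "u1001-a1", "path": "/api/policy/query"},
    {"ts": "2020-03-02T09:00:03", "system": "policy", "user_id": "u1001", "random_string": "u1001-a1", "path": "/svc/customer/read"},
    {"ts": "2020-03-02T09:00:02", "system": "policy", "user_id": "u1001", "random_string": "u1001-a1", "path": "/svc/policy/read"},
    {"ts": "2020-03-02T09:01:00", "system": "policy", "user_id": "u2002", "random_string": "u2002-c3", "path": "/api/policy/query"},
    {"ts": "2020-03-04T23:10:00", "system": "policy", "user_id": "u1001", "random_string": "u1001-b7", "path": "/api/policy/export"},
    {"ts": "2020-03-04T23:10:02", "system": "policy", "user_id": "u1001", "random_string": "u1001-b7", "path": "/svc/policy/read"},
    {"ts": "2020-03-04T23:10:01", "system": "policy", "user_id": "u1001", "random_string": "u1001-b7", "path": "/svc/policy/read"},
    {"ts": "2020-03-07T10:00:00", "system": "policy", "user_id": "u1001", "random_string": "u1001-d9", "path": "/api/policy/query"},
    {"ts": "2020-03-03T08:00:00", "system": "claims", "user_id": "u1001", "random_string": "u1001-e2", "path": "/api/claim/query"},
]


def query_target_logs(platform, start, end, systems, target_user):
    """S203: narrow by time range and path range first, then traverse for the target user."""
    initial = [r for r in platform if start <= r["ts"] <= end and r["system"] in systems]
    return [r for r in initial if r["user_id"] == target_user]


def build_trajectories(target_logs):
    """S204: group by random string, sort each group by time, chain the behaviour records."""
    groups = defaultdict(list)
    for rec in target_logs:
        groups[rec["random_string"]].append(rec)
    trajectories = []
    for random_string, logs in groups.items():
        sequence = sorted(logs, key=lambda r: r["ts"])
        nodes = [(r["ts"], r["path"]) for r in sequence]   # node data: time and access path
        trajectories.append({"random_string": random_string, "nodes": nodes})
    trajectories.sort(key=lambda t: t["nodes"][0][0])       # earliest behaviour first
    return trajectories


def render_trajectory(trajectory):
    """Text form of the visual track; a real deployment feeds the nodes to a visualization tool."""
    return " -> ".join(f"{ts} {path}" for ts, path in trajectory["nodes"])


# Judgment rules and warning levels are assumptions; the patent leaves both open.
SENSITIVE_PATHS = {"/api/policy/export"}
BUSINESS_HOURS = range(8, 20)
MAX_CHAIN_LENGTH = 5
WARNING_MODES = {1: "notification", 2: "mail", 3: "phone"}


def judge_anomaly(trajectories):
    """S205: return (level, reason, rendered track) for every abnormal trajectory."""
    findings = []
    for t in trajectories:
        for ts, path in t["nodes"]:
            if path in SENSITIVE_PATHS and int(ts[11:13]) not in BUSINESS_HOURS:
                findings.append((3, f"sensitive interface {path} outside business hours", render_trajectory(t)))
                break
        if len(t["nodes"]) > MAX_CHAIN_LENGTH:
            findings.append((1, f"call chain of {len(t['nodes'])} nodes", render_trajectory(t)))
    return findings


def early_warning(findings):
    """Choose the warning mode from the highest level among the findings; None if nothing abnormal."""
    if not findings:
        return None
    return WARNING_MODES[max(level for level, _, _ in findings)]


def monitor(platform, start, end, systems, target_user):
    """Full query -> trajectory -> judgment -> warning flow for one target user identifier."""
    target = query_target_logs(platform, start, end, systems, target_user)
    trajectories = build_trajectories(target)
    findings = judge_anomaly(trajectories)
    return trajectories, findings, early_warning(findings)
```

The out-of-order timestamps in the `u1001-b7` group are intentional: entries from different services arrive at the platform in no fixed order, which is why the sort inside each group, not the insertion order, defines the access sequence.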
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an execution order; the execution order of each process is determined by its function and internal logic and does not limit the implementation of the embodiments of the present invention.
Fig. 3 shows a schematic block diagram of a behavior data monitoring device, which corresponds one-to-one to the behavior data monitoring method described above. As shown in Fig. 3, the device includes a character string generation module 31, a log collection module 32, a log query module 33, a behavior visualization module 34 and an abnormality judgment module 35. The functional modules are explained in detail as follows:
a character string generation module 31, configured to, each time an access request is detected, obtain a user identifier from the access request and generate a random character string based on the user identifier;
a log collection module 32, configured to add the random character string to the request message and the response message, generate log data from the request message and the response message, and store the log data in the log cloud platform;
a log query module 33, configured to, if a query request for a user operation behavior is received, take the user identifier contained in the query request as the target user identifier and obtain the log data corresponding to the target user identifier from the log cloud platform as the target log;
a behavior visualization module 34, configured to perform behavior trajectory analysis on the target log to obtain the visual behavior trajectory corresponding to the target user identifier;
and an abnormality judgment module 35, configured to judge whether the operation behavior corresponding to the target user identifier is abnormal based on the visual behavior trajectory.
Optionally, the log collection module 32 includes:
a request message updating unit, configured to parse the request message and add the random character string to the log jump parameter field of the request message to obtain an updated request message;
and the response message generating unit is used for generating a response message based on the updated request message.
Optionally, the log collection module 32 further includes:
a scheduled collection unit, configured to collect log data at a preset time interval with a scheduled script and compress the collected log data to obtain compressed data;
a distributed transmission unit, configured to upload the compressed log data to a distributed file system for storage;
a slice analysis unit, configured to slice the program running logs stored in the distributed file system into a plurality of slice tasks and parse the log file corresponding to each slice task;
and a classification storage unit, configured to store, for the parsed log file of each slice task, the classification statistics into the log cloud platform keyed by request interface path.
Optionally, the log query module 33 includes:
the initial query unit is used for executing query processing in the log cloud platform based on the query time range and the query path range to obtain an initial query result;
and a traversal query unit, configured to traverse the initial query result and take the log data containing the target user identifier as the target log.
Optionally, the behavior visualization module 34 includes:
the grouping unit is used for acquiring the random character strings contained in each target log and taking the target logs with the same random character strings as a group of behavior logs;
the sorting unit is used for sorting each group of behavior logs according to the log generation time point to obtain an access sequence corresponding to the behavior logs;
and the log association unit is used for extracting the behavior record of each log in the access sequence aiming at each access sequence, and connecting the behavior records in series according to the sequence of the behavior logs in the access sequence to obtain a behavior track.
Optionally, the monitoring device for behavior data further includes:
and the early warning module is used for executing early warning processing according to a preset early warning mode if the judgment result shows that the operation behavior corresponding to the target user identification is abnormal.
For specific limitations of the behavior data monitoring device, reference may be made to the limitations of the behavior data monitoring method above, which are not repeated here. The modules of the behavior data monitoring device can be implemented wholly or partly in software, in hardware or in a combination of the two. The modules can be embedded in hardware form in, or independently of, the processor of the computer device, or stored in software form in the memory of the computer device, so that the processor can call them and execute the corresponding operations.
In order to solve the technical problem, an embodiment of the present application further provides a computer device. Referring to fig. 4, fig. 4 is a block diagram of a basic structure of a computer device according to the present embodiment.
The computer device 4 comprises a memory 41, a processor 42 and a network interface 43, communicatively connected to each other via a system bus. Only a computer device 4 with the components memory 41, processor 42 and network interface 43 is shown, but it is understood that not all of the shown components are required, and more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 41 includes at least one type of readable storage medium, including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the memory 41 may be an internal storage unit of the computer device 4, such as a hard disk or memory of the computer device 4. In other embodiments, the memory 41 may also be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash memory card provided on the computer device 4. Of course, the memory 41 may also include both internal and external storage devices of the computer device 4. In this embodiment, the memory 41 is generally used for storing the operating system installed on the computer device 4 and various application software, such as the program code of the behavior data monitoring method. Further, the memory 41 may also be used to temporarily store various data that have been output or are to be output.
The processor 42 may in some embodiments be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip. The processor 42 is typically used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is configured to execute the program code stored in the memory 41 or to process data, for example by executing the program code of the behavior data monitoring method.
The network interface 43 may comprise a wireless network interface or a wired network interface, and the network interface 43 is generally used for establishing communication connection between the computer device 4 and other electronic devices.
The present application further provides another embodiment, a computer-readable storage medium that stores a computer program which can be executed by at least one processor, so as to cause the at least one processor to execute the steps of the behavior data monitoring method described above.
From the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus the necessary general hardware platform, and of course also by hardware alone, but in many cases the former is the better implementation. On this understanding, the technical solution of the present application may be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disk) that includes instructions enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner or a network device) to execute the method according to the embodiments of the present application.
It is to be understood that the embodiments described above are only some embodiments of the invention and do not limit its scope; the appended drawings illustrate preferred embodiments and likewise do not limit the scope of the invention. This application can be embodied in many different forms and is provided so that the disclosure of the application is thoroughly understood. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that the technical solutions of the foregoing embodiments may still be modified, or some of their features replaced by equivalents. All equivalent structures made using the contents of the specification and drawings of the present application, whether applied directly or indirectly in other related technical fields, fall within the scope of protection of the present application.

Claims (10)

1. A method for monitoring behavior data is characterized by comprising the following steps:
when an access request is detected each time, acquiring a user identifier from the access request, and generating a random character string based on the user identifier;
adding the random character string into a request message and a response message, generating log data according to the request message and the response message, and storing the log data to a log cloud platform;
if an inquiry request aiming at user operation behaviors is received, acquiring a user identifier contained in the inquiry request as a target user identifier, and acquiring log data corresponding to the target user identifier from the log cloud platform as a target log;
performing behavior trajectory analysis on the target log to obtain a visual behavior trajectory corresponding to the target user identifier;
and judging whether the operation behavior corresponding to the target user identifier is abnormal based on the visual behavior trajectory.
2. The method for monitoring behavioral data according to claim 1, wherein the request message and the response message contain log jump parameter fields, and the adding the random string to the request message and the response message includes:
analyzing the request message, and adding the random character string into a log jump parameter field of the request message to obtain an updated request message;
and generating the response message based on the updated request message.
3. The method for monitoring behavioral data according to claim 1, wherein the storing the log data to a log cloud platform includes:
collecting the log data according to a preset time interval by adopting a timing script, and compressing the collected log data to obtain compressed data;
uploading the compressed log data to a distributed file system for storage;
slicing the program running logs stored in the distributed file system to form a plurality of slicing tasks, and analyzing log files corresponding to each slicing task;
and storing the data classification statistical result into a log cloud platform according to the request interface path for the log file corresponding to each slice task after analysis.
4. The method for monitoring behavioral data according to claim 1, wherein the query request includes a query time range and a query path range, and the obtaining, from the log cloud platform, log data corresponding to the target user identifier as a target log includes:
executing query processing in the log cloud platform based on the query time range and the query path range to obtain an initial query result;
and traversing the initial query result to obtain log data containing the target user identification as the target log.
5. The method for monitoring behavioral data according to any one of claims 1 to 4, wherein performing behavior trajectory analysis on the target log to obtain a visual behavior trajectory corresponding to the target user identifier includes:
acquiring the random character string contained in each target log, and taking the target logs with the same random character string as a group of behavior logs;
for each group of behavior logs, sorting according to log generation time points to obtain the access sequence corresponding to the behavior logs;
and for each access sequence, extracting the behavior record of each log in the access sequence, and connecting the behavior records in series according to the order of the behavior logs in the access sequence to obtain a behavior trajectory.
6. The method for monitoring behavioral data according to claim 1, wherein after determining whether the operation behavior corresponding to the target user identifier is abnormal based on the visualized behavior trajectory, the method for monitoring behavioral data further comprises:
and if the judgment result shows that the operation behavior corresponding to the target user identification is abnormal, executing early warning processing according to a preset early warning mode.
7. A device for monitoring behavior data, comprising:
the character string generating module is used for acquiring a user identifier from an access request every time the access request is detected, and generating a random character string based on the user identifier;
the log acquisition module is used for adding the random character string into a request message and a response message, generating log data according to the request message and the response message, and storing the log data into a log cloud platform;
the log query module is used for acquiring a user identifier contained in a query request as a target user identifier if the query request aiming at the user operation behavior is received, and acquiring log data corresponding to the target user identifier from the log cloud platform as a target log;
the behavior visualization module is used for performing behavior trajectory analysis on the target log to obtain a visual behavior trajectory corresponding to the target user identifier;
and the abnormality judgment module is used for judging whether the operation behavior corresponding to the target user identifier is abnormal based on the visual behavior trajectory.
8. The apparatus for monitoring behavioral data according to claim 7, wherein the log collection module includes:
a request message updating unit, configured to parse the request message and add the random character string to the log jump parameter field of the request message to obtain an updated request message;
and the response message generating unit is used for generating the response message based on the updated request message.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method of monitoring behavioural data as claimed in any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out a method of monitoring behavioural data as claimed in any one of claims 1 to 6.
CN202011286429.3A 2020-11-17 2020-11-17 Behavior data monitoring method and device, computer equipment and medium Active CN112491602B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011286429.3A CN112491602B (en) 2020-11-17 2020-11-17 Behavior data monitoring method and device, computer equipment and medium

Publications (2)

Publication Number Publication Date
CN112491602A true CN112491602A (en) 2021-03-12
CN112491602B CN112491602B (en) 2023-09-26

Family

ID=74931646

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011286429.3A Active CN112491602B (en) 2020-11-17 2020-11-17 Behavior data monitoring method and device, computer equipment and medium

Country Status (1)

Country Link
CN (1) CN112491602B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104252453A (en) * 2013-06-25 2014-12-31 腾讯科技(深圳)有限公司 Detection method and system for write operation in webpage recommendation location content access track
CN105592121A (en) * 2014-10-31 2016-05-18 中国科学院声学研究所 RDP data acquisition apparatus and method
CN107609871A (en) * 2017-09-07 2018-01-19 携程旅游网络技术(上海)有限公司 Pay track replay method, device, system, electronic equipment, storage medium
CN108108495A (en) * 2018-01-19 2018-06-01 厦门欣旅通科技有限公司 A kind of method and device for identifying user and accessing track
CN108737549A (en) * 2018-05-25 2018-11-02 江苏联盟信息工程有限公司 A kind of log analysis method and device of big data quantity
CN108829693A (en) * 2018-04-13 2018-11-16 拉扎斯网络科技(上海)有限公司 A kind of user accesses acquisition methods, device and the storage medium of track
CN110659349A (en) * 2019-09-23 2020-01-07 深圳前海微众银行股份有限公司 Log query method, device, equipment and computer readable storage medium
CN111199423A (en) * 2019-12-25 2020-05-26 平安证券股份有限公司 User behavior track generation method, device, equipment and storage medium

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113127319A (en) * 2021-04-06 2021-07-16 北京大米科技有限公司 Information monitoring method, related device and computer storage medium
CN113407415A (en) * 2021-06-28 2021-09-17 四川虹美智能科技有限公司 Log management method and device of intelligent terminal
CN113608907A (en) * 2021-07-21 2021-11-05 阿里巴巴(中国)有限公司 Database auditing method, device, equipment, system and storage medium
CN113608907B (en) * 2021-07-21 2024-03-29 阿里巴巴(中国)有限公司 Database auditing method, device, equipment, system and storage medium
CN113592919A (en) * 2021-08-02 2021-11-02 金茂智慧科技(广州)有限公司 Security control method and related device
CN114040312A (en) * 2021-11-29 2022-02-11 四川虹美智能科技有限公司 Microphone detection method and system of voice air conditioner
CN114040312B (en) * 2021-11-29 2023-08-22 四川虹美智能科技有限公司 Microphone detection method and system of voice air conditioner
CN114499962A (en) * 2021-12-24 2022-05-13 深圳开源互联网安全技术有限公司 File detection method and device, computer equipment and storage medium
CN114499962B (en) * 2021-12-24 2023-09-08 深圳开源互联网安全技术有限公司 File detection method, device, computer equipment and storage medium
CN115514779A (en) * 2022-09-30 2022-12-23 湖北大学 Method and system for recording weblog

Also Published As

Publication number Publication date
CN112491602B (en) 2023-09-26

Similar Documents

Publication Publication Date Title
CN112491602B (en) Behavior data monitoring method and device, computer equipment and medium
CN108667855B (en) Network flow abnormity monitoring method and device, electronic equipment and storage medium
CN113489713B (en) Network attack detection method, device, equipment and storage medium
CN109543891B (en) Method and apparatus for establishing capacity prediction model, and computer-readable storage medium
CN114817968B (en) Method, device and equipment for tracing path of featureless data and storage medium
CN112162965A (en) Log data processing method and device, computer equipment and storage medium
CN112394908A (en) Method and device for automatically generating embedded point page, computer equipment and storage medium
CN115757495A (en) Cache data processing method and device, computer equipment and storage medium
CN110807050B (en) Performance analysis method, device, computer equipment and storage medium
CN115329381A (en) Sensitive data-based analysis and early warning method and device, computer equipment and medium
CN115033876A (en) Log processing method, log processing device, computer device and storage medium
CN112528295B (en) Vulnerability restoration method and device for industrial control system
CN113836237A (en) Method and device for auditing data operation of database
CN111797297A (en) Page data processing method and device, computer equipment and storage medium
CN111767262A (en) Log display method, device, equipment and storage medium
CN111368039B (en) Data management system
CN110851346A (en) Method, device and equipment for detecting boundary problem of query statement and storage medium
CN115150261B (en) Alarm analysis method, device, electronic equipment and storage medium
CN113656044B (en) Android installation package compression method and device, computer equipment and storage medium
CN110719260B (en) Intelligent network security analysis method and device and computer readable storage medium
CN107609008A (en) A kind of data importing device and method from relevant database to Kafka based on Apache Sqoop
CN116627778A (en) Service system performance monitoring method and device, computer equipment and storage medium
CN115150261A (en) Alarm analysis method and device, electronic equipment and storage medium
CN114611113A (en) Vulnerability repairing method and device, computer equipment and storage medium
CN115878460A (en) Regression testing method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant