CN112685272A - Interpretable user behavior abnormity detection method - Google Patents

Interpretable user behavior abnormity detection method Download PDF

Info

Publication number
CN112685272A
CN112685272A CN202011590113.3A CN202011590113A CN112685272A CN 112685272 A CN112685272 A CN 112685272A CN 202011590113 A CN202011590113 A CN 202011590113A CN 112685272 A CN112685272 A CN 112685272A
Authority
CN
China
Prior art keywords
user
graph
node
classification model
users
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011590113.3A
Other languages
Chinese (zh)
Other versions
CN112685272B (en
Inventor
彭佳
计畅
李敏
高能
屠晨阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS filed Critical Institute of Information Engineering of CAS
Priority to CN202011590113.3A priority Critical patent/CN112685272B/en
Publication of CN112685272A publication Critical patent/CN112685272A/en
Application granted granted Critical
Publication of CN112685272B publication Critical patent/CN112685272B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method for detecting user behavior abnormity with interpretability, which comprises the following steps: 1) collecting the characteristic information of the users in the target network by using a characteristic extraction module; 2) the graph matrix module constructs an adjacency matrix according to the characteristic information of each user; the graph matrix module determines whether direct contact exists between users according to the user characteristic information, and determines contact between the users according to similarity between the users; 3) training a neural network of the graph by using the adjacency matrix to obtain a classification model; 4) training the classification model by using a graph interpretation module to set an optimization objective function to obtain a graph mask M and a feature selector F; 5) inputting the characteristics of a user to be detected into the trained classification model to obtain a classification result, if the user is an abnormal node, obtaining the associated node of the abnormal node from the classification model by using M, and obtaining the associated characteristic which is most relevant to the abnormal node in the characteristics of each node of the classification model by using F.

Description

Interpretable user behavior abnormity detection method
Technical Field
The invention belongs to the field of machine learning, and particularly relates to a user behavior abnormity detection method with interpretability by using a graph convolution network.
Background
As can be seen in security incidents in recent years, internal threats have become a major cause of enterprise or organizational threats. Internal threats refer to the act of internal personnel making harm to the trusted organization using the acquired trust. These benefits include the economic benefits of the enterprise, business operations, foreign services, and credentialing agent reputations, among others. Internal threats include not only behaviors where an organization's legitimate members intentionally or unintentionally compromise the interests of the organization, but also attacks where an external masquerade as an internal member. With the popularization of informatization, people commonly use electronic equipment in work, and more behavior data are generated and accumulated. By mining and applying the behavior data, the user behavior data is subjected to abnormal detection, so that the detection of the internal threat can be realized, and the early warning of the internal threat is provided for enterprises or organizations.
Earlier methods of detecting user behavioral anomalies were mainly based on classification methods. Methods such as Support Vector Machines (Support Vector Machines) and Multi-layer perceptrons (Multi Layered Perceptron) are mainly used for converting the anomaly detection into a binary problem. In the testing phase, it is often fast to use such algorithms that are already trained. However, such an algorithm has a problem that large-scale labeling of data is required. Especially in the case that the abnormal data of the user behavior is usually very unbalanced data, the method can not achieve the ideal effect in the training due to the fact that the abnormal data is too less than the normal data.
Compared with the traditional method, the method based on deep learning which is popular recently has multiple advantages, namely that the characteristics for anomaly detection can be automatically found through a deep learning model in learning, the deep learning model represented by a Recurrent Neural Network (Recurrent Neural Network) has excellent performance on modeling sequence data, and the deep learning model can be fused with heterogeneous data so as to introduce more information to enhance the final effect of anomaly detection.
Of the mainstream algorithms described above, the conventional algorithm based on classification has difficulty in acquiring proper training data in the task of detecting the user behavior abnormality, and the method based on deep learning is generally called as a "black box". Although the deep learning model achieves exciting effects in some fields, the lack of interpretability causes uncertainty in the use of deep learning in some fields. Particularly, on the task of detecting the abnormal behavior of the user, even if the deep learning model has good performance, the accuracy cannot reach 100%, and if the model is misreported and the reason causing the abnormal behavior cannot be explained, certain staff are likely to be unnecessarily injured.
Disclosure of Invention
In view of the above-mentioned state of the art, it is an object of the present invention to provide an interpretable user behavior anomaly detection method using a graph and volume network. The invention can construct a topological graph by the information of user attribute, relationship and the like, so that the nodes on the graph not only contain the attribute information of the nodes, such as IP addresses, ports and the like, but also contain some structural information, such as modes of communication between the nodes; and then, carrying out abnormity detection on user behaviors by using a Graph Convolutional network (Graph relational Networks), and then analyzing the Graph Convolutional network by using a Graph interpretation network to enhance interpretability.
In order to achieve the purpose, the invention adopts the following scheme:
an interpretable user behavior anomaly detection method comprises the following steps:
1) collecting the characteristic information of the users in the target network by using a characteristic extraction module;
2) the graph matrix module constructs an adjacency matrix according to the characteristic information of each user; the graph matrix module determines whether direct connection exists between users according to the user characteristic information, and then uses a weight equation A (i, j) ═ w × cos (F)i,Fj)+(1-w)*CijCalculating the similarity A (i, j) between the user i and the user j, and determining the relation between the users according to the similarity; fiIs a special of user iSign information, FjIs the characteristic information of user j, w is the weight coefficient, CijRepresenting whether there is a direct contact between user i and user j, if so C ij1, otherwise Cij=0;
3) Utilizing the adjacency matrix training diagram neural network to obtain a classification model for anomaly detection;
4) inputting the characteristic information of the user into the obtained classification model to obtain a classification result (namely abnormal or non-abnormal);
5) training the classification model by using a graph interpretation module to set an optimization objective function to obtain a graph mask M and a feature selector F; wherein the optimization objective function of the graph interpretation module is
Figure BDA0002868380790000021
6) Inputting the characteristics of a user to be detected into the trained classification model to obtain a classification result, if the user is an abnormal node, obtaining the associated node of the abnormal node from the classification model by using a graph mask M, obtaining the associated characteristic most relevant to the abnormal node in the characteristics of each node of the classification model by using a characteristic selector F, and taking the obtained associated node and the associated characteristic as the interpretation information of the abnormal node.
And training according to the target function by using the GCN classification model obtained after training to obtain a graph mask M and a feature selector F. And obtaining nodes which contribute more to the classification result in the trained GCN classification model by using the graph mask M (edges which are lower than the threshold value in the graph mask are removed by adjusting the size of the threshold value, and the reserved nodes are the nodes which contribute more to the classification result). And obtaining the nodes with larger contribution in the characteristics of the nodes by using the characteristic selector F. The interpretation model is an operation performed on the trained classification model after the classification model is obtained, the detection result is not influenced, but the obtained result is interpreted, and by the nodes and the features with larger contribution values, the relationship between the abnormal node and the nodes and the features is larger, so that the obtained interpretation is realized.
The invention relates to a method for detecting user behavior abnormity with interpretability, which comprises the steps of firstly using a characteristic extraction module to collect characteristic information of each user in a network, wherein the characteristic information comprises user behavior characteristics such as login and logout characteristics, equipment characteristics, file characteristics, mail characteristics, webpage browsing characteristics and the like. Then, the adjacency matrix is constructed by utilizing the graph matrix module to embody the connection between users, and because a plurality of users are isolated on the social network in the internal threat monitoring application, the weak connection of some users is established by using the weight equation through the similarity of the user behavior characteristics when the adjacency matrix (namely the topological graph of the user relationship) is constructed. Then, the invention trains a GCN classification model for anomaly detection by using the adjacency matrix and the user attribute characteristics as input. The invention then uses a graph interpretation module to perform structural and feature interpretation on the trained classification model.
The feature extraction module is a module that contains all users and their behavior features (the final result obtained by the feature extraction module is a matrix, each row represents a user, and each column represents a feature). The module collects the behavior of each user on the target network and extracts specific behavior characteristics, including device usage characteristics, login characteristics, file usage characteristics, social characteristics, browsing characteristics, and the like. These features provide attribute information for the user as a node of the graph.
Further, the feature extraction module obtains a feature matrix F as a matrix of N × D, where N represents the number of users included in the network, and D represents the behavior feature number of each user.
The graph matrix module is a module for constructing an adjacency matrix, which embodies the connection between users and provides important information for constructing the social network graph. In a conventional neural network, the adjacency matrix is usually represented by 1 and 0, respectively, indicating that there is or is not a connection between nodes. The invention defines that the users with mail communication have direct contact, and the users without mail communication records have no contact. But different from social networks and knowledge graphs, in the user data of internal threats, a plurality of isolated users without mail communication records exist, and each user corresponds to one node. Because of the existence of this part of users, the invention uses a weight equation to establish the connection with other nodes for these isolated users.
Furthermore, an adjacent matrix in the graph matrix module defines an N × N matrix a, which represents the relationship between users.
Further, direct contact between user i and user j uses CijAnd (0, 1).
Further, the adjacency matrix is formed by using the weight equation a (i, j) ═ w × cos (F) to solve the problem of isolated usersi,Fj)+(1-w)*CijEstablishing a relation for users, wherein the relation between direct relation and similarity between the users is balanced by using a parameter w (01) (namely the value of a weight coefficient w is 0-1); cijRepresenting whether there is a direct contact between user i and user j, if so C ij1, otherwise Cij=0。
Further, when A (i, j) > 0.5, the invention establishes the contact between the user i and the user j.
The graph convolution network module is used as a user behavior abnormity detection classification model. The present invention uses a Graph Convolution Network (GCN) to train an anomaly classification model. The input is a feature extraction matrix and an adjacency matrix, and after the feature extraction matrix and the adjacency matrix pass through a graph convolution network, the classification result of each node is output, namely whether each node is abnormal or not is determined.
Further, the graph volume network module uses a two-layer graph volume network.
Further, a specific expression of the graph convolution network is Z ═ f (X, a) ═ soft max (a ReLU (AXW)0)W1) Wherein W is0Representing a weight matrix from the input layer to the hidden layer, W1A weight matrix representing the weights from the hidden layer to the output layer; x is a matrix of node feature vectors, corresponding to the preceding feature matrix F.
Further, in order to calculate the classification result of each node, the invention uses the softmax activation function to calculate the output of each node, and the specific equation is
Figure BDA0002868380790000041
xiIs representative of softmax (AReLU (AXW)0)W1) AReLU (AXW) in (C)0)W1The ith row in the matrix, namely the output result of the graph convolution network, has a value range of 0-N.
Further, W in the training graph convolutional network model0And W1In matrix, the present invention uses a batch gradient descent (batch gradient device) method.
Further, a cross entropy loss function is used in the training
Figure BDA0002868380790000042
Wherein Y islfIs true probability, ZlfIs the prediction probability, yL represents the number of operation samples (i.e., the number of users in the adjacency matrix), and F is the number of class labels.
The diagram interpretation module analyzes and interprets the trained diagram convolution network classification model. The invention analyzes the classification model from the structural and characteristic information of the graph. The module obtains partial graph structure information and characteristic information which are most helpful to the classification result through training, so that the classification model is explained to a certain extent on the contribution value.
Further, for a node, the structure and features as it is most relevant to the model prediction result Y are G respectivelysAnd XsThen the importance of the correlation can be measured by Mutual Information (Mutual Information):
Figure BDA0002868380790000043
where H (Y) is the result of the computation of the information entropy function H () on Y, the above equation is equivalent to minimizing H (Y | G ═ G) because the model is interpreted on the GCN that has been trained wells,X=Xs)。
Further, due to
Figure BDA0002868380790000044
The new optimization objective is
Figure BDA0002868380790000045
Figure BDA0002868380790000046
Indicates the expected value, PΦ() Representing a probability value XSFor the feature G that node S contributes most to the abnormal node YSFor the sub-graph of the optimal contribution of node S to the abnormal node Y, H () is an information entropy function.
Further, by using the Jensen inequality and the convexity assumption, an upper limit can be obtained, and the optimization objective becomes
Figure BDA0002868380790000051
Figure BDA0002868380790000052
Is a random graph variable
Figure BDA0002868380790000053
Is calculated from the expected value of (c).
Further, the random graph variables are approximated by mean field variation
Figure BDA0002868380790000054
Is decomposed
Figure BDA0002868380790000055
A hereins[j,k]Representative edge (upsilon)j,υk) With the expectation that Gc represents all subgraphs.
Further, in the above-mentioned case,
Figure BDA0002868380790000056
can be used as AcAs an alternative, Ac is a contiguous matrix, M is a Mask to be learned by the block (Graph Mask), which is a Hadamard product, i.e., an in-bit element corresponding multiplication.
Further, for the explanation part of the graph structure of the classification model, the optimization function is
Figure BDA0002868380790000057
P hereΦIs a probability value that is a function of,
Figure BDA00028683807900000517
is an indication function that, when y ═ c,
Figure BDA0002868380790000058
when y is not equal to c, the total weight of the alloy is less than c,
Figure BDA0002868380790000059
further, the interpretation of the feature selection part is similar to the interpretation of the graph structure, and the model interpretation is realized by selecting the part most relevant to the prediction result, and the specific formula is
Figure BDA00028683807900000510
Buckle r
Figure BDA00028683807900000511
Wherein
Figure BDA00028683807900000512
Is the most contributing sub-graph GsIs determined by the node characteristics of (1),
Figure BDA00028683807900000513
is a node feature that is not covered by a mask, vjIs node j in the graph structure, F is the feature selector, F is the {0, 1}dAnd d is a feature number.
Further, considering the choice of structure and features, the diagram illustrates the final optimization goal of the module as
Figure BDA00028683807900000514
Wherein
Figure BDA00028683807900000515
Is the feature selector for target learning, d is the feature number, MI () mutual information function.
Further, the classification model is trained by setting an optimization objective function by using a graph interpretation module to obtainTo the graph mask M and feature selector F; wherein the optimization objective function of the graph interpretation module is
Figure BDA00028683807900000516
XSFeatures, G, for optimal contribution of node S to abnormal node YSA subgraph and H () of the optimal contribution of the node S to the abnormal node Y are information entropy functions; by training the obtained graph mask M and the feature selector F, the invention can obtain the nodes which have great contribution to the classification result in structure; features that characteristically contribute significantly to the classification result. Thereby giving a degree of interpretation of the classification results.
Compared with the prior art, the invention has the following positive effects:
the method has the advantages that the abnormal behaviors of the users are detected by using the graph neural network, so that the connection and the similarity between the users can be better captured, meanwhile, the connection between isolated users is increased by using a weight equation, and the most relevant structures and characteristics are obtained by analyzing the detected results structurally and characteristically through an image interpretation model.
The method can capture deep level relation of the user from the relevance and the behavior characteristics of the user by utilizing the graph neural network, thereby discovering abnormal users, better understanding other nodes and the most relevant characteristics on the graph structure which are most relevant to the classification result through the graph interpretable module to obtain abnormal reasons, including relevant users, obvious abnormal behavior characteristics and the like, and obtaining good effect on user behavior abnormality detection.
Drawings
FIG. 1 is a schematic diagram of the overall system;
FIG. 2 is a schematic diagram of a graph convolution network module;
FIG. 3 is a diagram illustrating the results of a module;
(a) structurally contributing to larger nodes, (b) characteristically contributing to larger eigenvalues.
Detailed Description
In order to make the objects, schemes and advantages of the present invention more apparent, the present invention is further described in detail below by taking an experiment performed on a real data set as an example. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Taking the CMU CERT v4.2 dataset as an example, a specific implementation step of the interpretable user behavior anomaly detection scheme is described.
The CMU CERT v4.2 data set simulates three main types of attack behavior data of system destruction, information stealing and internal fraud implemented by malicious internal persons and a large amount of normal background data. The CMU CERT v4.2 dataset relates to 1000 user behavior data of multiple dimensions, such as file access (file name, type, etc. for creation, modification, deletion, etc.), mail sending and receiving, device usage (mobile storage device, printer, etc.), HTTP access, system login, etc. behaviors, and also includes information of user's work position and work department. The CMU CERT v4.2 dataset provides comprehensive behavioral observations of the user to characterize the user behavior model.
In the embodiment, the task of the method is to detect the user behavior abnormity and discover the internal threat user. The overall system architecture of the present invention is shown in FIG. 1. The example takes 160 normal nodes and 40 abnormal nodes in the CMU CERT v4.2 dataset as training sets, and 170 normal nodes and 30 abnormal nodes as test sets. The evaluation criteria were accuracy, precision and recall.
Firstly, describing a characteristic extraction module, wherein the behavior characteristics of each user comprise 30, the login and logout characteristics comprise daily login and logout time, login and logout time of rest period, login and logout time of the rest period, the equipment characteristics comprise the number of daily connected equipment, the number of rest period connected equipment and the number of connected equipment, the file characteristics comprise the number of daily modified files, the total number of files, the number of modified files of rest period, the number of exe files and the number of computers containing files, the mail characteristics comprise the number of daily sending, the number of out-of-organization sending, the number of in-organization sending, the average mail size, the number of recipients, the number of mails related to topics and the number of mails related to emotions, the webpage browsing characteristics comprise the number of daily browsed webpages, the number of emotionally related webpages, the number of topics related webpages, the number of webpages related to topics, the average mail size, the mail size and the like, The number of web pages associated with a particular web site. The feature extraction matrix F defines a matrix of N × D, where N represents the number of users included in the network and D represents the number of behavior features of each user.
Then, to construct the input to the graph convolution network, the present invention constructs N x N adjacency matrix a using the graph matrix module. In the network of 1000 users in this embodiment, 3556 sides are constructed in total by using the conventional method of direct contact or non-direct contact. Using the weight equation a (i, j) ═ w cos (F) of the present inventioni,Fj)+(1-w)*CijThe new adjacency matrix then constructs over 1,000,000 non-zero edges, building a rich association for isolated users.
Then, the graph convolution network module outputs the classification result using the matrix F and the matrix a constructed above as input, and a two-layer graph convolution network as shown in fig. 2. Wherein the convolution network expression is Z ═ f (X, A) ═ soft max (A ReLU (AXW)0)W1) To calculate the classification result of each node, the present invention uses the softmax activation function
Figure BDA0002868380790000071
Using a gradient-specific descent method and a cross-entropy loss function in a training graph convolutional network
Figure BDA0002868380790000072
And then, the graph interpretation module analyzes the interpretability of the graph volume network, and the invention analyzes the graph structure and the characteristic information of the graph volume network. The present invention uses this module to get the graph structure and feature information that most contributes to the classification result as shown in fig. 3, resulting in an interpretation of the classification result in terms of the contribution value. For the explanation part of the graph structure of the classification model obtained after training, the optimization function is
Figure BDA0002868380790000073
Only the threshold needs to be set to shift the edge of M which is partially lower than the thresholdIn addition, this results in the graph structure that contributes most to the result from a structural point of view. The explanation of the feature selection part is similar to the explanation of the graph structure, and the model is explained by selecting the part most relevant to the prediction result, and the specific formula is
Figure BDA0002868380790000074
for
Figure BDA0002868380790000075
Considering the selection of structure and characteristics at the same time, the final optimization goal of the graph interpretation module is
Figure BDA0002868380790000081
Wherein
Figure BDA0002868380790000082
In the embodiment, compared with the traditional methods such as supporting a perceptron, a random forest, Logistic regression and a convolution neural network, the method has the best experimental effect on accuracy, precision and recall rate. Meanwhile, contribution analysis on graph structure and attribute characteristics can be provided for the classification result, and the interpretability of the classification result is improved.
The above description is intended to be illustrative of the present invention and is not to be construed as limiting the invention, and any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (6)

1. An interpretable user behavior anomaly detection method comprises the following steps:
1) collecting the characteristic information of the users in the target network by using a characteristic extraction module;
2) the graph matrix module constructs an adjacency matrix according to the characteristic information of each user; the graph matrix module determines whether direct connection exists between users according to the user characteristic information, and then uses a weight equation A (i, j) ═ w × cos (F)i,Fj)+(1-w)*CijCalculate user i andsimilarity A (i, j) between users j, and determining the relation between the users according to the similarity; fiCharacteristic information for user i, FjIs the characteristic information of user j, w is the weight coefficient, CijRepresenting whether there is a direct contact between user i and user j, if so Cij1, otherwise Cij=0;
3) Utilizing the adjacency matrix training diagram neural network to obtain a classification model for anomaly detection;
4) training the classification model by using a graph interpretation module to set an optimization objective function to obtain a graph mask M and a feature selector F; wherein the optimization objective function of the graph interpretation module is
Figure FDA0002868380780000011
XSFeatures, G, for optimal contribution of node S to abnormal node YSFor the subgraph of the node S which contributes most to the abnormal node Y, H () is an information entropy function, and MI () is a mutual information function;
5) inputting the characteristics of a user to be detected into the trained classification model to obtain a classification result, if the user is an abnormal node, obtaining the associated node of the abnormal node from the classification model by using a graph mask M, obtaining the associated characteristic most relevant to the abnormal node in the characteristics of each node of the classification model by using a characteristic selector F, and taking the obtained associated node and the associated characteristic as the interpretation information of the abnormal node.
2. The method of claim 1, wherein the user characteristic information comprises device usage characteristics, login characteristics, file usage characteristics, social characteristics, and browsing characteristics.
3. The method of claim 2, wherein the graph matrix module determines whether there is direct contact between corresponding users according to whether there is email communication between users, and determines that there is direct contact between users having email communication records.
4. The method of claim 1, wherein user i is associated with user j when a (i, j) > 0.5.
5. The method of claim 1, wherein the random map variables are approximated using mean field variation
Figure FDA0002868380780000015
Is decomposed
Figure FDA0002868380780000012
Wherein A iss[j,k]Representative edge (upsilon)j,υk) Is expected value of presence, vjFor nodes j, v in the classification modelkAs a node j in the classification model, (upsilon)j,υk) Edge, G, connecting nodes j, kCIs a set of subgraphs.
6. The method of claim 1,
Figure FDA0002868380780000013
wherein
Figure FDA0002868380780000014
Is GsIs determined by the node characteristics of (1),
Figure FDA0002868380780000021
are node features that are not covered by the graph mask M.
CN202011590113.3A 2020-12-29 2020-12-29 Interpretable user behavior abnormity detection method Active CN112685272B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011590113.3A CN112685272B (en) 2020-12-29 2020-12-29 Interpretable user behavior abnormity detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011590113.3A CN112685272B (en) 2020-12-29 2020-12-29 Interpretable user behavior abnormity detection method

Publications (2)

Publication Number Publication Date
CN112685272A true CN112685272A (en) 2021-04-20
CN112685272B CN112685272B (en) 2022-10-14

Family

ID=75454861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011590113.3A Active CN112685272B (en) 2020-12-29 2020-12-29 Interpretable user behavior abnormity detection method

Country Status (1)

Country Link
CN (1) CN112685272B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113989574A (en) * 2021-11-04 2022-01-28 中国科学技术大学 Image interpretation method, image interpretation apparatus, electronic device, and storage medium
CN115098563A (en) * 2022-07-14 2022-09-23 中国海洋大学 Time sequence abnormity detection method and system based on GCN and attention VAE

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108648095A (en) * 2018-05-10 2018-10-12 浙江工业大学 A kind of nodal information hidden method accumulating gradient network based on picture scroll
CN109670446A (en) * 2018-12-20 2019-04-23 泉州装备制造研究所 Anomaly detection method based on linear dynamic system and depth network
CN109889436A (en) * 2019-02-20 2019-06-14 北京航空航天大学 A kind of discovery method of spammer in social networks
US20200285944A1 (en) * 2019-03-08 2020-09-10 Adobe Inc. Graph convolutional networks with motif-based attention

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108648095A (en) * 2018-05-10 2018-10-12 浙江工业大学 A kind of nodal information hidden method accumulating gradient network based on picture scroll
CN109670446A (en) * 2018-12-20 2019-04-23 泉州装备制造研究所 Anomaly detection method based on linear dynamic system and depth network
CN109889436A (en) * 2019-02-20 2019-06-14 北京航空航天大学 A kind of discovery method of spammer in social networks
US20200285944A1 (en) * 2019-03-08 2020-09-10 Adobe Inc. Graph convolutional networks with motif-based attention

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
仲丽君等: "社交网络异常用户识别技术综述", 《计算机工程与应用》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113989574A (en) * 2021-11-04 2022-01-28 中国科学技术大学 Image interpretation method, image interpretation apparatus, electronic device, and storage medium
CN113989574B (en) * 2021-11-04 2024-04-02 中国科学技术大学 Image interpretation method, image interpretation device, electronic device, and storage medium
CN115098563A (en) * 2022-07-14 2022-09-23 中国海洋大学 Time sequence abnormity detection method and system based on GCN and attention VAE

Also Published As

Publication number Publication date
CN112685272B (en) 2022-10-14

Similar Documents

Publication Publication Date Title
Cai et al. Structural temporal graph neural networks for anomaly detection in dynamic graphs
Koc et al. A network intrusion detection system based on a Hidden Naïve Bayes multiclass classifier
Dewa et al. Data mining and intrusion detection systems
Xiang et al. Modeling relationship strength in online social networks
Adebowale et al. Comparative study of selected data mining algorithms used for intrusion detection
Tajbakhsh et al. Intrusion detection using fuzzy association rules
Nguyen et al. Vasabi: Hierarchical user profiles for interactive visual user behaviour analytics
CN112685272B (en) Interpretable user behavior abnormity detection method
Ahmed et al. Network sampling designs for relational classification
Bose A comparative study of social networking approaches in identifying the covert nodes
Singh et al. Computational method to prove efficacy of datasets
Silva et al. A statistical analysis of intrinsic bias of network security datasets for training machine learning mechanisms
Katar Combining multiple techniques for intrusion detection
Rabbi et al. An Approximation For Monitoring The Efficiency Of Cooperative Across Diverse Network Aspects
Kaiser et al. Attack hypotheses generation based on threat intelligence knowledge graph
Sönmez et al. Anomaly detection using data mining methods in it systems: a decision support application
Ourston et al. Coordinated internet attacks: responding to attack complexity
Zeng et al. Influential simplices mining via simplicial convolutional network
Riad et al. Visualize network anomaly detection by using k-means clustering algorithm
Huang et al. Network-traffic anomaly detection with incremental majority learning
Zekri et al. Immunological approach for intrusion detection
Rahim et al. An intelligent approach for preserving the privacy and security of a smart home based on IoT using LogitBoost techniques
Ball et al. Anomaly detection using autoencoders with network analysis features
Corral et al. Explanations of unsupervised learning clustering applied to data security analysis
CN109063721A (en) A kind of method and device that behavioural characteristic data are extracted

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant