CN112966732A - Multi-factor interactive behavior anomaly detection method with periodic attribute - Google Patents
Multi-factor interactive behavior anomaly detection method with periodic attribute Download PDFInfo
- Publication number
- CN112966732A CN112966732A CN202110228567.4A CN202110228567A CN112966732A CN 112966732 A CN112966732 A CN 112966732A CN 202110228567 A CN202110228567 A CN 202110228567A CN 112966732 A CN112966732 A CN 112966732A
- Authority
- CN
- China
- Prior art keywords
- user
- behavior
- time
- attribute
- interactive
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2411—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/22—Matching criteria, e.g. proximity measures
Landscapes
- Engineering & Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Theoretical Computer Science (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Artificial Intelligence (AREA)
- Evolutionary Biology (AREA)
- Evolutionary Computation (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to a multi-factor interactive behavior abnormity detection method with periodic attributes, which is characterized in that each user is considered independently, the historical normal interactive behavior of the user is analyzed, and the current interactive behavior of the user is detected according to the historical normal interactive behavior mode of the user. Not only the login time attribute, the working time login attribute, the login interval and the key page dwell time attribute are considered, but also the user interaction duration and the key path trigger attribute are considered, and the system interaction behavior of the user is more fully described; the provided interactive behavior period division algorithm analyzes the period characteristics of the user behaviors, meanwhile, the interactive behaviors are measured by using the adjusted cosine similarity in the abnormal behavior detection model, and the depiction of behavior direction characteristics is increased on the basis of ensuring that the numerical characteristics of the behavior vectors are not damaged. And technical support is provided for abnormal judgment and detection of the interactive behaviors.
Description
Technical Field
The invention relates to the technical field of information, in particular to a multi-factor interactive behavior abnormity detection method with periodic attributes.
Background
In recent years, the economy of China is rapidly developed, computer technology is continuously applied to the field of financial transactions, online payment is more and more popular with the arrival of the 'internet +' era, and internet finance becomes the mainstream trend of the development of the financial industry. Also, network payments and cardless payments (e.g., PayPal and AliPay) are becoming more popular, with the attendant growth in transaction fraud being quite rapid.
Most of the existing identity authentication technologies are based on the account name and the password of the user. The identity of the user is authenticated in a short time, and then all actions performed by the user are regarded as legal actions no matter what the real identity of the user is. In order to make up for the defects caused by the identity authentication mode of a single user name and password, in recent years, many scholars also tend to adopt a data characteristic mining and behavior analysis method in the field of identity recognition. For example, the behavior modeling and prediction are carried out on the user Web logs by adopting methods such as association rule mining, a hidden Markov process, a semi Markov process, a Bayesian network, a neural network, a random forest and the like. Despite the current efforts to solve the user identification problem, difficulties remain.
At present, an individual behavior portrait is mainly applied to the fields of intelligent marketing, click prediction, software system optimization and the like, statistical characteristics such as interaction frequency, interaction time delay, browsing path and other information are extracted by analyzing historical interaction behavior data of a user, a label is marked on the operation behavior of the user, and advertisement recommendation, marketing, prediction and the like are realized according to the label to which the user belongs. However, in the field of detecting the abnormal interactive behavior, according to the fact that each user has a unique interactive behavior habit, such as different time for logging in a system, different interactive time, different clicking frequency and the like, a user behavior model is constructed by analyzing an interactive behavior pattern of the user, and then the model is utilized to detect the matching degree of the interactive characteristics of the user, so that whether the operation of the user is triggered by the user is identified.
However, due to the stimulation of different external scenes, it is difficult for a user to generate interactive behaviors in a stable period all the time, for example, in ticket buying scenes of the double eleven shopping festivals and the hot holidays, the interactive behaviors of the user are often greatly different from those in a common interactive scene. Due to the randomness and the discreteness of the scene and the behavior difference of the user, the time sequence characteristics of the interaction behavior of the user often have certain periodicity, so that the methods for quickly calculating the time domain sequence period by using fast Fourier transform and the like cannot be well applied to the analysis of the interaction behavior of the user, and the periodic characteristics of the behavior are often ignored in the conventional interaction behavior anomaly detection research, so that the judgment of the model on the interaction behavior in the scene often has deviation.
Disclosure of Invention
The invention provides a multi-factor interactive behavior abnormity detection method with periodic attributes, aiming at the problem of interactive behavior abnormity detection in the Internet, and starting from user individuals, differences among different users and periodic characteristics of interactive behaviors are fully considered, and legality judgment is carried out on the interactive behaviors of the users.
The technical scheme of the invention is a multi-factor interactive behavior anomaly detection method with periodic attributes, which specifically comprises the following steps:
1) establishing a normal user interaction behavior portrait: extracting normal transaction data of the user from a user historical transaction database, establishing a login time attribute, a working time login attribute, a login interval, a key page dwell time attribute, a user interaction duration attribute and a key path trigger attribute, and constructing an interactive behavior portrait IBC of the user comprising a multi-dimensional attributeu;
2) On the basis of the step 1), generating a behavior interval sequence of the user according to the user behavior record, and calculating a periodic stability threshold of the user; secondly, according to a behavior period division method, sequentially comparing whether adjacent elements in a behavior interval sequence meet a period stability threshold value, outputting an interactive behavior period sequence of a user, and finally calculating a normal interactive behavior portrait UCP with a period attributeu;
3) Calculating the maximum deviation benchmark of the interactive behavior: repeating the steps 1) and 2) to obtain an interactive behavior portrait UCP 'with a periodic attribute of the user according to all transaction data of the user'uAs user historical interaction behavior, for UCP'uEach interactive behavior record in the UCP is associated with a normal user interactive behavior portrait having a periodic attributeuMatching, calculating the similarity between each historical interactive behavior image of the user and the interactive behavior image of the normal user in sequence, and calculating according to the maximum similarity MaxsimAnd minimum similarity MinsimThe range of (4) is sequentially valued from the range, the historical interactive behaviors of the user are divided into normal behaviors and abnormal behaviors, the division effect DB is calculated, the value with the best division effect is taken as the maximum deviation Benchmark of the interactive behaviors of the user and is marked as Benchmarku;
4) Establishing a multi-factor interactive behavior recognition method: calculating the UCP of the current interaction behavior portrait of the user according to the step 1)nowCalculating the deviation degree of the current interactive behavior from the user normal interactive behavior portrait obtained in the step 3), wherein the deviation degree is in BenchmarkuIf the deviation degree is not within the acceptable range of (2), the interaction is judged to be normal, if the deviation degree is not in the BenchmarkuIs within the acceptable range, the interaction is determined to be abnormal.
Preferably, the specific implementation method of step 1) is as follows:
1.1) extracting the history normal interaction behavior record of the user:
marking positive and negative fields for the sample according to normal interaction and abnormal interaction of the historical interaction behavior data set of the user, and extracting normal interaction data of the user to serve as positive sample data;
1.2) calculating the login time attribute:
extracting the login time set of the user from the positive sample data, and dividing one day into a plurality of time intervals according to a daily hour division method1,time2,...,timenCalculating the probability of login occurrence of the user in each interval, calculating the attribute of the login time of the user by using the following formula,
wherein, timenIs n time interval attributes, | ltan| is the number of logins in the nth time interval,the total number of logins for user u per day. Further, the log-in time attribute LTA of the user u is obtainedu=(time1,time2,...,timen);
1.3) calculating the working time login attribute:
extracting a set of transaction time, respectively calculating the transaction probability of the transaction occurring in working time and non-working time, and obtaining whether the transaction of the user u is a working time login attribute WTAu=(isworktime,noworktime);
1.4) calculating the login interval attribute:
whereinElements in the set of login intervals;the time of logging in the system for the ith time of the user u;the time of logging in the system for the i-1 st time of the user u;
obtaining a time interval change amplitude set of two adjacent logins of the user by using the formula, extracting the login time interval set of the user, obtaining a first quartile, a second quartile and a third quartile of the set by using a quantile analysis method, obtaining the upper limit and the lower limit of the set, wherein the first quartile, the second quartile and the third quartile are variable values which are positioned at the 25 th position, the 50 th position and the 75 th position after all data of the set are arranged according to the size sequence, and dividing the set into 5 sub-sets period1,period2,...,periodnThe 5 user login interval attributes are calculated by the following formula:
wherein periodnFor login interval attributeTerm of (1), | lianThe number of times the user login interval time is within the nth subset,logging in for the user u; further, the log-in interval attribute LIA of the user u is obtainedu=(period1,period2,period3,period4,period5);
1.5) calculating the stay time attribute of the key page of the user:
sequentially calculating the key page a of the user in the normal interaction behavior log of the user upage_noSum of residence time for key to get setWhereinCalculating to obtain the key page residence time attribute KSA of the user u by using a quantile analysis method according to the same calculation method in the step 1.4)u=(distance1,distance2,distance3,distance4,distance5);
1.6) calculate user interaction duration attribute:
in the normal interaction behavior log of the user u, calculating the sum of the browsing time of each page in one interaction operation of the user u to obtain a setCalculating to obtain the user u interaction duration time attribute IDA by using quantile analysis method according to the same calculation method in 1.4)u=(duration1,duration2,...,durationn);
1.7) calculating the triggering attribute of the user critical path:
sequentially calculating the retention time of a key page and a non-key page of a system in one interactive operation of a user in a normal interactive behavior log of the user u; using quantile analysis according to the phase in 1.4)With the same calculation method, the user critical path trigger attribute CTA is obtained by calculationu=(ratio1,ratio2);
1.8) constructing a user interaction behavior portrait:
obtaining the attribute of each dimension of the user u, and constructing an interactive behavior portrait IBC of the useru,IBCu=(LTAu,WTAu,LIAu,KSAu,IDAu,CTAu)。
Preferably, the step 2) is implemented by the following steps:
2.1) extracting the login interval sequence: the log-in interval sequence calculated in step 1.4) is lisu={t1,t2,...,tn},tnThe nth login interval time is used, and n +1 is the number of all interaction behavior records of the user; login interval lisuIs represented by lis'u={t'1,t'2,...,t'n}, subsequence lis'uI.e. in the original sequence lisuA sequence consisting of any one of the moieties in (a);
2.2) traversing the login interval sequence in sequence:
initialize a null array C from lisu={t1,t2,...,tnBeginning from head to tail, sequentially traversing all subsequences, and sequentially calculating a period stability threshold value mu corresponding to a subsequence and a stability state TPF of a subsequence of a user u for each subsequenceuPeriodic stability threshold μ and subsequence stability status TPF for user uuThe calculation is as follows:
μ=1/length(list),
where list represents a certain subsequence of the sequence of login time intervals, length (list) represents the length of the subsequence; TPFuMiddle tiRepresents lis'uEach of the elements of (a) to (b),is lis'uMean value of all elements in (A), mu represents a partition threshold value, and the larger mu is lis'uThe fewer the middle elements are, the more discrete and sparse the user behavior cycle is; conversely, the smaller mu is, lis'uThe more elements in the user, the more continuous the user behavior cycle is;
2.3) dividing sequence:
according to the period stability threshold value and the sub-sequence stability state TPF of the user uuThe log interval sequence is divided according to the following formula,
and storing the subsequence meeting the formula into an array C, wherein the subsequence meets the following requirements in the traversal process: traversing the longer subsequence preferentially, and if the calculated value in the longer subsequence meets the period stability threshold value mu, not judging all subsequences in the subsequence; similarly, if the current subsequence is a subsequence of any sequence in the periodic behavior sequence set C, the judgment is not performed;
2.4) outputting a periodic sequence of the interactive behaviors:
and outputting an array C, namely a periodic behavior sequence set of the user:
2.5) constructing an interactive behavior portrait with periodic attributes:
obtaining pbc images of the interaction behavior in different periods according to the periodic sequence output in 2.4) and also according to the method for characterizing the interaction behavior in 1.2) -1.8) aboveu,By usingRepresenting an interactive behavior image set corresponding to j behavior periods of a user u; finally defining the combined normal interactive behavior portrait with periodic attribute asWherein And the interactive behavior portrait corresponding to the latest k cycles in the normal user cycle interactive behavior portrait collection.
The invention has the beneficial effects that: the invention discloses a multi-factor interactive behavior abnormity detection method with periodic attributes. Not only the login time attribute, the working time login attribute, the login interval and the key page dwell time attribute are considered, but also the user interaction duration and the key path trigger attribute are considered, and the system interaction behavior of the user is more fully described; the provided interactive behavior period division algorithm analyzes the period characteristics of the user behaviors, meanwhile, the interactive behaviors are measured by using the adjusted cosine similarity in the abnormal behavior detection model, and the depiction of behavior direction characteristics is increased on the basis of ensuring that the numerical characteristics of the behavior vectors are not damaged. And technical support is provided for abnormal judgment and detection of the interactive behaviors.
Drawings
FIG. 1 is a general framework diagram of the interactive behavior multi-factor anomaly detection method with periodic attributes according to the present invention;
FIG. 2 is a flowchart illustrating an implementation of the method for detecting abnormal multi-factor interactive behavior with periodic attributes according to the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments. The present embodiment is implemented on the premise of the technical solution of the present invention, and a detailed implementation manner and a specific operation process are given, but the scope of the present invention is not limited to the following embodiments.
The method is mainly characterized in that the interaction behaviors of users can show certain fluctuation and mutation due to the influence of different scenes, the description of the mutation behaviors is often ignored in the existing research, and in order to better describe the interaction behavior characteristics of the users, the invention provides an interaction behavior period division method, and the interaction behaviors meeting the threshold are divided into different behavior periods by calculating the period stability threshold of the users; on the basis, a method for depicting the maximum deviation of the user interaction behavior from the reference is provided, and the depiction of the directional characteristic of the behavior reference vector is enhanced on the basis of ensuring that the numerical characteristic of the behavior reference vector is not damaged; and finally, providing a multi-factor interactive behavior anomaly detection model with periodic attributes.
The invention discloses a multi-factor interactive behavior detection method with periodic attributes, which is an overall frame diagram of the multi-factor abnormal detection method with the periodic attributes shown in FIG. 1, and an interactive behavior model is constructed through the following three steps: firstly, establishing a user interactive behavior portrait with periodic attribute on the basis of normal user interactive behavior data; secondly, calculating the maximum deviation benchmark of the interactive behavior; and thirdly, establishing a multi-factor interactive behavior recognition method.
Firstly, establishing a normal user interaction behavior portrait: normal transaction data of the user are extracted from a user historical transaction database, not only are login time attributes, working time login attributes, login intervals and key page dwell time attributes considered, but also user interaction duration attributes and key path trigger attributes are considered, and on the basis, interaction behaviors of the user are described, and a user interaction behavior portrait is constructed. Mainly by the following steps, as shown in fig. 2.
S101: extracting a user historical normal interaction behavior record:
collecting historical interactive behavior data of a user, and extracting positive sample data of the user according to positive and negative (normal transaction and abnormal transaction) sample mark fields;
s102: calculating the login time attribute:
in the normal interaction behavior record of the user obtained in the step S101, a login time set of the user is further extracted, and one day is divided into a plurality of times according to a daily hour division methodInterval time1,time2,...,timenAnd calculating the probability of login occurrence of the user in each interval, and calculating the login time attribute of the user by using the following formula.
Wherein, timenIs n time interval attributes, | ltan| is the number of logins in the nth time interval,the total number of logins for user u per day. Further, the log-in time attribute LTA of the user u is obtainedu=(time1,time2,...,timen)。
S103: calculating a working time login attribute:
extracting a set of transaction time, respectively calculating the transaction probability of the transaction occurring in working time and non-working time (working day off duty time, double break and holiday), and obtaining whether the transaction of the user u is a working time login attribute WTAu=(isworktime,noworktime)。
S104: calculating the login interval attribute:
whereinElements in the set of login intervals;the time of logging in the system for the ith time of the user u;the time of logging in the system for the i-1 st time of the user u.
Obtaining the user by using the formulaAnd (3) extracting a login time interval set of the user from the time interval change amplitude set of two adjacent logins, solving a first quartile, a second quartile and a third quartile of the set by using a quantile analysis method, and solving an upper limit and a lower limit of the set. The first, second, and third quartiles are values of variables at the 25 th, 50 th, and 75 th positions after all data of the whole set are arranged in order of size. The set is divided into 5 sub-sets period1,period2,...,periodnThese 5 constitute the user login interval attribute. The user login interval attribute is calculated using the following formula.
Wherein periodnFor entry in the Interval Attribute, | lianThe number of times the user login interval time is within the nth subset,the number of logins for user u. Further, the log-in interval attribute LIA of the user u is obtainedu=(period1,period2,period3,period4,period5)。
S105: calculating the stay time attribute of the key page of the user:
sequentially calculating the key page a of the user in the normal interaction behavior log of the user upage_noSum of residence time for key to get setWhereinCalculating to obtain the key page residence time attribute KSA of the user u by using a quantile analysis method according to the same calculation method in the S104u=(distance1,distance2,distance3,distance4,distance5)。
S106: calculating a user interaction duration attribute:
in the normal interaction behavior log of the user u, calculating the sum of the browsing time of each page in one interaction operation of the user u to obtain a setCalculating to obtain the user u interaction duration time attribute IDA by using quantile analysis method according to the same calculation method in S104u=(duration1,duration2,...,durationn)。
S107: calculating the triggering attribute of the user critical path:
and sequentially calculating the retention time of the key page and the retention time of the non-key page of the system in one interactive operation of the user in the normal interactive behavior log of the user u. Calculating to obtain the user critical path trigger attribute CTA by using quantile analysis method according to the same calculation method in S104u=(ratio1,ratio2)。
S108: constructing a user interaction behavior portrait:
according to the attributes of the user u in each dimension obtained in the last step, an interactive behavior portrait IBC of the user is constructedu,IBCu=(LTAu,WTAu,LIAu,KSAu,IDAu,CTAu)。
Secondly, constructing an interactive behavior portrait with periodic attributes: the periodic attribute characteristics of the user are extracted on the basis of the interactive behavior of the user, and the system interactive behavior of the user is more fully described. Firstly, generating a behavior interval sequence of a user according to a user behavior record, and calculating a periodic stability threshold of the user; secondly, according to a behavior period division method, sequentially comparing whether adjacent elements in a behavior interval sequence meet a period stability threshold value, outputting an interactive behavior period sequence of a user, and finally calculating an interactive behavior portrait UCP with a period attributeuThe method comprises the following steps:
s201: extracting a login interval sequence:
lis according to the login interval sequence calculated in step S104u={t1,t2,...,tn},tnThe nth login interval time is used, and n +1 is the number of all interaction behavior records of the user; login interval lisuIs represented by lis'u={t'1,t'2,...,t'n}, subsequence lis'uI.e. in the original sequence lisuA sequence consisting of any one of the parts.
S202: sequentially traversing the login interval sequence
Initialize a null array C from lisu={t1,t2,...,tnBeginning from head to tail, sequentially traversing all subsequences, and sequentially calculating a period stability threshold value mu corresponding to a subsequence and a stable state TPF of a subsequence of a user u for each subsequenceu. Periodic stability threshold μ and subsequence steady state TPF for user uuThe calculation is as follows:
μ=1/length(list)
where list represents a certain subsequence of the sequence of login time intervals, length (list) represents the length of the subsequence; TPFuMiddle tiRepresents lis'uEach of the elements of (a) to (b),is lis'uMean value of all elements in (A), mu represents a partition threshold value, and the larger mu is lis'uThe fewer the middle elements are, the more discrete and sparse the user behavior cycle is; conversely, the smaller mu is, lis'uThe more elements in (a), the more continuous the user behavior cycle.
S203: partitioning sequences
According to the period stability threshold value and the stable state TPF of the subsequence of the user uuThe log interval sequence is divided as follows.
The subsequences that satisfy the above formula are stored in array C. And in the traversing process, the following conditions are satisfied: traversing the longer subsequence preferentially, and if the calculated value in the longer subsequence meets the period stability threshold value mu, not judging all subsequences in the subsequence; similarly, if the current subsequence is a subsequence of any one of the periodic behavior sequence sets C, it is not judged any more.
S204: outputting a periodic sequence of interactive actions
And outputting an array C, namely a periodic behavior sequence set of the user.
S205: constructing an interactive behavior portrait with periodic attributes:
obtaining an interactive behavior image pbc in different periods according to the period sequence outputted in S204 and the method for describing interactive behavior in S102-S108u,By usingAnd representing the corresponding interactive behavior image set in j behavior periods of the user u. Finally defining the combined normal interactive behavior portrait with periodic attribute asWherein And the interactive behavior portrait corresponding to the latest k cycles in the normal user cycle interactive behavior portrait collection. Since the extracted data is only normal interaction behavior data of user u, the resulting UCPuOnly portray the user's normal interaction behavior.
Thirdly, calculating the maximum deviation benchmark of the interactive behavior: the method for calculating the maximum deviation standard of the interactive behavior is provided in consideration of differences among different users, the maximum deviation standard of the interactive behavior of each user is determined for each user according to the interactive behavior portrait of the user and the interactive behavior record of the user, and the method comprises the following steps.
S301: extracting a historical interaction record:
extracting all historical interactive behavior data sets of the user, wherein all the historical interactive behavior data sets comprise all positive samples and all negative samples;
s302: generating a user interaction behavior portrait:
using the data in S301, a user interaction behavior representation UCP 'with a period attribute is obtained from the step of "creating a user interaction behavior representation with a period attribute'u。
S303: calculating the similarity between the normal interaction behaviors of the user and the portrait of the interaction behaviors of the user:
recording UCP 'for each interaction behavior'uIt will be associated with the normal user interaction behavior portrait UCP with periodic attributeuAnd matching, and sequentially calculating the similarity between each piece of historical interactive behavior of the user and the normal interactive behavior portrait according to the following calculation method:
in the formula AiAnd BiRespectively represent normal interaction behavior vectors UCP consisting of n componentsuAnd a historical Interactive behavior Picture UCP 'consisting of n components'u;Andrespectively representing the mean values of the two vector components; the cosine similarity, i.e. the value in all dimensions of each component of the vector, is adjusted minus the mean of the component. The similarity set between the normal interaction behavior of the user and the historical interaction behavior portrait can be calculated in sequence by using a formulaCan calculate S in the setuMax of maximum similaritysimAnd minimum similarity Minsim。
S304: calculating the partitioning effect according to the historical transaction of the user:
according to the maximum similarity MaxsimAnd minimum similarity MinsimThe value is sequentially taken from the range, the historical interactive behaviors of the user are divided into normal behaviors and abnormal behaviors, and the division effect DB is calculated.
DB=λ*PP+(1-λ)*NN
PP in the formula represents the proportion of the actual normal behavior in the normal behavior; the NN representation model result in the formula is the proportion of the actual abnormal behavior in the abnormal behavior; DB represents the partitioning effect, and is the sum of different weights of PP and NN, and lambda is the weight. It can be seen that the larger the λ value is, the higher the attention of the model to the normal behavior is, and conversely, the smaller the λ value is, the higher the attention of the model to the abnormal behavior is.
S305: calculating the maximum deviation reference:
taking the value with the best division effect as the maximum deviation reference of the interactive behavior of the user, and recording the value as Benchmarku。
Fourthly, establishing a multi-factor interactive behavior recognition method: the normal interaction behavior vector UCP of the user u can be obtained through calculation in the stepsuInteraction behavior with user u deviates maximally from reference Benchmarku. The maximum deviation standard of the user is the optimal division parameter of normal and abnormal behaviors in the historical interactive behaviors of the user, so that the deviation degree of the current interactive behavior and the historical interactive behavior portrait of the user can be calculated, and the deviation degree is judged to beWhether in BenchmarkuWithin an acceptable range of.
S401: calculating the current interaction behavior portrait:
according to the step one, the UCP of the current (to be judged) interactive behavior picture of the user is calculatednow。
S402: judging a model:
calculating the deviation degree of the current interactive behavior and the user normal interactive behavior portrait, and judging whether the deviation degree is at BenchmarkuWithin an acceptable range of. The calculation method is as follows:
f(u)=similarity[UCPu,UCPnow]-Benchmarku
model f (u) divides the interaction behavior space into two parts, f (u) > 0 and f (u) ≦ 0. Wherein the space of f (u) ≦ 0 is considered the user normal trading behavior space and the space of f (u) > 0 is considered the user abnormal behavior space. Therefore, if f (u) is less than or equal to 0, the current interaction behavior of the user u is normal; otherwise, if f (u) is greater than 0, the current interaction behavior of the user u is abnormal.
Claims (3)
1. A multi-factor interactive behavior anomaly detection method with periodic attributes is characterized by specifically comprising the following steps:
1) establishing a normal user interaction behavior portrait: extracting normal transaction data of the user from a user historical transaction database, establishing a login time attribute, a working time login attribute, a login interval, a key page dwell time attribute, a user interaction duration attribute and a key path trigger attribute, and constructing an interactive behavior portrait IBC of the user comprising a multi-dimensional attributeu;
2) On the basis of the step 1), generating a behavior interval sequence of the user according to the user behavior record, and calculating a periodic stability threshold of the user; secondly, according to a behavior period division method, sequentially comparing whether adjacent elements in a behavior interval sequence meet a period stability threshold value, outputting an interactive behavior period sequence of a user, and finally calculating a normal interactive behavior portrait UCP with a period attributeu;
3) Calculating the maximum deviation benchmark of the interactive behavior: according to all deals of the userEasy data, repeating the steps 1) and 2) to obtain the UCP (interactive behavior portrait) with the periodic attribute of the useru' As user historical interaction behavior, for UCPu'Each interactive behavior record in the' section, with a normal user interactive behavior profile UCP having a periodic attributeuMatching, calculating the similarity between each historical interactive behavior image of the user and the interactive behavior image of the normal user in sequence, and calculating according to the maximum similarity MaxsimAnd minimum similarity MinsimThe range of (4) is sequentially valued from the range, the historical interactive behaviors of the user are divided into normal behaviors and abnormal behaviors, the division effect DB is calculated, the value with the best division effect is taken as the maximum deviation Benchmark of the interactive behaviors of the user and is marked as Benchmarku;
4) Establishing a multi-factor interactive behavior recognition method: calculating the UCP of the current interaction behavior portrait of the user according to the step 1)nowCalculating the deviation degree of the current interactive behavior from the user normal interactive behavior portrait obtained in the step 3), wherein the deviation degree is in BenchmarkuIf the deviation degree is not within the acceptable range of (2), the interaction is judged to be normal, if the deviation degree is not in the BenchmarkuIs within the acceptable range, the interaction is determined to be abnormal.
2. The method for detecting the abnormal multi-factor interactive behavior with the periodic attribute according to claim 1, wherein the step 1) is specifically realized by the following steps:
1.1) extracting the history normal interaction behavior record of the user:
marking positive and negative fields for the sample according to normal interaction and abnormal interaction of the historical interaction behavior data set of the user, and extracting normal interaction data of the user to serve as positive sample data;
1.2) calculating the login time attribute:
extracting the login time set of the user from the positive sample data, and dividing one day into a plurality of time intervals according to a daily hour division method1,time2,...,timenCalculating the probability of login occurrence of the user in each interval, calculating the attribute of the login time of the user by using the following formula,
wherein, timenIs n time interval attributes, | ltan| is the number of logins in the nth time interval,the total number of logins for user u per day. Further, the log-in time attribute LTA of the user u is obtainedu=(time1,time2,...,timen);
1.3) calculating the working time login attribute:
extracting a set of transaction time, respectively calculating the transaction probability of the transaction occurring in working time and non-working time, and obtaining whether the transaction of the user u is a working time login attribute WTAu=(isworktime,noworktime);
1.4) calculating the login interval attribute:
whereinElements in the set of login intervals;the time of logging in the system for the ith time of the user u;the time of logging in the system for the i-1 st time of the user u;
obtaining a time interval change amplitude set of two adjacent logins of the user by using the formula, extracting the login time interval set of the user, and obtaining a first quartile, a second quartile and a third quartile of the set by using a quantile analysis methodCounting, and obtaining the upper and lower limits of the set, wherein the first, second and third quartiles are variable values at 25%, 50% and 75% positions after all data of the set are arranged according to the size sequence, and the set is divided into 5 sub-sets period1,period2,...,periodnThe 5 user login interval attributes are calculated by the following formula:
wherein periodnFor entry in the Interval Attribute, | lianThe number of times the user login interval time is within the nth subset,logging in for the user u; further, the log-in interval attribute LIA of the user u is obtainedu=(period1,period2,period3,period4,period5);
1.5) calculating the stay time attribute of the key page of the user:
sequentially calculating the key page a of the user in the normal interaction behavior log of the user upage_noSum of residence time for key to get setWhereinCalculating to obtain the key page residence time attribute KSA of the user u by using a quantile analysis method according to the same calculation method in the step 1.4)u=(distance1,distance2,distance3,distance4,distance5);
1.6) calculate user interaction duration attribute:
calculating one-time interaction of the user u in a normal interaction behavior log of the user uThe sum of browsing time of each page in the interoperation is obtained to obtain a setCalculating to obtain the user u interaction duration time attribute IDA by using quantile analysis method according to the same calculation method in 1.4)u=(duration1,duration2,...,durationn);
1.7) calculating the triggering attribute of the user critical path:
sequentially calculating the retention time of a key page and a non-key page of a system in one interactive operation of a user in a normal interactive behavior log of the user u; calculating to obtain the user key path trigger attribute CTA by using quantile analysis method according to the same calculation method in 1.4)u=(ratio1,ratio2);
1.8) constructing a user interaction behavior portrait:
obtaining the attribute of each dimension of the user u, and constructing an interactive behavior portrait IBC of the useru,IBCu=(LTAu,WTAu,LIAu,KSAu,IDAu,CTAu)。
3. The method for detecting the abnormal multi-factor interactive behavior with the periodic attribute according to claim 2, wherein the step 2) is implemented by the following steps:
2.1) extracting the login interval sequence: the log-in interval sequence calculated in step 1.4) is lisu={t1,t2,...,tn},tnThe nth login interval time is used, and n +1 is the number of all interaction behavior records of the user; login interval lisuIs represented by lis'u={t1',t'2,...,t'n}, subsequence lis'uI.e. in the original sequence lisuA sequence consisting of any one of the moieties in (a);
2.2) traversing the login interval sequence in sequence:
initialize a null array C from lisu={t1,t2,...,tnBeginning from head to tail, sequentially traversing all subsequences, and sequentially calculating a period stability threshold value mu corresponding to a subsequence and a stability state TPF of a subsequence of a user u for each subsequenceuPeriodic stability threshold μ and subsequence stability status TPF for user uuThe calculation is as follows:
μ=1/length(list),
where list represents a certain subsequence of the sequence of login time intervals, length (list) represents the length of the subsequence; TPFuMiddle tiRepresents lis'uEach of the elements of (a) to (b),is lis'uMean value of all elements in (A), mu represents a partition threshold value, and the larger mu is lis'uThe fewer the middle elements are, the more discrete and sparse the user behavior cycle is; conversely, the smaller mu is, lis'uThe more elements in the user, the more continuous the user behavior cycle is;
2.3) dividing sequence:
according to the period stability threshold value and the sub-sequence stability state TPF of the user uuThe log interval sequence is divided according to the following formula,
and storing the subsequence meeting the formula into an array C, wherein the subsequence meets the following requirements in the traversal process: traversing the longer subsequence preferentially, and if the calculated value in the longer subsequence meets the period stability threshold value mu, not judging all subsequences in the subsequence; similarly, if the current subsequence is a subsequence of any sequence in the periodic behavior sequence set C, the judgment is not performed;
2.4) outputting a periodic sequence of the interactive behaviors:
and outputting an array C, namely a periodic behavior sequence set of the user:
2.5) constructing an interactive behavior portrait with periodic attributes:
obtaining pbc images of the interaction behavior in different periods according to the periodic sequence output in 2.4) and also according to the method for characterizing the interaction behavior in 1.2) -1.8) aboveu,By usingRepresenting an interactive behavior image set corresponding to j behavior periods of a user u; finally defining the combined normal interactive behavior portrait with periodic attribute asWherein And the interactive behavior portrait corresponding to the latest k cycles in the normal user cycle interactive behavior portrait collection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110228567.4A CN112966732B (en) | 2021-03-02 | 2021-03-02 | Multi-factor interactive behavior anomaly detection method with periodic attribute |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110228567.4A CN112966732B (en) | 2021-03-02 | 2021-03-02 | Multi-factor interactive behavior anomaly detection method with periodic attribute |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112966732A true CN112966732A (en) | 2021-06-15 |
CN112966732B CN112966732B (en) | 2022-11-18 |
Family
ID=76276385
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110228567.4A Active CN112966732B (en) | 2021-03-02 | 2021-03-02 | Multi-factor interactive behavior anomaly detection method with periodic attribute |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112966732B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117708436A (en) * | 2024-02-05 | 2024-03-15 | 福州掌中云科技有限公司 | Network literature short-play recommendation management system based on big data |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103532797A (en) * | 2013-11-06 | 2014-01-22 | 网之易信息技术(北京)有限公司 | Abnormity monitoring method and device for user registration |
CN106789885A (en) * | 2016-11-17 | 2017-05-31 | 国家电网公司 | User's unusual checking analysis method under a kind of big data environment |
CN107481090A (en) * | 2017-07-06 | 2017-12-15 | 众安信息技术服务有限公司 | A kind of user's anomaly detection method, device and system |
CN108881194A (en) * | 2018-06-07 | 2018-11-23 | 郑州信大先进技术研究院 | Enterprises user anomaly detection method and device |
CN110163618A (en) * | 2019-05-31 | 2019-08-23 | 深圳前海微众银行股份有限公司 | Extremely detection method, device, equipment and the computer readable storage medium traded |
CN110519208A (en) * | 2018-05-22 | 2019-11-29 | 华为技术有限公司 | Method for detecting abnormality, device and computer-readable medium |
CN110611684A (en) * | 2019-09-27 | 2019-12-24 | 国网电力科学研究院有限公司 | Method, system and storage medium for detecting periodic Web access behavior |
CN110992041A (en) * | 2019-06-18 | 2020-04-10 | 东华大学 | Individual behavior hypersphere construction method for online fraud detection |
CN111400357A (en) * | 2020-02-21 | 2020-07-10 | 中国建设银行股份有限公司 | Method and device for identifying abnormal login |
CN111611519A (en) * | 2020-05-28 | 2020-09-01 | 上海观安信息技术股份有限公司 | Method and device for detecting personal abnormal behaviors |
-
2021
- 2021-03-02 CN CN202110228567.4A patent/CN112966732B/en active Active
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103532797A (en) * | 2013-11-06 | 2014-01-22 | 网之易信息技术(北京)有限公司 | Abnormity monitoring method and device for user registration |
CN106789885A (en) * | 2016-11-17 | 2017-05-31 | 国家电网公司 | User's unusual checking analysis method under a kind of big data environment |
CN107481090A (en) * | 2017-07-06 | 2017-12-15 | 众安信息技术服务有限公司 | A kind of user's anomaly detection method, device and system |
CN110519208A (en) * | 2018-05-22 | 2019-11-29 | 华为技术有限公司 | Method for detecting abnormality, device and computer-readable medium |
CN108881194A (en) * | 2018-06-07 | 2018-11-23 | 郑州信大先进技术研究院 | Enterprises user anomaly detection method and device |
CN110163618A (en) * | 2019-05-31 | 2019-08-23 | 深圳前海微众银行股份有限公司 | Extremely detection method, device, equipment and the computer readable storage medium traded |
CN110992041A (en) * | 2019-06-18 | 2020-04-10 | 东华大学 | Individual behavior hypersphere construction method for online fraud detection |
CN110611684A (en) * | 2019-09-27 | 2019-12-24 | 国网电力科学研究院有限公司 | Method, system and storage medium for detecting periodic Web access behavior |
CN111400357A (en) * | 2020-02-21 | 2020-07-10 | 中国建设银行股份有限公司 | Method and device for identifying abnormal login |
CN111611519A (en) * | 2020-05-28 | 2020-09-01 | 上海观安信息技术股份有限公司 | Method and device for detecting personal abnormal behaviors |
Non-Patent Citations (4)
Title |
---|
KE XIAO ET AL: "Abnormal Behavior Detection Scheme of UAV Using Recurrent Neural Networks", 《SPECIAL SECTION ON ARTIFICIAL INTELLIGENCE IN CYBERSECURITY》 * |
匡石磊等: "基于内网用户异常行为安全管理研究", 《邮电设计技术》 * |
胡珉等: "多维时间序列异常检测算法综述", 《计算机应用》 * |
赵刚和姚兴仁: "基于用户画像的异常行为检测模型", 《技术研究》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117708436A (en) * | 2024-02-05 | 2024-03-15 | 福州掌中云科技有限公司 | Network literature short-play recommendation management system based on big data |
CN117708436B (en) * | 2024-02-05 | 2024-04-26 | 福州掌中云科技有限公司 | Network literature short-play recommendation management system based on big data |
Also Published As
Publication number | Publication date |
---|---|
CN112966732B (en) | 2022-11-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Benchaji et al. | Enhanced credit card fraud detection based on attention mechanism and LSTM deep model | |
CN111784528B (en) | Abnormal community detection method and device, computer equipment and storage medium | |
CN111784348B (en) | Account risk identification method and device | |
CN110298249A (en) | Face identification method, device, terminal and storage medium | |
US20120173465A1 (en) | Automatic Variable Creation For Adaptive Analytical Models | |
CN109840413B (en) | Phishing website detection method and device | |
CN108470052B (en) | Anti-trust attack recommendation algorithm based on matrix completion | |
CN111143838B (en) | Database user abnormal behavior detection method | |
CN112464058B (en) | Telecommunication Internet fraud recognition method based on XGBoost algorithm | |
Nguyen et al. | An efficient local region and clustering-based ensemble system for intrusion detection | |
CN113378160A (en) | Graph neural network model defense method and device based on generative confrontation network | |
CN114240659A (en) | Block chain abnormal node identification method based on dynamic graph convolutional neural network | |
Kumar et al. | An information theoretic approach for feature selection | |
CN110290101B (en) | Deep trust network-based associated attack behavior identification method in smart grid environment | |
Rahmadeyan et al. | Phishing Website Detection with Ensemble Learning Approach Using Artificial Neural Network and AdaBoost | |
CN115438102A (en) | Space-time data anomaly identification method and device and electronic equipment | |
CN112966732B (en) | Multi-factor interactive behavior anomaly detection method with periodic attribute | |
He et al. | Self-Adaptive bagging approach to credit rating | |
Sundaram et al. | Detecting phishing websites using an efficient feature-based machine learning framework | |
Pandey et al. | A review of credit card fraud detection techniques | |
CN115277205B (en) | Model training method and device and port risk identification method | |
Ikeda et al. | New feature engineering framework for deep learning in financial fraud detection | |
Wang et al. | Conscience online learning: an efficient approach for robust kernel-based clustering | |
CN114519605A (en) | Advertisement click fraud detection method, system, server and storage medium | |
CN110197066B (en) | Virtual machine monitoring method and system in cloud computing environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |