CN113204476A - User behavior data security detection method - Google Patents


Publication number: CN113204476A
Authority: CN (China)
Prior art keywords: target, information, acquisition, data, node
Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202110590131.XA
Other languages: Chinese (zh)
Inventor: 王强, 李波, 李红杰, 李思雨
Current Assignee: Individual (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Individual

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/30: Monitoring
    • G06F11/34: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment; monitoring of user actions
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/21: Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/211: Selection of the most significant subset of features
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules; to a system of files or objects, e.g. local or distributed file system or database

Abstract

The application provides a user behavior data security detection method, which relates to the technical field of security detection. The method judges whether a target analysis object is in an abnormal state by comparing the feature quantity proportion of the security class tags among all feature tags corresponding to the user behavior data with the reference quantity proportion. Compared with the prior art, an abnormal state of the target analysis object can be detected directly, and the detection capability for user behavior data is improved.

Description

User behavior data security detection method
Technical Field
The application relates to the technical field of security detection, in particular to a user behavior data security detection method.
Background
With the expanding range of application of internet technology, more and more internet applications have become part of people's lives, and with the services these applications provide, people can greatly improve the convenience of life and reduce the losses caused by loss of property.
A large amount of user data is generated while internet applications are in use, and the service providers of these applications can optimize their own services by means of the user data, thereby providing users with better services.
However, this same property of user data also enables some lawless persons to use user data against the service provider, so that high-risk user data may cause damage to the service provider.
Disclosure of Invention
The present application is directed to a method for detecting user behavior data security, so as to solve at least some of the above technical problems.
In order to achieve the purpose, the technical scheme adopted by the application is as follows:
In a first aspect, the present application provides a method for detecting user behavior data security, where the method includes:
performing feature extraction based on user behavior data of a target analysis object to obtain target feature data;
acquiring the feature quantity proportion of security class tags among all feature tags of the target feature data;
obtaining a reference quantity proportion of security class tags in the target analysis object;
and comparing the feature quantity proportion with the reference quantity proportion to determine whether the target analysis object is in an abnormal state.
Optionally, the obtaining of the feature quantity ratio of the security class tag in all the feature tags of the target feature data includes:
performing feature screening on all the feature tags to obtain feature tag distribution information of all the feature tags;
screening the characteristic label distribution information to obtain screened characteristic label distribution information;
acquiring a security level label and a minimum reference threshold value key degree index of each security category label from the user behavior data;
generating a priority order corresponding to each security category label according to the security level label and the minimum reference threshold value key degree index;
selecting a target feature tag from the screened feature tag distribution information based on the priority order;
acquiring the corresponding quantity proportion of each target characteristic label in all the characteristic labels;
and determining the characteristic quantity proportion of the security class label according to the quantity proportion.
Optionally, the obtaining a reference quantity ratio of security class tags in the target analysis object includes:
extracting security tag metadata from the user behavior data, wherein the security tag metadata includes at least: a reference number, a lowest reference threshold and a highest reference threshold;
calculating an expected reference proportion corresponding to each security class label in the target analysis object according to the reference times, the lowest reference threshold and the highest reference threshold;
generating a reference quantity ratio of the security class label according to the expected reference ratio.
Optionally, the comparing the characteristic quantity ratio with the reference quantity ratio to determine whether the target analysis object is in an abnormal state includes:
calculating a ratio difference between the characteristic quantity ratio and the reference quantity ratio;
judging whether the proportion difference value is smaller than a set proportion difference threshold value or not;
if so, judging that the target analysis object is in a normal state;
if not, judging that the target analysis object is in an abnormal state.
Optionally, the performing feature extraction on the user behavior data based on the target analysis object to obtain target feature data includes:
acquiring original acquisition information acquired by at least one data acquisition node in a data maintenance system, acquiring target acquisition information aiming at a target analysis object in the original acquisition information, and converting the target acquisition information into target acquisition parameters corresponding to the target analysis object;
packaging the target acquisition information and the target acquisition parameters to obtain an evaluation data packet, and if the evaluation data packet passes verification in a data verification network cluster, adding the evaluation data packet to a key information extraction node;
responding to a feature extraction request aiming at the target analysis object in the data maintenance system, acquiring key information of the key information extraction node, and acquiring target key information corresponding to the target analysis object in the key information extraction node; the target key information comprises the target acquisition information and the target acquisition parameters;
determining target characteristic data corresponding to the target analysis object according to the target key information; wherein the target feature data is used to instruct the at least one data collection node to collect the extracted features for the parameters of the target analysis object.
Optionally, the acquiring, in the data maintenance system, raw acquisition information acquired by at least one data acquisition node includes:
acquiring to-be-verified acquisition information acquired by at least one data acquisition node in the data maintenance system, and acquiring information verification strategies corresponding to the at least one data acquisition node respectively so as to acquire node verification results corresponding to the at least one data acquisition node respectively according to the information verification strategies;
acquiring node configuration information corresponding to a data acquisition node which passes node verification, acquiring a first node secret key corresponding to the data acquisition node which passes the node verification from the node configuration information, and performing key decryption on an encrypted field in a node verification result by using the first node secret key; wherein the node configuration information corresponds to the at least one data acquisition node;
if the encryption field in the node verification result succeeds in key decryption, determining the node verification result as a common verification result, and obtaining a second node key corresponding to the data verification node from the common verification result;
and decrypting the encryption field in the information verification strategy by using the second node key, if the decryption of the encryption field in the information verification strategy is successful, determining the information verification strategy as a common verification strategy, and determining the acquired information to be verified as the original acquired information according to the common verification result and the common verification strategy.
Optionally, the method further comprises:
responding to an information input request in the data maintenance system, acquiring an information input parameter indicated by the information input request, and uploading the information input parameter to a user information verification cluster;
when the information input parameter is verified in the user information verification cluster, acquiring target acquisition information for a target analysis object from the original acquisition information, including:
obtaining key information of the data verification network, and obtaining the information input parameters corresponding to the target analysis object in the data verification network;
and determining the acquisition information corresponding to the information input parameter in the original acquisition information as the target acquisition information corresponding to the target analysis object.
Optionally, the converting the target acquisition information into the target acquisition parameter corresponding to the target analysis object includes:
acquiring a preset parameter extraction strategy in the data maintenance system; wherein, the preset parameter extraction strategy records the corresponding relation between the acquisition information and the acquisition parameter type;
and determining the acquisition parameters included in the acquisition parameter types corresponding to the target acquisition information in the preset parameter extraction strategy as the target acquisition parameters corresponding to the target analysis object.
Optionally, the target acquisition information includes behavior information, and the preset parameter extraction policy includes an acquisition parameter type corresponding to a behavior type;
the determining, as the target acquisition parameter corresponding to the target analysis object, the acquisition parameter included in the acquisition parameter type corresponding to the target acquisition information in the preset parameter extraction policy includes:
acquiring a behavior type corresponding to the behavior information, and acquiring a target acquisition parameter type associated with the behavior type corresponding to the behavior information according to the preset parameter extraction strategy;
and extracting target acquisition parameters corresponding to the target analysis object from the target acquisition information according to the target acquisition parameter types.
Optionally, the target acquisition information includes behavior evaluation information, and the target acquisition parameters include general acquisition parameters and special acquisition parameters;
the determining, as the target acquisition parameter corresponding to the target analysis object, the acquisition parameter included in the acquisition parameter type matched with the target acquisition information in the preset parameter extraction policy includes:
acquiring a target evaluation value corresponding to the behavior evaluation information and acquiring a target evaluation interval corresponding to the target analysis object;
if the target evaluation value is located in the target evaluation interval, acquiring a general acquisition parameter corresponding to the behavior evaluation information in the preset parameter extraction strategy;
and if the target evaluation value is not located in the target evaluation interval, acquiring a special acquisition parameter corresponding to the behavior evaluation information in the preset parameter extraction strategy.
Optionally, the packing the target acquisition information and the target acquisition parameters to obtain an evaluation data packet includes:
packing the target acquisition information and the target acquisition parameters to obtain an intermediate data packet, and sending the intermediate data packet to an evaluation data node;
and utilizing the evaluation data node to evaluate the intermediate data packet, generating evaluation data corresponding to the intermediate data packet, and packaging the intermediate data packet and the evaluation data to generate the evaluation data packet.
Optionally, the responding to the feature extraction request for the target analysis object in the data maintenance system, performing key information acquisition on the key information extraction node, and acquiring target key information corresponding to the target analysis object in the key information extraction node includes:
responding to a feature extraction request aiming at the target analysis object in the data maintenance system, acquiring a request ID corresponding to the feature extraction request, and acquiring key information of the key information extraction node;
and if the request ID is judged to be the legal request ID of the target analysis object in the key information extraction node, acquiring target key information corresponding to the target analysis object in the key information extraction node.
Optionally, the determining, according to the target key information, target feature data corresponding to the target analysis object includes:
counting target acquisition parameters contained in the target key information to obtain a target acquisition parameter set corresponding to the target analysis object;
if the quantity of the parameter values contained in the target acquisition parameter set is smaller than a first set threshold, determining that the target characteristic data of the target analysis object is abnormal characteristic data;
if the quantity of the parameter values contained in the target acquisition parameter set is larger than a second set threshold, determining that the target characteristic data of the target analysis object is standard characteristic data; wherein the first set threshold is less than the second set threshold;
and if the quantity of the parameter values contained in the target acquisition parameter set is between the first set threshold and the second set threshold, determining that the target characteristic data of the target analysis object is normal characteristic data.
In a second aspect, the present application provides a device for detecting user behavior data security, the device comprising:
the processing module is used for extracting features based on the user behavior data of the target analysis object to obtain target feature data;
the processing module is further configured to obtain a feature quantity ratio of security class tags among all feature tags of the target feature data;
the processing module is further used for obtaining a reference quantity proportion of the security class labels in the target analysis object;
and the detection module is used for comparing the characteristic quantity proportion with the reference quantity proportion to determine whether the target analysis object is in an abnormal state.
According to the user behavior data security detection method, whether the target analysis object is in an abnormal state is judged by comparing the feature quantity proportion of the security class tags among all the feature tags corresponding to the user behavior data with the reference quantity proportion; compared with the prior art, an abnormal state of the target analysis object can be detected directly, and the detection capability for user behavior data is improved.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly explain the technical solutions of the present application, the drawings needed for the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also derive other related drawings from these drawings without inventive effort.
Fig. 1 is a block diagram of an electronic device provided in the present application.
Fig. 2 is a flowchart of a user behavior data security detection method provided in the present application.
Fig. 3 is a structural diagram of a user behavior data security detection apparatus provided in the present application.
Detailed Description
To make the purpose, technical solutions and advantages of the present application clearer, the technical solutions in the present application will be clearly and completely described below with reference to the accompanying drawings in some embodiments of the present application, and it is obvious that the described embodiments are some, but not all embodiments of the present application. The components of the present application, as generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, as presented in the figures, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments obtained by a person of ordinary skill in the art based on a part of the embodiments in the present application without any creative effort belong to the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Referring to fig. 1, fig. 1 is a block diagram of an electronic device 100 provided in the present application, where the electronic device 100 includes a memory 101, a processor 102, and a communication interface 103, and the memory 101, the processor 102, and the communication interface 103 are electrically connected to each other directly or indirectly to implement data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
The memory 101 may be used to store software programs and modules, such as program instructions/modules corresponding to the user behavior data security detection apparatus provided in the present application, and the processor 102 executes various functional applications and data processing by executing the software programs and modules stored in the memory 101, so as to execute the steps of the user behavior data security detection method provided in the present application. The communication interface 103 may be used for communicating signaling or data with other node devices.
The Memory 101 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 102 may be an integrated circuit chip having signal processing capabilities. The Processor 102 may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
Referring to fig. 2, fig. 2 is a flowchart of a user behavior data security detection method provided in the present application, in this embodiment, the user behavior data security detection method includes the following steps:
S310, performing feature extraction based on the user behavior data of the target analysis object to obtain target feature data.
In this embodiment, the target feature data is used to instruct the at least one data acquisition node to acquire the extracted features for the parameter acquisition of the target analysis object.
S320, acquiring the feature quantity proportion of the security class tags in all the feature tags of the target feature data.
In this embodiment, the target feature data includes all feature tags of the target analysis object, where the all feature tags include at least part of security class tags.
S330, obtaining the reference quantity proportion of the security class labels in the target analysis object.
S340, comparing the characteristic quantity proportion with the reference quantity proportion to determine whether the target analysis object is in an abnormal state.
In this embodiment, based on the above scheme provided by the present application, whether the target analysis object is in an abnormal state is determined by comparing the feature quantity proportion of the security class tags among all the feature tags corresponding to the user behavior data with the reference quantity proportion; compared with the prior art, an abnormal state of the target analysis object can be detected directly, and the detection capability for user behavior data is improved.
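The following Python sketch is an added example, not part of the patent, that walks steps S320 to S340 on constructed data. The patent gives no formula for the expected reference proportion, so the clamped share used here, the use of an absolute difference, and all names and sample values are assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityTagMeta:
    """Security tag metadata: reference count plus lowest/highest reference threshold."""
    reference_count: int
    lowest: float   # lowest reference threshold, as a proportion in [0, 1]
    highest: float  # highest reference threshold, as a proportion in [0, 1]


def feature_quantity_proportion(feature_tags, security_tags):
    """S320: share of security class tags among all feature tags."""
    if not feature_tags:
        # Without tags the proportion is undefined; refuse instead of dividing by zero.
        raise ValueError("no feature tags: proportion is undefined")
    counts = Counter(feature_tags)
    total = len(feature_tags)
    per_tag = {tag: counts[tag] / total for tag in security_tags}
    return sum(per_tag.values()), per_tag


def reference_quantity_proportion(metadata, total_references):
    """S330: expected reference proportion per security class tag, then summed.

    Assumed formula (the patent gives none): reference_count / total_references,
    clamped into [lowest, highest] for that tag.
    """
    if total_references <= 0:
        raise ValueError("total_references must be positive")
    per_tag = {}
    for tag, meta in metadata.items():
        if not 0.0 <= meta.lowest <= meta.highest <= 1.0:
            raise ValueError(f"inconsistent thresholds for tag {tag!r}")
        raw = meta.reference_count / total_references
        per_tag[tag] = min(max(raw, meta.lowest), meta.highest)
    return sum(per_tag.values()), per_tag


def detect(feature_tags, metadata, total_references, diff_threshold):
    """S340: normal if the proportion difference is below the set threshold."""
    observed, _ = feature_quantity_proportion(feature_tags, metadata.keys())
    reference, _ = reference_quantity_proportion(metadata, total_references)
    # Assumption: the absolute difference is used, so a deficit of security
    # class tags is flagged as well as an excess.
    diff = abs(observed - reference)
    state = "normal" if diff < diff_threshold else "abnormal"
    return state, observed, reference


# Constructed sample data (not from the patent).
SAMPLE_METADATA = {
    "login": SecurityTagMeta(reference_count=30, lowest=0.10, highest=0.40),
    "payment": SecurityTagMeta(reference_count=10, lowest=0.05, highest=0.20),
}
BASELINE_TAGS = ["login"] * 3 + ["payment"] * 1 + ["browse"] * 6
SUSPICIOUS_TAGS = ["login"] * 2 + ["payment"] * 6 + ["browse"] * 2

if __name__ == "__main__":
    for name, tags in (("baseline", BASELINE_TAGS), ("suspicious", SUSPICIOUS_TAGS)):
        state, observed, reference = detect(tags, SAMPLE_METADATA, 100, 0.15)
        print(f"{name}: observed={observed:.2f} reference={reference:.2f} -> {state}")
```
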
As an implementation manner, in the process of executing step S310, original acquisition information acquired by at least one data acquisition node may be acquired in a data maintenance system, target acquisition information for a target analysis object may be acquired in the original acquisition information, and the target acquisition information may be converted into a target acquisition parameter corresponding to the target analysis object.
In this embodiment, the data maintenance system includes a plurality of data acquisition nodes, each of which may be configured to acquire original acquisition information, where the original acquisition information may include acquisition information of an analysis object, an environmental parameter of the analysis object, address information of the analysis object, and the like. In addition, each acquisition information may correspond to an acquisition parameter, such as an acquired value, and the like.
And then, packaging the target acquisition information and the target acquisition parameters to obtain an evaluation data packet, and if the evaluation data packet passes verification in the data verification network cluster, adding the evaluation data packet to a key information extraction node.
In this embodiment, the data verification network cluster may be used to perform network verification on the data packet, such as verifying the security of the data packet or performing a consistency check.
Next, responding to a feature extraction request aiming at the target analysis object in the data maintenance system, and acquiring key information of the key information extraction node, and acquiring target key information corresponding to the target analysis object in the key information extraction node; the target key information comprises the target acquisition information and the target acquisition parameters.
In this embodiment, the feature extraction request may be sent by a client in the data maintenance system, and the user operates the client to send the feature extraction request.
Then, determining target characteristic data corresponding to the target analysis object according to the target key information; wherein the target feature data is used to instruct the at least one data collection node to collect the extracted features for the parameters of the target analysis object.
Optionally, as an embodiment, the step of obtaining raw collection information collected by at least one data collection node in the data maintenance system may be performed as follows. First, acquisition information to be verified, acquired by at least one data acquisition node, is obtained in the data maintenance system, together with the information verification strategy corresponding to each of the at least one data acquisition node, so that a node verification result for each of the at least one data acquisition node is obtained according to the information verification strategies. Then, node configuration information corresponding to a data acquisition node that passes node verification is acquired, a first node secret key corresponding to that data acquisition node is obtained from the node configuration information, and key decryption is performed on the encrypted field in the node verification result using the first node secret key; the node configuration information corresponds to the at least one data acquisition node. Next, if key decryption of the encrypted field in the node verification result succeeds, the node verification result is determined to be a common verification result, and a second node key corresponding to the data verification node is obtained from the common verification result. Finally, the encrypted field in the information verification strategy is decrypted using the second node key; if that decryption succeeds, the information verification strategy is determined to be a common verification strategy, and the acquisition information to be verified is determined to be the original acquisition information according to the common verification result and the common verification strategy.
It should be noted that the above-mentioned common verification result indicates that key decryption of the corresponding encrypted field succeeded; if key decryption of the corresponding encrypted field fails, the corresponding verification result is a failed verification result.
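The two-stage key check described above can be exercised with the following added example, which is not part of the patent. The encrypt-then-MAC helper is a standard-library stand-in for an authenticated cipher such as AES-GCM, and the function names, field names and sample keys are assumptions; the point it shows is that "decryption succeeded" is only a meaningful verdict when the ciphertext is authenticated.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key, label):
    # Separate encryption and MAC keys derived from one node key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for an AEAD cipher (demo only)."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Return the plaintext, or None when the tag does not verify."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered field: "key decryption failed"
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def accept_as_original(node_id, node_config, verification_result,
                       verification_policy, to_be_verified):
    """Return the to-be-verified information if both decryptions succeed, else None."""
    first_key = node_config.get(node_id)
    if first_key is None:
        return None  # node has no configuration entry
    # Stage 1: the first node key must open the encrypted field of the result.
    second_key = unseal(first_key, verification_result["encrypted_field"])
    if second_key is None:
        return None  # failed verification result
    # Stage 2: the second node key, taken from the common verification result,
    # must open the encrypted field of the information verification strategy.
    policy = unseal(second_key, verification_policy["encrypted_field"])
    if policy is None:
        return None
    return to_be_verified  # accepted as original acquisition information


def build_sample():
    """Constructed keys and messages for the demo (not from the patent)."""
    first_key = bytes(range(32))
    second_key = hashlib.sha256(b"constructed second node key").digest()
    node_config = {"node-a": first_key}
    result = {"node_id": "node-a", "encrypted_field": seal(first_key, second_key)}
    policy = {"encrypted_field": seal(second_key, b"constructed policy body")}
    return node_config, result, policy


if __name__ == "__main__":
    config, result, policy = build_sample()
    info = {"object": "user-42", "behavior": "login"}
    print(accept_as_original("node-a", config, result, policy, info))
```
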
Optionally, as an implementation manner, when the step of converting the target acquisition information into the target acquisition parameter corresponding to the target analysis object is executed, a preset parameter extraction policy may be first obtained in the data maintenance system; wherein, the preset parameter extraction strategy records the corresponding relation between the acquisition information and the acquisition parameter type; then, the acquisition parameters included in the acquisition parameter types corresponding to the target acquisition information in the preset parameter extraction strategy are determined as the target acquisition parameters corresponding to the target analysis object.
For example, as an implementation manner, the target acquisition information includes behavior information, and the preset parameter extraction policy includes an acquisition parameter type corresponding to a behavior type; based on this, when the acquisition parameter included in the acquisition parameter type corresponding to the target acquisition information in the preset parameter extraction policy is determined as the target acquisition parameter corresponding to the target analysis object, the behavior type corresponding to the behavior information may be obtained first, and the target acquisition parameter type associated with the behavior type corresponding to the behavior information may be obtained according to the preset parameter extraction policy; and then, extracting target acquisition parameters corresponding to the target analysis object from the target acquisition information according to the target acquisition parameter types.
Or, as another embodiment, the target acquisition information includes behavior evaluation information, and the target acquisition parameters include general acquisition parameters and special acquisition parameters; when the acquisition parameters included in the acquisition parameter types matched with the target acquisition information in the preset parameter extraction strategy are determined as the target acquisition parameters corresponding to the target analysis object, a target evaluation value corresponding to the behavior evaluation information and a target evaluation interval corresponding to the target analysis object can be obtained; if the target evaluation value is located in the target evaluation interval, a general acquisition parameter corresponding to the behavior evaluation information is acquired from the preset parameter extraction strategy; if the target evaluation value is not located in the target evaluation interval, a special acquisition parameter corresponding to the behavior evaluation information is acquired from the preset parameter extraction strategy. It is to be understood that "general acquisition parameters" and "special acquisition parameters" are merely illustrative names for two different kinds of acquisition parameters: the general acquisition parameters may refer to general-purpose acquisition parameters, and the special acquisition parameters may refer to specially configured acquisition parameters.
Optionally, as an implementation manner, when the step of performing the packing processing on the target acquisition information and the target acquisition parameter to obtain the evaluation data packet is performed, the target acquisition information and the target acquisition parameter may be packed to obtain an intermediate data packet, and the intermediate data packet is sent to the evaluation data node; then, the evaluation data node is used for carrying out evaluation processing on the intermediate data packet, evaluation data corresponding to the intermediate data packet is generated, and the intermediate data packet and the evaluation data are packaged to generate the evaluation data packet. It will be appreciated that the evaluation data may be used to indicate the security of the intermediate data packet.
In addition, as an embodiment, the step of performing key information acquisition on the key information extraction node in response to a feature extraction request for the target analysis object in the data maintenance system, and acquiring target key information corresponding to the target analysis object in the key information extraction node, may be performed as follows: in response to a feature extraction request for the target analysis object in the data maintenance system, a request ID corresponding to the feature extraction request is acquired, and key information acquisition is performed on the key information extraction node; then, if it is determined in the key information extraction node that the request ID is a legitimate request ID of the target analysis object, target key information corresponding to the target analysis object is acquired in the key information extraction node. Of course, it is understood that if the request ID is not a legitimate request ID of the target analysis object, the feature extraction request may not be responded to, and thus the operation of performing feature extraction may be stopped.
Optionally, as an implementation manner, when the step of determining the target feature data corresponding to the target analysis object according to the target key information is executed, the target acquisition parameters contained in the target key information can be counted to obtain a target acquisition parameter set corresponding to the target analysis object. If the quantity of the parameter values contained in the target acquisition parameter set is smaller than a first set threshold, the target feature data of the target analysis object is determined to be abnormal feature data. If the quantity of the parameter values contained in the target acquisition parameter set is greater than a second set threshold, the target feature data of the target analysis object is determined to be standard feature data, wherein the first set threshold is less than the second set threshold. If the quantity of the parameter values contained in the target acquisition parameter set is between the first set threshold and the second set threshold, the target feature data of the target analysis object is determined to be normal feature data.
It is to be understood that the above-mentioned manner provided in this application is merely an example of how the target feature data corresponding to a target analysis object may be determined. In some other embodiments of this application, other strategies may also be adopted to extract the target feature data, for example, extraction through a preconfigured neural network model, which is not limited in this application.
In addition, based on the implementation manner provided by the present application, the user behavior data security detection method may further include the following scheme: first, in response to an information input request in the data maintenance system, an information input parameter indicated by the information input request is acquired and uploaded to a user information verification cluster; then, if the information input parameter passes verification in the user information verification cluster, target acquisition information for the target analysis object may be acquired from the original acquisition information as follows: key information acquisition is first performed on the data verification network, and the information input parameter corresponding to the target analysis object is acquired from the data verification network; then, the acquisition information corresponding to the information input parameter in the original acquisition information is determined as the target acquisition information corresponding to the target analysis object.
In addition, in this embodiment, when S320 is executed to obtain the feature quantity ratio of the security class tags in all the feature tags of the target feature data, feature screening may be performed on all the feature tags first to obtain feature tag distribution information of all the feature tags; then, the feature tag distribution information is screened to obtain screened feature tag distribution information; next, a security level label and a minimum reference threshold value criticality index of each security category label are acquired from the user behavior data; then, a priority order corresponding to each security category label is generated according to the security level label and the minimum reference threshold value criticality index; then, based on the priority order, a target feature tag is selected from the screened feature tag distribution information; then, the quantity proportion of each target feature tag among all the feature tags is acquired; and finally, the feature quantity ratio of the security class tags is determined according to the quantity proportion.
Optionally, in this embodiment, when step S330 is executed to obtain a reference quantity ratio of security class tags in the target analysis object, security tag metadata may be extracted from the user behavior data, where the security tag metadata at least includes: a reference number, a lowest reference threshold and a highest reference threshold; then, an expected reference proportion corresponding to each security class label in the target analysis object is calculated according to the reference number, the lowest reference threshold and the highest reference threshold; next, a reference quantity ratio of the security class labels is generated according to the expected reference proportion.
Optionally, in this embodiment, when step S340 is executed to compare the characteristic quantity ratio with the reference quantity ratio to determine whether the target analysis object is in an abnormal state, a ratio difference between the characteristic quantity ratio and the reference quantity ratio may be calculated first; then, judging whether the proportion difference value is smaller than a set proportion difference threshold value; if so, judging that the target analysis object is in a normal state; if not, judging that the target analysis object is in an abnormal state.
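Steps S320 to S340 as described above, sketched as an added Python example (not code from the patent). The description gives no formula for the expected reference proportion and does not say whether the ratio difference is signed; the clamped share of reference numbers and the absolute difference used here are assumptions, as are all names, the `top_k` cut-off and the constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TagMeta:
    """Security tag metadata for one security category label (field names assumed)."""
    security_level: int    # security level label; higher = more sensitive (assumed scale)
    criticality: float     # criticality index, second key of the priority order
    reference_number: int  # "reference number" from the security tag metadata
    lowest: float          # lowest reference threshold, as a proportion in [0, 1]
    highest: float         # highest reference threshold, as a proportion in [0, 1]


def feature_ratio(feature_tags, meta, top_k):
    """S320: share of all feature tags taken up by the selected target tags."""
    counts = Counter(feature_tags)                 # feature tag distribution
    # Screening: keep only security category labels. Labels that never occur
    # are kept with a count of 0 so that their absence is still measured.
    screened = {tag: counts.get(tag, 0) for tag in meta}
    # Priority order: security level, then criticality; the name breaks ties.
    ranked = sorted(
        screened,
        key=lambda t: (-meta[t].security_level, -meta[t].criticality, t),
    )
    targets = ranked[:top_k]
    total = len(feature_tags)
    if total == 0:
        return 0.0, targets                        # nothing observed, no division
    return sum(screened[t] / total for t in targets), targets


def reference_ratio(meta, targets):
    """S330: sum of the expected reference proportions of the target labels.

    ASSUMPTION: a label's expected proportion is its share of all reference
    numbers, clamped to [lowest, highest]. The patent does not give a formula.
    """
    total_refs = sum(m.reference_number for m in meta.values())
    if total_refs == 0:
        return 0.0
    expected = 0.0
    for tag in targets:
        share = meta[tag].reference_number / total_refs
        expected += min(max(share, meta[tag].lowest), meta[tag].highest)
    return expected


def detect(feature_tags, meta, top_k, diff_threshold):
    """S340: normal if the ratio difference is below the set threshold."""
    feat, targets = feature_ratio(feature_tags, meta, top_k)
    ref = reference_ratio(meta, targets)
    # ASSUMPTION: absolute difference, so too few security-tagged events
    # deviates from the reference just as too many does.
    diff = abs(feat - ref)
    state = "normal" if diff < diff_threshold else "abnormal"
    return {"targets": targets, "feature_ratio": feat,
            "reference_ratio": ref, "difference": diff, "state": state}


# Constructed sample: 20 feature tags for one target analysis object.
SAMPLE_TAGS = (["credential_access"] * 3 + ["data_export"] * 2
               + ["config_change"] + ["page_view"] * 10 + ["search"] * 4)

# Constructed metadata for the three security category labels.
SAMPLE_META = {
    "credential_access": TagMeta(3, 0.9, 30, 0.05, 0.20),
    "data_export": TagMeta(3, 0.7, 50, 0.05, 0.15),
    "config_change": TagMeta(2, 0.5, 20, 0.02, 0.10),
}

if __name__ == "__main__":
    for threshold in (0.15, 0.05):
        print(threshold, detect(SAMPLE_TAGS, SAMPLE_META, 2, threshold))
```

With the sample data the feature ratio is 0.25 against a reference ratio of 0.35, so the verdict depends entirely on the set threshold; an object with no recorded tags at all is reported as abnormal rather than silently passing.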
In addition, referring to Fig. 3, which is a structural diagram of a user behavior data security detection apparatus 900 provided in the present application, the user behavior data security detection apparatus 900 includes a processing module 910 and a detection module 920.
The processing module 910 is configured to perform feature extraction based on user behavior data of a target analysis object to obtain target feature data;
the processing module 910 is further configured to obtain a feature quantity ratio of security class tags in all feature tags of the target feature data;
the processing module 910 is further configured to obtain a reference quantity ratio of security class tags in the target analysis object;
a detecting module 920, configured to compare the characteristic quantity ratio with the reference quantity ratio to determine whether the target analysis object is in an abnormal state.
Optionally, when the processing module 910 obtains the feature quantity ratio of the security class tag in all feature tags of the target feature data, it may be configured to:
performing feature screening on all the feature tags to obtain feature tag distribution information of all the feature tags;
screening the characteristic label distribution information to obtain screened characteristic label distribution information;
acquiring a security level label and a minimum reference threshold value criticality index of each security category label from the user behavior data;
generating a priority order corresponding to each security category label according to the security level label and the minimum reference threshold value criticality index;
selecting a target feature tag from the screened feature tag distribution information based on the priority order;
acquiring the corresponding quantity proportion of each target characteristic label in all the characteristic labels;
and determining the characteristic quantity proportion of the security class label according to the quantity proportion.
Optionally, the processing module 910, when obtaining the reference number ratio of the security class tags in the target analysis object, may be configured to:
extracting security tag metadata from the user behavior data, wherein the security tag metadata includes at least: a reference number, a lowest reference threshold and a highest reference threshold;
calculating an expected reference proportion corresponding to each security class label in the target analysis object according to the reference number, the lowest reference threshold and the highest reference threshold;
generating a reference quantity ratio of the security class label according to the expected reference ratio.
Optionally, when comparing the characteristic quantity ratio with the reference quantity ratio to determine whether the target analysis object is in an abnormal state, the detecting module 920 may be configured to:
calculating a ratio difference between the characteristic quantity ratio and the reference quantity ratio;
judging whether the proportion difference value is smaller than a set proportion difference threshold value or not;
if so, judging that the target analysis object is in a normal state;
if not, judging that the target analysis object is in an abnormal state.
Optionally, when the processing module 910 performs feature extraction based on the user behavior data of the target analysis object to obtain target feature data, the processing module may be configured to:
acquiring original acquisition information acquired by at least one data acquisition node in a data maintenance system, acquiring target acquisition information aiming at a target analysis object in the original acquisition information, and converting the target acquisition information into target acquisition parameters corresponding to the target analysis object;
packaging the target acquisition information and the target acquisition parameters to obtain an evaluation data packet, and if the evaluation data packet passes verification in a data verification network cluster, adding the evaluation data packet to a key information extraction node;
responding to a feature extraction request aiming at the target analysis object in the data maintenance system, acquiring key information of the key information extraction node, and acquiring target key information corresponding to the target analysis object in the key information extraction node; the target key information comprises the target acquisition information and the target acquisition parameters;
determining target characteristic data corresponding to the target analysis object according to the target key information; wherein the target feature data is used to instruct the at least one data collection node to collect the extracted features for the parameters of the target analysis object.
Optionally, when the processing module 910 obtains raw acquisition information acquired by at least one data acquisition node in the data maintenance system, the processing module may be configured to:
acquiring to-be-verified acquisition information acquired by at least one data acquisition node in the data maintenance system, and acquiring information verification strategies corresponding to the at least one data acquisition node respectively so as to acquire node verification results corresponding to the at least one data acquisition node respectively according to the information verification strategies;
acquiring node configuration information corresponding to a data acquisition node which passes node verification, acquiring a first node secret key corresponding to the data acquisition node which passes the node verification from the node configuration information, and performing key decryption on an encrypted field in a node verification result by using the first node secret key; wherein the node configuration information corresponds to the at least one data acquisition node;
if the encryption field in the node verification result succeeds in key decryption, determining the node verification result as a common verification result, and obtaining a second node key corresponding to the data verification node from the common verification result;
and decrypting the encryption field in the information verification strategy by using the second node key, if the decryption of the encryption field in the information verification strategy is successful, determining the information verification strategy as a common verification strategy, and determining the acquired information to be verified as the original acquired information according to the common verification result and the common verification strategy.
Optionally, the processing module 910 is further configured to respond to an information input request in the data maintenance system, acquire an information input parameter indicated by the information input request, and upload the information input parameter to the user information verification cluster;
when the information input parameter is verified in the user information verification cluster, the processing module 910 may be configured to, when obtaining target acquisition information for a target analysis object from the original acquisition information:
obtaining key information of the data verification network, and obtaining the information input parameters corresponding to the target analysis object in the data verification network;
and determining the acquisition information corresponding to the information input parameter in the original acquisition information as the target acquisition information corresponding to the target analysis object.
Optionally, when the processing module 910 converts the target acquisition information into target acquisition parameters corresponding to the target analysis object, the processing module may be configured to:
acquiring a preset parameter extraction strategy in the data maintenance system; wherein, the preset parameter extraction strategy records the corresponding relation between the acquisition information and the acquisition parameter type;
and determining the acquisition parameters included in the acquisition parameter types corresponding to the target acquisition information in the preset parameter extraction strategy as the target acquisition parameters corresponding to the target analysis object.
Optionally, the target acquisition information includes behavior information, and the preset parameter extraction policy includes an acquisition parameter type corresponding to a behavior type;
when determining the acquisition parameter included in the acquisition parameter type corresponding to the target acquisition information in the preset parameter extraction policy as the target acquisition parameter corresponding to the target analysis object, the processing module 910 may be configured to:
acquiring a behavior type corresponding to the behavior information, and acquiring a target acquisition parameter type associated with the behavior type corresponding to the behavior information according to the preset parameter extraction strategy;
and extracting target acquisition parameters corresponding to the target analysis object from the target acquisition information according to the target acquisition parameter types.
Optionally, the target acquisition information includes behavior evaluation information, and the target acquisition parameters include general acquisition parameters and special acquisition parameters;
when the acquisition parameter included in the acquisition parameter type matched with the target acquisition information in the preset parameter extraction policy is determined as the target acquisition parameter corresponding to the target analysis object, the processing module 910 may be configured to:
acquiring a target evaluation value corresponding to the behavior evaluation information and acquiring a target evaluation interval corresponding to the target analysis object;
if the target evaluation value is located in the target evaluation interval, acquiring a general acquisition parameter corresponding to the behavior evaluation information in the preset parameter extraction strategy;
and if the target evaluation value is not located in the target evaluation interval, acquiring a special acquisition parameter corresponding to the behavior evaluation information in the preset parameter extraction strategy.
Optionally, when the processing module 910 performs a packing process on the target acquisition information and the target acquisition parameter to obtain an evaluation data packet, the processing module may be configured to:
packing the target acquisition information and the target acquisition parameters to obtain an intermediate data packet, and sending the intermediate data packet to an evaluation data node;
and utilizing the evaluation data node to evaluate the intermediate data packet, generating evaluation data corresponding to the intermediate data packet, and packaging the intermediate data packet and the evaluation data to generate the evaluation data packet.
Optionally, when performing key information acquisition on the key information extraction node in response to a feature extraction request for the target analysis object in the data maintenance system, and acquiring target key information corresponding to the target analysis object in the key information extraction node, the processing module 910 may be configured to:
responding to a feature extraction request aiming at the target analysis object in the data maintenance system, acquiring a request ID corresponding to the feature extraction request, and acquiring key information of the key information extraction node;
and if the request ID is judged to be the legal request ID of the target analysis object in the key information extraction node, acquiring target key information corresponding to the target analysis object in the key information extraction node.
Optionally, when determining the target feature data corresponding to the target analysis object according to the target key information, the processing module 910 may be configured to:
counting target acquisition parameters contained in the target key information to obtain a target acquisition parameter set corresponding to the target analysis object;
if the quantity of the parameter values contained in the target acquisition parameter set is smaller than a first set threshold, determining that the target characteristic data of the target analysis object is abnormal characteristic data;
if the quantity of the parameter values contained in the target acquisition parameter set is larger than a second set threshold, determining that the target characteristic data of the target analysis object is standard characteristic data; wherein the first set threshold is less than the second set threshold;
and if the quantity of the parameter values contained in the target acquisition parameter set is between the first set threshold and the second set threshold, determining that the target characteristic data of the target analysis object is normal characteristic data.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to some embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in some embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the part of it that contributes over the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to some embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read only memory, a random access memory, a magnetic disk or an optical disk.
The above description is only a few examples of the present application and is not intended to limit the present application, and those skilled in the art will appreciate that various modifications and variations can be made in the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (9)

1. A user behavior data security detection method is characterized by comprising the following steps:
performing feature extraction based on user behavior data of a target analysis object to obtain target feature data;
acquiring the characteristic quantity proportion of security class labels in all characteristic labels of the target characteristic data;
obtaining a reference quantity proportion of security class labels in the target analysis object;
and comparing the characteristic quantity proportion with the reference quantity proportion to determine whether the target analysis object is in an abnormal state.
2. The method according to claim 1, wherein the obtaining of the feature quantity ratio of the security class tag in all the feature tags of the target feature data comprises:
performing feature screening on all the feature tags to obtain feature tag distribution information of all the feature tags;
screening the characteristic label distribution information to obtain screened characteristic label distribution information;
acquiring a security level label and a minimum reference threshold value criticality index of each security category label from the user behavior data;
generating a priority order corresponding to each security category label according to the security level label and the minimum reference threshold value criticality index;
selecting a target feature tag from the screened feature tag distribution information based on the priority order;
acquiring the corresponding quantity proportion of each target characteristic label in all the characteristic labels;
and determining the characteristic quantity proportion of the security class label according to the quantity proportion.
3. The method of claim 1, wherein obtaining the reference quantity ratio of security class labels in the target analysis object comprises:
extracting security tag metadata from the user behavior data, wherein the security tag metadata includes at least: a reference number, a lowest reference threshold and a highest reference threshold;
calculating an expected reference proportion corresponding to each security class label in the target analysis object according to the reference number, the lowest reference threshold and the highest reference threshold;
generating a reference quantity ratio of the security class label according to the expected reference ratio.
4. The method according to any one of claims 1 to 3, wherein the comparing the characteristic quantity ratio with the reference quantity ratio to determine whether the target analysis object is in an abnormal state comprises:
calculating a ratio difference between the characteristic quantity ratio and the reference quantity ratio;
judging whether the proportion difference value is smaller than a set proportion difference threshold value or not;
if so, judging that the target analysis object is in a normal state;
if not, judging that the target analysis object is in an abnormal state.
5. The method of claim 1, wherein the performing feature extraction based on the user behavior data of the target analysis object to obtain target feature data comprises:
acquiring original acquisition information acquired by at least one data acquisition node in a data maintenance system, acquiring target acquisition information aiming at a target analysis object in the original acquisition information, and converting the target acquisition information into target acquisition parameters corresponding to the target analysis object;
packaging the target acquisition information and the target acquisition parameters to obtain an evaluation data packet, and if the evaluation data packet passes verification in a data verification network cluster, adding the evaluation data packet to a key information extraction node;
responding to a feature extraction request aiming at the target analysis object in the data maintenance system, acquiring key information of the key information extraction node, and acquiring target key information corresponding to the target analysis object in the key information extraction node; the target key information comprises the target acquisition information and the target acquisition parameters;
determining target characteristic data corresponding to the target analysis object according to the target key information; wherein the target feature data is used to instruct the at least one data collection node to collect the extracted features for the parameters of the target analysis object.
6. The method of claim 5, wherein obtaining raw acquisition information acquired by at least one data acquisition node in a data maintenance system comprises:
acquiring to-be-verified acquisition information acquired by at least one data acquisition node in the data maintenance system, and acquiring information verification strategies corresponding to the at least one data acquisition node respectively so as to acquire node verification results corresponding to the at least one data acquisition node respectively according to the information verification strategies;
acquiring node configuration information corresponding to a data acquisition node which passes node verification, acquiring a first node secret key corresponding to the data acquisition node which passes the node verification from the node configuration information, and performing key decryption on an encrypted field in a node verification result by using the first node secret key; wherein the node configuration information corresponds to the at least one data acquisition node;
if the encryption field in the node verification result succeeds in key decryption, determining the node verification result as a common verification result, and obtaining a second node key corresponding to the data verification node from the common verification result;
and decrypting the encryption field in the information verification strategy by using the second node key, if the decryption of the encryption field in the information verification strategy is successful, determining the information verification strategy as a common verification strategy, and determining the acquired information to be verified as the original acquired information according to the common verification result and the common verification strategy.
7. The method of claim 5, further comprising:
responding to an information input request in the data maintenance system, acquiring an information input parameter indicated by the information input request, and uploading the information input parameter to a user information verification cluster;
when the information input parameter is verified in the user information verification cluster, acquiring target acquisition information for a target analysis object from the original acquisition information, including:
obtaining key information of the data verification network, and obtaining the information input parameters corresponding to the target analysis object in the data verification network;
and determining the acquisition information corresponding to the information input parameter in the original acquisition information as the target acquisition information corresponding to the target analysis object.
8. The method of claim 5, wherein the converting the target acquisition information into target acquisition parameters corresponding to the target analysis object comprises:
acquiring a preset parameter extraction strategy in the data maintenance system; wherein, the preset parameter extraction strategy records the corresponding relation between the acquisition information and the acquisition parameter type;
and determining the acquisition parameters included in the acquisition parameter types corresponding to the target acquisition information in the preset parameter extraction strategy as the target acquisition parameters corresponding to the target analysis object.
9. The method according to claim 8, wherein the target acquisition information includes behavior information, and the preset parameter extraction strategy includes an acquisition parameter type corresponding to a behavior type;
the determining, as the target acquisition parameter corresponding to the target analysis object, the acquisition parameter included in the acquisition parameter type corresponding to the target acquisition information in the preset parameter extraction policy includes:
acquiring a behavior type corresponding to the behavior information, and acquiring a target acquisition parameter type associated with the behavior type corresponding to the behavior information according to the preset parameter extraction strategy;
and extracting target acquisition parameters corresponding to the target analysis object from the target acquisition information according to the target acquisition parameter types.
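The chained key check of claim 6, as an added Python example that is not part of the patent text. The claim names no cipher and does not say how "successful decryption" is detected, so the stand-in authenticated cipher, the field names `encrypted_field` and `second_node_key`, and the dict-based node configuration are all assumptions.

```python
import hashlib
import hmac
import json
import os

# Stand-in authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC) so the
# example runs on the standard library; use a vetted AEAD such as AES-GCM in practice.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def accept_as_raw(node_config, node_id, result, strategy, pending_info):
    """Claim 6 chain: first key opens the result, which yields the key for the strategy."""
    first_key = node_config.get(node_id)
    if first_key is None:
        return None  # no configuration for this node
    inner = open_sealed(first_key, result["encrypted_field"])
    if inner is None:
        return None  # not a common verification result
    second_key = bytes.fromhex(json.loads(inner)["second_node_key"])
    if open_sealed(second_key, strategy["encrypted_field"]) is None:
        return None  # not a common verification strategy
    return pending_info  # accepted as original acquisition information

def demo():
    """Constructed inputs: one intact strategy and one with a flipped ciphertext bit."""
    k1, k2 = os.urandom(32), os.urandom(32)
    config = {"node-a": k1}
    result = {"encrypted_field": seal(k1, json.dumps({"second_node_key": k2.hex()}).encode())}
    good = {"encrypted_field": seal(k2, b"policy-v1")}
    blob = good["encrypted_field"]
    bad = {"encrypted_field": blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]}
    info = {"behavior": "login"}
    return (accept_as_raw(config, "node-a", result, good, info),
            accept_as_raw(config, "node-a", result, bad, info))
```

A failure at any link returns `None`, so information from a node whose result or strategy cannot be authenticated is never promoted to original acquisition information.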
CN202110590131.XA 2021-05-28 2021-05-28 User behavior data security detection method Withdrawn CN113204476A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110590131.XA CN113204476A (en) 2021-05-28 2021-05-28 User behavior data security detection method

Publications (1)

Publication Number Publication Date
CN113204476A (en) 2021-08-03

Family

ID=77023468

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110590131.XA Withdrawn CN113204476A (en) 2021-05-28 2021-05-28 User behavior data security detection method

Country Status (1)

Country Link
CN (1) CN113204476A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697322A (en) * 2022-02-17 2022-07-01 许强 Data screening method based on cloud service processing
CN114697322B (en) * 2022-02-17 2024-03-22 上海生慧樘科技有限公司 Data screening method based on cloud service processing

Similar Documents

Publication Publication Date Title
CN110177108B (en) Abnormal behavior detection method, device and verification system
CN108200054B (en) Malicious domain name detection method and device based on DNS (Domain name Server) resolution
EP2691848B1 (en) Determining machine behavior
CN112231271A (en) Data migration integrity verification method, device and equipment and computer readable medium
CN112669138A (en) Data processing method and related equipment
CN110059981B (en) Trust degree evaluation method and device and terminal equipment
CN114020578A (en) User portrait-based abnormal account detection method, device, equipment and medium
CN109684878B (en) Privacy information tamper-proofing method and system based on block chain technology
CN111932380B (en) Big data-based information processing method and device and information processing sharing platform
CN108809928B (en) Network asset risk portrait method and device
CN113313478A (en) Big data security processing method and server applied to online payment
CN113992431B (en) Linkage blocking method and device, electronic equipment and storage medium
CN113329034B (en) Big data service optimization method based on artificial intelligence, server and storage medium
CN113204476A (en) User behavior data security detection method
CN116776390A (en) Method, device, storage medium and equipment for monitoring data leakage behavior
CN113609111A (en) Big data testing method and system
CN115801240A (en) Terminal equipment fingerprint generation method and device
CN113312671A (en) Digital business operation safety processing method and system applied to big data mining
CN113205156A (en) Online service data detection method
CN113205157A (en) Big data feature extraction method
CN113328988A (en) Network security verification method and system based on big data and cloud computing
CN113205066A (en) Linkage monitoring safety detection method
CN107305610B (en) Access path processing method and device, and automaton identification method, device and system
CN113206890A (en) Internet of things verification image identification method
CN112711480B (en) Data link analysis method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210803