CN113298345B - Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium - Google Patents

Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium Download PDF

Info

Publication number
CN113298345B
CN113298345B CN202110376399.3A CN202110376399A CN113298345B CN 113298345 B CN113298345 B CN 113298345B CN 202110376399 A CN202110376399 A CN 202110376399A CN 113298345 B CN113298345 B CN 113298345B
Authority
CN
China
Prior art keywords
behavior
abnormal
value
adjacent
tested
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110376399.3A
Other languages
Chinese (zh)
Other versions
CN113298345A (en
Inventor
白彧
李克勤
麻志毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced Institute of Information Technology AIIT of Peking University
Hangzhou Weiming Information Technology Co Ltd
Original Assignee
Advanced Institute of Information Technology AIIT of Peking University
Hangzhou Weiming Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Advanced Institute of Information Technology AIIT of Peking University, Hangzhou Weiming Information Technology Co Ltd filed Critical Advanced Institute of Information Technology AIIT of Peking University
Priority to CN202110376399.3A priority Critical patent/CN113298345B/en
Publication of CN113298345A publication Critical patent/CN113298345A/en
Application granted granted Critical
Publication of CN113298345B publication Critical patent/CN113298345B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0635Risk analysis of enterprise or organisation activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/40Business processes related to the transportation industry

Landscapes

  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • Engineering & Computer Science (AREA)
  • Economics (AREA)
  • Strategic Management (AREA)
  • Tourism & Hospitality (AREA)
  • Theoretical Computer Science (AREA)
  • Entrepreneurship & Innovation (AREA)
  • General Physics & Mathematics (AREA)
  • Marketing (AREA)
  • General Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Educational Administration (AREA)
  • Quality & Reliability (AREA)
  • Operations Research (AREA)
  • Game Theory and Decision Science (AREA)
  • Development Economics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Primary Health Care (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a method and a device for detecting abnormal behaviors, electronic equipment and a medium. In the application, a behavior diagram can be constructed by utilizing a first behavior sample element in a training sample set; generating a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram; acquiring behavior data to be tested of a target user, and calculating an abnormal value to be tested corresponding to the behavior data to be tested according to a behavior diagram; and determining whether the target user has abnormal behavior according to the magnitude relation between the abnormal value to be tested and the preset threshold value. By applying the technical scheme of the application, the behavior prediction model containing the behavior diagram can be generated by using the historical behavior data of a plurality of users as the training set and the testing set, so that whether the users have abnormal behaviors or not is judged according to the model, and the defect that the noise data is mistaken for normal behaviors and is learned in the training process in the prior art is overcome.

Description

Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium
Technical Field
The present application relates to data processing technologies, and in particular, to a method and an apparatus for detecting an abnormal behavior, an electronic device, and a medium.
Background
Under the large background of continuous development of the internet, the internet of things and communication technologies, information interaction, analysis and collaboration become more and more common.
Further, when people enjoy the convenience brought by the network, the abnormal behavior in the network affects the normal development of the society, such as the propagation of fraud information, telecom and credit card fraud, network scanning and network intrusion. How to detect these abnormal behaviors as early and accurately as possible becomes important to avoid causing more harm.
Disclosure of Invention
The embodiment of the present application provides a method, an apparatus, an electronic device, and a medium for detecting an abnormal behavior, wherein according to an aspect of the embodiment of the present application, a method for detecting an abnormal behavior is provided, which includes:
constructing a behavior diagram by utilizing a first behavior sample element in a training sample set;
generating a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram;
acquiring behavior data to be tested of a target user, and calculating an abnormal value to be tested corresponding to the behavior data to be tested according to the behavior diagram;
and determining whether the target user has abnormal behavior according to the magnitude relation between the abnormal value to be tested and the preset threshold value.
Optionally, in another embodiment of the method according to the present application, the constructing an activity diagram by using a first activity sample element in a training sample set includes:
taking each first behavior sample element as a vertex, and taking a connecting line of two adjacent first behavior sample elements as a corresponding directed edge;
acquiring the number of the directional edges, and respectively calculating the weight value corresponding to each directional edge according to the number of the directional edges;
and constructing the behavior diagram according to the vertexes and each directed edge containing the weight value.
Optionally, in another embodiment based on the foregoing method of the present application, the generating a preset threshold value by using a second behavior sample element in the test sample set includes:
acquiring the shortest directed edge of two adjacent second behavior sample elements in the behavior diagram;
taking the weighted value and the value corresponding to the shortest directed edge as adjacent abnormal values of the two adjacent second behavior sample elements;
and obtaining the preset threshold value according to all the adjacent abnormal values.
Optionally, in another embodiment based on the foregoing method of the present application, after the obtaining the shortest directional edge of two adjacent second behavior sample elements in the behavior graph, the method further includes:
setting adjacent abnormal values corresponding to the second behavior data which is not in the behavior diagram to be infinite.
Optionally, in another embodiment of the foregoing method based on the present application, the obtaining the preset threshold value according to all adjacent abnormal values includes:
collecting all the adjacent abnormal values to obtain an adjacent abnormal value sequence;
calculating an average abnormal value corresponding to the adjacent abnormal value sequence by using a preset sliding window; calculating an infinite value proportion corresponding to the adjacent abnormal value sequence, wherein the infinite value proportion is obtained according to the infinite adjacent abnormal values;
taking the quantile of the average abnormal value as a first threshold value; and taking the quantiles of the infinite value proportion as a second threshold value;
and taking the first threshold value and the second threshold value as the preset threshold value.
Optionally, in another embodiment of the method based on the foregoing application, the calculating a to-be-tested abnormal value corresponding to the to-be-tested behavior data according to the behavior diagram includes:
acquiring the shortest directed edge of two adjacent second to-be-tested behavior data in the behavior graph;
taking the weight value and the value corresponding to the shortest directed edge as adjacent abnormal values of the two adjacent behavior data to be tested;
collecting all adjacent abnormal values to obtain an adjacent abnormal value sequence corresponding to the behavior data to be tested;
and calculating to obtain the abnormal values to be tested according to the adjacent abnormal value sequence, wherein the abnormal values to be tested comprise average abnormal values and infinite value proportions corresponding to the behavior data to be tested.
Optionally, in another embodiment based on the above method of the present application, after the calculating obtains the abnormal value to be tested, the method further includes:
and if the average abnormal value corresponding to the behavior data to be tested is detected to be larger than the first threshold value and the infinite value ratio corresponding to the behavior data to be tested is detected to be larger than the second threshold value, determining that the target user has abnormal behavior.
According to another aspect of the embodiments of the present application, there is provided an abnormal behavior detection apparatus, including:
a construction module configured to construct a behavior diagram using a first behavior sample element in a training sample set;
the generating module is configured to generate a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram;
the acquisition module is configured to acquire behavior data to be tested of a target user and calculate an abnormal value to be tested corresponding to the behavior data to be tested according to the behavior diagram;
and the determining module is configured to determine whether the target user has abnormal behaviors according to the magnitude relation between the abnormal value to be tested and the preset threshold value.
According to another aspect of the embodiments of the present application, there is provided an electronic device including:
a memory for storing executable instructions; and
and the display is used for displaying with the memory to execute the executable instruction so as to complete the operation of any one of the abnormal behavior detection methods.
According to a further aspect of the embodiments of the present application, there is provided a computer-readable storage medium for storing computer-readable instructions, which, when executed, perform the operations of any one of the above-mentioned abnormal behavior detection methods.
In the application, a behavior diagram can be constructed by utilizing a first behavior sample element in a training sample set; generating a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram; acquiring behavior data to be tested of a target user, and calculating an abnormal value to be tested corresponding to the behavior data to be tested according to a behavior diagram; and determining whether the target user has abnormal behavior according to the magnitude relation between the abnormal value to be tested and the preset threshold value. By applying the technical scheme of the application, the behavior prediction model containing the behavior diagram can be generated by taking historical behavior data of a plurality of users as a training set and a testing set, so that whether abnormal behaviors exist in the users is judged according to the model, and the defect that noise data are mistaken for normal behaviors for learning in the training process in the prior art is overcome.
The technical solution of the present application is further described in detail by the accompanying drawings and examples.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description, serve to explain the principles of the application.
The present application may be more clearly understood from the following detailed description with reference to the accompanying drawings, in which:
FIG. 1 is a schematic diagram of the detection of abnormal behavior proposed in the present application;
FIG. 2 is a schematic diagram of a behavioral graph proposed in the present application;
FIG. 3 is a schematic representation of yet another behavioral graph proposed by the present application;
FIG. 4 is a schematic diagram of another behavior diagram proposed in the present application;
fig. 5 is a schematic structural diagram of an electronic device for detecting abnormal behavior according to the present application;
fig. 6 is a schematic structural diagram of an electronic device of the massage apparatus according to the present application.
Detailed Description
Various exemplary embodiments of the present application will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present application unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the application, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
In addition, technical solutions between the various embodiments of the present application may be combined with each other, but it must be based on the realization of the technical solutions by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination of technical solutions should be considered to be absent and not within the protection scope of the present application.
It should be noted that all directional indicators (such as up, down, left, right, front, back, 8230) \8230;) in the embodiments of the present application are only used to explain the relative positional relationship between the components in a specific posture (as shown in the attached drawings), the motion situation, etc., and if the specific posture is changed, the directional indicators are correspondingly changed.
A method for performing detection of abnormal behavior according to an exemplary embodiment of the present application is described below with reference to fig. 1 to 4. It should be noted that the following application scenarios are merely illustrated for the convenience of understanding the spirit and principles of the present application, and the embodiments of the present application are not limited in this respect. Rather, embodiments of the present application may be applied to any scenario where applicable.
The application also provides a method and a device for detecting the abnormal behavior, a target terminal and a medium.
Fig. 1 schematically shows a flow chart of a method for detecting abnormal behavior according to an embodiment of the present application. As shown in fig. 1, the method includes:
s101, constructing a behavior diagram by utilizing a first behavior sample element in a training sample set.
The action graph in the application can be a graph formed by a plurality of given vertexes and directed edges connecting the two vertexes, the graph is generally used for describing a certain specific relation between certain objects, the vertexes represent the objects, and the directed edges represent the relation between the corresponding two objects.
For example, as shown in FIG. 2, v 1 ,v 2 ,v 3 Representing the vertex, (v) 1 ,v 2 ),(v 2 ,v 3 ),(v 1 ,v 3 ) Denotes a directed edge, V = { V = 1 ,v 2 ,v 3 Denotes a set of vertices, E = { (v) 1 ,v 2 ),(v 2 ,v 3 ),(v 3 ,v 1 ) Denotes a set of directed edges, G = (V, E) denotes a graph. Depending on whether the edges have weights, the graph can also be divided into a weighted graph and an unweighted graph: a weighted graph means that each edge has a certain weight, usually a number; an unweighted graph means that each directed edge has no weight. It can be divided into an undirected graph and a directed graph according to whether the edges in the graph have directionality. Where the edges in the directed graph are directional compared to the undirected graph. In a directed graph by<s,d>A directed edge is represented, where s represents the starting vertex of the directed edge and d represents the ending vertex of the directed edge. A path refers to a sequence of vertices formed by a series of vertices, and any two adjacent vertices in the sequence can find a corresponding directed edge in the graph. For example, the set of vertex sequences { v } in FIG. 3 1 ,v 2 ,v 3 The directional edge formed by }<v 1 ,v 2 >,<v 2 ,v 3 >Are found in the graph and thus the vertex sequence is a path. If the starting vertex and the ending vertex of the path are the same vertex, the path is called a ring. For example, path [ v ] in FIG. 3 1 ,v 2 ,v 3 ,v 1 ]Forming a ring, and more particularly the edge<v 3 ,v 3 >Its starting vertex and ending vertex are the same vertex, called self-loop.
Further, if the directed edges in the directed graph have weights, the directed graph is called a weighted directed graph. In the weighted directed graph, the sum of the weights of all paths existing between two vertexes, wherein a certain path contains all directed edges, is the minimum, and the path is the shortest path between the two vertexes. Common algorithms for solving the shortest path include Dijkstra, bellman-Ford and Floyd-Warshall.
Furthermore, historical behavior data of a plurality of users can be collected as sample data, and one or more elements in the sample data are used as behavior sample elements. For example, the element may be a user behavior occurrence time point in the historical behavior data, an action that the user has occurred, and the like.
In addition, the method can divide the normal historical behavior data into a sample training set and a sample testing set, generate a behavior diagram by using sample elements in the sample training set, calculate a preset threshold value by using the testing set, calculate an abnormal value of the behavior data to be detected by using the behavior diagram, and finally compare the abnormal value with the preset threshold value to realize the abnormal detection of the user.
In the present application, the number of sample data in the training sample set is not limited, and the number of first action sample elements is also not limited.
And S102, generating a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram.
It should also be noted that, the present application also does not limit the number of sample data in the test sample set, and also does not limit the number of second behavior sample elements. Further, after the behavior diagram is obtained, a final preset threshold value can be generated according to the behavior diagram and other behavior sample elements. So that whether the user's behavior is abnormal or not can be determined according to the threshold value subsequently.
S103, acquiring behavior data to be tested of the target user, and calculating an abnormal value to be tested corresponding to the behavior data to be tested according to the behavior diagram.
And S104, determining whether the target user has abnormal behavior according to the magnitude relation between the abnormal value to be tested and the preset threshold value.
Further, after the to-be-tested behavior data of the to-be-tested user is obtained, a to-be-tested abnormal value corresponding to the to-be-tested behavior data can be calculated according to the behavior diagram, and the to-be-tested abnormal value is compared with a preset threshold value.
Furthermore, the method and the device can compare a plurality of abnormal indexes of the behavior to be detected with a preset threshold value. In one mode, a larger difference between the two indicates a higher degree of abnormality for the user. And an alarm may be raised.
In the application, a behavior diagram can be constructed by utilizing a first behavior sample element in a training sample set; generating a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram; acquiring to-be-tested behavior data of a target user, and calculating to-be-tested abnormal values corresponding to the to-be-tested behavior data according to a behavior diagram; and determining whether the target user has abnormal behavior according to the magnitude relation between the abnormal value to be tested and the preset threshold value. By applying the technical scheme of the application, the behavior prediction model containing the behavior diagram can be generated by using the historical behavior data of a plurality of users as the training set and the testing set, so that whether the users have abnormal behaviors or not is judged according to the model, and the defect that the noise data is mistaken for normal behaviors and is learned in the training process in the prior art is overcome.
Optionally, in a possible embodiment of the present application, constructing a behavior diagram by using a first behavior sample element in a training sample set includes:
taking each first behavior sample element as a vertex, and taking a connecting line of two adjacent first behavior sample elements as a corresponding directed edge;
acquiring the number of the directional edges, and respectively calculating the weight value corresponding to each directional edge according to the number of the directional edges;
and constructing a behavior graph according to the vertexes and each directed edge containing the weight value.
Further, the present application may generate an action graph by using a first action sample element (e.g., including 4 elements, respectively V1, V2, V3, and V4) in the training set. Specifically, canTaking each element in the training sample set as a vertex and 2 adjacent elements as directed edges, a behavior diagram G = (V, E) can be obtained. Wherein V = { V = 1 ,v 2 ,v 3 ,v 4 },E={<v 1 ,v 1 >,<v 1 ,v 2 >,<v 2 ,v 3 >,<v 3 ,v 1 >,<v 2 ,v 4 >}. Further statistics on the number of directed edges can be found except for<v 1 ,v 2 >Beyond 2 occurrences, all other directed edges have only occurred once.
The weight of a directed edge is calculated by the following formula:
Figure BDA0003008244490000081
wherein w is the weighted value of the directed edge.
From the above formulas, except that<v 1 ,v 2 >Except for 0.5, the other directed edges are all 1. The final behavior diagram G is shown in fig. 4.
Optionally, in a possible implementation manner of the present application, generating the preset threshold value by using a second behavior sample element in the test sample set includes:
acquiring the shortest directed edge of two adjacent second behavior sample elements in the behavior diagram;
taking the weight value and the value corresponding to the shortest directed edge as adjacent abnormal values of two adjacent second behavior sample elements;
and obtaining a preset threshold value according to all adjacent abnormal values.
Optionally, in a possible embodiment of the present application, after obtaining a shortest directional edge of two adjacent second behavior sample elements in the behavior graph, the method further includes:
and setting the adjacent abnormal value corresponding to the second behavior data in the nonexistent behavior diagram as infinity.
Optionally, in a possible implementation manner of the present application, obtaining the preset threshold value according to all adjacent abnormal values includes:
collecting all adjacent abnormal values to obtain an adjacent abnormal value sequence;
calculating average abnormal values corresponding to adjacent abnormal value sequences; calculating the infinite value proportion corresponding to the adjacent abnormal value sequence, wherein the infinite value proportion is obtained according to infinite adjacent abnormal values;
taking the quantile of the average abnormal value as a first threshold value; and taking the quantile of the infinite value proportion as a second threshold value;
and taking the first threshold value and the second threshold value as preset threshold values.
Further, after the behavior map is obtained, the preset threshold value may be generated by using a second behavior sample element (for example, including 5 elements, which are V1, V2, V3, V4, and V5, respectively) in the test sample set. Firstly, the abnormal value calculation needs to be carried out on the sample elements in the test sample set, the calculation method is that the shortest path of two adjacent second behavior sample elements in the behavior diagram G is obtained through a shortest path solving algorithm, the sum of the weights of all directed edges on each shortest path is an adjacent abnormal value, the larger the abnormal value is, the higher the abnormal degree is, and therefore the adjacent abnormal value sequence of the test sample set is obtained. The specific calculation process in the examples of the present application is shown here by table 1:
table 1: shortest path computation
Adjacent element pair Shortest path Adjacent outlier
v 5 ,v 2 Is free of inf
v 2 ,v 2 [v 2 ,v 3 ,v 1 ,v 2 ] 2.5
v 2 ,v 1 [v 2 ,v 3 ,v 1 ] 2
v 1 ,v 1 [v 1 ,v 1 ] 1
Note that, in the first row, since the vertex V5 does not exist in the behavior diagram, the shortest path does not exist. In one approach, its outlier may be determined to be inf infinity. The third column of outliers forms a sequence of adjacent outliers.
Further, after the adjacent abnormal value sequence is obtained, the preset threshold value can be obtained through calculation by using a sliding window. The sliding window calculation refers to intercepting a continuous section of the original sequence, so as to obtain a subsequence of the original sequence. It should be noted that if directional sliding is performed, a plurality of sub-sequences are generated continuously. In order to reduce the influence of the behaviors which do not conform to the normal habit on the detection result, the abnormal index calculation can be performed on the adjacent abnormal value sequence by using the sliding window. And the average outlier is obtained by the following formula,
anomally _ avg = mean value of elements within a sliding window that are not inf values.
Wherein anomally _ avg is an average outlier.
Further, the infinite value ratio inf _ ratio can also be obtained by the following formula.
Figure BDA0003008244490000101
For example, if the length of the sliding window is 2 and the sliding window is 1 unit length each time, the calculation is as shown in the table:
table 2: anomaly indicator calculation under sliding window
Figure BDA0003008244490000102
The first column of sliding window offsets in table 2 represents the offset distance of the sliding window from its initial position, and the calculation of the anomaly indicator. Since the sliding window intercepts only 1 outlier inf, its outlier has an average value of 0 and an infinite value ratio of 1.
Still further, the threshold value can be calculated. Namely, the quantile of the average abnormal value can be used as a first threshold value; and taking the quantile of the infinite value proportion as a second threshold value. And combining the first threshold value and the second threshold value as a preset threshold value.
Optionally, in a possible implementation manner of the present application, calculating a to-be-tested abnormal value corresponding to the to-be-tested behavior data according to the behavior diagram includes:
acquiring the shortest directed edge of two adjacent second to-be-tested behavior data in the behavior graph;
taking the weighted value and the value corresponding to the shortest directed edge as adjacent abnormal values of two adjacent behavior data to be tested;
collecting all adjacent abnormal values to obtain an adjacent abnormal value sequence corresponding to the behavior data to be tested;
and calculating to obtain an abnormal value to be tested according to the adjacent abnormal value sequence, wherein the abnormal value to be tested comprises an average abnormal value corresponding to the behavior data to be tested and an infinite value proportion.
Optionally, in a possible embodiment of the present application, after the abnormal value to be tested is calculated, the method further includes:
and if the average abnormal value corresponding to the behavior data to be tested is detected to be larger than the first threshold value and the infinite value ratio corresponding to the behavior data to be tested is detected to be larger than the second threshold value, determining that the target user has abnormal behavior.
Further, after the to-be-tested behavior data of the target user is obtained, an abnormal value can be calculated for the to-be-tested behavior data. For example, the shortest directed edge of two adjacent second behavior data to be tested in the behavior graph may be obtained first, and the weight value and the value corresponding to the shortest directed edge may be used as the adjacent abnormal values of the two adjacent behavior data to be tested. And finally, calculating to obtain the abnormal value to be tested according to the adjacent abnormal value sequence.
Further, after the abnormal value to be tested corresponding to the behavior data to be tested is obtained, the two abnormal indexes of the behavior to be tested can be compared with the first threshold value and the second threshold value respectively. In one mode, if the abnormal average value in the abnormal values to be tested is larger than the first threshold value, the behavior in the sliding window and the time sequence relation between the behaviors are mostly historical, but the occurrence probability is low. And if the infinite value proportion in the abnormal values to be tested is larger than the second threshold value, the behaviors in the sliding window and the time sequence relation between the behaviors are mostly not occurred historically. The larger the index is, the higher the abnormality degree is.
Optionally, in another embodiment of the present application, as shown in fig. 5, the present application further provides a device for detecting an abnormal behavior. The method comprises a construction module 201, a generation module 202, an acquisition module 203 and a determination module 204, wherein:
a constructing module 201 configured to construct a behavior diagram by using a first behavior sample element in a training sample set;
a generating module 202, configured to generate a preset threshold value by using a second behavior sample element in the test sample set and the behavior map;
the acquisition module 203 is configured to acquire to-be-tested behavior data of a target user and calculate to-be-tested abnormal values corresponding to the to-be-tested behavior data according to the behavior diagram;
the determining module 204 is configured to determine whether the target user has an abnormal behavior according to a magnitude relation between the abnormal value to be tested and the preset threshold value.
In the application, a behavior diagram can be constructed by utilizing a first behavior sample element in a training sample set; generating a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram; acquiring to-be-tested behavior data of a target user, and calculating to-be-tested abnormal values corresponding to the to-be-tested behavior data according to a behavior diagram; and determining whether the target user has abnormal behavior according to the magnitude relation between the abnormal value to be tested and the preset threshold value. By applying the technical scheme of the application, the behavior prediction model containing the behavior diagram can be generated by using the historical behavior data of a plurality of users as the training set and the testing set, so that whether the users have abnormal behaviors or not is judged according to the model, and the defect that the noise data is mistaken for normal behaviors and is learned in the training process in the prior art is overcome.
In another embodiment of the present application, the determining module 204 further includes:
a determining module 204 configured to take each of the first behavior sample elements as a vertex, and take a connecting line of two adjacent first behavior sample elements as a corresponding directed edge;
the determining module 204 is configured to obtain the number of occurrences of each directed edge, and respectively calculate a weight value corresponding to each directed edge according to the number of occurrences of each directed edge;
a determining module 204 configured to construct the behavior graph according to the vertices and each directed edge containing a weight value.
In another embodiment of the present application, the determining module 204 further includes:
a determining module 204 configured to obtain a shortest directional edge of two adjacent second behavior sample elements in the behavior graph;
a determining module 204 configured to use the weight value and the value corresponding to the shortest directional edge as adjacent abnormal values of the two adjacent second behavior sample elements;
the determining module 204 is configured to obtain the preset threshold value according to all adjacent abnormal values.
In another embodiment of the present application, the determining module 204 further includes:
a determining module 204 configured to set adjacent outliers corresponding to the absence of the second behavior data in the behavior map to infinity.
In another embodiment of the present application, the determining module 204 further includes:
a determining module 204 configured to aggregate all the adjacent outliers to obtain an adjacent outlier sequence;
a determining module 204 configured to calculate an average abnormal value corresponding to the adjacent abnormal value sequence by using a preset sliding window; calculating an infinite value proportion corresponding to the adjacent abnormal value sequence, wherein the infinite value proportion is obtained according to the infinite adjacent abnormal values;
a determination module 204 configured to take the quantile of the average outlier as a first threshold; and taking the quantile of the infinite value proportion as a second threshold value;
a determining module 204 configured to use the first threshold value and the second threshold value as the preset threshold value.
In another embodiment of the present application, the determining module 204 further includes:
the determining module 204 is configured to obtain the shortest directed edge of two adjacent second to-be-tested behavior data in the behavior graph;
a determining module 204 configured to use the weight value and the value corresponding to the shortest directed edge as adjacent abnormal values of the two adjacent behavior data to be tested;
the determining module 204 is configured to collect all adjacent abnormal values to obtain an adjacent abnormal value sequence corresponding to the behavior data to be tested;
the determining module 204 is configured to calculate the abnormal values to be tested according to the adjacent abnormal value sequence, where the abnormal values to be tested include an average abnormal value and an infinite value ratio corresponding to the behavioral data to be tested.
In another embodiment of the present application, the determining module 204 further includes:
the determining module 204 is configured to determine that the target user has an abnormal behavior if it is detected that the average abnormal value corresponding to the behavior data to be tested is greater than the first threshold value and it is detected that the infinite value ratio corresponding to the behavior data to be tested is greater than the second threshold value.
FIG. 6 is a block diagram illustrating a logical structure of an electronic device in accordance with an exemplary embodiment. For example, the electronic device 300 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, an exercise device, a personal digital assistant, and the like.
In an exemplary embodiment, there is also provided a non-transitory computer readable storage medium, such as a memory, including instructions executable by a processor of an electronic device to perform a method of detecting abnormal behavior as described above, the method including: constructing a behavior diagram by utilizing a first behavior sample element in a training sample set; generating a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram; acquiring to-be-tested behavior data of a target user, and calculating to-be-tested abnormal values corresponding to the to-be-tested behavior data according to the behavior diagram; and determining whether the target user has abnormal behaviors or not according to the size relation between the abnormal value to be tested and the preset threshold value. Optionally, the instructions may also be executable by a processor of an electronic device to perform other steps involved in the exemplary embodiments described above. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, there is also provided an application/computer program product including one or more instructions executable by a processor of an electronic device to perform the above-described method of detecting anomalous behavior, the method comprising: constructing a behavior diagram by utilizing a first behavior sample element in a training sample set; generating a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram; acquiring behavior data to be tested of a target user, and calculating an abnormal value to be tested corresponding to the behavior data to be tested according to the behavior diagram; and determining whether the target user has abnormal behavior according to the magnitude relation between the abnormal value to be tested and the preset threshold value. Optionally, the instructions may also be executable by a processor of the electronic device to perform other steps involved in the exemplary embodiments described above.
Fig. 6 is an exemplary diagram of the computer device 30. Those skilled in the art will appreciate that the schematic diagram 6 is merely an example of the computer device 30 and does not constitute a limitation of the computer device 30 and may include more or less components than those shown, or some components may be combined, or different components, e.g., the computer device 30 may also include input output devices, network access devices, buses, etc.
The Processor 302 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. The general purpose processor may be a microprocessor or the processor 302 may be any conventional processor or the like, the processor 302 being the control center for the computer device 30 and connecting the various parts of the overall computer device 30 using various interfaces and lines.
Memory 301 may be used to store computer readable instructions 303 and processor 302 may implement various functions of computer device 30 by executing or executing computer readable instructions or modules stored within memory 301 and by invoking data stored within memory 301. The memory 301 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to use of the computer device 30, and the like. In addition, the Memory 301 may include a hard disk, a Memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Memory Card (Flash Card), at least one magnetic disk storage device, a Flash Memory device, a Read-Only Memory (ROM), a Random Access Memory (RAM), or other non-volatile/volatile storage devices.
The modules integrated by the computer device 30 may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, all or part of the flow in the method according to the embodiments of the present invention can also be implemented by using computer readable instructions to instruct related hardware, and the computer readable instructions can be stored in a computer readable storage medium, and when the computer readable instructions are executed by a processor, the steps of the above-described embodiments of the method can be implemented.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (7)

1. A method for detecting abnormal behavior, comprising:
constructing a behavior diagram by utilizing a first behavior sample element in a training sample set;
generating a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram;
acquiring behavior data to be tested of a target user, and calculating an abnormal value to be tested corresponding to the behavior data to be tested according to the behavior diagram;
determining whether the target user has abnormal behavior according to the size relation between the abnormal value to be tested and the preset threshold value;
generating a preset threshold value by using a second behavior sample element in the test sample set, wherein the generating comprises:
acquiring the shortest directed edge of two adjacent second behavior sample elements in the behavior diagram;
taking the weighted value and the value corresponding to the shortest directed edge as adjacent abnormal values of the two adjacent second behavior sample elements;
obtaining the preset threshold value according to all adjacent abnormal values;
after the obtaining of the shortest directional edge of two adjacent second behavior sample elements in the behavior graph, the method further includes:
setting adjacent abnormal values corresponding to the second behavior data in the behavior diagram to be infinite;
wherein, the obtaining the preset threshold value according to all the adjacent abnormal values comprises:
collecting all the adjacent abnormal values to obtain an adjacent abnormal value sequence;
calculating an average abnormal value corresponding to the adjacent abnormal value sequence by using a preset sliding window; calculating an infinite value proportion corresponding to the adjacent abnormal value sequence, wherein the infinite value proportion is obtained according to the infinite adjacent abnormal values;
taking the quantile of the average abnormal value as a first threshold value; and taking the quantiles of the infinite value proportion as a second threshold value;
and taking the first threshold value and the second threshold value as the preset threshold value.
2. The method of claim 1, wherein constructing a behavior graph using a first behavior sample element in a training sample set comprises:
taking each first behavior sample element as a vertex, and taking a connecting line of two adjacent first behavior sample elements as a corresponding directed edge;
acquiring the number of each directed edge, and respectively calculating the weight value corresponding to each directed edge according to the number of each directed edge;
and constructing the behavior diagram according to the vertexes and each directed edge containing the weight value.
3. The method of claim 1, wherein calculating the abnormal values to be tested corresponding to the behavioral data to be tested according to the behavioral graph comprises:
acquiring the shortest directed edge of two adjacent second to-be-tested behavior data in the behavior graph;
taking the weight value and the value corresponding to the shortest directed edge as adjacent abnormal values of the two adjacent behavior data to be tested;
collecting all adjacent abnormal values to obtain an adjacent abnormal value sequence corresponding to the behavior data to be tested;
and calculating to obtain the abnormal values to be tested according to the adjacent abnormal value sequence, wherein the abnormal values to be tested comprise average abnormal values corresponding to the behavior data to be tested and infinite value proportion.
4. The method of claim 3, wherein after said calculating the outlier to be tested, further comprising:
and if the average abnormal value corresponding to the behavior data to be tested is detected to be larger than the first threshold value and the infinite value ratio corresponding to the behavior data to be tested is detected to be larger than the second threshold value, determining that the target user has abnormal behavior.
5. An abnormal behavior detection device, comprising:
a construction module configured to construct a behavior diagram using a first behavior sample element in a training sample set;
the generating module is configured to generate a preset threshold value by using a second behavior sample element in the test sample set and the behavior diagram;
the acquisition module is configured to acquire to-be-tested behavior data of a target user and calculate to-be-tested abnormal values corresponding to the to-be-tested behavior data according to the behavior diagram;
the determining module is configured to determine whether the target user has abnormal behaviors according to the magnitude relation between the abnormal value to be tested and the preset threshold value;
the generating a preset threshold value by using a second behavior sample element in the test sample set includes:
acquiring the shortest directed edge of two adjacent second behavior sample elements in the behavior graph;
taking the weighted value and the value corresponding to the shortest directed edge as adjacent abnormal values of the two adjacent second behavior sample elements;
obtaining the preset threshold value according to all adjacent abnormal values;
after the obtaining of the shortest directional edge of two adjacent second behavior sample elements in the behavior graph, the method further includes:
setting adjacent abnormal values corresponding to the second behavior data in the behavior diagram to be infinite;
wherein, the obtaining the preset threshold value according to all the adjacent abnormal values comprises:
collecting all the adjacent abnormal values to obtain an adjacent abnormal value sequence;
calculating an average abnormal value corresponding to the adjacent abnormal value sequence by using a preset sliding window; calculating an infinite value proportion corresponding to the adjacent abnormal value sequence, wherein the infinite value proportion is obtained according to the infinite adjacent abnormal values;
taking the quantile of the average abnormal value as a first threshold value; and taking the quantile of the infinite value proportion as a second threshold value;
and taking the first threshold value and the second threshold value as the preset threshold value.
6. An electronic device, comprising:
a memory for storing executable instructions; and the number of the first and second groups,
a processor for display with the memory to execute the executable instructions to perform the operations of the method of detecting abnormal behavior of any of claims 1-4.
7. A computer-readable storage medium storing computer-readable instructions that, when executed, perform the operations of the method for detecting abnormal behavior of any of claims 1-4.
CN202110376399.3A 2021-04-06 2021-04-06 Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium Active CN113298345B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110376399.3A CN113298345B (en) 2021-04-06 2021-04-06 Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110376399.3A CN113298345B (en) 2021-04-06 2021-04-06 Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium

Publications (2)

Publication Number Publication Date
CN113298345A CN113298345A (en) 2021-08-24
CN113298345B true CN113298345B (en) 2022-11-18

Family

ID=77319345

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110376399.3A Active CN113298345B (en) 2021-04-06 2021-04-06 Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium

Country Status (1)

Country Link
CN (1) CN113298345B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363947B (en) * 2021-12-31 2023-09-22 紫光展锐(重庆)科技有限公司 Log analysis method and related device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2459855B1 (en) * 2010-05-17 2013-10-23 Toyota Jidosha Kabushiki Kaisha Abnormality detection apparatus for particulate filter
CN103888304A (en) * 2012-12-19 2014-06-25 华为技术有限公司 Abnormity detection method of multi-node application and related apparatus
CN105808923A (en) * 2016-02-29 2016-07-27 北京航空航天大学 Anomaly detection method and device of data sequence
CN109040130A (en) * 2018-09-21 2018-12-18 成都力鸣信息技术有限公司 Mainframe network behavior pattern measure based on attributed relational graph
CN111291229A (en) * 2020-01-21 2020-06-16 中国科学院计算技术研究所 Method and system for detecting dense multi-part graphs

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2459855B1 (en) * 2010-05-17 2013-10-23 Toyota Jidosha Kabushiki Kaisha Abnormality detection apparatus for particulate filter
CN103888304A (en) * 2012-12-19 2014-06-25 华为技术有限公司 Abnormity detection method of multi-node application and related apparatus
CN105808923A (en) * 2016-02-29 2016-07-27 北京航空航天大学 Anomaly detection method and device of data sequence
CN109040130A (en) * 2018-09-21 2018-12-18 成都力鸣信息技术有限公司 Mainframe network behavior pattern measure based on attributed relational graph
CN111291229A (en) * 2020-01-21 2020-06-16 中国科学院计算技术研究所 Method and system for detecting dense multi-part graphs

Also Published As

Publication number Publication date
CN113298345A (en) 2021-08-24

Similar Documents

Publication Publication Date Title
US11562830B2 (en) Merchant evaluation method and system
US10832032B2 (en) Facial recognition method, facial recognition system, and non-transitory recording medium
CN109918291A (en) Software interface detection method, device, computer equipment and storage medium
CN110009364A (en) A kind of industry identification model determines method and apparatus
CN106709318A (en) Recognition method, device and calculation equipment for user equipment uniqueness
CN112085056B (en) Target detection model generation method, device, equipment and storage medium
US20150309962A1 (en) Method and apparatus for modeling a population to predict individual behavior using location data from social network messages
CN113298345B (en) Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium
CN110070533A (en) A kind of evaluating method of object detection results, device, equipment and storage medium
CN112766045B (en) Scene change detection method, system, electronic device and storage medium
CN106485585A (en) Method and system for ranking
CN109615360A (en) A kind of encoding of graphs methods of exhibiting and device
CN110348215A (en) Exception object recognition methods, device, electronic equipment and medium
JP2018521396A (en) Data generation method and apparatus, terminal, server and storage medium
CN112017776B (en) Disease prediction method based on dynamic graph and medical knowledge map and related equipment
CN111161789B (en) Analysis method and device for key areas of model prediction
CN109615204B (en) Quality evaluation method, device and equipment of medical data and readable storage medium
CN115147705A (en) Face copying detection method and device, electronic equipment and storage medium
CN112200711B (en) Training method and system of watermark classification model
Clémençon et al. Building confidence regions for the ROC surface
CN113506052A (en) Capability evaluation method and related device
JP2011198300A (en) Process improvement measure evaluation device and method
CN112801287A (en) Neural network performance evaluation method and device, electronic equipment and storage medium
KR102294255B1 (en) A device for determining the burden of dementia care, a method for determining the burden of care for dementia, a program for determining the burden of care for dementia, a device for determining the effect of dementia treatment, a method for determining the effect of a treatment for dementia, and a program for determining the effect of a treatment for dementia
CN111885700A (en) Mobile terminal positioning method and device combined with support vector machine

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CB03 Change of inventor or designer information

Inventor after: Bai Yu

Inventor after: Li Keqin

Inventor before: Bai Yu

Inventor before: Li Keqin

Inventor before: Ma Zhiyi

CB03 Change of inventor or designer information