CN113360899B - Machine behavior recognition method and system - Google Patents
- Publication number: CN113360899B
- Authority: CN (China)
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The application discloses a machine behavior identification method comprising the following steps: acquiring a target log and the time intervals between each two adjacent operations in the target log, wherein the target log corresponds to a single user and is ordered by that user's operation time; calculating the variation coefficients of different numbers of consecutive time intervals; obtaining the maximum number of consecutive time intervals for which the variation coefficient is smaller than a preset fluctuation coefficient; and, when the maximum number is larger than a preset number, confirming the operation behavior corresponding to the maximum number as machine behavior. The application determines whether operation behavior is machine behavior from the intervals between operations; the calculation is simple, effective, and easy to implement. The required log data is simple, so the method can be applied to any scenario. The output is highly interpretable, making it easy to locate the records that exhibit machine behavior.
Description
Technical Field
The application relates to computer data security, in particular to a machine behavior identification method and system.
Background
Malicious machine behavior, such as brute-force cracking and credential stuffing, can cause significant losses to application systems and user assets. The spread of security devices such as WAFs has reduced high-frequency machine-behavior attacks. Attackers in turn upgrade the logic of their machine behavior, mixing human and machine operation at the same time in order to bypass the security device.
The methods commonly used in the prior art for preventing machine behavior are:
1. Login control, such as captcha techniques, sliding-window techniques, and the like. These techniques require modification of the system, are not very user friendly, and do not recognize machine operation behavior after login.
2. Machine learning with a supervised algorithm. A supervised method needs a large number of manual labels, and manual labeling is difficult because the proportions of positive and negative samples differ greatly.
One such method comprises the steps of: obtaining a plurality of webpage operation behavior samples, including machine behavior samples with machine behavior labels, human behavior samples with human behavior labels, and unknown behavior samples without labels; extracting behavior characteristics from each webpage operation behavior sample; taking each webpage operation behavior sample as a sample point and calculating the distance between sample points based on the extracted behavior characteristics; based on the calculated distances, constructing a fused k-nearest neighbor graph that fuses the k-nearest neighbor graph and the mutual k-nearest neighbor graph; based on the fused k-nearest neighbor graph, performing cluster analysis on the sample points; based on the result of the cluster analysis, performing label diffusion from sample points that already have labels to sample points that do not; and determining from the label diffusion result whether an unknown behavior sample is machine behavior. This method has the labeling difficulty described above.
3. Probability-based identification of machine behavior. This approach generally sets a small time-interval threshold and identifies machine behavior when the interval between 2 operations is lower than the threshold. It is not applicable to low-frequency machine operation behavior.
The method and device for identifying machine behavior disclosed in publication number CN108965207B comprise the following steps: acquiring at least one piece of request data in a first time period and storing it in a first data area; calculating the occurrence probability, in a second time period, of a field value of at least one field of the request data in the first data area, wherein the second time period is longer than the first time period; and comparing the occurrence probability with a preset value and judging from the comparison result whether the request data corresponds to machine behavior. That method can improve the recognition accuracy for the machine behavior of malicious snap-up purchasing by black-market operators in e-commerce. It cannot recognize low-frequency machine behavior.
4. Identification of machine behavior with an unsupervised algorithm, with accuracy then improved through a supervised algorithm. This combination can improve accuracy, but it requires a large amount of log data to analyze, such as mouse operation behavior and keyboard operation behavior. Most existing systems do not retain such data, and the identified results are not sufficiently interpretable.
Disclosure of Invention
The technical problem to be solved by the application is how to provide a method for identifying continuous machine behavior that is simple, easy to operate, and produces highly interpretable results.
The application solves the technical problems by the following technical means:
a method of identifying machine behavior, comprising the steps of:
acquiring a target log and time intervals of two adjacent operations in the target log, wherein the target log corresponds to the same user and is ordered according to the operation time of the user;
respectively calculating variation coefficients of different numbers of continuous time intervals;
when the obtained variation coefficient is smaller than a preset fluctuation coefficient, the maximum number of continuous time intervals is obtained;
and when the maximum number is larger than a preset number, confirming the operation behavior corresponding to the maximum number as the machine behavior.
The application determines whether operation behavior is machine behavior from the intervals between operations; the calculation is simple, effective, and easy to implement. The required log data is simple, so the method can be applied to any scenario. The output is highly interpretable, making it easy to locate the records that exhibit machine behavior.
Further, the step of obtaining the target log includes:
acquiring an operation log, wherein the operation log at least comprises a plurality of users and a plurality of operation times;
grouping the operation logs according to the user, and sequencing the operations in each group according to the operation time to form the target logs respectively.
Further, the step of calculating the variation coefficients of different numbers of consecutive time intervals respectively includes:
step a, taking the operation time ranked first in the target log as the starting position, and calculating the variation coefficient of m consecutive time intervals from the starting position;
step b, judging whether the variation coefficient is smaller than the preset fluctuation coefficient; if it is smaller, executing step c; if it is greater than or equal to the preset fluctuation coefficient, executing step d;
step c, calculating the variation coefficient of m+n consecutive time intervals from the starting position, and then executing step b, until all time intervals in the target log are traversed, wherein n is greater than or equal to 1;
step d, calculating the variation coefficient of m consecutive time intervals from the position adjacent to and after the starting position, and then executing step b, until all time intervals in the target log are traversed.
Further, the coefficient of variation=standard deviation/average value, the standard deviation is the standard deviation of the continuous time interval, and the average value is the average value of the continuous time interval.
Further, the standard deviation calculation formula is:wherein x is i For the ith time interval, +.>Is the average of n time intervals.
Corresponding to the method, the application also discloses a system for identifying machine behavior, comprising:
the target log acquisition module is used for acquiring a target log and time intervals of two adjacent operations in the target log, wherein the target log corresponds to the same user and is sequenced according to the operation time of the user;
the variation coefficient calculation module is used for calculating variation coefficients of different numbers of continuous time intervals respectively;
the maximum number of continuous time intervals acquisition module is used for acquiring the maximum number of continuous time intervals when the variation coefficient is smaller than a preset fluctuation coefficient;
and the identification module is used for identifying the operation behaviors corresponding to the maximum number as machine behaviors when the maximum number is larger than a preset number.
Further, when executing the target log obtaining module, the step of obtaining the target log includes:
acquiring an operation log, wherein the operation log at least comprises a plurality of users and a plurality of operation times;
grouping the operation logs according to the user, and sequencing the operations in each group according to the operation time to form the target logs respectively.
Further, the step of calculating the variation coefficients of different numbers of consecutive time intervals in the variation coefficient calculation module includes:
step a, taking the operation time ranked first in the target log as the starting position, and calculating the variation coefficient of m consecutive time intervals from the starting position;
step b, judging whether the variation coefficient is smaller than the preset fluctuation coefficient; if it is smaller, executing step c; if it is greater than or equal to the preset fluctuation coefficient, executing step d;
step c, calculating the variation coefficient of m+n consecutive time intervals from the starting position, and then executing step b, until all time intervals in the target log are traversed, wherein n is greater than or equal to 1;
step d, calculating the variation coefficient of m consecutive time intervals from the position adjacent to and after the starting position, and then executing step b, until all time intervals in the target log are traversed.
Further, the coefficient of variation=standard deviation/average value, the standard deviation is the standard deviation of the continuous time interval, and the average value is the average value of the continuous time interval.
Further, the standard deviation calculation formula is:wherein x is i For the ith time interval, +.>Is the average of n time intervals.
The application has the advantages that:
The application determines whether operation behavior is machine behavior from the intervals between operations; the calculation is simple, effective, and easy to implement. The required log data is simple, so the method can be applied to any scenario. The output is highly interpretable, making it easy to locate the records that exhibit machine behavior.
Drawings
Fig. 1 is a flow chart of a method for identifying machine behavior in an embodiment of the application.
Fig. 2 is a block diagram of a machine behavior recognition system according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions in the embodiments of the present application will be clearly and completely described in the following in conjunction with the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The embodiment discloses a machine behavior recognition method, which is used for recognizing abnormal users with machine behaviors, as shown in fig. 1, and specifically comprises the following steps:
step 1, acquiring a target log and time intervals of two adjacent operations in the target log, wherein the target log corresponds to the same user and is sequenced according to the operation time of the user;
firstly, an operation log of a user is obtained, wherein the operation log at least comprises a plurality of users and a plurality of operation times. As exemplified in table 1.
TABLE 1 user operation log
And then grouping the operation logs according to the user, and sequencing the operations in each group according to the operation time to form the target logs respectively. Table 1 is grouped and ordered according to users to obtain the table 2.
Table 2 target log
Step 2, calculating variation coefficients of different numbers of continuous time intervals respectively; the method comprises the following specific steps:
since coefficient of variation = standard deviation/average, standard deviation is standard deviation for consecutive time intervals, the calculation formula is:wherein x is i For the ith time interval, +.>Is the average of n time intervals. The average value is an average value of consecutive time intervals, time interval=current operation time-last operation time. The interval time of the adjacent operations is calculated on the basis of table 2 first as shown in table 3.
TABLE 3 time interval Table for continuous operation
User | Time of operation | Time interval (s) |
Zhang San | 2021-10-01 08:55:00 | NaN |
Zhang San | 2021-10-21 10:13:03 | 1732683.0 |
Zhang San | 2021-10-21 10:23:07 | 604.0 |
Zhang San | 2021-10-21 10:33:15 | 608.0 |
Zhang San | 2021-10-21 10:43:01 | 586.0 |
Zhang San | 2021-10-21 10:53:03 | 602.0 |
Zhang San | 2021-10-21 11:03:14 | 611.0 |
Zhang San | 2021-10-21 11:13:24 | 610.0 |
Zhang San | 2021-10-21 14:00:00 | 9996.0 |
Li Si | 2021-10-01 05:55:00 | NaN |
Li Si | 2021-10-21 11:23:07 | 1747687.0 |
Li Si | 2021-10-21 13:33:15 | 7808.0 |
Li Si | 2021-10-21 14:43:01 | 4186.0 |
Li Si | 2021-10-21 15:53:03 | 4202.0 |
Li Si | 2021-10-21 18:03:34 | 7831.0 |
Li Si | 2021-10-21 19:00:00 | 3386.0 |
Then, the step of calculating the coefficients of variation for different numbers of consecutive time intervals, respectively, includes:
step a, taking the operation time ranked first in the target log as the starting position, and calculating the variation coefficient of m consecutive time intervals from the starting position;
step b, judging whether the variation coefficient is smaller than the preset fluctuation coefficient; if it is smaller, executing step c; if it is greater than or equal to the preset fluctuation coefficient, executing step d;
step c, calculating the variation coefficient of m+n consecutive time intervals from the starting position, and then executing step b, until all time intervals in the target log are traversed, wherein n is greater than or equal to 1;
step d, calculating the variation coefficient of m consecutive time intervals from the position adjacent to and after the starting position, and then executing step b, until all time intervals in the target log are traversed.
In this embodiment, the preset fluctuation coefficient y is set first; the smaller the fluctuation coefficient, the more stable the intervals. A fluctuation coefficient of 0 means the intervals are exactly equal. In actual operation, network conditions and other factors introduce some error, and to tolerate this error the preset fluctuation coefficient y is set to 0.05 in this embodiment. Next, the minimum number of continuous operations (i.e., the preset number) is set. It is generally considered that if the variation coefficient of the time intervals across 5 consecutive operations is smaller than the preset fluctuation coefficient, the operations can be regarded as continuous machine behavior, so the minimum number of continuous operations in this embodiment is 5. Of course, the preset fluctuation coefficient and the minimum continuous operation number m may be set differently according to the actual service requirement and service scenario, which is not limited by the present application.
Specifically, in this embodiment, the operation time ranked first in the target log is first taken as the starting position, and the variation coefficient of 5 consecutive time intervals is calculated from the starting position. If the variation coefficient of the 5 consecutive time intervals is smaller than the preset fluctuation coefficient y (0.05), the variation coefficient of 6 consecutive time intervals is calculated from the starting position; if that is still smaller than the preset fluctuation coefficient y (0.05), the variation coefficient of 7 consecutive time intervals is calculated from the starting position, and so on until all time intervals are traversed. This calculation yields the maximum number of consecutive time intervals for which the variation coefficient is smaller than the preset fluctuation coefficient. If, on the other hand, the calculated variation coefficient of the 5 consecutive time intervals is greater than or equal to the preset fluctuation coefficient, the variation coefficient of the 5 consecutive time intervals starting from the operation time ranked second in the target log is calculated and compared with the preset fluctuation coefficient, and so on until all time intervals are traversed.
Based on table 3, the coefficient of variation for each user for a different number of consecutive time intervals calculated according to the method described above is shown in table 4.
TABLE 4 coefficient of variation for different numbers of consecutive time intervals
Step 3, obtaining the maximum number of consecutive time intervals for which the variation coefficient is smaller than the preset fluctuation coefficient. From Table 4 it can be seen that, for Zhang San, the maximum number of consecutive time intervals whose variation coefficient is smaller than the fluctuation coefficient is 7, while Li Si's variation coefficient is larger than the preset fluctuation coefficient.
Step 4, when the maximum number is larger than the preset number, confirming the operation behavior corresponding to the maximum number as machine behavior. From Table 4 it can be seen that the coefficient of variation for the 7 consecutive operations of Zhang San is smaller than the fluctuation coefficient, so those 7 operations of Zhang San are regarded as machine behavior, whereas the coefficient of variation for the consecutive operations of Li Si is not smaller than 0.05, so Li Si has no machine behavior.
The method determines whether operation behavior is machine behavior from the intervals between operations; the calculation is simple, effective, and easy to implement. The required log data is simple, so the method can be applied to any scenario. The output is highly interpretable, making it easy to locate the records that exhibit machine behavior.
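The procedure of steps 1 to 4, applied to the rows of Table 3, as an added example that is not part of the patent text. Assumptions: the function names are hypothetical, the standard deviation is the population form (the formula itself is not reproduced on this page), and a run is counted in operations (intervals + 1), which gives the 7 reported for Zhang San.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# (user, operation time) rows of Table 3, deliberately out of order so that
# the grouping and sorting of step 1 has something to do.
TABLE3_ROWS = [
    ("Li Si", "2021-10-21 13:33:15"),
    ("Zhang San", "2021-10-21 10:43:01"),
    ("Zhang San", "2021-10-01 08:55:00"),
    ("Li Si", "2021-10-01 05:55:00"),
    ("Zhang San", "2021-10-21 10:13:03"),
    ("Zhang San", "2021-10-21 11:13:24"),
    ("Li Si", "2021-10-21 18:03:34"),
    ("Zhang San", "2021-10-21 10:23:07"),
    ("Li Si", "2021-10-21 11:23:07"),
    ("Zhang San", "2021-10-21 14:00:00"),
    ("Zhang San", "2021-10-21 10:33:15"),
    ("Li Si", "2021-10-21 15:53:03"),
    ("Zhang San", "2021-10-21 11:03:14"),
    ("Li Si", "2021-10-21 14:43:01"),
    ("Zhang San", "2021-10-21 10:53:03"),
    ("Li Si", "2021-10-21 19:00:00"),
]
FMT = "%Y-%m-%d %H:%M:%S"


def coefficient_of_variation(intervals):
    """Standard deviation / average (population standard deviation: assumption)."""
    mu = mean(intervals)
    if mu == 0:
        return 0.0  # every interval is zero: perfectly regular
    return pstdev(intervals) / mu


def longest_regular_run(intervals, m=5, n=1, y=0.05):
    """Steps a-d: return (start index, interval count) of the longest run
    whose coefficient of variation stays below y, or None if there is none."""
    best = None
    start = 0
    while start + m <= len(intervals):
        size = m  # step a: window of m intervals from the current start
        if coefficient_of_variation(intervals[start:start + size]) < y:  # step b
            # step c: keep growing the window by n while it stays regular
            while (start + size + n <= len(intervals) and
                   coefficient_of_variation(intervals[start:start + size + n]) < y):
                size += n
            if best is None or size > best[1]:
                best = (start, size)
        start += 1  # step d: move to the adjacent start position
    return best


def detect_machine_behavior(rows, m=5, n=1, y=0.05, preset_number=5):
    """Steps 1-4: group by user, sort by time, flag users whose longest
    regular run covers more than preset_number operations."""
    by_user = defaultdict(list)
    for user, ts in rows:
        by_user[user].append(datetime.strptime(ts, FMT))
    findings = {}
    for user, times in by_user.items():
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        run = longest_regular_run(intervals, m, n, y)
        if run is None:
            continue
        start, size = run
        operations = size + 1  # size intervals lie between size + 1 operations
        if operations > preset_number:
            findings[user] = {
                "operations": operations,
                "first": times[start].strftime(FMT),
                "last": times[start + size].strftime(FMT),
                "cv": round(coefficient_of_variation(intervals[start:start + size]), 4),
            }
    return findings


if __name__ == "__main__":
    for user, hit in detect_machine_behavior(TABLE3_ROWS).items():
        print(user, hit)
```

Because each finding carries the first and last timestamp of the run, an analyst can pull exactly those log records for review, which is the interpretability the description claims.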
Corresponding to the above method, the present embodiment further provides a system for identifying machine behavior, as shown in fig. 2, including:
the target log acquisition module is used for acquiring a target log and time intervals of two adjacent operations in the target log, wherein the target log corresponds to the same user and is sequenced according to the operation time of the user;
firstly, an operation log of a user is obtained, wherein the operation log at least comprises a plurality of users and a plurality of operation times. As exemplified in table 1.
TABLE 1 user operation log
And then grouping the operation logs according to the user, and sequencing the operations in each group according to the operation time to form the target logs respectively. Table 1 is grouped and ordered according to users to obtain the table 2.
Table 2 target log
The variation coefficient calculation module is used for calculating variation coefficients of different numbers of continuous time intervals respectively; the method comprises the following specific steps:
first, since the coefficient of variation=standard deviation/average value, the standard deviation is the standard deviation of the continuous time interval, and the calculation formula is:wherein x is i For the ith time interval, +.>Is the average of n time intervals. The average value is an average value of consecutive time intervals, time interval=current operation time-last operation time. The interval time of the adjacent operations is calculated on the basis of table 2 first as shown in table 3.
TABLE 3 time interval Table for continuous operation
Then, the step of calculating the coefficients of variation for different numbers of consecutive time intervals, respectively, includes:
step a, taking the operation time ranked first in the target log as the starting position, and calculating the variation coefficient of m consecutive time intervals from the starting position;
step b, judging whether the variation coefficient is smaller than the preset fluctuation coefficient; if it is smaller, executing step c; if it is greater than or equal to the preset fluctuation coefficient, executing step d;
step c, calculating the variation coefficient of m+n consecutive time intervals from the starting position, and then executing step b, until all time intervals in the target log are traversed, wherein n is greater than or equal to 1;
step d, calculating the variation coefficient of m consecutive time intervals from the position adjacent to and after the starting position, and then executing step b, until all time intervals in the target log are traversed.
In this embodiment, the preset fluctuation coefficient y is set first; the smaller the fluctuation coefficient, the more stable the intervals. A fluctuation coefficient of 0 means the intervals are exactly equal. In actual operation, network conditions and other factors introduce some error, and to tolerate this error the preset fluctuation coefficient y is set to 0.05 in this embodiment. Next, the minimum number of continuous operations (i.e., the preset number) is set. It is generally considered that if the variation coefficient of the time intervals across 5 consecutive operations is smaller than the preset fluctuation coefficient, the operations can be regarded as continuous machine behavior, so the minimum number of continuous operations in this embodiment is 5. Of course, the preset fluctuation coefficient and the minimum continuous operation number m may be set differently according to the actual service requirement and service scenario, which is not limited by the present application.
Specifically, in this embodiment, the operation time ranked first in the target log is first taken as the starting position, and the variation coefficient of 5 consecutive time intervals is calculated from the starting position. If the variation coefficient of the 5 consecutive time intervals is smaller than the preset fluctuation coefficient y (0.05), the variation coefficient of 6 consecutive time intervals is calculated from the starting position; if that is still smaller than the preset fluctuation coefficient y (0.05), the variation coefficient of 7 consecutive time intervals is calculated from the starting position, and so on until all time intervals are traversed. This calculation yields the maximum number of consecutive time intervals for which the variation coefficient is smaller than the preset fluctuation coefficient. If, on the other hand, the calculated variation coefficient of the 5 consecutive time intervals is greater than or equal to the preset fluctuation coefficient, the variation coefficient of the 5 consecutive time intervals starting from the operation time ranked second in the target log is calculated and compared with the preset fluctuation coefficient, and so on until all time intervals are traversed.
Based on table 3, the coefficient of variation for each user for a different number of consecutive time intervals calculated according to the method described above is shown in table 4.
TABLE 4 coefficient of variation for different numbers of consecutive time intervals
The maximum number of continuous time intervals acquisition module is used for acquiring the maximum number of consecutive time intervals for which the variation coefficient is smaller than the preset fluctuation coefficient. As can be seen from Table 4, for Zhang San the maximum number of consecutive time intervals whose variation coefficient is smaller than the preset fluctuation coefficient is 7, while Li Si's variation coefficient is larger than the preset fluctuation coefficient.
The machine behavior identification module is used for identifying the operation behavior corresponding to the maximum number as machine behavior when the maximum number is larger than the preset number.
From Table 4 it can be seen that the coefficient of variation for the 7 consecutive operations of Zhang San is less than the preset fluctuation coefficient, so those 7 operations are considered to be machine behavior, whereas for Li Si the coefficient of variation of even the minimum 5 consecutive operations is not less than 0.05, so Li Si has no machine behavior.
The method determines whether operation behavior is machine behavior from the intervals between operations; the calculation is simple, effective, and easy to implement. The required log data is simple, so the method can be applied to any scenario. The output is highly interpretable, making it easy to locate the records that exhibit machine behavior.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (8)
1. A method of identifying machine behavior, comprising the steps of:
acquiring a target log and time intervals of two adjacent operations in the target log, wherein the target log corresponds to the same user and is ordered according to the operation time of the user;
respectively calculating variation coefficients of different numbers of continuous time intervals;
the step of calculating the coefficients of variation for different numbers of consecutive time intervals, respectively, comprises:
step a, taking the operation time ranked first in the target log as the starting position, and calculating the variation coefficient of m consecutive time intervals from the starting position;
step b, judging whether the variation coefficient is smaller than the preset fluctuation coefficient; if it is smaller, executing step c; if it is greater than or equal to the preset fluctuation coefficient, executing step d;
step c, calculating the variation coefficient of m+n consecutive time intervals from the starting position, and then executing step b, until all time intervals in the target log are traversed, wherein n is greater than or equal to 1;
step d, calculating the variation coefficient of m consecutive time intervals from the position adjacent to and after the starting position, and then executing step b, until all time intervals in the target log are traversed;
when the obtained variation coefficient is smaller than a preset fluctuation coefficient, the maximum number of continuous time intervals is obtained;
and when the maximum number is larger than a preset number, confirming the operation behavior corresponding to the maximum number as the machine behavior.
2. The method of identifying machine behavior according to claim 1, wherein the step of obtaining a target log comprises:
acquiring an operation log, wherein the operation log at least comprises a plurality of users and a plurality of operation times;
grouping the operation logs according to the user, and sequencing the operations in each group according to the operation time to form the target logs respectively.
3. The method of claim 1, wherein the coefficient of variation = standard deviation/average, the standard deviation being the standard deviation of consecutive time intervals, the average being the average of consecutive time intervals.
4. The method of identifying machine behavior according to claim 3, wherein the standard deviation calculation formula is: wherein x_i is the i-th time interval, and the average is taken over the n time intervals.
5. A system for identifying machine behavior, comprising:
a target log acquisition module, used for acquiring a target log and the time intervals between each two adjacent operations in the target log, wherein the target log corresponds to a single user and is ordered by that user's operation time;
a coefficient of variation calculation module, used for calculating the coefficients of variation of different numbers of consecutive time intervals, respectively;
wherein calculating the coefficients of variation of different numbers of consecutive time intervals in the coefficient of variation calculation module comprises the following steps:
step a, taking the operation time ranked first in the target log as the starting position, and calculating the coefficient of variation of m consecutive time intervals from the starting position;
step b, judging whether the coefficient of variation is smaller than a preset fluctuation coefficient;
if the coefficient of variation is smaller than the preset fluctuation coefficient, executing step c: calculating the coefficient of variation of m+n consecutive time intervals from the starting position, and then executing step b, until all time intervals in the target log have been traversed, wherein n is greater than or equal to 1;
if the coefficient of variation is greater than or equal to the preset fluctuation coefficient, executing step d: calculating the coefficient of variation of m consecutive time intervals from the position adjacent to and after the starting position, and then executing step b, until all time intervals in the target log have been traversed;
a maximum number acquisition module, used for acquiring the maximum number of consecutive time intervals for which the coefficient of variation is smaller than the preset fluctuation coefficient;
and an identification module, used for identifying the operation behavior corresponding to the maximum number as machine behavior when the maximum number is larger than a preset number.
6. The machine behavior identification system of claim 5, wherein the step of acquiring the target log when executing the target log acquisition module comprises:
acquiring an operation log, wherein the operation log at least comprises a plurality of users and a plurality of operation times;
grouping the operation logs according to the user, and sequencing the operations in each group according to the operation time to form the target logs respectively.
7. The system for identifying machine behavior according to claim 5, wherein the coefficient of variation = standard deviation/average, the standard deviation being the standard deviation of consecutive time intervals, the average being the average of consecutive time intervals.
8. The machine behavior identification system of claim 7, wherein the standard deviation calculation formula is as follows: wherein x_i is the i-th time interval, and the average is taken over the n time intervals.
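The procedure of claims 1 to 3 (group by user, sort, take inter-operation intervals, then run steps a to d) can be sketched as follows. This is an added example, not code from the patent: the values m=5, n=1 and preset_number=5, the use of the population standard deviation, and the sample log are assumptions; the 0.05 threshold is the value mentioned in the description.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def coefficient_of_variation(intervals):
    # CV = standard deviation / average (claim 3); population std dev is an assumption.
    avg = mean(intervals)
    return pstdev(intervals) / avg if avg > 0 else 0.0  # all-zero gaps: perfectly regular

def longest_regular_run(intervals, m=5, n=1, cv_threshold=0.05):
    """Steps a-d: (start, length) of the longest run of intervals with CV below threshold."""
    best_start, best_len = 0, 0
    start, size = 0, m                      # step a: first m intervals from position 0
    while start + size <= len(intervals):
        window = intervals[start:start + size]
        if coefficient_of_variation(window) < cv_threshold:   # step b
            if size > best_len:
                best_start, best_len = start, size
            size += n                       # step c: grow the window from the same start
        else:
            start, size = start + 1, m      # step d: next start position, back to m
    return best_start, best_len

def detect_machine_behavior(records, preset_number=5, **params):
    """records: (user, ISO-8601 time) pairs in any order -> {user: (first_op_index, n_intervals)}."""
    by_user = defaultdict(list)
    for user, ts in records:                # claim 2: group by user
        by_user[user].append(datetime.fromisoformat(ts))
    flagged = {}
    for user, times in by_user.items():
        times.sort()                        # claim 2: order by operation time
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        start, length = longest_regular_run(gaps, **params)
        if length > preset_number:
            flagged[user] = (start, length)
    return flagged

# Constructed sample log (not from the patent): offsets in seconds from BASE.
BASE = datetime(2021, 7, 6, 9, 0, 0)
def _log(user, offsets):
    return [(user, (BASE + timedelta(seconds=s)).isoformat()) for s in offsets]

SAMPLE = (_log("svc-bot", [0, 600, 660, 721, 781, 840, 900, 960, 1021, 1081])
          + _log("alice", [0, 12, 95, 101, 340, 355, 900, 1400]))[::-1]

if __name__ == "__main__":
    print(detect_machine_behavior(SAMPLE))
```

In the sample, the first gap of 600 s fails step b, so the start slides by one; from there the window grows to 8 near-constant intervals (9 operations), which exceeds the preset number and flags that user, while the irregular user is not flagged.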
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110762856.2A CN113360899B (en) | 2021-07-06 | 2021-07-06 | Machine behavior recognition method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113360899A (en) | 2021-09-07 |
CN113360899B (en) | 2023-11-21 |
Family
ID=77538480
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110762856.2A Active CN113360899B (en) | 2021-07-06 | 2021-07-06 | Machine behavior recognition method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113360899B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116488948B (en) * | 2023-06-25 | 2023-09-01 | 上海观安信息技术股份有限公司 | Machine behavior abnormality detection method, device, equipment and medium |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107332931A (en) * | 2017-08-07 | 2017-11-07 | 合肥工业大学 | The recognition methods of waterborne troops of machine type forum and device |
CN109522692A (en) * | 2018-11-19 | 2019-03-26 | 第四范式(北京)技术有限公司 | Webpage machine behavioral value method and system |
CN110933115A (en) * | 2019-12-31 | 2020-03-27 | 上海观安信息技术股份有限公司 | Analysis object behavior abnormity detection method and device based on dynamic session |
CN110990242A (en) * | 2019-11-29 | 2020-04-10 | 上海观安信息技术股份有限公司 | Method and device for determining fluctuation abnormity of user operation times |
CN111177656A (en) * | 2019-12-31 | 2020-05-19 | 奇安信科技集团股份有限公司 | Behavior detection method, computer equipment and computer-readable storage medium |
CN111310139A (en) * | 2020-01-21 | 2020-06-19 | 腾讯科技(深圳)有限公司 | Behavior data identification method and device and storage medium |
WO2020125929A1 (en) * | 2018-12-17 | 2020-06-25 | Huawei Technologies Co., Ltd. | Apparatus and method for detecting an anomaly among successive events and computer program product therefor |
CN111818011A (en) * | 2020-05-29 | 2020-10-23 | 中国平安财产保险股份有限公司 | Abnormal access behavior recognition method and device, computer equipment and storage medium |
Non-Patent Citations (1)
Title |
---|
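Research on risk control for telecom operators' electronic channels; 殷钱安 et al.; 《通信技术》 (Communications Technology); 20180930; Vol. 51 (No. 9); pp. 2222-2227 * |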
Also Published As
Publication number | Publication date |
---|---|
CN113360899A (en) | 2021-09-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||