CN113570453A - Abnormal behavior identification method and device - Google Patents
Abnormal behavior identification method and device Download PDFInfo
- Publication number
- CN113570453A CN113570453A CN202111118308.2A CN202111118308A CN113570453A CN 113570453 A CN113570453 A CN 113570453A CN 202111118308 A CN202111118308 A CN 202111118308A CN 113570453 A CN113570453 A CN 113570453A
- Authority
- CN
- China
- Prior art keywords
- abnormal behavior
- model
- base
- models
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/03—Credit; Loans; Processing thereof
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Business, Economics & Management (AREA)
- Physics & Mathematics (AREA)
- Accounting & Taxation (AREA)
- Finance (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- Data Mining & Analysis (AREA)
- Strategic Management (AREA)
- Marketing (AREA)
- Economics (AREA)
- Artificial Intelligence (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Technology Law (AREA)
- Evolutionary Computation (AREA)
- Medical Informatics (AREA)
- Development Economics (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mathematical Physics (AREA)
- Image Analysis (AREA)
Abstract
The invention provides an abnormal behavior identification method and device, wherein the method comprises the following steps: selecting a plurality of base models, and setting different abnormal behavior labels for the base models of different layers and different base models; performing abnormal behavior model training according to the multilayer base model and the multiple base models to obtain a trained target abnormal behavior model; the method comprises the steps of carrying out abnormal behavior identification on data to be detected according to the target abnormal behavior model, solving the problems that abnormal behavior modeling is inaccurate due to few abnormal samples and difficult selection in abnormal behavior modeling of the related technology, and the identification accuracy of the abnormal behavior of the data is low.
Description
Technical Field
The invention relates to the field of data processing, in particular to an abnormal behavior identification method and device.
Background
In recent years, the network credit fraud event is rising year by year, the internal division of labor in the fraud group is more and more precise, the anti-investigation capability is more and more professional, and the trend of intellectualization, technicalization, non-contact and occupational is rapidly developing.
In the process of cheating attack and defense, a machine learning artificial intelligence method is adopted, more clue characteristics are found and searched, abnormal events such as behavior characteristics of a user and user association characteristics are mined, potential cheating risks are analyzed by combining dimensions such as IP, mobile phone and position, and the efficiency and the capacity of anti-cheating can be greatly improved.
The network credit anti-fraud recognition based on the big data technology generally adopts a machine learning model to judge the fraud probability of an incoming sample so as to reject the crowd with high fraud risk. In the application scene of bank network credit, bad samples in anti-fraud samples have low proportion, and modeling has paradoxical choices: if the definition of the fraud label is relaxed, more fraud samples can be captured, but the false rejection rate of the model is increased; if a strict fraud tag definition is used, on one hand, bad samples are too few to be easily over-fitted, and on the other hand, the model has poor capability of capturing the bad samples. Meanwhile, the characteristics of different dimensions cannot be fully utilized by using a single model, the performance is often poor, and the advantages of different models are difficult to comprehensively embody.
Aiming at the problems that in the related technology, abnormal behavior modeling is inaccurate due to few abnormal samples and difficult selection, and the identification accuracy of the abnormal behavior of the data is low, no solution is provided.
Disclosure of Invention
The embodiment of the invention provides an abnormal behavior identification method and device, which are used for at least solving the problems of low accuracy of data abnormal behavior identification caused by inaccurate abnormal behavior modeling due to few abnormal samples and difficulty in selection in the abnormal behavior modeling of the related technology.
According to an embodiment of the present invention, there is provided an abnormal behavior recognition method including:
selecting a plurality of base models, and setting different abnormal behavior labels for the base models of different layers and different base models;
performing abnormal behavior model training according to the multilayer base model and the multiple base models to obtain a trained target abnormal behavior model;
and performing abnormal behavior recognition on the data to be detected according to the target abnormal behavior model.
Optionally, the performing abnormal behavior model training according to the multi-layer base model and the multiple base models to obtain a trained target abnormal behavior model includes:
respectively generating result characteristics of the multiple base models in the multiple base models of the first layer in a cross validation mode;
and inputting the result characteristics of the multiple base models into a base model of a second layer for training to obtain the trained target abnormal behavior model.
Optionally, in the multiple base models of the first layer, generating the result features of the multiple base models in a cross-validation manner respectively includes:
dividing the training set data of the multiple base models into k sub-training sets according to the proportion of the normal samples to the abnormal samples;
for each base model in the multiple base models, performing the following steps to obtain k prediction features of each base model, where the result features include the k prediction features, and the executing base model is referred to as a current base model:
initializing i =1, and training each sub-training set i through k-1 sub-training sets except the sub-training set i to obtain the trained current base model;
inputting the trained current base model according to the sub-training set i to obtain a prediction result output by the current base model;
i = i +1, and i is less than or equal to k.
Optionally, inputting the result features of the multiple base models into a base model of a second layer for training, and obtaining the trained target abnormal behavior model includes:
and inputting the result characteristics of the multiple base models into an LR model, and training the LR model to obtain the target abnormal behavior model, wherein the base model of the second layer is the LR model.
Optionally, the performing, according to the target abnormal behavior model, abnormal behavior recognition on the data to be tested includes:
inputting the data to be tested into the multiple base models of the first layer of the target abnormal behavior model to obtain the result characteristics of the multiple base models;
inputting the result characteristics of the multiple base models into a base model of a second layer of the target abnormal behavior model to obtain the probability of abnormal behavior of the data to be detected output by the target abnormal behavior model;
and determining the abnormal behavior recognition result of the data to be tested according to the probability.
Optionally, inputting the result features of the multiple base models into the base model of the second layer of the target abnormal behavior model, and obtaining the probability that the data to be tested output by the target abnormal behavior model has an abnormal behavior includes:
determining an average of the resulting features of the plurality of base models;
and inputting the average value into an LR model of the target abnormal behavior model to obtain the probability of abnormal behavior of the data to be tested output by the target abnormal behavior model, wherein the base model of the second layer is the LR model.
Optionally, determining the abnormal behavior recognition result of the data to be tested according to the probability includes:
judging whether the probability is greater than a preset probability threshold value or not;
if the judgment result is yes, determining that the abnormal behavior identification result of the data to be detected has abnormal behavior;
and under the condition that the judgment result is negative, determining that the abnormal behavior identification result of the data to be detected does not have abnormal behavior.
According to another embodiment of the present invention, there is also provided an abnormal behavior recognition apparatus including:
the setting module is used for selecting a plurality of base models and setting different abnormal behavior labels for the base models of different layers and different base models;
the training module is used for carrying out abnormal behavior model training according to the multilayer base model and the multiple base models to obtain a trained target abnormal behavior model;
and the abnormal behavior identification module is used for identifying abnormal behaviors of the data to be detected according to the target abnormal behavior model.
Optionally, the training module comprises:
the generation submodule is used for generating the result characteristics of the multiple base models in the first layer in a cross validation mode;
and the training submodule is used for inputting the result characteristics of the multiple base models into a base model of a second layer for training to obtain the trained target abnormal behavior model.
Optionally, the generation submodule is further used for
Dividing the training set data of the multiple base models into k sub-training sets according to the proportion of the normal samples to the abnormal samples;
for each base model in the multiple base models, performing the following steps to obtain k prediction features of each base model, where the result features include the k prediction features, and the executing base model is referred to as a current base model:
initializing i =1, and training each sub-training set i through k-1 sub-training sets except the sub-training set i to obtain the trained current base model;
inputting the trained current base model according to the sub-training set i to obtain a prediction result output by the current base model;
i = i +1, and i is less than or equal to k.
Optionally, the training submodule is also used for
And inputting the result characteristics of the multiple base models into an LR model, and training the LR model to obtain the target abnormal behavior model, wherein the base model of the second layer is the LR model.
Optionally, the abnormal behavior recognition module includes:
the first input submodule is used for inputting the data to be tested into the multiple base models of the first layer of the target abnormal behavior model to obtain the result characteristics of the multiple base models;
the second input submodule is used for inputting the result characteristics of the multiple base models into a base model of a second layer of the target abnormal behavior model to obtain the probability of abnormal behavior of the data to be detected output by the target abnormal behavior model;
and the determining submodule is used for determining the abnormal behavior recognition result of the data to be tested according to the probability.
Optionally, the second input submodule is also used for
Determining an average of the resulting features of the plurality of base models;
and inputting the average value into an LR model of the target abnormal behavior model to obtain the probability of abnormal behavior of the data to be tested output by the target abnormal behavior model, wherein the base model of the second layer is the LR model.
Optionally, the determination submodule is further used for
Judging whether the probability is greater than a preset probability threshold value or not;
if the judgment result is yes, determining that the abnormal behavior identification result of the data to be detected has abnormal behavior;
and under the condition that the judgment result is negative, determining that the abnormal behavior identification result of the data to be detected does not have abnormal behavior.
According to a further embodiment of the present invention, a computer-readable storage medium is also provided, in which a computer program is stored, wherein the computer program is configured to perform the steps of any of the above-described method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
According to the invention, multiple base models are selected, and different abnormal behavior labels are set for the base models of different layers and different base models; performing abnormal behavior model training according to the multilayer base model and the multiple base models to obtain a trained target abnormal behavior model; the method comprises the steps of carrying out abnormal behavior identification on data to be detected according to the target abnormal behavior model, solving the problems that abnormal behavior modeling is inaccurate due to few abnormal samples and difficult selection in abnormal behavior modeling of the related technology, and the identification accuracy of the abnormal behavior of the data is low.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a block diagram of a hardware configuration of a mobile terminal of an abnormal behavior recognition method according to an embodiment of the present invention;
FIG. 2 is a flow chart of an abnormal behavior identification method according to an embodiment of the present invention;
FIG. 3 is a flow diagram of abnormal behavior identification based on Stacking model fusion according to an embodiment of the present invention;
fig. 4 is a block diagram of the abnormal behavior recognition apparatus according to the present embodiment.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Example 1
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking a mobile terminal as an example, fig. 1 is a hardware structure block diagram of a mobile terminal of the abnormal behavior identification method according to the embodiment of the present invention, as shown in fig. 1, the mobile terminal may include one or more processors 102 (only one is shown in fig. 1) (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), and a memory 104 for storing data, and optionally, the mobile terminal may further include a transmission device 106 for a communication function and an input/output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration, and does not limit the structure of the mobile terminal. For example, the mobile terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program and a module of application software, such as a computer program corresponding to the abnormal behavior recognition method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the mobile terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In this embodiment, a method for identifying an abnormal behavior operating in the mobile terminal or the network architecture is provided, and fig. 2 is a flowchart of the method for identifying an abnormal behavior according to the embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:
step S202, selecting a plurality of base models, and setting different abnormal behavior labels for the base models of different layers and different base models;
step S204, performing abnormal behavior model training according to the multilayer base model and the multiple base models to obtain a trained target abnormal behavior model;
and S206, performing abnormal behavior identification on the data to be detected according to the target abnormal behavior model.
Through the steps S202 to S206, the problem that the abnormal behavior modeling is inaccurate due to few abnormal samples and difficult selection in the abnormal behavior modeling of the related technology, and the identification accuracy of the abnormal behavior of the data is low can be solved.
In an embodiment of the present invention, the step S204 may specifically include:
s2041, generating result characteristics of the multiple base models in the multiple base models of the first layer in a cross validation mode, and further dividing training set data of the multiple base models into k sub-training sets according to the proportion of normal samples to abnormal samples; for each base model in the multiple base models, performing the following steps to obtain k prediction features of each base model, where the result features include the k prediction features, and the executing base model is referred to as a current base model: initializing i =1, and training each sub-training set i through k-1 sub-training sets except the sub-training set i to obtain the trained current base model; inputting the trained current base model according to the sub-training set i to obtain a prediction result output by the current base model; i = i +1, and i is less than or equal to k;
s2042, inputting the result features of the multiple base models into a base model of a second layer for training, so as to obtain the trained target abnormal behavior model, and further inputting the result features of the multiple base models into an LR model for training the LR model, so as to obtain the target abnormal behavior model, where the base model of the second layer is the LR model.
In an embodiment of the present invention, the step S206 may specifically include:
s2061, inputting the data to be tested into the multiple base models of the first layer of the target abnormal behavior model to obtain the result characteristics of the multiple base models;
s2062, inputting the result features of the multiple base models into the base model of the second layer of the target abnormal behavior model to obtain a probability that the data to be tested output by the target abnormal behavior model has an abnormal behavior, and further, the step S2062 may specifically include: determining an average of the resulting features of the plurality of base models; and inputting the average value into an LR model of the target abnormal behavior model to obtain the probability of abnormal behavior of the data to be tested output by the target abnormal behavior model, wherein the base model of the second layer is the LR model.
S2063, determining the abnormal behavior recognition result of the data to be tested according to the probability.
Further, the step S2063 may specifically include: judging whether the probability is greater than a preset probability threshold value or not; if the judgment result is yes, determining that the abnormal behavior identification result of the data to be detected has abnormal behavior; and under the condition that the judgment result is negative, determining that the abnormal behavior identification result of the data to be detected does not have abnormal behavior.
The embodiment of the invention is based on the Stacking idea, combines and uses various abnormal behavior label definitions, characteristic dimensions and algorithm models to form different base models, and then uses the Stacking layered fusion idea to fuse different base models by strict abnormal behavior label definitions. Meanwhile, the problem of model fusion of a multi-person modeling task can be solved, fig. 3 is a flowchart of abnormal behavior identification based on Stacking model fusion according to an embodiment of the present invention, and as shown in fig. 3, the method specifically includes:
step S301, determining a data range, a time window and an abnormal behavior tag of a training sample, wherein the abnormal behavior can be specifically a fraud behavior, and the abnormal behavior tag can be specifically a fraud tag;
step S302, a base model is established, m base models (LR, random forest, Xgboost and the like can be selected and trained, model training characteristics are required and optimal characteristic ranges of the respective models are obtained, characteristic processing can be different, and the model training characteristics are used as different characteristic sets x _1 and transmitted to a subsequent fusion process. The abnormal behavior labels of different base models can be selected according to the needs and are not completely consistent. The definition of the abnormal behavior label can be properly relaxed, such as adding rejection inference, relaxing the limitation of the number of overdue days, and the like;
step S303, model training, including:
a first layer: and respectively inputting required characteristic data and abnormal behavior labels to different base models. In order to prevent the training data from being over-fitted, each base model adopts k-fold cross validation to generate base model result characteristics, and the base model result characteristics are used as second-layer training data.
1) Dividing training set data into k sub-training sets according to the proportion of good and bad samples;
2) for each data i, training a base model by using the rest k-1 data, and then predicting the data by using the model;
for each base model j:
for each sub-training set i (i = 1-k):
training data for training of base model
;
Base moldType j result characteristics
Wherein, in the step (A),
predict the result for the base model j.
A second layer: an LR model is selected and trained based on first-layer data, wherein a training set y _2 is a more strictly defined abnormal behavior label, and the algorithm is as follows:
Step S304, performing abnormal behavior recognition based on the trained model, including:
a first layer: using the result of the training in step S303, for each base model j, the sub-training set model is used in turn for the input prediction set xj1, taking the prediction mean value of k sub-training set models as the second layer x of the basic model jjAnd (4) inputting the key 2.
For each base model j:
for each sub-training set i (i = 1-k):
base model j result features
Wherein, in the step (A),
is the prediction result of the base model j;
a second layer: an LR model is selected, prediction is carried out based on first-layer data, and the result is as follows:
wherein theta is a parameter obtained by the training of the step 3,
is the probability of the final predicted abnormal behavior.
According to the embodiment of the invention, the final abnormal behavior identification result is that a probability threshold value is selected according to the verification result, and whether the predicted value is abnormal behavior is judged. The result is the result of fusing various basic models through stacking, the characteristics and the abnormal behavior labels of the basic models can be different, the basic models have diversity, and the fused effect is good. And the method of k-fold cross validation is adopted, so that the stability of the model is good, and overfitting is prevented. Verification shows that the abnormal behavior identification based on the Stacking model fusion can obviously improve the accuracy of the abnormal behavior identification of the original single model.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combinations, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred and that the acts and modules referred to are not necessarily required by the invention.
Example 2
According to another embodiment of the present invention, there is also provided an abnormal behavior recognition apparatus, and fig. 4 is a block diagram of the abnormal behavior recognition apparatus according to the present embodiment, as shown in fig. 4, including:
the setting module 42 is configured to select multiple base models, and set different abnormal behavior labels for the base models of different layers and different base models;
the training module 44 is used for performing abnormal behavior model training according to the multilayer base model and the multiple base models to obtain a trained target abnormal behavior model;
and the abnormal behavior identification module 46 is configured to identify an abnormal behavior of the data to be detected according to the target abnormal behavior model.
Optionally, the training module 44 comprises:
the generation submodule is used for generating the result characteristics of the multiple base models in the first layer in a cross validation mode;
and the training submodule is used for inputting the result characteristics of the multiple base models into a base model of a second layer for training to obtain the trained target abnormal behavior model.
Optionally, the generation submodule is further used for
Dividing the training set data of the multiple base models into k sub-training sets according to the proportion of the normal samples to the abnormal samples;
for each base model in the multiple base models, performing the following steps to obtain k prediction features of each base model, where the result features include the k prediction features, and the executing base model is referred to as a current base model:
initializing i =1, and training each sub-training set i through k-1 sub-training sets except the sub-training set i to obtain the trained current base model;
inputting the trained current base model according to the sub-training set i to obtain a prediction result output by the current base model;
i = i +1, and i is less than or equal to k.
Optionally, the training submodule is also used for
And inputting the result characteristics of the multiple base models into an LR model, and training the LR model to obtain the target abnormal behavior model, wherein the base model of the second layer is the LR model.
Optionally, the abnormal behavior recognition module 46 includes:
the first input submodule is used for inputting the data to be tested into the multiple base models of the first layer of the target abnormal behavior model to obtain the result characteristics of the multiple base models;
the second input submodule is used for inputting the result characteristics of the multiple base models into a base model of a second layer of the target abnormal behavior model to obtain the probability of abnormal behavior of the data to be detected output by the target abnormal behavior model;
and the determining submodule is used for determining the abnormal behavior recognition result of the data to be tested according to the probability.
Optionally, the second input submodule is also used for
Determining an average of the resulting features of the plurality of base models;
and inputting the average value into an LR model of the target abnormal behavior model to obtain the probability of abnormal behavior of the data to be tested output by the target abnormal behavior model, wherein the base model of the second layer is the LR model.
Optionally, the determination submodule is further used for
Judging whether the probability is greater than a preset probability threshold value or not;
if the judgment result is yes, determining that the abnormal behavior identification result of the data to be detected has abnormal behavior;
and under the condition that the judgment result is negative, determining that the abnormal behavior identification result of the data to be detected does not have abnormal behavior.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in different processors in any combination.
Example 3
Embodiments of the present invention also provide a computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
s1, selecting multiple base models, and setting different abnormal behavior labels for the base models of different layers and different base models;
s2, performing abnormal behavior model training according to the multilayer base model and the multiple base models to obtain a trained target abnormal behavior model;
and S3, performing abnormal behavior recognition on the data to be detected according to the target abnormal behavior model.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Example 4
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, selecting multiple base models, and setting different abnormal behavior labels for the base models of different layers and different base models;
s2, performing abnormal behavior model training according to the multilayer base model and the multiple base models to obtain a trained target abnormal behavior model;
and S3, performing abnormal behavior recognition on the data to be detected according to the target abnormal behavior model.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. An abnormal behavior recognition method, comprising:
selecting a plurality of base models, and setting different abnormal behavior labels for the base models of different layers and different base models;
performing abnormal behavior model training according to the multilayer base model and the multiple base models to obtain a trained target abnormal behavior model;
and performing abnormal behavior recognition on the data to be detected according to the target abnormal behavior model.
2. The method of claim 1, wherein performing abnormal behavior model training according to the multi-layer basis model and the multiple basis models to obtain a trained target abnormal behavior model comprises:
respectively generating result characteristics of the multiple base models in the multiple base models of the first layer in a cross validation mode;
and inputting the result characteristics of the multiple base models into a base model of a second layer for training to obtain the trained target abnormal behavior model.
3. The method of claim 2, wherein generating the resulting features of the plurality of base models in the plurality of base models of the first layer using cross-validation respectively comprises:
dividing the training set data of the multiple base models into k sub-training sets according to the proportion of the normal samples to the abnormal samples;
for each base model in the multiple base models, performing the following steps to obtain k prediction features of each base model, where the result features include the k prediction features, and the executing base model is referred to as a current base model:
initializing i =1, and training each sub-training set i through k-1 sub-training sets except the sub-training set i to obtain the trained current base model;
inputting the trained current base model according to the sub-training set i to obtain a prediction result output by the current base model;
i = i +1, and i is less than or equal to k.
4. The method of claim 2, wherein inputting the result features of the plurality of base models into a base model of a second layer for training, and obtaining the trained target abnormal behavior model comprises:
and inputting the result characteristics of the multiple base models into an LR model, and training the LR model to obtain the target abnormal behavior model, wherein the base model of the second layer is the LR model.
5. The method according to any one of claims 2 to 4, wherein performing abnormal behavior recognition on the data to be tested according to the target abnormal behavior model comprises:
inputting the data to be tested into the multiple base models of the first layer of the target abnormal behavior model to obtain the result characteristics of the multiple base models;
inputting the result characteristics of the multiple base models into a base model of a second layer of the target abnormal behavior model to obtain the probability of abnormal behavior of the data to be detected output by the target abnormal behavior model;
and determining the abnormal behavior recognition result of the data to be tested according to the probability.
6. The method according to claim 5, wherein inputting the result features of the plurality of base models into the base model of the second layer of the target abnormal behavior model, and obtaining the probability that the data to be tested output by the target abnormal behavior model has abnormal behavior comprises:
determining an average of the resulting features of the plurality of base models;
and inputting the average value into an LR model of the target abnormal behavior model to obtain the probability of abnormal behavior of the data to be tested output by the target abnormal behavior model, wherein the base model of the second layer is the LR model.
7. The method of claim 5, wherein determining the abnormal behavior recognition result of the data under test according to the probability comprises:
judging whether the probability is greater than a preset probability threshold value or not;
if the judgment result is yes, determining that the abnormal behavior identification result of the data to be detected has abnormal behavior;
and under the condition that the judgment result is negative, determining that the abnormal behavior identification result of the data to be detected does not have abnormal behavior.
8. An abnormal behavior recognition apparatus, comprising:
the setting module is used for selecting a plurality of base models and setting different abnormal behavior labels for the base models of different layers and different base models;
the training module is used for carrying out abnormal behavior model training according to the multilayer base model and the multiple base models to obtain a trained target abnormal behavior model;
and the abnormal behavior identification module is used for identifying abnormal behaviors of the data to be detected according to the target abnormal behavior model.
9. A computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to carry out the method of any one of claims 1 to 7 when executed.
10. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111118308.2A CN113570453A (en) | 2021-09-24 | 2021-09-24 | Abnormal behavior identification method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111118308.2A CN113570453A (en) | 2021-09-24 | 2021-09-24 | Abnormal behavior identification method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113570453A true CN113570453A (en) | 2021-10-29 |
Family
ID=78174171
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111118308.2A Pending CN113570453A (en) | 2021-09-24 | 2021-09-24 | Abnormal behavior identification method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113570453A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107943861A (en) * | 2017-11-09 | 2018-04-20 | 北京众荟信息技术股份有限公司 | A kind of missing data compensation process and system based on time series |
| CN111353600A (en) * | 2020-02-20 | 2020-06-30 | 第四范式(北京)技术有限公司 | Abnormal behavior detection method and device |
| CN111931868A (en) * | 2020-09-24 | 2020-11-13 | 常州微亿智造科技有限公司 | Time series data abnormity detection method and device |
| CN113222053A (en) * | 2021-05-28 | 2021-08-06 | 广州大学 | Malicious software family classification method, system and medium based on RGB image and Stacking multi-model fusion |
| CN113228062A (en) * | 2021-02-25 | 2021-08-06 | 东莞理工学院 | Deep integration model training method based on feature diversity learning |
-
2021
- 2021-09-24 CN CN202111118308.2A patent/CN113570453A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107943861A (en) * | 2017-11-09 | 2018-04-20 | 北京众荟信息技术股份有限公司 | A kind of missing data compensation process and system based on time series |
| CN111353600A (en) * | 2020-02-20 | 2020-06-30 | 第四范式(北京)技术有限公司 | Abnormal behavior detection method and device |
| CN111931868A (en) * | 2020-09-24 | 2020-11-13 | 常州微亿智造科技有限公司 | Time series data abnormity detection method and device |
| CN113228062A (en) * | 2021-02-25 | 2021-08-06 | 东莞理工学院 | Deep integration model training method based on feature diversity learning |
| CN113222053A (en) * | 2021-05-28 | 2021-08-06 | 广州大学 | Malicious software family classification method, system and medium based on RGB image and Stacking multi-model fusion |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107577945B (en) | URL attack detection method and device and electronic equipment | |
| Gomes et al. | Random forest classifier in SDN framework for user-based indoor localization | |
| CN106982230B (en) | Flow detection method and system | |
| Wang et al. | App-net: A hybrid neural network for encrypted mobile traffic classification | |
| CN110276369B (en) | Feature selection method, device and equipment based on machine learning and storage medium | |
| CN110166344B (en) | Identity identification method, device and related equipment | |
| CN113992349B (en) | Malicious traffic identification method, device, equipment and storage medium | |
| CN107403311B (en) | Account use identification method and device | |
| US20210326700A1 (en) | Neural network optimization | |
| CN111815169A (en) | Business approval parameter configuration method and device | |
| CN113869521A (en) | Method, device, computing equipment and storage medium for constructing prediction model | |
| CN111797320A (en) | Data processing method, device, equipment and storage medium | |
| CN112685787A (en) | Big data information security protection method applied to artificial intelligence and cloud server | |
| CN114301850A (en) | Military communication encrypted flow identification method based on generation countermeasure network and model compression | |
| CN110162957A (en) | Method for authenticating and device, storage medium, the electronic device of smart machine | |
| CN113065748A (en) | Business risk assessment method, device, equipment and storage medium | |
| CN113570453A (en) | Abnormal behavior identification method and device | |
| CN110457387A (en) | A kind of method and relevant apparatus determining applied to user tag in network | |
| CN115935358A (en) | Malicious software identification method and device, electronic equipment and storage medium | |
| CN115017362A (en) | Data processing method, electronic device and storage medium | |
| CN116467153A (en) | Data processing method, device, computer equipment and storage medium | |
| CN113935832A (en) | Abnormal behavior detection processing method and device | |
| CN116451050A (en) | Abnormal behavior recognition model training and abnormal behavior recognition method and device | |
| CN116266273A (en) | Neural network generation method, neural network generation device, neural network image processing device and storage medium | |
| CN113065641A (en) | Neural network model training method and device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |