CN113722707A - Database abnormal access detection method, system and equipment based on distance measurement - Google Patents

Database abnormal access detection method, system and equipment based on distance measurement Download PDF

Info

Publication number
CN113722707A
CN113722707A CN202111289946.0A CN202111289946A CN113722707A CN 113722707 A CN113722707 A CN 113722707A CN 202111289946 A CN202111289946 A CN 202111289946A CN 113722707 A CN113722707 A CN 113722707A
Authority
CN
China
Prior art keywords
access
database
abnormal
model
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111289946.0A
Other languages
Chinese (zh)
Inventor
宋美艳
陈锋
沈正华
郑卫东
李晓燕
周波
贾泽冰
刘畅
李亚都
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Thermal Power Research Institute Co Ltd
Huaneng Zhejiang Energy Development Co Ltd Yuhuan Branch
Original Assignee
Xian Thermal Power Research Institute Co Ltd
Huaneng Zhejiang Energy Development Co Ltd Yuhuan Branch
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xian Thermal Power Research Institute Co Ltd, Huaneng Zhejiang Energy Development Co Ltd Yuhuan Branch filed Critical Xian Thermal Power Research Institute Co Ltd
Priority to CN202111289946.0A priority Critical patent/CN113722707A/en
Publication of CN113722707A publication Critical patent/CN113722707A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2413Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
    • G06F18/24147Distances to closest patterns, e.g. nearest neighbour classification

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a distance measurement-based database abnormal access detection method, a distance measurement-based database abnormal access detection system and distance measurement-based database abnormal access detection equipment, wherein a distance-based KNN algorithm is used for training a low-dimensional user access vector to obtain an abnormal detection model, and an abnormal access responder is constructed; the abnormal access responder prepares response strategies to abnormal operations of the database in advance, thereby realizing the response to the abnormal operations of the user predicted by the abnormal detection model and recording the related information of the abnormal operations of the user, thereby realizing the active defense effect to the abnormal operations. Based on the characteristics, the method realizes the effects of real-time monitoring and active defense on the abnormal operation database of the user.

Description

Database abnormal access detection method, system and equipment based on distance measurement
Technical Field
The invention belongs to the processing of DCS transmission data, mainly relates to the field of database abnormal access detection, and particularly relates to a method, a system and equipment for detecting database abnormal access based on distance measurement.
Background
In the upper computer part of a Distributed Control System (DCS), each upper computer subsystem often performs operations such as access, search and the like on a database. In addition, database management personnel also frequently modify and maintain the database. Malicious access and operation to the database are generally divided into external malicious access and internal malicious access. And a better defense strategy is usually provided for external malicious access of the database, and malicious access or misoperation of internal personnel with authority is usually difficult to prevent. In the electrical digital data processing, malicious access or misoperation of internal personnel is generally realized by adopting a database auditing tool in the prior art, and the database auditing tool records all database access and operation records including operation IP, users, operation statements, time, operation results and the like in the background; the system security officer then detects the operation behavior of the internal user by analyzing the database access and operation records. Because the database auditing tool is a post-investigation means and has no way to prevent the abnormal operation of the ongoing database in real time, the method cannot play the roles of active defense and real-time defense.
Disclosure of Invention
The invention provides a distance measurement-based database abnormal access detection method, system and device, aiming at the problem that a database auditing tool in the prior art has no way to prevent abnormal database operation of an internal user in real time, the invention constructs a low-dimensional user access vector through an LDA algorithm, inputs the user access vector into a distance-based KNN model for training to obtain an abnormal detection model, and the abnormal detection model is used for detecting whether all operations of the user on the database are normal or not and simultaneously constructs an abnormal access response strategy, thereby performing real-time monitoring and active defense effect on the abnormal access of the internal user.
The invention is realized by the following technical scheme:
a database abnormal access detection method based on distance measurement comprises the following steps:
extracting database access information;
the extracted database access information enters a model training stage to obtain a low-dimensional user access vector in a data dimension reduction mode;
training a low-dimensional user access vector by using a distance-based algorithm to obtain an anomaly detection model;
and the training result obtained in the model training stage is used as an anomaly detection model in the model testing stage, the low-dimensional user access vector is obtained in the model testing stage in a data dimension reduction mode, and the user access vector subjected to dimension reduction is input into the anomaly detection model to obtain a detection result, so that the real-time monitoring and active defense for the database anomaly access are realized.
Preferably, the data dimensionality reduction is realized by adopting an LDA algorithm in the model training stage and the model testing stage, a low-dimensional user access vector is constructed, and the detection of the abnormal access of the database is realized by adopting a KNN model as an abnormal detection model.
Further, the distance measurement of the KNN model adopts an euclidean distance, and a specific expression is as follows:
Figure 735664DEST_PATH_IMAGE001
where x represents a sample point and y represents the classification of the sample point correspondence.
Further, the KNN model can be used for adjusting the K value through the calculation result to divide normal access and abnormal access to different degrees.
Further, the specific steps of the model training phase include the following:
performing data preprocessing operation on the extracted database history log to obtain text data;
extracting user operation characteristics from the text data, and constructing an initial database user access characteristic portrait based on the user attribute characteristics and the user operation characteristics, wherein the initial database user access characteristic portrait is a high-dimensional matrix;
performing dimensionality reduction operation on a high-dimensional matrix of an initial database user access characteristic image through an LDA algorithm to obtain a low-dimensional user access vector;
and taking the low-dimensional user access vector as the input of the KNN model, calculating the parameters to be trained in the KNN model, and continuously adjusting the given K value to obtain the optimal classification result, namely the model training result.
Furthermore, the data preprocessing operation is to remove the system log to obtain the text data.
Further, the specific steps of the model testing stage comprise the following steps:
carrying out data preprocessing on user data in a model training stage, and extracting effective access data statements;
constructing a database user access characteristic portrait on the basis of the user attribute characteristics and the user operation characteristics for the effective access data sentences to obtain a high-dimensional database user access characteristic portrait;
performing dimensionality reduction operation on the high-dimensional database user access characteristic image through an LDA algorithm to obtain a low-dimensional user access vector;
taking a low-dimensional user access vector as the input of a KNN model, calculating the KNN model to obtain a parameter to be trained in the model, continuously adjusting a given K value to obtain an optimal detection result, and distinguishing a normal access detection result from an abnormal access detection result;
and inputting the abnormal access detection result into an abnormal access responder, outputting different abnormal access levels, and executing different operations on the access.
Furthermore, the data preprocessing is to delete the invalid statements of the database access and extract the valid access statements of the core.
A distance measurement based database abnormal access detection system comprises
The acquisition module is used for extracting database access information;
the first processing module is used for obtaining a low-dimensional user access vector in a data dimension reduction mode when the extracted database access information enters a model training stage;
the second processing module is used for training the low-dimensional user access vector by using a distance-based algorithm to obtain an anomaly detection model;
and the third processing module is used for taking a training result obtained in the model training stage as an abnormal detection model in the model testing stage, obtaining a low-dimensional user access vector in a data dimension reduction mode in the model testing stage, inputting the user access vector subjected to dimension reduction into the abnormal detection model to obtain a detection result, and realizing real-time monitoring and active defense on abnormal access of the database.
A distance-metric-based database abnormal access detection apparatus comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the distance-metric-based database abnormal access detection method as described above when executing the computer program.
Compared with the prior art, the invention has the following beneficial technical effects:
the invention provides a database abnormal access detection method based on distance measurement, which is characterized in that a distance-based KNN algorithm is used for training a low-dimensional user access vector to obtain an abnormal detection model and constructing an abnormal access responder, the method constructs the abnormal detection model through the distance-based KNN algorithm, can detect whether the database operation behavior of a user is normal in real time, and effectively solves the problem that whether the ongoing database operation is normal or not can not be detected in real time by using a database auditing tool; the abnormal access responder prepares response strategies to abnormal operations of the database in advance, thereby realizing the response to the abnormal operations of the user predicted by the abnormal detection model and recording the related information of the abnormal operations of the user, thereby realizing the active defense effect to the abnormal operations. Based on the characteristics, the method realizes the effects of real-time monitoring and active defense on the abnormal operation database of the user.
Drawings
FIG. 1 is a flow chart illustrating the steps of a method for detecting abnormal database access based on distance measurement according to the present invention;
FIG. 2 is a schematic diagram of a distance metric-based database abnormal access detection system according to the present invention.
Detailed Description
The present invention will now be described in further detail with reference to specific examples, which are intended to be illustrative, but not limiting, of the invention.
The invention provides a database abnormal access detection method based on distance measurement, which comprises the following steps as shown in figure 1:
extracting database access information;
the extracted database access information enters a model training stage to obtain a low-dimensional user access vector in a data dimension reduction mode;
training a low-dimensional user access vector by using a distance-based algorithm to obtain an anomaly detection model;
and the training result obtained in the model training stage is used as an anomaly detection model in the model testing stage, the low-dimensional user access vector is obtained in the model testing stage in a data dimension reduction mode, and the user access vector subjected to dimension reduction is input into the anomaly detection model to obtain a detection result, so that the real-time monitoring and active defense for the database anomaly access are realized.
In the model training stage and the model testing stage, data dimensionality reduction is realized by adopting an LDA algorithm, a low-dimensional user access vector is constructed, and detection of abnormal access of the database is realized by adopting a KNN model as an abnormal detection model. In the model training stage and the model testing stage, the database user access characteristic images obtained based on the user attribute characteristics and the user operation characteristics are high-dimensional matrixes.
And the user access vectors obtained by the LDA algorithm in the model training stage and the model testing stage are low-dimensional vectors.
Referring to fig. 1, the specific steps of the model training phase in the present invention include the following:
performing data preprocessing operation on the extracted database history log to obtain text data;
extracting user operation characteristics from the text data, and constructing an initial database user access characteristic portrait based on the user attribute characteristics and the user operation characteristics, wherein the initial database user access characteristic portrait is a high-dimensional matrix;
performing dimensionality reduction operation on a high-dimensional matrix of an initial database user access characteristic image through an LDA algorithm to obtain a low-dimensional user access vector;
and taking the low-dimensional user access vector as the input of the KNN model, calculating the parameters to be trained in the KNN model, and continuously adjusting the given K value to obtain the optimal classification result of the model.
The data preprocessing operation is to remove the system log to obtain text data.
Referring to fig. 1, the specific steps of the model testing phase of the present invention include the following:
carrying out data preprocessing on user data in a model training stage, and extracting effective access data statements;
constructing a database user access characteristic portrait on the basis of the user attribute characteristics and the user operation characteristics for the effective access data sentences to obtain a high-dimensional database user access characteristic portrait;
performing dimensionality reduction operation on the high-dimensional database user access characteristic image through an LDA algorithm to obtain a low-dimensional user access vector;
taking a low-dimensional user access vector as the input of a KNN model, calculating the KNN model to obtain a parameter to be trained in the model, continuously adjusting a given K value to obtain an optimal detection result, and distinguishing a normal access detection result from an abnormal access detection result;
and inputting the abnormal access detection result into an abnormal access responder, outputting different abnormal access levels, and executing different operations on the access.
The data preprocessing is to delete the invalid statements accessed by the database and extract the valid access statements of the core.
In the distance measurement-based database abnormal access detection method, the LDA algorithm is adopted to realize data dimension reduction in both the model training stage and the model testing stage, and the specific mode of the LDA algorithm is as follows:
set data set D = { (x)1,y1),(x2,y2),...,(xm,ym) In which arbitrary samples xiAre all n-dimensional vectors; y isiAs a class of sample, yi∈{0,1};
Definition of Nj(j =0, 1) represents the number of j-th class samples, Xj(j =0, 1) is the set of class j samples, and μj(j =0, 1) is the mean vector of the j-th class samples, defining Σj(j =0, 1) is the covariance matrix of the jth class sample.
Therefore, ujThe expression of (a) is:
Figure 312139DEST_PATH_IMAGE002
Σjthe expression of (a) is:
Figure 707348DEST_PATH_IMAGE003
the LDA algorithm is to project the same kind of data onto a straight line because the projection points of the same kind of data are as close as possible, and the distances between the class centers of the different kinds of data are as large as possible.
If the projection straight line is set as the vector w, then for any oneA sample xiIts projection on the straight line w is wTxi,wTRepresenting the transposition of the vector w, setting the distribution of the central points of the two classes as mu0,μ1(ii) a The projection on the straight line w is wTμ0And wTμ1
Since the LDA algorithm needs to make the distance between the class centers of the different classes of data as large as possible, i.e. to maximize
Figure 256141DEST_PATH_IMAGE004
(ii) a Meanwhile, the projection points of the same type of data are as close as possible, that is, the covariance w of the projection points of the same type of sample is requiredTΣ0w and wTΣ1w is as small as possible, i.e. w is minimizedTΣ0w+wTΣ1w。
In summary, the optimization goals are:
Figure 875341DEST_PATH_IMAGE005
j (W) represents an objective function; when J (W) obtains the maximum value, the obtained result is the user access characteristic matrix after LDA dimension reduction.
The KNN model is a distance-based machine learning method, and the principle of the KNN model can be understood as a majority decision method, namely K samples which are closest to the characteristics of the prediction samples in the training set are the category with the largest category number in the data set, the K sample data which are closest to the prediction samples in the KNN model are normal access data, and the K samples which are far away from the characteristics of the prediction samples are abnormal database access.
The distance measurement of the KNN model adopts the Euclidean distance, and the specific expression is as follows:
Figure 142375DEST_PATH_IMAGE006
where x represents a sample point and y represents the classification of the sample point correspondence.
After defining the distance and the K value, any new sample is classified as the class with the highest class among the K samples closest to the sample.
Taking two-dimensional point matrix classification problems as an example; when the sample is S = (x)1,y1),(x2,y2),...,(xN,yN) (ii) a Wherein xi is a point on the two-dimensional plane, and yi is a classification corresponding to the point on the two-dimensional plane of the sample xi. For a new sample x, the formula for the class y corresponding to the sample point is as follows:
Figure 75696DEST_PATH_IMAGE007
wherein, cjRepresenting a category of the sample; n is a radical ofk(x) Represents the set of k samples nearest to sample x, f being an indicator function for yi; the mathematical expression of the indicator function is as follows:
Figure 541312DEST_PATH_IMAGE008
examples
When a user performs an operation of deleting the whole data table from the database, "delete from table _ name"; the low-dimensional user access vector is input into the trained anomaly detection model, which outputs a predicted result — assuming "abnormal operation". And inputting the prediction result into an abnormal access responder, and outputting a deletion rejection instruction by the abnormal access responder, and simultaneously rejecting the deletion operation of the user on the data table.
The following are embodiments of the apparatus of the present invention that may be used to perform embodiments of the method of the present invention.
As shown in fig. 2, an embodiment of the present invention provides a distance-metric-based database abnormal access detection system, which is used to implement the distance-metric-based database abnormal access detection method described above, where the database abnormal access detection system includes:
the acquisition module is used for extracting database access information;
the first processing module is used for obtaining a low-dimensional user access vector in a data dimension reduction mode when the extracted database access information enters a model training stage;
the second processing module is used for training the low-dimensional user access vector by using a distance-based algorithm to obtain an anomaly detection model;
and the third processing module is used for taking a training result obtained in the model training stage as an abnormal detection model in the model testing stage, obtaining a low-dimensional user access vector in a data dimension reduction mode in the model testing stage, inputting the user access vector subjected to dimension reduction into the abnormal detection model to obtain a detection result, and realizing real-time monitoring and active defense on abnormal access of the database.
The first processing module, the second processing module and the third processing module respectively comprise an abnormality detection module and a human-computer interaction module;
the anomaly detection module is used for carrying out data access detection on the database information;
and the human-computer interaction module is used for displaying the abnormal access detection data.
In still another embodiment of the present invention, a distance-metric-based database abnormal access detection apparatus is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the distance-metric-based database abnormal access detection apparatus implements the distance-metric-based database abnormal access detection method described above.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (10)

1. A database abnormal access detection method based on distance measurement is characterized in that: the method comprises the following steps:
extracting database access information;
the extracted database access information enters a model training stage to obtain a low-dimensional user access vector in a data dimension reduction mode;
training a low-dimensional user access vector by using a distance-based algorithm to obtain an anomaly detection model;
and the training result obtained in the model training stage is used as an anomaly detection model in the model testing stage, the low-dimensional user access vector is obtained in the model testing stage in a data dimension reduction mode, and the user access vector subjected to dimension reduction is input into the anomaly detection model to obtain a detection result, so that the real-time monitoring and active defense for the database anomaly access are realized.
2. The method for detecting abnormal database access based on distance measurement as claimed in claim 1, wherein: in the model training stage and the model testing stage, data dimensionality reduction is realized by adopting an LDA algorithm, a low-dimensional user access vector is constructed, and detection of abnormal access of the database is realized by adopting a KNN model as an abnormal detection model.
3. The method for detecting abnormal database access based on distance measurement as claimed in claim 2, wherein: the distance measurement of the KNN model adopts Euclidean distance, and the specific expression is as follows:
Figure 575192DEST_PATH_IMAGE001
where x represents a sample point and y represents the classification of the sample point correspondence.
4. The method for detecting abnormal database access based on distance measurement as claimed in claim 2, wherein: and the KNN model can be used for adjusting the K value through the calculation result to divide normal access and abnormal access to different degrees.
5. The method for detecting abnormal database access based on distance measurement as claimed in claim 2, wherein: the specific steps of the model training phase include the following:
performing data preprocessing operation on the extracted database history log to obtain text data;
extracting user operation characteristics from the text data, and constructing an initial database user access characteristic portrait based on the user attribute characteristics and the user operation characteristics, wherein the initial database user access characteristic portrait is a high-dimensional matrix;
performing dimensionality reduction operation on a high-dimensional matrix of an initial database user access characteristic image through an LDA algorithm to obtain a low-dimensional user access vector;
and taking the low-dimensional user access vector as the input of the KNN model, calculating the parameters to be trained in the KNN model, and continuously adjusting the given K value to obtain the optimal classification result, namely the model training result.
6. The method for detecting abnormal database access based on distance measurement as claimed in claim 5, wherein: the data preprocessing operation is to remove the system log to obtain text data.
7. The method for detecting abnormal database access based on distance measurement as claimed in claim 2, wherein: the specific steps of the model testing stage comprise the following steps:
carrying out data preprocessing on user data in a model training stage, and extracting effective access data statements;
constructing a database user access characteristic portrait on the basis of the user attribute characteristics and the user operation characteristics for the effective access data sentences to obtain a high-dimensional database user access characteristic portrait;
performing dimensionality reduction operation on the high-dimensional database user access characteristic image through an LDA algorithm to obtain a low-dimensional user access vector;
taking a low-dimensional user access vector as the input of a KNN model, calculating the KNN model to obtain a parameter to be trained in the model, continuously adjusting a given K value to obtain an optimal detection result, and distinguishing a normal access detection result from an abnormal access detection result;
and inputting the abnormal access detection result into an abnormal access responder, outputting different abnormal access levels, and executing different operations on the access.
8. The method according to claim 7, wherein the distance metric-based database abnormal access detection method comprises: the data preprocessing is to delete the invalid statements accessed by the database and extract the valid access statements of the core.
9. A distance metric based database abnormal access detection system, comprising:
the acquisition module is used for extracting database access information;
the first processing module is used for obtaining a low-dimensional user access vector in a data dimension reduction mode when the extracted database access information enters a model training stage;
the second processing module is used for training the low-dimensional user access vector by using a distance-based algorithm to obtain an anomaly detection model;
and the third processing module is used for taking a training result obtained in the model training stage as an abnormal detection model in the model testing stage, obtaining a low-dimensional user access vector in a data dimension reduction mode in the model testing stage, inputting the user access vector subjected to dimension reduction into the abnormal detection model to obtain a detection result, and realizing real-time monitoring and active defense on abnormal access of the database.
10. A distance-metric-based database abnormal access detection apparatus comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the distance-metric-based database abnormal access detection method according to any one of claims 1 to 8.
CN202111289946.0A 2021-11-02 2021-11-02 Database abnormal access detection method, system and equipment based on distance measurement Pending CN113722707A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111289946.0A CN113722707A (en) 2021-11-02 2021-11-02 Database abnormal access detection method, system and equipment based on distance measurement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111289946.0A CN113722707A (en) 2021-11-02 2021-11-02 Database abnormal access detection method, system and equipment based on distance measurement

Publications (1)

Publication Number Publication Date
CN113722707A true CN113722707A (en) 2021-11-30

Family

ID=78686485

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111289946.0A Pending CN113722707A (en) 2021-11-02 2021-11-02 Database abnormal access detection method, system and equipment based on distance measurement

Country Status (1)

Country Link
CN (1) CN113722707A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170061322A1 (en) * 2015-08-31 2017-03-02 International Business Machines Corporation Automatic generation of training data for anomaly detection using other user's data samples
CN106778259A (en) * 2016-12-28 2017-05-31 北京明朝万达科技股份有限公司 A kind of abnormal behaviour based on big data machine learning finds method and system
CN108632279A (en) * 2018-05-08 2018-10-09 北京理工大学 A kind of multilayer method for detecting abnormality based on network flow
CN108667828A (en) * 2018-04-25 2018-10-16 咪咕文化科技有限公司 Risk control method and device and storage medium
CN110457896A (en) * 2019-07-02 2019-11-15 北京人人云图信息技术有限公司 The detection method and detection device of online access
CN110929799A (en) * 2019-11-29 2020-03-27 上海盛付通电子支付服务有限公司 Method, electronic device, and computer-readable medium for detecting abnormal user
CN111680856A (en) * 2020-01-14 2020-09-18 国家电网有限公司 User behavior safety early warning method and system for power monitoring system
CN111833175A (en) * 2020-06-03 2020-10-27 百维金科(上海)信息科技有限公司 Internet financial platform application fraud behavior detection method based on KNN algorithm
CN113537337A (en) * 2021-07-13 2021-10-22 中国工商银行股份有限公司 Training method, abnormality detection method, apparatus, device, and storage medium

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170061322A1 (en) * 2015-08-31 2017-03-02 International Business Machines Corporation Automatic generation of training data for anomaly detection using other user's data samples
CN106778259A (en) * 2016-12-28 2017-05-31 北京明朝万达科技股份有限公司 A kind of abnormal behaviour based on big data machine learning finds method and system
CN108667828A (en) * 2018-04-25 2018-10-16 咪咕文化科技有限公司 Risk control method and device and storage medium
CN108632279A (en) * 2018-05-08 2018-10-09 北京理工大学 A kind of multilayer method for detecting abnormality based on network flow
CN110457896A (en) * 2019-07-02 2019-11-15 北京人人云图信息技术有限公司 The detection method and detection device of online access
CN110929799A (en) * 2019-11-29 2020-03-27 上海盛付通电子支付服务有限公司 Method, electronic device, and computer-readable medium for detecting abnormal user
CN111680856A (en) * 2020-01-14 2020-09-18 国家电网有限公司 User behavior safety early warning method and system for power monitoring system
CN111833175A (en) * 2020-06-03 2020-10-27 百维金科(上海)信息科技有限公司 Internet financial platform application fraud behavior detection method based on KNN algorithm
CN113537337A (en) * 2021-07-13 2021-10-22 中国工商银行股份有限公司 Training method, abnormality detection method, apparatus, device, and storage medium

Similar Documents

Publication Publication Date Title
Weller-Fahy et al. A survey of distance and similarity measures used within network intrusion anomaly detection
Liu et al. Plant leaf classification based on deep learning
Liu et al. A novel kernel SVM algorithm with game theory for network intrusion detection
Wang et al. Surrogate-assisted particle swarm optimization for evolving variable-length transferable blocks for image classification
CN111339297A (en) Network asset anomaly detection method, system, medium, and device
Tayal et al. Rankrc: Large-scale nonlinear rare class ranking
CN110602120B (en) Network-oriented intrusion data detection method
CN111444724A (en) Medical question-answer quality testing method and device, computer equipment and storage medium
Sugianela et al. Pearson correlation attribute evaluation-based feature selection for intrusion detection system
WO2019200739A1 (en) Data fraud identification method, apparatus, computer device, and storage medium
CN114155397B (en) Small sample image classification method and system
Xiao et al. Latent imitator: Generating natural individual discriminatory instances for black-box fairness testing
Wu et al. Construction of an intelligent processing platform for equestrian event information based on data fusion and data mining
CN112583847B (en) Method for network security event complex analysis for medium and small enterprises
Saravanan et al. Prediction of insufficient accuracy for human activity recognition using convolutional neural network in compared with support vector machine
Mishra et al. LLM-Guided Counterfactual Data Generation for Fairer AI
CN110740111B (en) Data leakage prevention method and device and computer readable storage medium
CN113722707A (en) Database abnormal access detection method, system and equipment based on distance measurement
Elezaj et al. Data-driven machine learning approach for predicting missing values in large data sets: A comparison study
Lv et al. Determination of the number of principal directions in a biologically plausible PCA model
Tong Research on multiple classification detection for network traffic anomaly based on deep learning
Shakir et al. Enhancing The Performance of Intrusion Detection Using CNN And Reduction Techniques
CN112308099B (en) Sample feature importance determining method, classification model training method and device
CN114090869A (en) Target object processing method and device, electronic equipment and storage medium
Wang et al. A hybird image retrieval system with user's relevance feedback using neurocomputing

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20211130