CN113807977A - Method, system, device and medium for detecting Touchi attack based on dynamic knowledge graph - Google Patents
Method, system, device and medium for detecting Touchi attack based on dynamic knowledge graph Download PDFInfo
- Publication number
- CN113807977A CN113807977A CN202111028476.2A CN202111028476A CN113807977A CN 113807977 A CN113807977 A CN 113807977A CN 202111028476 A CN202111028476 A CN 202111028476A CN 113807977 A CN113807977 A CN 113807977A
- Authority
- CN
- China
- Prior art keywords
- user
- relationship
- dynamic
- users
- change
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 44
- 230000008859 change Effects 0.000 claims abstract description 148
- 238000001514 detection method Methods 0.000 claims abstract description 44
- 230000000694 effects Effects 0.000 claims abstract description 10
- 230000006870 function Effects 0.000 claims description 19
- 230000003068 static effect Effects 0.000 claims description 19
- 238000004364 calculation method Methods 0.000 claims description 17
- 238000003860 storage Methods 0.000 claims description 14
- 238000004590 computer program Methods 0.000 claims description 13
- 230000003993 interaction Effects 0.000 claims description 9
- 230000009471 action Effects 0.000 claims description 6
- 238000010606 normalization Methods 0.000 claims description 4
- 239000011159 matrix material Substances 0.000 claims description 3
- 238000012545 processing Methods 0.000 claims description 3
- 230000010415 tropism Effects 0.000 claims description 3
- 230000006399 behavior Effects 0.000 description 15
- 239000000243 solution Substances 0.000 description 9
- 238000006243 chemical reaction Methods 0.000 description 6
- 238000004891 communication Methods 0.000 description 5
- 238000012512 characterization method Methods 0.000 description 3
- 238000013459 approach Methods 0.000 description 2
- 230000015572 biosynthetic process Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 239000000654 additive Substances 0.000 description 1
- 230000000996 additive effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 239000002360 explosive Substances 0.000 description 1
- 230000002349 favourable effect Effects 0.000 description 1
- 238000002347 injection Methods 0.000 description 1
- 239000007924 injection Substances 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000007480 spreading Effects 0.000 description 1
- 238000003892 spreading Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012549 training Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/01—Social networking
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
- G06F16/36—Creation of semantic tools, e.g. ontology or thesauri
- G06F16/367—Ontology
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/25—Fusion techniques
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Life Sciences & Earth Sciences (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Artificial Intelligence (AREA)
- Evolutionary Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Computational Biology (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Evolutionary Computation (AREA)
- Human Resources & Organizations (AREA)
- Strategic Management (AREA)
- Economics (AREA)
- General Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Marketing (AREA)
- Primary Health Care (AREA)
- Health & Medical Sciences (AREA)
- Tourism & Hospitality (AREA)
- General Business, Economics & Management (AREA)
- Animal Behavior & Ethology (AREA)
- Computational Linguistics (AREA)
- Databases & Information Systems (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention provides a dynamic knowledge graph-based trusting attack detection method, which comprises the following steps: collecting user information; calculating personal preference and social style of the user; establishing a user relationship dynamic knowledge graph in combination with the change of the user relationship along with the dynamic change factors; according to the fact that the user relationship of the real user changes along with the dynamic change factors, the user relationship of the trustee attack user does not change along with the dynamic change factors after the propagation capacity is elapsed, and the user clustering method is utilized to carry out user clustering on the user relationship dynamic knowledge graph so as to detect the trustee attack user. According to the method for detecting the attack support based on the dynamic knowledge graph, the user is simulated as the social sensor, the user relation dynamic knowledge graph is established by combining the change of the user relation along with the dynamic change factors, the dynamic change of the user relation in social activities is accurately described, the user relation changing along with the dynamic change factors at a plurality of moments is collected to analyze and detect the attack support user, and the attack support user can be detected more accurately.
Description
Technical Field
The invention relates to the technical field of trusting attack detection, in particular to a trusting attack detection method, a system, equipment and a computer readable storage medium based on a dynamic knowledge graph.
Background
With the continuous development of internet technology, especially the explosive growth of news, commodity and entertainment resources, people face serious information overload problems when turning to the internet to search for needed items. In order to provide people with information quickly and accurately, recommendation systems are widely used in various fields. Due to the characteristics of the self openness of the recommendation system and the like, the opportunity that the attacking user injects false scores and false social relations into the system is given. The attack user changes the real user social relationship by establishing a large number of false relationships with other users, so that the selection of the real user is influenced, and the influence generated by the false relationships can be diffused by the attacked user through the social network.
The existing trust attack detection methods can be divided into supervised, unsupervised and semi-supervised detection methods. The supervised detection method mainly detects the Touchao attack by training a classifier, for example, a classifier is constructed by extracting features from information such as user registration information, user release content and the like, the supervised detection method needs a large number of samples, and the cost of manually marking the samples is high; the unsupervised detection method mainly utilizes the topological relation of the social network to identify abnormal points in the network, such as a detection method for clustering posts by utilizing the similarity of texts and URLs, and the like, and has high false positive rate and slightly inferior robustness; and the semi-supervised detection method combining the two methods is mostly based on the aspects of similarity between users, user score value and the like, and the dynamic relationship between the users is rarely considered.
Detection methods, whether supervised, unsupervised, or semi-supervised, rarely consider detecting rogue users with dynamic social relationships between users, because the social relationship between real users may change with dynamically changing factors, such as time-lapse or occurrence of an emergency, the real users may actively connect with each other with respect to the occurrence of an emergency, the ability to propagate and propagate may change, the trustee attack user only influences the real user when just injecting, and no matter how the dynamic change factor changes, the trustee attack user can not interact with the real user and can not influence the behavior of the real user any more along with the loss of the transmission capacity of the trustee attack user.
Disclosure of Invention
The invention provides a method, a system, equipment and a computer readable storage medium for detecting a trusting attack based on a dynamic knowledge graph, which simulate a user as a social sensor, establish the dynamic knowledge graph of the user relationship by combining the change of the user relationship with dynamic change factors, more accurately describe the dynamic change of the user relationship in social activities, do not depend on information such as historical scores of the user, detect the trusting attack user based on the relationship of the user at a certain time, collect the user relationship changed along with the dynamic change factors at a plurality of times to analyze and detect the trusting attack user, amplify the false social relationship of the trusting attack user, and can be detected more accurately.
The invention provides a dynamic knowledge graph-based trusting attack detection method, which comprises the following steps:
collecting user information;
according to the user information, a user relationship dynamic knowledge graph is established in combination with the change of the user relationship along with the dynamic change factors;
according to the fact that the user relationship of the real user changes along with the dynamic change factors, the user relationship of the trustee attack user does not change along with the dynamic change factors after the propagation capacity is elapsed, and the user clustering method is utilized to conduct user clustering on the user relationship dynamic knowledge graph to detect the trustee attack user.
According to the attack detection method based on the dynamic knowledge graph, the user relationship dynamic knowledge graph is established according to the user information and the change of the user relationship along with the dynamic change factors, and the method comprises the following steps:
according to the user information, calculating to obtain the relationship closeness between the users and the social style of the users, and establishing a user relationship static knowledge graph corresponding to a plurality of moments;
and calculating the relationship weight and the user relationship change value among the users at a plurality of moments by combining the change of the user relationship along with the dynamic change factors according to the user information, and fusing the user relationship static knowledge map and the user relationship weight and the user relationship change value among the users at the corresponding moments to obtain the user relationship dynamic knowledge map.
According to the attack detection method based on the dynamic knowledge graph, the user information acquisition comprises the following steps:
a set R of users is collected, wherein,
R={R1,R2,…,Ri,…,Rn},i∈[1,n],
r represents a set of user groups, wherein the set R comprises n user groups and is represented as R1,R2,…,Ri,…,Rn,RiA set of users, set R, representing the ith user group of the n user groupsiComprising m users, denoted as
A set UP of user profiles is collected, wherein,
UP={z1,z2,z3,…zi…zn},i∈[1,n],
Ia=w1×he+w2×we+w3×se+w4×ag+w5×pr,
Sa=w6×ac+w7×fe+w8×in+w9×ad,
UP denotes a set of profiles of a user group, the set UP comprising profiles of n user groups, denoted z1,z2,z3,…zi…zn,ziA profile set, set z, representing users of an ith user group of the n user groupsiIncluding a profile of m users, denoted
Represents a profile of a jth user of the m users,<Ia|Sa>to represent<User Individual Attribute | user social Attribute>In the user individual attribute Ia: he represents a height attribute, we represents a weight attribute, se represents a gender attribute, ag represents an age attribute, pr represents an occupation attribute, and in the user social attribute Sa: ac denotes an activity attribute, fe denotes a feedback attribute, in denotes an influence attribute, and ad denotes an adaptability attribute, wiRepresenting a weight ratio;
the set of user accesses UH is collected, wherein,
UH={u1,u2,u3,…ui,…,un},i∈[1,n],
UH denotes a set of access records for a user population, the set UH comprising access records for n user populations, denoted u1,u2,u3,…ui,…,un,uiSet u representing access records of the ith user group of the n user groupsiAccess record comprising m users, denoted as
An access record indicating a jth User in an ith User group, { Item | number, action, … } indicates an access record of a User to an Item, and { User | number, action … } indicates an access record of a User to a User.
According to the attack-oriented detection method based on the dynamic knowledge graph, the relationship closeness among the users and the social style of the users are calculated according to the user information, and the user relationship static knowledge graph corresponding to a plurality of moments is established, and the attack-oriented detection method comprises the following steps:
extracting direct interaction information of the user through a user access set UH, wherein the direct interaction information comprises the number IC of followers of the user, the number NO of users to follow, the number NI of items accessed by the user, the number SN of items accessed by the user in the same field, the number NC of comments of the user, the time TC of the comments of the user and the rating RO of other users on target users;
according to the user information, calculating the relationship closeness among the users by using an equation 1, wherein the equation 1 is as follows:
wherein FNRepresenting a user
With users of the Nth level
The hierarchy is the number of layers of the related users spreading to the periphery with the target user as the center. Ia denotes individual attribute data of the target user,
individual attribute data representing other users,
is Ia and
a dot product of (a) indicating the degree of correlation between the target user and the other users on the individual attribute data, Sa indicating the social attribute data of the target user,
social attribute data representing other users is stored in the storage device,
is Sa and
the Cl represents the sum of the degree of correlation between the target user and the other users on the individual attribute data and the degree of correlation on the social attribute data;
according to the user information, calculating the social style of the user through a formula 2, wherein the formula 2 is as follows:
ST=exp{ac+pr+Ia+Sa+SN′+TC′+RO′},
DI=exp{fe+Sa+NI′+NC′},
wherein 
Representing the social style of the jth user in the ith user group, in which: CO represents the tropism, ST represents the stability, DI represents the directionality, gamma is the rating parameter, wiExpressing the weight proportion, exp expressing the parameter to be subjected to exponential function calculation, and IC ', NO ', NI ', SN ', NC ', TC ' and RO ' respectively expressing the numerical values of the corresponding direct interaction information after normalization processing;
and establishing a user relationship static knowledge graph corresponding to a plurality of moments according to the relationship closeness among the users and the social style of the users.
According to the attack detection method based on the dynamic knowledge graph, the relation weight and the user relation change value between users at a plurality of moments are calculated according to the user information and the change of the user relation along with the dynamic change factor, and the user relation static knowledge graph, the relation weight and the user relation change value between users at corresponding moments are fused to obtain the user relation dynamic knowledge graph, and the attack detection method comprises the following steps:
according to the social style of the user, a time interval function TI is combinedvCalculating the user relationship weight value at a plurality of moments by the formulas 3-7
wherein ,
time interval function TIvComprises the following steps:
TIv=(Ts+(j-1)×d,Ts+j×d),
Ts+ (j-1) x d represents the starting time of detecting the user relationship weight, Ts+ j × d represents the end time of detecting the user relationship weight, TIvIndicating the time of detecting the user relationship weight, d indicating the interval width, and e indicating the time at TIvThe number of emergency events at a time, Δ n, is denoted at TIvThe number of comments at that moment changes, Δ r being denoted at TIvThe user relationship changes at the moment, and K is a calculation parameter;
formula 3 is:
formula 4 is:
formula 5 is:
formula 6 is:
formula 7 is:
wherein ,
is shown in TIvAt the moment of useThe weight value of the user relationship is set,
is shown in TIvSocial style of user at time, REC, is shown at TIvThe user relevance and CDL at the time point are shown as TIvUser reliability at time, SIM indicates TIvThe similarity of users at the time and IFL are shown in TIvInfluence of the user at that moment;
calculating a user relationship change value at a plurality of moments according to the user relationship weight by using an equation 8, wherein the equation 8 is as follows:
wherein ,
is shown in TIvThe value of the change in the user relationship at the moment,
is shown in TIv-1The user relationship weight at the moment in time,
is shown in TIvThe user relationship weight at the moment in time,
representation of parameters
The calculation of the exponential function is carried out,
representation of parameters
Performing exponential function calculation;
and fusing a plurality of user relationship static knowledge maps, and the relationship weight and the user relationship change value between users at corresponding moments to establish and obtain the user relationship dynamic knowledge map.
According to the attack detection method based on the dynamic knowledge graph, provided by the invention, the method further comprises the following steps: and displaying the user relationship dynamic knowledge graph in real time in a relationship graph network mode.
According to the method for detecting the trusting attack based on the dynamic knowledge graph, the user relationship of a trusting attack user changes along with a dynamic change factor after the propagation capacity disappears, and the user relationship of the user relationship dynamic knowledge graph is clustered by using a graph group clustering method so as to detect the trusting attack user, wherein the method comprises the following steps:
according to the fact that the user relationship of the real user changes along with the dynamic change factors, the user relationship of the attack user does not change along with the dynamic change factors after the propagation capacity is elapsed, and the user modularity of the user relationship dynamic knowledge graph is calculated by using a formula 9, wherein the formula 9 is as follows:
wherein M represents the user modularity of the user relationship dynamic knowledge graph, L represents the number of edges included in the graph in the user relationship dynamic knowledge graph, i.e., the user relationship, H represents the number of users,
representing a user
The degree of (a) is greater than (b),
representing a user
The degree of (a) is greater than (b),
is a value in the adjacency matrix of the graph in the user relationship dynamic knowledge graph,
representing a user
The cluster of (a) is determined,
representing a user
Delta is the kronecker function, i.e.
If the user is
And the user
All change along with the dynamic change factors, namely belong to the same cluster, then
Is 1, if the user
And the user
One of them does not change with the dynamic change factor, i.e. do not belong to the same cluster, then
Is 0, if the user
And the user
All the factors do not change along with the dynamic change factors, namely belong to the same cluster, then
Is 1;
and performing multiple modular calculation on the user relationship dynamic knowledge graph until all users are clustered to obtain a real user set and a trusting attack user set.
The invention also provides a system for detecting the attack based on the dynamic knowledge graph, which comprises the following components:
the user information acquisition module is used for acquiring user information;
the user relationship dynamic knowledge map establishing module is used for establishing a user relationship dynamic knowledge map according to the user information and in combination with the change of the user relationship along with the dynamic change factors;
and the trusteeship attack detection module is used for carrying out user clustering on the user relation dynamic knowledge graph by using a graph group clustering method so as to detect the trusteeship attack user, wherein the user relation of the trusteeship attack user changes along with the dynamic change factor after the propagation capacity of the user relation of the trusteeship attack user does not change along with the dynamic change factor.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the steps of the dynamic knowledge graph-based trusted attack detection method.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the dynamic knowledge-graph based trusting attack detection method as described in any of the above.
The present invention also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of the method for dynamic knowledge-graph-based detection of a trusted attack as described in any of the above.
The method, the system, the equipment and the computer readable storage medium for detecting the trusting attack based on the dynamic knowledge graph, provided by the invention, consider the influence of dynamic change factors on the social relationship of real users, simulate the users as social sensors, establish the dynamic knowledge graph of the user relationship by combining the change of the user relationship along with the dynamic change factors, more accurately describe the dynamic change of the user relationship in social activities, do not depend on information such as historical scores of the users, detect the trusting attack users only based on the relationship of the users at a certain moment, analyze and detect the trusting attack users by integrating the user relationship changed along with the dynamic change factors at a plurality of moments, amplify the false social relationship of the trusting attack users, and can be detected more accurately.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a method for detecting a Touch attack based on a dynamic knowledge graph according to the present invention;
FIG. 2 is a schematic representation of the dissemination of a social sensor;
fig. 3 is a behavior line graph of the trusting attack user, the real user and the zombie user, wherein a vertical axis I represents user influence, a horizontal axis t represents time, a line a represents behavior representation of the trusting attack user, a line B represents behavior representation of the real user, a line C represents behavior representation of the zombie user, and a line D represents a dynamic variation factor.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The dynamic knowledge-graph-based trust attack detection method of the present invention is described below with reference to fig. 1 to 3.
The invention discloses a dynamic knowledge graph-based trusting attack detection method, which comprises the following steps of:
s1: and collecting user information.
Specifically, S1 includes:
s11: a set R of users is collected, wherein,
R={R1,R2,…,Ri,…,Rn},i∈[1,n],
r represents a set of user groups, wherein the set R comprises n user groups and is represented as R1,R2,…,Ri,…,Rn,RiA set of users, set R, representing the ith user group of the n user groupsiComprising m users, denoted as
S12: a set UP of user profiles is collected, wherein,
UP={z1,z2,z3,…zi…zn},i∈[1,n],
Ia=w1×he+w2×we+w3×se+w4×ag+w5×pr,
Sa=w6×ac+w7×fe+w8×in+w9×ad,
UP denotes a set of profiles of a user group, the set UP comprising profiles of n user groups, denoted z1,z2,z3,…zi…zn,ziA profile set, set z, representing users of an ith user group of the n user groupsiIncluding a profile of m users, denoted
Represents a profile of a jth user of the m users,<Ia|Sa>to represent<User Individual Attribute | user social Attribute>Attributes are the main sources of one-to-many and many-to-one relationships, and in user individual attributes Ia: he represents a height attribute, we represents a weight attribute, se represents a gender attribute, ag represents an age attribute, pr represents an occupation attribute, and in the user social attribute Sa: ac represents an activity attribute, fe represents a feedback attribute, in represents an influence attribute, and ad represents an adaptability attribute, various attribute parameters of the individual attribute and the social attribute of the user are preferably normalized, and the numerical value region after normalization is [0, 5 ]]Is favorable for keeping the uniformity of parameters, wiThe weight ratio is expressed and can be adjusted according to the characteristics of the field to which the actual attack detection is applied or the expert experience.
S13: the set of user accesses UH is collected, wherein,
UH={u1,u2,u3,…ui,…,un},i∈[1,n],
UH denotes a set of access records for a user population, the set UH comprising access records for n user populations, denoted u1,u2,u3,…ui,…,un,uiSet u representing access records of the ith user group of the n user groupsiAccess record comprising m users, denoted as
An access record indicating a jth User in an ith User group, { Item | number, action, … } indicates an access record of a User to an Item, and { User | number, action … } indicates an access record of a User to a User.
The more and more comprehensive user information is collected, which is beneficial to improving the accuracy of subsequent attack detection.
S2: and according to the user information, establishing a user relationship dynamic knowledge graph by combining the change of the user relationship along with the dynamic change factors.
Specifically, the dynamic change factor may be a time factor, an emergency factor, or the like.
S2 includes:
s21: and calculating the relationship closeness between the users and the social style of the users according to the user information, and establishing a user relationship static knowledge graph corresponding to a plurality of moments.
More specifically, S21 includes:
s211: extracting direct interaction information DEI of the user through the user access set UH, wherein the direct interaction information DEI comprises the number IC of followers of the user, the number NO of users to follow, the number NI of items accessed by the user, the number SN of items accessed by the user in the same field, the number NC of comments of the user, the time TC of the comments of the user, and the rating RO of other users on target users.
S212: according to the user information, calculating the relationship closeness among the users by using an equation 1, wherein the equation 1 is as follows:
wherein FNRepresenting target users
With users of the Nth level
The hierarchy represents the number of layers of the related users spread toward the periphery centering on the target user, as shown in fig. 2, F1-F3 are three hierarchies centering on the target user, Ia represents individual attribute data of the target user,
individual attribute data representing other users,
is Ia and
a dot product of (a) indicating the degree of correlation between the target user and the other users on the individual attribute data, Sa indicating the social attribute data of the target user,
social attribute data representing other users is stored in the storage device,
is Sa and
the Cl represents the sum of the degree of correlation between the target user and the other users on the individual attribute data and the degree of correlation on the social attribute data. FNThe larger the value of (A), the higher the closeness of the relationship between the target user and the user of the Nth hierarchy, and the outward expansion along with the hierarchy, FNThe value of (c) will gradually approach zero.
Preferably, if FN∈[0,0.3]And directly establishing a plurality of user relation static knowledge maps corresponding to the moments.
S213: according to the user information, calculating the social style of the user through a formula 2, wherein the formula 2 is as follows:
CO=exp{ad+Ia+NO′},
ST=exp{ac+pr+Ia+Sa+SN′+TC′+RO′},
DI=exp{fe+Sa+NI′+NC′},
wherein 
Representing the social style of the jth user in the ith user group, in which: CO represents the tropism, ST represents the stability, DI represents the directivity, gamma is a rating parameter, the user preference is evaluated in a unified magnitude mode, and the value range is [0, 5 ]],wiAnd expressing the weight proportion, exp expressing the index function calculation of the parameters to better perform comparison calculation, and IC ', NO ', NI ', SN ', NC ', TC ' and RO ' respectively expressing the numerical values of the corresponding direct interaction information after normalization processing.
The tendency is a phenomenon that the user refers to the preference of other users, for example, the user likes to pay attention to some bloggers for purchasing; the stability means that the social relationship of real users cannot be easily changed, and when an emergency occurs, the user relationship can be slightly changed, but two users with high affinity cannot be suddenly broken, so that the relationship network is relatively stable; the directionality is output and feedback between the user and other users, for example, if the user views the website only and does not make feedback, the feedback is unidirectional, and the feedback of making comments is bidirectional.
S214: and establishing a user relationship static knowledge graph corresponding to a plurality of moments according to the relationship closeness among the users and the social style of the users. The user relationship static knowledge graph at a certain moment contains attribute information (including individual attributes and social attributes of the user), social style and description of user relationship of the user at the moment.
S22: and calculating the relationship weight and the user relationship change value among the users at a plurality of moments by combining the change of the user relationship along with the dynamic change factors according to the user information, and fusing the user relationship static knowledge map and the user relationship weight and the user relationship change value among the users at the corresponding moments to obtain the user relationship dynamic knowledge map.
Specifically, S22 includes:
s221: according to the social style of the user, a time interval function TI is combinedvCalculating the user relationship weight MW at a plurality of moments by the formulas 3-7TIv, wherein ,
time interval function TIvPreferably:
TIv=(Ts+(j-1)×d,Ts+j×d),
Ts+ (j-1) x d represents the starting time of detecting the user relationship weight, Ts+ j × d represents the end time of detecting the user relationship weight, d represents the interval width, and e represents the time at TIvBurst at timeNumber of events, Δ n, expressed at TIvThe number of comments at that moment changes, Δ r being denoted at TIvThe user relationship changes at the moment, and K is a calculation parameter;
formula 3 is:
formula 4 is:
formula 5 is:
formula 6 is:
formula 7 is:
wherein ,
is shown in TIvThe proportion of the multi-factor weight at a moment, namely the user relation weight, v is an arbitrary time sequence number,
size and of
Depending on the factors involved, the amount of the additive,
is shown in TIvSocial style of the user at the moment, REC, at TIvThe user relevance and CDL at the time point are shown as TIvConfidence level of user at time, SIM is denoted at TIvThe similarity of users at the time and IFL are shown in TIvThe influence of the user at that moment. Wherein the parameters to be scaled represent parameters of different users, i.e. performing parameter calculations between different users, e.g.
The method comprises the steps of representing the difference value of different users in the stability of the social style, when the difference value of parameters is larger than 1, indicating that the users do not belong to the same magnitude, solving numerical values to realize adjustment, normalizing REC, CDL, SIM and IFL, and setting a value range to be 0, 5]。
The relevancy is the degree of closeness of the relationship between users, such as leaving messages, commenting and paying attention to each other; the credibility is an embodiment form of the influence of the user, the user has extremely high credibility on the follower, and the behavior, the speech and the like of the user can generate great influence capacity on the follower; the similarity is the similarity of behaviors such as preference among users, according to research, the similarity among good friends is higher, the preference is similar, and the reactions made when an emergency happens are similar; influence is influence ability of a user, and when an emergency occurs, the influence greatly changes due to factors such as negative news, so that the relevance degree, the reliability, the similarity and the influence of the user at each moment need to be detected, further, the detection frequency can be adjusted according to the detection need, and the detection precision is improved.
S222: calculating a user relationship change value at a plurality of moments according to the user relationship weight by using an equation 8, wherein the equation 8 is as follows:
wherein ,
is shown in TIvThe value of the change in the user relationship at the moment,
is shown in TIv-1The user relationship weight at the moment in time,
is shown in TIvThe user relationship weight at the moment in time,
representation of parameters
The calculation of the exponential function is carried out,
representation of parameters
The calculation of the exponential function is carried out,
the larger the value of (A) is, the more the value is represented in TIvThe larger the change in user relationship at the moment, the more active the user, the stronger the reaction to the event, and conversely,
the closer to 0 the value of (A) is, the more the value of (B) is represented at TIvThe user relationship at the moment is kept unchanged for a long time, the attack user can not react to any dynamic influence factor any more in a long time after the influence is lost, the URC of the attack user is close to 0 and is kept unchanged, the attack user can not participate in social activities, and the attack user can be classified into a suspicious candidate group.
And preferably, the functions related to the users are continuously and repeatedly calculated, so that the accuracy of the obtained data is ensured.
S223: and fusing a plurality of user relationship static knowledge maps, and the relationship weight and the user relationship change value between users at corresponding moments to establish and obtain the user relationship dynamic knowledge map.
Step S2 simulates users as a social sensor, fig. 2 shows the transmissibility of the social sensor, the innermost user is affected by a dynamic change factor (e.g., an emergency influence), the preference behavior changes, the user relationship changes with the relevant users at the F1 level, and then the users at the F1 level generate information feedback to the corresponding users at the F2 level, but the influence of the users at the F2 level is obviously much weaker than the change of the users at the F1 level, and so on, the change of the users at the F3 level is very little. The influence of the social sensor on the environment of the social sensor and the propagation capacity of the social sensor. Due to the real-time feedback capability of the social sensor, although the influence is weakened, the relation is changed more complexly, and corresponding change is generated immediately when an emergency occurs.
When the attack user injects, a certain influence ability is generated on the real user, and the propagation ability is stronger in a short time. But the attacking user does not have the properties of a social sensor, and the behavior curve is almost returned to a zero state after the propagation force is elapsed. In the real social process, the social relationship of some users is very simple, the reaction to an emergency is weak, the change of a behavior curve is small, and the user can be called a zombie user. Fig. 3 shows behavior line graphs of three types of users, wherein the vertical axis I represents user influence, the horizontal axis t represents time, the line a represents behavior characterization of a user who attacks the user, the line B represents behavior characterization of a real user, the line C represents behavior characterization of a zombie user, and the line D represents a dynamic change factor (such as occurrence of an emergency). When injection of a trust attacking user and an emergency occur, a real user has strong reaction and performs active social activities, the reaction of a zombie user is gentle, although gentle, but also reactive, and the trust attacking user cannot make corresponding reaction to the emergency after the influence disappears, and a behavior curve approaches to zero and is overlapped with a horizontal axis, so that the trust attacking user can be classified as non-reactive.
The relation between the attack user and other users in the social network is established falsely, and the influence is generated on the user establishing the false relation for the sales volume of the target commodity so as to achieve the aim of attack, but the influence is weakened or even disappears in a short time. When an emergency occurs, the false user does not change correspondingly, and the false relation weight value with the real user is always in a set value and does not change. After the real user is affected, the self-judgment ability is recovered at a certain time, so that the resistance is generated. After the influence of the attacker has elapsed, the propagation capability will not be generated again when no new relations are injected, and the attacker will not be influenced by other social sensors.
The invention considers that the user relationship of a real user can be dynamically changed and the reproduction and propagation capacity can be changed when time goes and an emergency happens so as to construct a user relationship dynamic knowledge graph, the user relationship dynamic knowledge graph can also generate a suspicious candidate group through the characteristic that the propagation capacity of a trust attack user is lost due to the false social relationship and the characteristic that the trust attack user cannot participate in social activities, but the suspicious candidate group possibly comprises 'zombie users', and in order to further improve the accuracy of trust attack detection, user clustering needs to be carried out on the user relationship dynamic knowledge graph.
Preferably, the present embodiment presents the user relationship dynamic knowledge graph in real time in the form of a relationship graph network.
S3: according to the fact that the user relationship of the real user changes along with the dynamic change factors, the user relationship of the trustee attack user does not change along with the dynamic change factors after the propagation capacity is elapsed, and the user clustering method is utilized to conduct user clustering on the user relationship dynamic knowledge graph to detect the trustee attack user.
Specifically, in step S3, performing user clustering on the user relationship dynamic knowledge graph through a graph group detection method, where the step S3 includes:
s31: according to the fact that the user relationship of the real user changes along with the dynamic change factors, the user relationship of the attack user does not change along with the dynamic change factors after the propagation capacity is elapsed, and the user modularity of the user relationship dynamic knowledge graph is calculated by using a formula 9, wherein the formula 9 is as follows:
wherein M isShowing the user modularity of the user relationship dynamic knowledge graph, L showing the number of edges included in the graph in the user relationship dynamic knowledge graph, i.e. the user relationship, H showing the number of users,
representing a user
The degree of (a) is greater than (b),
representing a user
The degree of (a) is greater than (b),
is a value in the adjacency matrix of the graph in the user relationship dynamic knowledge graph,
representing a user
The cluster of (a) is determined,
representing a user
Delta is the kronecker function, i.e.
If the user is
And the user
All change along with the dynamic change factors, namely belong to the same cluster, then
Is 1, if the user
And the user
One of them does not change with the dynamic change factor, i.e. do not belong to the same cluster, then
Is 0, if the user
And the user
All the factors do not change along with the dynamic change factors, namely belong to the same cluster, then
Is 1.
In particular, the present invention relates to a method for producing,
representing a user
And
degree of (1), then
Indicating when the network is randomly allocated
And
expected edge betweenNumber when
When all are large, connect users
And
the greater the probability that the edge of (b) appears,
representing the difference between the true structure of the network and the expected structure when combined randomly, when
And is
Very small, the higher the value it returns, indicating the user
And
there is a connection between them, and they are classified as a cluster.
Calculating clusters of all users in the user relation dynamic knowledge graph, fusing the users belonging to the same cluster to form a new cluster, calculating a modularity change value caused by the formation of the new cluster, selecting two clusters with the largest modularity change value to fuse again, calculating a modularity change value caused by the formation of the new cluster, and then fusing until all the users are clustered, and finally obtaining an 'island user set', namely a trusting attack user set. Since the attacking user is a false social relationship, there is no association with the real user, and there is no social relationship with the real user, so that the attacking user cannot be clustered with the real user, i.e., is left.
In addition, in order to save events and reduce technical difficulty, only the users in the suspicious candidate group obtained by the user relationship dynamic knowledge graph can be clustered to separate out the attack users.
S32: and performing multiple modular calculation on the user relationship dynamic knowledge graph until all users are clustered to obtain a real user set and a trusting attack user set.
The method for detecting the trusting attack based on the dynamic knowledge graph simulates the user as a social sensor in consideration of the influence of dynamic change factors on the social relationship of a real user, establishes the dynamic knowledge graph of the user relationship by combining the change of the user relationship along with the dynamic change factors, more accurately describes the dynamic change of the user relationship in social activities, not only detects the trusting attack user based on the relationship of the user at a certain moment, but also excessively depends on data labels such as user history evaluation and the like, and analyzes and detects the trusting attack user by integrating the user relationship which changes along with the dynamic change factors at a plurality of moments, so that the false social relationship of the trusting attack user is amplified, and can be detected more accurately and efficiently.
More, the invention fuses the user relationship static knowledge map, the user relationship weight and the user relationship change value at the corresponding moment, so that the established user relationship dynamic knowledge map continuously changes along with the dynamic change factors, thereby having more real-time performance and more comprehensive information utilization.
Furthermore, when the method for detecting the trusteeship attack based on the dynamic knowledge graph is applied to a recommendation system, when a set of trusteeship attack users is detected, the trusteeship attack users can be screened out so as to protect the correct use of the system.
Furthermore, the dynamic knowledge graph of the user relationship utilized in the invention belongs to a white box, so that the interpretability of a system applying the dynamic knowledge graph-based challenge detection method can be increased, the optimization design of the system is facilitated, the system is protected conveniently, and the life of people is more efficient and faster.
The following describes the dynamic knowledge graph-based challenge detection apparatus provided by the present invention, and the dynamic knowledge graph-based challenge detection apparatus described below and the dynamic knowledge graph-based challenge detection method described above may be referred to in correspondence with each other.
The invention also provides a system for detecting the attack based on the dynamic knowledge graph, which comprises the following components:
the user information acquisition module is used for acquiring user information;
the user relationship dynamic knowledge map establishing module is used for establishing a user relationship dynamic knowledge map according to the user information and in combination with the change of the user relationship along with the dynamic change factors;
and the trusteeship attack detection module is used for carrying out user clustering on the user relation dynamic knowledge graph by using a graph group clustering method so as to detect the trusteeship attack user, wherein the user relation of the trusteeship attack user changes along with the dynamic change factor after the propagation capacity of the user relation of the trusteeship attack user does not change along with the dynamic change factor.
The present invention also provides an electronic device, which may include: the system comprises a processor (processor), a communication Interface (communication Interface), a memory (memory) and a communication bus, wherein the processor, the communication Interface and the memory are communicated with each other through the communication bus. The processor may invoke logic instructions in the memory to perform a dynamic knowledge-graph based trusted attack detection method, the method comprising:
collecting user information;
according to the user information, a user relationship dynamic knowledge graph is established in combination with the change of the user relationship along with the dynamic change factors;
according to the fact that the user relationship of the real user changes along with the dynamic change factors, the user relationship of the trustee attack user does not change along with the dynamic change factors after the propagation capacity is elapsed, and the user clustering method is utilized to conduct user clustering on the user relationship dynamic knowledge graph to detect the trustee attack user.
In addition, the logic instructions in the memory may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention further provides a computer program product, the computer program product including a computer program, the computer program being stored on a non-transitory computer-readable storage medium, wherein when the computer program is executed by a processor, the computer is capable of executing the dynamic knowledge-graph-based trust attack detection method provided by the above methods, the method including:
collecting user information;
according to the user information, a user relationship dynamic knowledge graph is established in combination with the change of the user relationship along with the dynamic change factors;
according to the fact that the user relationship of the real user changes along with the dynamic change factors, the user relationship of the trustee attack user does not change along with the dynamic change factors after the propagation capacity is elapsed, and the user clustering method is utilized to conduct user clustering on the user relationship dynamic knowledge graph to detect the trustee attack user.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, the computer program, when being executed by a processor, implementing a method for dynamic-knowledge-graph-based trusting attack detection provided by the above methods, the method including:
collecting user information;
according to the user information, a user relationship dynamic knowledge graph is established in combination with the change of the user relationship along with the dynamic change factors;
according to the fact that the user relationship of the real user changes along with the dynamic change factors, the user relationship of the trustee attack user does not change along with the dynamic change factors after the propagation capacity is elapsed, and the user clustering method is utilized to conduct user clustering on the user relationship dynamic knowledge graph to detect the trustee attack user.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A method for detecting a trusting attack based on a dynamic knowledge graph is characterized by comprising the following steps:
collecting user information;
according to the user information, a user relationship dynamic knowledge graph is established in combination with the change of the user relationship along with the dynamic change factors;
according to the fact that the user relationship of the real user changes along with the dynamic change factors, the user relationship of the trustee attack user does not change along with the dynamic change factors after the propagation capacity is elapsed, and the user clustering method is utilized to conduct user clustering on the user relationship dynamic knowledge graph to detect the trustee attack user.
2. The method for detecting the attacks based on the dynamic knowledge graph according to the claim 1, wherein the establishing the user relationship dynamic knowledge graph according to the user information and the change of the user relationship along with the dynamic change factors comprises:
according to the user information, calculating to obtain the relationship closeness between the users and the social style of the users, and establishing a user relationship static knowledge graph corresponding to a plurality of moments;
and calculating the relationship weight and the user relationship change value among the users at a plurality of moments by combining the change of the user relationship along with the dynamic change factors according to the user information, and fusing the user relationship static knowledge map and the user relationship weight and the user relationship change value among the users at the corresponding moments to obtain the user relationship dynamic knowledge map.
3. The method according to claim 2, wherein the collecting user information comprises:
a set R of users is collected, wherein,
R=(R1,R2,…,Ri,…,Rn},i∈[1,n],
r represents a set of user groups, wherein the set R comprises n user groups and is represented as R1,R2,…,Ri,…,Rn,RiA set of users, set R, representing the ith user group of the n user groupsiComprising m users, denoted as
A set UP of user profiles is collected, wherein,
UP=(z1,z2,z3,…zi…zn},i∈[1,n],
Ia=w1×he+w2×we+w3×se+w4×ag+w5×pr,
Sa=w6×ac+w7×fe+w8×in+w9×ad,
UP representing a profile of a user populationSet, set UP comprising archives of n user groups, denoted z1,z2,z3,…zi…zn,ziA profile set, set z, representing users of an ith user group of the n user groupsiIncluding a profile of m users, denoted
Represents a profile of a jth user among the m users, < Ia | Sa > represents < user individual attribute | user social attribute >, (Ia:): he represents a height attribute, we represents a weight attribute, se represents a gender attribute, ag represents an age attribute, pr represents an occupation attribute, and in the user social attribute Sa: ac denotes an activity attribute, fe denotes a feedback attribute, in denotes an influence attribute, and ad denotes an adaptability attribute, wiRepresenting a weight ratio;
the set of user accesses UH is collected, wherein,
UH={u1,u2,u3,…ui,…,un},i∈[1,n],
UH denotes a set of access records for a user population, the set UH comprising access records for n user populations, denoted u1,u2,u3,…ui,…,un,uiSet u representing access records of the ith user group of the n user groupsiAccess record comprising m users, denoted as
An access record indicating a jth User in an ith User group, { Item | number, action, … } indicates an access record of a User to an Item, and { User | number, action … } indicates an access record of a User to a User.
4. The method according to claim 3, wherein the calculating, according to the user information, relationship closeness between users and social styles of users, and establishing a static knowledge graph of user relationship corresponding to a plurality of times includes:
extracting direct interaction information of the user through a user access set UH, wherein the direct interaction information comprises the number IC of followers of the user, the number NO of users to follow, the number NI of items accessed by the user, the number SN of items accessed by the user in the same field, the number NC of comments of the user, the time TC of the comments of the user and the rating RO of other users on target users;
according to the user information, calculating the relationship closeness among the users by using an equation 1, wherein the equation 1 is as follows:
wherein FNRepresenting a user
With users of the Nth level
Ia, represents individual attribute data of the target user,
individual attribute data representing other users,
is Ia and
a dot product of (a) indicating the degree of correlation between the target user and the other users on the individual attribute data, Sa indicating the social attribute data of the target user,
social attribute data representing other users is stored in the storage device,
is Sa and
the Cl represents the sum of the degree of correlation between the target user and the other users on the individual attribute data and the degree of correlation on the social attribute data;
according to the user information, calculating the social style of the user through a formula 2, wherein the formula 2 is as follows:
j∈[1,m],i∈[1,n],
CO=exp{ad+Ia+NO′},
ST=exp{ac+pr+Ia+Sa+SN′+TC′+RO′},
DI=exp{fe+Sa+NI′+NC′},
wherein 
Representing the social style of the jth user in the ith user group, in which: CO represents the tropism, ST represents the stability, DI represents the directionality, gamma is the rating parameter, wiExpressing the weight proportion, exp expressing the parameter to be subjected to exponential function calculation, and IC ', NO ', NI ', SN ', NC ', TC ' and RO ' respectively expressing the numerical values of the corresponding direct interaction information after normalization processing;
and establishing a user relationship static knowledge graph corresponding to a plurality of moments according to the relationship closeness among the users and the social style of the users.
5. The method according to claim 4, wherein the calculating a user relationship weight and a user relationship change value at a plurality of times according to the user information and in combination with a change of a user relationship with a dynamic change factor, and fusing a plurality of the user relationship static knowledge maps and the user relationship weight and the user relationship change value at a corresponding time to obtain the user relationship dynamic knowledge map comprises:
according to the social style of the user, a time interval function TI is combinedvCalculating the user relationship weight value at a plurality of moments by the formulas 3-7
wherein ,
time interval function TIvComprises the following steps:
TIv=(Ts+(j-1)×d,Ts+j×d),
Ts+ (j-1) x d represents the starting time of detecting the user relationship weight, Ts+ j × d represents the end time of detecting the user relationship weight, TIvIndicating the time of detecting the user relationship weight, d indicating the intervalThe width of the spaces, e, is indicated at TIvThe number of emergency events at a time, Δ n, is denoted at TIvThe number of comments at that moment changes, Δ r being denoted at TIvThe user relationship changes at the moment, and K is a calculation parameter;
formula 3 is:
formula 4 is:
formula 5 is:
formula 6 is:
formula 7 is:
wherein ,
is shown in TIvThe user relationship weight at the moment in time,
is shown in TIvSocial style of user at time, REC, is shown at TIvThe user relevance and CDL at the time point are shown as TIvUser reliability at time, SIM indicates TIvThe similarity of users at the time and IFL are shown in TIvInfluence of the user at that moment;
calculating a user relationship change value at a plurality of moments according to the user relationship weight by using an equation 8, wherein the equation 8 is as follows:
wherein ,
is shown in TIvThe value of the change in the user relationship at the moment,
is shown in TIv-1The user relationship weight at the moment in time,
is shown in TIvThe user relationship weight at the moment in time,
representation of parameters
The calculation of the exponential function is carried out,
representation of parameters
Performing exponential function calculation;
and fusing a plurality of user relationship static knowledge maps, and the relationship weight and the user relationship change value between users at corresponding moments to establish and obtain the user relationship dynamic knowledge map.
6. The method for dynamic knowledge-graph-based trusting attack detection according to any of claims 1-5, further comprising: and displaying the user relationship dynamic knowledge graph in real time in a relationship graph network mode.
7. The method for detecting the trusteeship attack based on the dynamic knowledge graph as claimed in claim 6, wherein the user relationship of the trusteeship attack user does not change with the dynamic variation factor after the propagation capacity elapses according to the user relationship of the real user changing with the dynamic variation factor, and the user relationship dynamic knowledge graph is clustered by using a graph group clustering method to detect the trusteeship attack user, comprising:
according to the fact that the user relationship of the real user changes along with the dynamic change factors, the user relationship of the attack user does not change along with the dynamic change factors after the propagation capacity is elapsed, and the user modularity of the user relationship dynamic knowledge graph is calculated by using a formula 9, wherein the formula 9 is as follows:
wherein M represents the user modularity of the user relationship dynamic knowledge graph, L represents the number of edges included in the graph in the user relationship dynamic knowledge graph, i.e., the user relationship, H represents the number of users,
representing a user
The degree of (a) is greater than (b),
representing a user
The degree of (a) is greater than (b),
is a value in the adjacency matrix of the graph in the user relationship dynamic knowledge graph,
representing a user
The cluster of (a) is determined,
representing a user
Delta is the kronecker function, i.e.
If the user is
And the user
All change along with the dynamic change factors, namely belong to the same cluster, then
Is 1, if the user
And the user
One of them does not change with the dynamic change factor, i.e. do not belong to the same cluster, then
Is 0, if the user
And the user
All the factors do not change along with the dynamic change factors, namely belong to the same cluster, then
Is 1;
and performing multiple modular calculation on the user relationship dynamic knowledge graph until all users are clustered to obtain a real user set and a trusting attack user set.
8. A system for detecting a trusted attack based on a dynamic knowledge graph, comprising:
the user information acquisition module is used for acquiring user information;
the user relationship dynamic knowledge map establishing module is used for establishing a user relationship dynamic knowledge map according to the user information and in combination with the change of the user relationship along with the dynamic change factors;
and the trusteeship attack detection module is used for carrying out user clustering on the user relation dynamic knowledge graph by using a graph group clustering method so as to detect the trusteeship attack user, wherein the user relation of the trusteeship attack user changes along with the dynamic change factor after the propagation capacity of the user relation of the trusteeship attack user does not change along with the dynamic change factor.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program performs the steps of the method for dynamic knowledge-graph-based detection of trusted attacks according to any one of claims 1 to 7.
10. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor implements the steps of the dynamic knowledge-graph based trusted attack detection method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111028476.2A CN113807977B (en) | 2021-09-02 | 2021-09-02 | Method, system, equipment and medium for detecting support attack based on dynamic knowledge graph |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111028476.2A CN113807977B (en) | 2021-09-02 | 2021-09-02 | Method, system, equipment and medium for detecting support attack based on dynamic knowledge graph |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113807977A true CN113807977A (en) | 2021-12-17 |
| CN113807977B CN113807977B (en) | 2023-05-05 |
Family
ID=78894624
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111028476.2A Active CN113807977B (en) | 2021-09-02 | 2021-09-02 | Method, system, equipment and medium for detecting support attack based on dynamic knowledge graph |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113807977B (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105677900A (en) * | 2016-02-04 | 2016-06-15 | 南京理工大学 | Malicious user detection method and device |
| CN107330461A (en) * | 2017-06-27 | 2017-11-07 | 安徽师范大学 | Collaborative filtering recommending method based on emotion with trust |
| CN110390039A (en) * | 2019-07-25 | 2019-10-29 | 广州汇智通信技术有限公司 | Social networks analysis method, device and the equipment of knowledge based map |
| US20190384907A1 (en) * | 2016-03-08 | 2019-12-19 | Palo Alto Networks, Inc. | Cookies watermarking in malware analysis |
| CN111143547A (en) * | 2019-12-30 | 2020-05-12 | 山东大学 | Big data display method based on knowledge graph |
| CN112231570A (en) * | 2020-10-26 | 2021-01-15 | 腾讯科技(深圳)有限公司 | Recommendation system trust attack detection method, device, equipment and storage medium |
| CN112417314A (en) * | 2020-11-26 | 2021-02-26 | 清华大学 | Social network suicidal ideation detection method and system |
| CN113095084A (en) * | 2021-03-16 | 2021-07-09 | 重庆邮电大学 | Semantic service matching method and device in Internet of things and storage medium |
| CN113221003A (en) * | 2021-05-20 | 2021-08-06 | 北京建筑大学 | Mixed filtering recommendation method and system based on dual theory |
-
2021
- 2021-09-02 CN CN202111028476.2A patent/CN113807977B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105677900A (en) * | 2016-02-04 | 2016-06-15 | 南京理工大学 | Malicious user detection method and device |
| US20190384907A1 (en) * | 2016-03-08 | 2019-12-19 | Palo Alto Networks, Inc. | Cookies watermarking in malware analysis |
| CN107330461A (en) * | 2017-06-27 | 2017-11-07 | 安徽师范大学 | Collaborative filtering recommending method based on emotion with trust |
| CN110390039A (en) * | 2019-07-25 | 2019-10-29 | 广州汇智通信技术有限公司 | Social networks analysis method, device and the equipment of knowledge based map |
| CN111143547A (en) * | 2019-12-30 | 2020-05-12 | 山东大学 | Big data display method based on knowledge graph |
| CN112231570A (en) * | 2020-10-26 | 2021-01-15 | 腾讯科技(深圳)有限公司 | Recommendation system trust attack detection method, device, equipment and storage medium |
| CN112417314A (en) * | 2020-11-26 | 2021-02-26 | 清华大学 | Social network suicidal ideation detection method and system |
| CN113095084A (en) * | 2021-03-16 | 2021-07-09 | 重庆邮电大学 | Semantic service matching method and device in Internet of things and storage medium |
| CN113221003A (en) * | 2021-05-20 | 2021-08-06 | 北京建筑大学 | Mixed filtering recommendation method and system based on dual theory |
Non-Patent Citations (5)
| Title |
|---|
| JYOTI SHOKEEN 等: "A study on features of social recommender systems", 《ARTIFICIAL INTELLIGENCE REVIEW》 * |
| WAN SHANSHAN 等: "A security detection approach based on autonomy-oriented user sensor in social recommendation network", 《INTERNATIONAL JOURNAL OF DISTRIBUTED SENSOR NETWORKS》 * |
| WAN SHANSHAN 等: "NetLogo Based Model for VANET Behaviors Dynamic Research", 《2013 THIRD INTERNATIONAL CONFERENCE ON INTELLIGENT SYSTEM DESIGN AND ENGINEERING APPLICATIONS》 * |
| 白杨: "面向社会化推荐系统的托攻击检测方法研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
| 陈曦: "面向大规模知识图谱的弹性语义推理方法研究及应用", 《中国博士学位论文全文数据库 信息科技辑》 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113807977B (en) | 2023-05-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Adewole et al. | SMSAD: a framework for spam message and spam account detection | |
| CN108491720B (en) | Application identification method, system and related equipment | |
| CN112231570B (en) | Recommendation system support attack detection method, device, equipment and storage medium | |
| CN107835113A (en) | Abnormal user detection method in a kind of social networks based on network mapping | |
| CN103795612A (en) | Method for detecting junk and illegal messages in instant messaging | |
| CN113094707B (en) | Lateral movement attack detection method and system based on heterogeneous graph network | |
| CN108829769B (en) | Suspicious group discovery method and device | |
| CN111835622B (en) | Information interception method, device, computer equipment and storage medium | |
| Ramalingaiah et al. | Twitter bot detection using supervised machine learning | |
| Bhuvaneswari et al. | Information entropy based event detection during disaster in cyber-social networks | |
| CN112435137A (en) | Cheating information detection method and system based on community mining | |
| CN111382278A (en) | Social network construction method and system based on space-time trajectory | |
| CN111191096B (en) | Method for identifying public opinion events and tracking popularity of whole-network patriotic | |
| CN113328994A (en) | Malicious domain name processing method, device, equipment and machine readable storage medium | |
| CN113992340A (en) | User abnormal behavior recognition method, device, equipment, storage medium and program | |
| Zhang et al. | Temporal burstiness and collaborative camouflage aware fraud detection | |
| CN115632874A (en) | Method, device, equipment and storage medium for detecting threat of entity object | |
| CN108076032B (en) | Abnormal behavior user identification method and device | |
| CN111382345B (en) | Topic screening and publishing method, device and server | |
| CN113157993A (en) | Network water army behavior early warning model based on time sequence graph polarization analysis | |
| CN112052399A (en) | Data processing method and device and computer readable storage medium | |
| CN113807977A (en) | Method, system, device and medium for detecting Touchi attack based on dynamic knowledge graph | |
| Fei et al. | Real-time detection of COVID-19 events from Twitter: A spatial-temporally Bursty-Aware method | |
| CN113409096B (en) | Target object identification method and device, computer equipment and storage medium | |
| Qi et al. | A novel shilling attack detection model based on particle filter and gravitation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |