CN114138872A - Big data intrusion analysis method and storage medium applied to digital finance - Google Patents

Info

Publication number
CN114138872A
Authority
CN
China
Prior art keywords
abnormal activity
event
suspected abnormal
cluster
activity event
Legal status
Pending
Application number
CN202111516370.7A
Other languages
Chinese (zh)
Inventor
田巧玲
Current Assignee
Qingdao Huaren Internet Co ltd
Original Assignee
Qingdao Huaren Internet Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2465 Query processing support for facilitating data mining operations in structured databases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/08 Insurance

Abstract

Because at least two of event positioning evaluation, event adaptation evaluation and difference evaluation are combined to determine whether an intrusion destination relation exists between a first suspected abnormal activity event cluster and a second suspected abnormal activity event cluster to be processed, that determination draws on richer dimensions of analysis. The resulting second event correlation mining condition, which reflects whether such an intrusion destination relation exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, is therefore more accurate and reliable. Big data intrusion analysis of a digital financial service log set carried out through the second event correlation mining condition is in turn accurate and reliable, so that the safe operation of the digital financial service is ensured and damage by intrusion behaviour to the related business data information is avoided.

Description

Big data intrusion analysis method and storage medium applied to digital finance
Technical Field
The embodiment of the application relates to the technical field of artificial intelligence and new media, in particular to a big data intrusion analysis method and a storage medium applied to digital finance.
Background
Digital finance refers to a new generation of financial services combined with the traditional financial service state through the internet and information technology means. Generally, digital finance includes internet payment, mobile payment, online banking, outsourcing of financial services, online loan, online insurance, online fund and other financial services. The continuous development of digital finance obviously improves the intelligent degree and efficiency of financial services and effectively reduces unnecessary resource waste.
However, in the practical application process, with the continuous expansion of the digital financial scale, the personal/enterprise financial data information security is easily invaded and stolen by lawbreakers, which may bring about serious economic loss and even cause a series of associated consequences. For this reason, securing data information for digital finance is an important point of current work.
Disclosure of Invention
In view of this, embodiments of the present application provide a big data intrusion analysis method and a storage medium for digital finance.
The embodiment of the application provides a big data intrusion analysis method applied to digital finance, which is applied to a big data intrusion analysis system, and the method at least comprises the following steps: identifying abnormal activity events aiming at each group of user operation sessions needing intrusion analysis in a digital financial service log set needing intrusion analysis, and determining a first suspected abnormal activity event cluster and a plurality of second suspected abnormal activity event clusters; performing correlation mining according to independent sessions between the first suspected abnormal activity event cluster and the second suspected abnormal activity event clusters to obtain a first event correlation mining condition reflecting that upstream and downstream relations exist between the first suspected abnormal activity event cluster and second suspected abnormal activity event clusters to be processed in the second suspected abnormal activity event clusters; aiming at a target digital financial service log which covers the first suspected abnormal activity event cluster in the digital financial service log set needing intrusion analysis, and combining the first event correlation mining condition, obtaining at least two quantitative indexes in event positioning evaluation of the first suspected abnormal activity event cluster, event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed and target difference evaluation; and combining the at least two quantitative indexes to obtain a second event correlation mining condition which reflects whether an intrusion destination connection exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed.
Under some independently implementable design considerations, the method further comprises: and determining a visual event change record of the session activity event pointed by the first suspected abnormal activity event cluster according to the second event correlation mining condition.
Under some design ideas which can be independently implemented, obtaining, for the target digital financial service log that covers the first suspected abnormal activity event cluster in the digital financial service log set needing intrusion analysis and in combination with the first event correlation mining condition, at least two quantitative indexes among the event positioning evaluation of the first suspected abnormal activity event cluster, the event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, and the target difference evaluation, includes: for the target digital financial service logs covering the first suspected abnormal activity event cluster in the digital financial service log set needing intrusion analysis, combining the first event correlation mining condition to obtain at least one of the event positioning evaluation of the first suspected abnormal activity event cluster and the target difference evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, together with the event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed.
Under some independently implementable design considerations, the second cluster of suspected abnormal activity events to be processed includes a number of second suspected abnormal activity event sub-clusters; on the premise that the target difference evaluation is covered in the at least two quantitative indicators, the method further comprises: for a target digital financial transaction log which covers the first suspected abnormal activity event cluster in the digital financial transaction log set needing intrusion analysis, determining each second suspected abnormal activity event sub-cluster in each group of the target digital financial transaction log by combining the first event correlation mining condition, and obtaining at least one local difference evaluation corresponding to each second suspected abnormal activity event sub-cluster from the local difference evaluation between the first suspected abnormal activity event cluster and that second suspected abnormal activity event sub-cluster; and determining the target difference evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster from at least one of the local difference evaluations.
Under some independently implementable design considerations, the second cluster of suspected abnormal activity events to be processed includes: a number of second suspected anomalous activity event sub-clusters; on the premise that the event adaptation evaluation is covered in the at least two quantitative indicators, the method further comprises: determining the number of first digital financial service logs of the first event correlation mining condition existing between each second suspected abnormal activity event sub-cluster and the first suspected abnormal activity event cluster in the target digital financial service logs; determining a second digital financial transaction log number for the target digital financial transaction log; determining a quantitative processing result between the first digital financial transaction log number and the second digital financial transaction log number as the event adaptation evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster.
In some design considerations that can be implemented independently, on the premise that the event localization evaluation is covered in the at least two quantitative indicators, the method further includes: determining a second digital financial transaction log number for the target digital financial transaction log; determining a session group number statistical result of the user operation sessions which are recorded from a first group of user operation sessions to a last group of user operation sessions and have a time sequence precedence relationship in the target digital financial service log; and determining a quantitative processing result between the second digital financial service log number and the session group number statistical result as the event positioning evaluation of the first suspected abnormal activity event cluster.
Under some independently implementable design considerations, the second cluster of suspected abnormal activity events to be processed includes: a number of second suspected anomalous activity event sub-clusters; and the step of obtaining a second event correlation mining condition which reflects whether an intrusion destination connection exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed by combining the at least two quantitative indexes comprises any one of the following steps: on the premise that the at least two quantitative indexes of one second suspected abnormal activity event sub-cluster meet a first set requirement, determining that a second event correlation mining condition of upstream and downstream connection exists between the first suspected abnormal activity event cluster and the one second suspected abnormal activity event sub-cluster; and on the premise that one of the at least two quantitative indexes of one second suspected abnormal activity event sub-cluster does not meet a first set requirement, determining a second event correlation mining condition that no upstream and downstream relation exists between the first suspected abnormal activity event cluster and the one second suspected abnormal activity event sub-cluster.
Under some design considerations which can be implemented independently, on the premise that the event adaptation evaluation is covered in the at least two quantitative indicators, the first setting requirement includes: the event adaptation evaluation between the first suspected abnormal activity event cluster and the target second suspected abnormal activity event sub-cluster is not less than a set event adaptation evaluation judgment value; the target second suspected abnormal activity event sub-cluster is one of the second suspected abnormal activity event sub-clusters with the highest event adaptation evaluation with the first suspected abnormal activity event cluster.
Under some design considerations which can be implemented independently, on the premise that the event localization evaluation is covered in the at least two quantitative indicators, the first setting requirement includes: and the event positioning evaluation of the first suspected abnormal activity event cluster is not less than a set event positioning evaluation judgment value.
Under some independently implementable design considerations, on the premise that the target difference evaluation is covered in the at least two quantitative indicators, the first setting requirement includes: the target difference evaluation between the first suspected abnormal activity event cluster and the target second suspected abnormal activity event sub-cluster is not less than a set difference evaluation judgment value; the target differential rating is the lowest differential rating of the at least one differential rating between the first cluster of suspected anomalous activity events and the target second sub-cluster of suspected anomalous activity events; the target second suspected abnormal activity event sub-cluster is one of the plurality of second suspected abnormal activity event sub-clusters with the highest event adaptation evaluation with the first suspected abnormal activity event cluster.
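The three quantitative indicators and the first set requirement described above, worked through end to end as an added example (this is not code from the patent). The patent only says "quantitative processing result", so a plain ratio is assumed for both the positioning and the adaptation evaluation; the `TargetLog` layout, the threshold values and all sample logs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TargetLog:
    """One target digital financial service log, i.e. a log in the set under
    intrusion analysis that covers the first suspected abnormal activity event
    cluster. The field layout is an assumption made for this example."""
    # user operation session groups recorded in this log, first to last in time order
    session_groups: int
    # second sub-cluster id -> whether the first event correlation mining condition
    # (upstream/downstream relation with the first cluster) holds in this log
    correlated: Dict[str, bool]
    # second sub-cluster id -> local difference evaluations observed in this log
    local_diff: Dict[str, List[float]]


def event_positioning_evaluation(logs: List[TargetLog]) -> float:
    """Second log number (count of target logs) over the session-group
    statistic (all session groups across those logs). Ratio is an assumption."""
    second_log_number = len(logs)
    session_group_total = sum(log.session_groups for log in logs)
    if session_group_total == 0:
        return 0.0
    return second_log_number / session_group_total


def event_adaptation_evaluation(logs: List[TargetLog]) -> Dict[str, float]:
    """Per second sub-cluster: first log number (logs in which the first event
    correlation condition holds with that sub-cluster) over the second log
    number (all target logs). Ratio is again an assumption."""
    second_log_number = len(logs)
    sub_clusters = sorted({sc for log in logs for sc in log.correlated})
    result: Dict[str, float] = {}
    for sc in sub_clusters:
        first_log_number = sum(1 for log in logs if log.correlated.get(sc, False))
        result[sc] = first_log_number / second_log_number if second_log_number else 0.0
    return result


def target_difference_evaluation(logs: List[TargetLog], sub_cluster: str) -> Optional[float]:
    """The target differential rating: the lowest local difference evaluation
    between the first cluster and the given sub-cluster across all target logs."""
    ratings = [r for log in logs for r in log.local_diff.get(sub_cluster, [])]
    return min(ratings) if ratings else None


def second_event_correlation_mining_condition(
    logs: List[TargetLog],
    adaptation_threshold: float,
    positioning_threshold: float,
    difference_threshold: float,
) -> dict:
    """Apply the first set requirement using all three indicators. The target
    sub-cluster is the one with the highest event adaptation evaluation; an
    upstream/downstream relation is asserted only when every indicator is at or
    above its judgment value and rejected as soon as any one falls short."""
    adaptation = event_adaptation_evaluation(logs)
    if not adaptation:
        return {"target": None, "relation": False, "reasons": ["no second sub-clusters"]}
    # highest adaptation wins; ties resolve to the first id in sorted order
    target = max(adaptation, key=lambda sc: adaptation[sc])
    positioning = event_positioning_evaluation(logs)
    difference = target_difference_evaluation(logs, target)
    reasons: List[str] = []
    if adaptation[target] < adaptation_threshold:
        reasons.append("event adaptation below judgment value")
    if positioning < positioning_threshold:
        reasons.append("event positioning below judgment value")
    if difference is None or difference < difference_threshold:
        reasons.append("target difference below judgment value")
    return {
        "target": target,
        "adaptation": adaptation[target],
        "positioning": positioning,
        "difference": difference,
        "relation": not reasons,
        "reasons": reasons,
    }


# Constructed sample: three target logs, two second sub-clusters "A" and "B".
SAMPLE_LOGS = [
    TargetLog(4, {"A": True, "B": False}, {"A": [0.9, 0.7], "B": [0.2]}),
    TargetLog(3, {"A": True, "B": False}, {"A": [0.8], "B": [0.3]}),
    TargetLog(5, {"A": False, "B": True}, {"A": [0.6], "B": [0.4, 0.1]}),
]

if __name__ == "__main__":
    # assumed judgment values: adaptation 0.5, positioning 0.2, difference 0.5
    print(second_event_correlation_mining_condition(SAMPLE_LOGS, 0.5, 0.2, 0.5))
```

On the sample, sub-cluster A is the target (adaptation 2/3 versus 1/3 for B), positioning is 3/12 and A's target difference is 0.6; raising the difference judgment value to 0.7 flips the result to "no relation" with that single indicator as the reason.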
Under some design ideas which can be independently implemented, the performing correlation mining on the first suspected abnormal activity event cluster and the second suspected abnormal activity event clusters according to independent sessions to obtain a first event correlation mining condition reflecting that upstream and downstream relations exist between the first suspected abnormal activity event cluster and second suspected abnormal activity event clusters to be processed in the second suspected abnormal activity event clusters comprises: determining a significant event topic of the second plurality of suspected abnormal activity event clusters by means of an AI neural network; and mining the correlation description between the second suspected abnormal activity event clusters and the first suspected abnormal activity event cluster by combining the word vector difference between the significant event subjects of the second suspected abnormal activity event clusters and the core event subject of the first suspected abnormal activity event cluster, and obtaining a first event correlation mining condition which reflects that the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed in the second suspected abnormal activity event clusters are in upstream and downstream relation with each other.
Under some design ideas which can be independently implemented, mining a correlation description between the second suspected abnormal activity event clusters and the first suspected abnormal activity event cluster by combining word vector differences between significant event topics of the second suspected abnormal activity event clusters and core event topics of the first suspected abnormal activity event cluster, and obtaining a first event correlation mining condition reflecting that upstream and downstream relations exist between the first suspected abnormal activity event cluster and second suspected abnormal activity event clusters to be processed in the second suspected abnormal activity event clusters, includes: determining word vector differences between the significant event topic of each second suspected abnormal activity event cluster in the second suspected abnormal activity event clusters and the core event topic of the first suspected abnormal activity event cluster to obtain a plurality of word vector difference values; determining a second suspected abnormal activity event cluster corresponding to the lowest word vector difference value in the plurality of word vector difference values as the second suspected abnormal activity event cluster to be processed; and mining the upstream and downstream relation between the second suspected abnormal activity event cluster to be processed and the first suspected abnormal activity event cluster, and acquiring the mining condition of the correlation of the first event, which reflects the upstream and downstream relation between the second suspected abnormal activity event cluster to be processed and the first suspected abnormal activity event cluster.
Under some design ideas which can be independently implemented, the first suspected abnormal activity event cluster carries a first event semantic, and the second suspected abnormal activity event cluster to be processed carries a second event semantic; after the second event correlation mining condition that reflects whether an intrusion destination connection exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed is obtained by combining the at least two quantitative indexes, the method further includes: and on the premise that the second event correlation mining condition reflects that the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed have upstream and downstream relation, storing and outputting a mapping list between the first event semantics and the second event semantics.
Under some design ideas which can be independently implemented, the first suspected abnormal activity event cluster is a cross-border financial business event set, and the second suspected abnormal activity event cluster is an online financial business event set; or, the first suspected abnormal activity event cluster is an online financial transaction event set, and the second suspected abnormal activity event cluster is a cross-border financial transaction event set.
Under some independently implementable design considerations, the significant event topic is an offsite significant event topic on the premise that the second cluster of suspected abnormal activity events is an online financial transaction event set.
The embodiment of the application also provides a big data intrusion analysis system, which comprises a processor, a network module and a memory; the processor and the memory communicate through the network module, and the processor reads the computer program from the memory and operates to perform the above-described method.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
Compared with the prior art, the method and device of the embodiments of the present application, by combining the abnormal activity event identification result, determine the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed; determine a first event correlation mining condition under which the first suspected abnormal activity event cluster in each group is connected with the suspected abnormal activity event cluster to be processed among the second suspected abnormal activity event clusters of that group; determine, for each group of digital financial service logs and in combination with the first event correlation mining condition, at least two quantitative indexes among the event positioning evaluation of the first suspected abnormal activity event cluster and the event adaptation evaluation and target difference evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed; accurately obtain, by combining the at least two quantitative indexes, a second event correlation mining condition reflecting whether an intrusion destination relation exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed; and determine, according to the second event correlation mining condition, a visual event change record of the session activity event pointed to by the first suspected abnormal activity event cluster. Because at least two of the three quantitative indexes of event positioning evaluation, event adaptation evaluation and difference evaluation can be combined to determine whether an intrusion destination relation exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, that determination draws on richer dimensions of analysis, so that the obtained second event correlation mining condition reflecting whether the intrusion destination relation exists is more accurate and reliable. The digital financial service log set can thus be accurately and reliably subjected to big data intrusion analysis through the second event correlation mining condition, ensuring the safe operation of the digital financial service and avoiding damage by intrusion behaviour to the related service data information.
In the description that follows, additional features will be set forth, in part, in the description. These features will be in part apparent to those skilled in the art upon examination of the following and the accompanying drawings, or may be learned by production or use. The features of the present application may be realized and attained by practice or use of various aspects of the methodologies, instrumentalities and combinations particularly pointed out in the detailed examples that follow.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a block diagram illustrating a big data intrusion analysis system according to an embodiment of the present disclosure.
Fig. 2 is a flowchart of a big data intrusion analysis method applied to digital finance according to an embodiment of the present application.
Fig. 3 is a block diagram of a big data intrusion analysis device applied to digital finance according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Fig. 1 shows a block diagram of a big data intrusion analysis system 10 according to an embodiment of the present application. In this embodiment of the present application, the big data intrusion analysis system 10 may be a server with data storage, transmission, and processing functions, as shown in fig. 1, the big data intrusion analysis system 10 includes: a memory 0011, a processor 0012, a network module 0013 and a big data intrusion analysis apparatus 20 applied to digital finance.
The memory 0011, the processor 0012 and the network module 0013 are electrically connected directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 0011 stores therein a big data intrusion analysis device 20 applied to digital finance, the big data intrusion analysis device 20 applied to digital finance includes at least one software function module which can be stored in the memory 0011 in the form of software or firmware (firmware), and the processor 0012 executes various function applications and data processing by running a software program and a module stored in the memory 0011, such as the big data intrusion analysis device 20 applied to digital finance in the embodiment of the present application, so as to implement the big data intrusion analysis method applied to digital finance in the embodiment of the present application.
The memory 0011 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 0011 is used for storing a program, and the processor 0012 executes the program after receiving an execution instruction.
The processor 0012 may be an integrated circuit chip having data processing capabilities. The Processor 0012 may be a general-purpose Processor including a Central Processing Unit (CPU), a Network Processor (NP), and the like. The various methods, steps and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The network module 0013 is configured to establish a communication connection between the big data intrusion analysis system 10 and another communication terminal device through a network, so as to implement transceiving operations of network signals and data. The network signal may include a wireless signal or a wired signal.
It is to be understood that the configuration shown in fig. 1 is merely illustrative and that the big data intrusion analysis system 10 may include more or fewer components than shown in fig. 1 or may have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
Fig. 2 is a flowchart illustrating a big data intrusion analysis method applied to digital finance according to an embodiment of the present application. The method steps defined by the flow associated with the method are applied to a big data intrusion analysis system 10, and can be implemented by the processor 0012, and the method includes the following steps.
Step 101, identifying abnormal activity events for each group of user operation sessions needing intrusion analysis in a digital financial service log set needing intrusion analysis, and determining a first suspected abnormal activity event cluster and a plurality of second suspected abnormal activity event clusters.
The big data intrusion analysis system can identify abnormal activity events for each group of user operation sessions needing intrusion analysis in the digital financial service log set needing intrusion analysis by means of the abnormal activity event identification network, and thereby identify whether each group of user operation sessions needing intrusion analysis covers a first suspected abnormal activity event cluster and a plurality of second suspected abnormal activity event clusters. In some examples, in the embodiments of the present application, the number of first suspected abnormal activity event clusters is one; in other embodiments, there may be several first suspected abnormal activity event clusters, and the embodiment of the present application is described taking each first suspected abnormal activity event cluster in turn as an example.
In the embodiment of the present application, the digital financial service log set that needs to be subjected to intrusion analysis may be known as a digital financial service log set to be analyzed, for example, the digital financial service log set may be determined by implementing various set conditions, and further, each group of user operation sessions that need to be subjected to intrusion analysis may also be determined by implementing various set conditions.
It can be understood that the digital financial transaction log set to be subjected to intrusion analysis may correspond to in-house online payment, out-house online payment, or blockchain payment, which is not limited in this embodiment of the present application.
In the embodiment of the application, after abnormal activity event identification is performed on a group of user operation sessions in the digital financial transaction log set to be subjected to intrusion analysis, if no first suspected abnormal activity event cluster and/or no second suspected abnormal activity event cluster is identified, or if the group covers only a first suspected abnormal activity event cluster and a single second suspected abnormal activity event cluster, the identified first and/or second suspected abnormal activity event cluster is annotated and identification continues on the subsequent digital financial transaction log set, until a first suspected abnormal activity event cluster and a plurality of second suspected abnormal activity event clusters are identified in a group of user operation sessions; the first suspected abnormal activity event cluster and the plurality of second suspected abnormal activity event clusters are then determined.
It can be understood that, when a group of user operation sessions needing intrusion analysis covers a first suspected abnormal activity event cluster and a second suspected abnormal activity event cluster, the two are generally in an upstream-downstream relation with each other; this embodiment of the application explains only the case in which a group of user operation sessions covers the first suspected abnormal activity event cluster and a plurality of second suspected abnormal activity event clusters.
In some independently implementable embodiments of the present application, the first suspected abnormal activity event cluster is a cross-border financial transaction event set and the second suspected abnormal activity event cluster is an online financial transaction event set; or the first suspected abnormal activity event cluster is an online financial service event set and the second suspected abnormal activity event cluster is a cross-border financial service event set. In the embodiment of the application, the subsequent content is explained taking the first suspected abnormal activity event cluster as a cross-border financial service event set and the second suspected abnormal activity event cluster as an online financial service event set.
It can be understood that the set of online financial transaction events described herein is a set of events determined by a global event recognition thread (which can be understood as a first thread), and the set of cross-border financial transaction events is a set of events determined by a local event recognition thread (which can be understood as a second thread). As an example, a group of user operation sessions to be subjected to intrusion analysis may include a first thread 1a, a first thread 1b, a first thread 1c and a second thread 2d.
On this basis, an abnormal activity event may be any abnormal or potentially risky business session behaviour event, including but not limited to activity events corresponding to repeated failed password logins, abnormal logins, sensitive word detection hits, and the like.
Step 102, performing correlation mining according to independent sessions between the first suspected abnormal activity event cluster and the plurality of second suspected abnormal activity event clusters, to obtain a first event correlation mining condition reflecting that an upstream-downstream relation exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed among the plurality of second suspected abnormal activity event clusters.
In some independently implementable embodiments of the present application, the big data intrusion analysis system may perform, after identifying and obtaining a first suspected abnormal activity event cluster and a plurality of second suspected abnormal activity event clusters contained in a group of user operation sessions to be subjected to intrusion analysis, correlation mining according to an independent session between the first suspected abnormal activity event cluster and the plurality of second suspected abnormal activity event clusters contained in the group of user operation sessions to be subjected to intrusion analysis. In other embodiments that can be implemented independently in the present application, the big data intrusion analysis system may also perform correlation mining according to an independent session (correlation mining prediction according to a single session) between a first suspected abnormal activity event cluster and a plurality of second suspected abnormal activity event clusters that are included in each group of user operation sessions that need to be subjected to intrusion analysis after all abnormal activity events are identified.
It can be understood that the second suspected abnormal activity event clusters covered by different groups of user operation sessions needing intrusion analysis, each of which includes the first suspected abnormal activity event cluster and a plurality of second suspected abnormal activity event clusters, may be the same as each other or may differ.
For example, the first group of user operation sessions needing intrusion analysis covers the first suspected abnormal activity event cluster case_cluster_A and the second suspected abnormal activity event clusters case_cluster_Bd and case_cluster_Be; the third group covers the first suspected abnormal activity event cluster case_cluster_A and the second suspected abnormal activity event clusters case_cluster_Bd, case_cluster_Bf and case_cluster_Be; the fourth group covers the first suspected abnormal activity event cluster case_cluster_A and the second suspected abnormal activity event clusters case_cluster_Bg and case_cluster_Bh; the fifth group covers the first suspected abnormal activity event cluster case_cluster_A and the second suspected abnormal activity event clusters case_cluster_Bd, case_cluster_Be, and so on.
It can be understood that, when a group of user operation sessions that need to be subjected to intrusion analysis covers a first suspected abnormal activity event cluster and a second suspected abnormal activity event cluster, generally the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster belong to the same session activity event, so that correlation mining is not required.
In some independently implementable embodiments of the present application, when the big data intrusion analysis system performs correlation mining according to an independent session, it may determine a difference evaluation (cosine distance) between the first suspected abnormal activity event cluster and each of the second suspected abnormal activity event clusters, determine a second suspected abnormal activity event cluster whose difference evaluation with the first suspected abnormal activity event cluster is not less than a set value as a second suspected abnormal activity event cluster to be processed, and determine that an upstream-downstream relationship exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, thereby obtaining a first event correlation mining condition that reflects the upstream-downstream relationship between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed.
For example, the big data intrusion analysis system determines the difference evaluation between the first suspected abnormal activity event cluster case_cluster_A and the second suspected abnormal activity event clusters case_cluster_B1 and case_cluster_B2, obtaining the corresponding difference evaluation values cosine1, cosine2 and cosine3; on the premise that cosine1 and cosine2 are both greater than the set value, it determines the second suspected abnormal activity event cluster case_cluster_B1 corresponding to cosine1 and the second suspected abnormal activity event cluster case_cluster_B2 corresponding to cosine2 as the second suspected abnormal activity event clusters to be processed, determines that case_cluster_A is upstream of case_cluster_B1 and downstream of case_cluster_B2, and thereby obtains a first event correlation mining condition reflecting that the first suspected abnormal activity event cluster case_cluster_A is linked upstream and downstream with the second suspected abnormal activity event clusters case_cluster_B1 and case_cluster_B2.
In an embodiment of the present application, the number of second suspected abnormal activity event clusters to be processed may be several, that is, the second suspected abnormal activity event cluster to be processed may include several second suspected abnormal activity event sub-clusters. In other independently implementable embodiments, the number may also be one. It will be appreciated that, for a given group of user operation sessions needing intrusion analysis, there is one second suspected abnormal activity event cluster to be processed, which may consist of one or several sub-clusters.
In some independently implementable embodiments of the present application, the first suspected abnormal activity event cluster carries a first event semantic, the second suspected abnormal activity event cluster to be processed carries a second event semantic, and the event semantics of different first suspected abnormal activity event clusters and different second suspected abnormal activity event clusters are different; after obtaining a first event correlation mining condition that reflects that the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed have upstream and downstream relation with each other, the big data intrusion analysis system may cache a mapping list (correlation description) between the semantics of the first event and the semantics of the second event of the second suspected abnormal activity event cluster to be processed, and output the mapping list between the semantics of the events.
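As an added worked example in Python (not code from the patent or the applicant), the independent-session correlation mining of step 102 and the cached event-semantics mapping list described above, run over a constructed session. Everything below is an assumption of the example rather than of the patent: each cluster carries a numeric feature vector and a short semantic label, the difference evaluation is the cosine value between the vectors (so that, as in the text, a value not less than the set value marks a second cluster as to be processed), the set value is 0.8, and the identifiers case_cluster_A, case_cluster_B1 to case_cluster_B3, the semantic labels and the function names are illustrative.

```python
# Added worked example, not code from the patent: independent-session
# correlation mining of step 102 with a cosine-based difference evaluation,
# followed by the event-semantics mapping list that the system caches.
# Assumptions (not in the patent): each cluster carries a numeric feature
# vector and a short event-semantic label; the "difference evaluation" is the
# cosine value between vectors, and SET_VALUE is the judgment value.
from math import sqrt

SET_VALUE = 0.8  # assumed set value for the difference evaluation


def cosine(u, v):
    """Cosine of the angle between two feature vectors (0.0 if either is zero)."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = sqrt(sum(a * a for a in u))
    nv = sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


# Constructed user-operation session: one first cluster (cross-border
# transaction events) and three second clusters (online transaction events).
SESSION = {
    "first": {"id": "case_cluster_A", "semantic": "cross_border_transfer",
              "vec": [1.0, 0.2, 0.0]},
    "second": [
        {"id": "case_cluster_B1", "semantic": "new_device_login",
         "vec": [0.9, 0.3, 0.1]},
        {"id": "case_cluster_B2", "semantic": "repeated_password_failure",
         "vec": [0.8, 0.1, 0.2]},
        {"id": "case_cluster_B3", "semantic": "sensitive_word_hit",
         "vec": [0.0, 0.1, 1.0]},
    ],
}


def mine_independent_session(session, set_value=SET_VALUE):
    """First event correlation mining condition for one session: the second
    clusters whose difference evaluation with the first cluster is not less
    than set_value, each with its score. These are the clusters "to be
    processed" (upstream-downstream relation with the first cluster)."""
    first = session["first"]
    condition = []
    for second in session["second"]:
        score = cosine(first["vec"], second["vec"])
        if score >= set_value:
            condition.append((second["id"], round(score, 4)))
    return condition


def semantic_mapping_list(session, condition):
    """Correlation description: first-event semantic -> second-event semantics
    of the to-be-processed clusters."""
    by_id = {s["id"]: s["semantic"] for s in session["second"]}
    return {session["first"]["semantic"]:
            [by_id[cid] for cid, _ in condition]}


def mine_all_sessions(sessions, set_value=SET_VALUE):
    """Variant in which mining runs only after all sessions are identified:
    returns the cached mapping lists keyed by first-cluster semantic, merged
    across sessions without duplicate entries."""
    cache = {}
    for session in sessions:
        cond = mine_independent_session(session, set_value)
        for key, semantics in semantic_mapping_list(session, cond).items():
            seen = cache.setdefault(key, [])
            seen.extend(s for s in semantics if s not in seen)
    return cache


if __name__ == "__main__":
    cond = mine_independent_session(SESSION)
    print(cond)
    print(semantic_mapping_list(SESSION, cond))
```

With the constructed vectors, case_cluster_B1 and case_cluster_B2 clear the set value and case_cluster_B3 does not; raising the set value to 0.97 keeps only case_cluster_B1, which shows how much the outcome of step 102 depends on the judgment value chosen.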
Step 103, for a target digital financial service log in the digital financial service log set needing intrusion analysis that covers the first suspected abnormal activity event cluster, combining the first event correlation mining condition to obtain at least two of the following three quantitative indexes: the event positioning evaluation of the first suspected abnormal activity event cluster, the event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, and the target difference evaluation between the two.
In the embodiment of the present application, the event positioning evaluation of the first suspected abnormal activity event cluster is the quantitative processing result (which can be understood as a ratio) between the positioning event number and the statistical event number of the first suspected abnormal activity event cluster; the positioning event number is the number of digital financial transaction logs in which the first suspected abnormal activity event cluster is identified, and the statistical event number is the number of session groups, counted in time-sequence order, from the first group of user operation sessions in which the first suspected abnormal activity event cluster was identified up to the last group in which it was identified.
In the embodiment of the application, the event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed is the quantitative processing result between the adaptation event number corresponding to the two clusters and the positioning event number of the first suspected abnormal activity event cluster; the adaptation event number is the number of digital financial service logs that cover both the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed and in which the two are linked upstream and downstream.
In this embodiment of the application, the difference evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed is a quantized processing result of a first cosine distance (local) and a second cosine distance (global) between the two clusters, and the target difference evaluation between them is the lowest of the several quantized processing results obtained for the two clusters.
After the big data intrusion analysis system obtains all digital financial service logs (target digital financial service logs) in the digital financial service log set needing intrusion analysis that cover the first suspected abnormal activity event cluster, it can combine the first event correlation mining condition of each group over all of these logs to determine at least two of the following three quantitative indexes: the event positioning evaluation of the first suspected abnormal activity event cluster, the event adaptation evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster in the second suspected abnormal activity event cluster to be processed, and the target difference evaluation between the first suspected abnormal activity event cluster and each such sub-cluster.
In some independently implementable embodiments of the present application, step 103 may include the following: for a target digital financial service log that covers a first suspected abnormal activity event cluster in the digital financial service log set needing intrusion analysis, combining the first event correlation mining condition to obtain the event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, together with at least one of the event positioning evaluation of the first suspected abnormal activity event cluster and the target difference evaluation between the two clusters. In this way, one of the at least two quantitative indexes is always the event adaptation evaluation, so that the second suspected abnormal activity event cluster determined from the cluster to be processed as associated with the first suspected abnormal activity event cluster is more accurate and credible.
Step 104, combining the at least two quantitative indexes to obtain a second event correlation mining condition reflecting whether an intrusion target relationship exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed.
In some independently implementable embodiments of the present application, after obtaining at least two quantitative indexes between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster in the second suspected abnormal activity event cluster to be processed, the big data intrusion analysis system may, for each second suspected abnormal activity event sub-cluster, determine whether a relationship exists between that sub-cluster and the first suspected abnormal activity event cluster by checking whether the at least two quantitative indexes of the sub-cluster meet a first setting requirement. Specifically, if the at least two quantitative indexes of a given sub-cluster meet the first setting requirement, the system determines a second event correlation mining condition that an upstream-downstream relation exists between the first suspected abnormal activity event cluster and that sub-cluster; if any one of the at least two quantitative indexes of the sub-cluster does not meet the first setting requirement, it determines a second event correlation mining condition that no upstream-downstream relation exists between them. In this way the second event correlation mining condition between each second suspected abnormal activity event sub-cluster and the first suspected abnormal activity event cluster is obtained accurately, that is, the second event correlation mining condition between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed is obtained.
In an embodiment of the present application, on the premise that the at least two quantitative indexes include the event adaptation evaluation, the first setting requirement includes: [1] the event adaptation evaluation between the first suspected abnormal activity event cluster and the target second suspected abnormal activity event sub-cluster is not less than a set event adaptation evaluation judgment value, where the target second suspected abnormal activity event sub-cluster is the sub-cluster with the highest event adaptation evaluation with respect to the first suspected abnormal activity event cluster.
In an embodiment of the present application, on the premise that the at least two quantitative indexes include the event positioning evaluation, the first setting requirement includes: [2] the event positioning evaluation of the first suspected abnormal activity event cluster is not less than a set event positioning evaluation judgment value.
In an embodiment of the present application, on the premise that the at least two quantitative indexes include the target difference evaluation, the first setting requirement includes: [3] the target difference evaluation between the first suspected abnormal activity event cluster and the target second suspected abnormal activity event sub-cluster is not less than a set difference evaluation judgment value, where the target difference evaluation is the lowest of the at least one difference evaluation between the first suspected abnormal activity event cluster and the target second suspected abnormal activity event sub-cluster.
In the embodiment of the application, the higher the event adaptation evaluation, the higher the event positioning evaluation, and the higher the difference evaluation between the first suspected abnormal activity event cluster and a given second suspected abnormal activity event sub-cluster, the higher the correlation coefficient between the two (the difference evaluation is therefore used as a similarity-type score in which a higher value means a closer relation, consistent with the threshold direction of step 102). Accordingly, an event adaptation evaluation judgment value, an event positioning evaluation judgment value and a difference evaluation judgment value are set, and the second event correlation mining condition is determined against these specified judgment values, so that it can be determined quickly and accurately.
It can be understood that the event adaptation evaluation judgment value, the event positioning evaluation judgment value and the difference evaluation judgment value can be set according to actual needs, which the embodiment of the present application does not limit. For example, when the at least two quantitative indexes are the event adaptation evaluation and the event positioning evaluation, the first setting requirement may be [1] and [2]; when they are the event adaptation evaluation and the target difference evaluation, the first setting requirement may be [1] and [3]; when they are the event adaptation evaluation, the event positioning evaluation and the target difference evaluation, the first setting requirement may be [1], [2] and [3]; when they are the event positioning evaluation and the target difference evaluation, the first setting requirement may be [2] and [3].
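Steps 103 and 104 together, as an added worked example in Python (not the patent's or the applicant's code): the three quantitative indexes are computed over a constructed set of target logs and the first setting requirement is then applied to obtain the second event correlation mining condition. The log layout (a time-ordered round, the clusters covered, the upstream-downstream links found in the log, and a local and a global feature vector per cluster), the use of the mean as the quantized result of the local and global cosine values, the judgment values in THRESHOLDS, and all identifiers and function names are assumptions of the example, not specified by the patent.

```python
# Added worked example, not code from the patent: the three quantitative
# indexes of step 103 computed over a constructed target-log set, then the
# first setting requirement of step 104 applied to obtain the second event
# correlation mining condition.
# Assumptions (not stated by the patent): a target log is one user-operation
# session group with a time-ordered "round", the clusters it covers, the
# upstream-downstream links found in it, and a local and a global feature
# vector per cluster; the "quantized processing result" of the local and
# global cosine values is their mean.
from math import sqrt


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu, nv = sqrt(sum(a * a for a in u)), sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


# Constructed target logs. "A" is the first suspected abnormal activity event
# cluster; "B1" and "B2" are sub-clusters of the second cluster to be processed
# (the output of step 102). Links are (upstream, downstream) pairs found in the log.
LOGS = [
    {"round": 1, "clusters": {"A", "B1"}, "links": {("A", "B1")},
     "local": {"A": [1, 0, 1], "B1": [1, 0, 0.8]},
     "global": {"A": [0.9, 0.1], "B1": [0.8, 0.2]}},
    {"round": 2, "clusters": {"B2"}, "links": set(),
     "local": {"B2": [0, 1, 0]}, "global": {"B2": [0.1, 0.9]}},
    {"round": 3, "clusters": {"A", "B1", "B2"}, "links": {("A", "B1")},
     "local": {"A": [1, 0, 1], "B1": [0.9, 0, 1], "B2": [0, 1, 0.2]},
     "global": {"A": [0.9, 0.1], "B1": [0.9, 0.1], "B2": [0.2, 0.8]}},
    {"round": 4, "clusters": {"A", "B2"}, "links": set(),
     "local": {"A": [1, 0, 1], "B2": [0, 1, 0]},
     "global": {"A": [0.9, 0.1], "B2": [0.1, 0.9]}},
    {"round": 5, "clusters": {"B1"}, "links": set(),
     "local": {"B1": [1, 0, 1]}, "global": {"B1": [0.9, 0.1]}},
]

# Assumed judgment values for requirements [1] (adaptation), [2] (positioning)
# and [3] (target difference).
THRESHOLDS = {"adaptation": 0.5, "positioning": 0.5, "difference": 0.5}


def event_positioning_evaluation(logs, first):
    """Positioning event number / statistical event number. The statistical
    number counts every session group, in time order, from the first group in
    which `first` was identified to the last one, inclusive."""
    ordered = sorted(logs, key=lambda log: log["round"])
    hits = [i for i, log in enumerate(ordered) if first in log["clusters"]]
    if not hits:
        return 0.0
    return len(hits) / (hits[-1] - hits[0] + 1)


def event_adaptation_evaluation(logs, first, sub):
    """Adaptation event number (logs covering both clusters with an
    upstream-downstream link between them) / positioning event number."""
    positioning = sum(first in log["clusters"] for log in logs)
    if not positioning:
        return 0.0
    adapted = sum(
        1 for log in logs
        if {first, sub} <= log["clusters"]
        and ((first, sub) in log["links"] or (sub, first) in log["links"]))
    return adapted / positioning


def target_difference_evaluation(logs, first, sub):
    """Per log covering both clusters: quantized result of the local and the
    global cosine; the target difference evaluation is the lowest of them."""
    results = []
    for log in logs:
        if {first, sub} <= log["clusters"]:
            local = cosine(log["local"][first], log["local"][sub])
            glob = cosine(log["global"][first], log["global"][sub])
            results.append((local + glob) / 2)
    return min(results) if results else 0.0


def quantitative_indexes(logs, first, sub):
    return {"positioning": event_positioning_evaluation(logs, first),
            "adaptation": event_adaptation_evaluation(logs, first, sub),
            "difference": target_difference_evaluation(logs, first, sub)}


def target_sub_cluster(logs, first, subs):
    """Sub-cluster with the highest event adaptation evaluation (requirement [1])."""
    return max(subs, key=lambda sub: event_adaptation_evaluation(logs, first, sub))


def second_event_correlation_mining(logs, first, subs, indexes, thresholds=THRESHOLDS):
    """Step 104: for each sub-cluster, True when every selected index meets its
    judgment value (the first setting requirement), otherwise False."""
    if len(set(indexes)) < 2:
        raise ValueError("step 104 needs at least two quantitative indexes")
    return {sub: all(quantitative_indexes(logs, first, sub)[k] >= thresholds[k]
                     for k in indexes)
            for sub in subs}


if __name__ == "__main__":
    for sub in ("B1", "B2"):
        print(sub, quantitative_indexes(LOGS, "A", sub))
    print(second_event_correlation_mining(
        LOGS, "A", ["B1", "B2"], ("adaptation", "positioning", "difference")))
```

On the constructed logs, A is identified in three of the four session groups it spans (positioning 0.75), is linked to B1 in two of those three (adaptation 2/3) and never to B2 (adaptation 0), and its lowest local/global cosine result is about 0.99 against B1 and about 0.11 against B2; with the assumed judgment values, B1 meets the first setting requirement and B2 does not under any of the index combinations listed above.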
In some independently implementable embodiments of the present application, on the premise of obtaining a second event correlation mining condition between the first suspected abnormal activity event cluster and a certain second suspected abnormal activity event sub-cluster, the session activity event to which the first suspected abnormal activity event cluster points may be located in combination with the second event correlation mining condition.
In the embodiment of the application, since whether an intrusion target relationship exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed is determined by combining at least two of the three quantitative indexes (event positioning evaluation, event adaptation evaluation and difference evaluation), the determination takes richer dimensions into consideration, so that the obtained second event correlation mining condition reflecting whether an intrusion target relationship exists between the two clusters is more accurate and reliable. Accurate and reliable big data intrusion analysis can therefore be carried out on the digital financial service log set through the second event correlation mining condition, the safe operation of the digital financial service is guaranteed, and damage by intrusion behaviour to the related service data information is avoided.
In some embodiments, the method may further include: Step 105, determining a visual event change record of the session activity event pointed to by the first suspected abnormal activity event cluster according to the second event correlation mining condition.
In some independently implementable embodiments of the present application, after obtaining a second event correlation mining condition that an upstream-downstream relationship exists between the first suspected abnormal activity event cluster and a certain second suspected abnormal activity event sub-cluster, the big data intrusion analysis system may first determine the session activity event pointed to by the first suspected abnormal activity event cluster and that sub-cluster, and perform multidimensional identification on the digital financial service logs (user operation sessions needing intrusion analysis) covering the first suspected abnormal activity event cluster and the sub-cluster using a specified user operation session identification method, so as to obtain the multidimensional features (timing features, regional features, and the like) corresponding to the first suspected abnormal activity event cluster and the sub-cluster respectively, and determine the visual event change record completely and accurately on the basis of those features.
In the embodiment of the application, since whether an intrusion target relationship exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed is determined by combining at least two of the three quantitative indexes (event positioning evaluation, event adaptation evaluation and difference evaluation), the second event correlation mining condition is considered from richer dimensions and is therefore more accurate and reliable; consequently, the visual event change record finally determined for the session activity event pointed to by the first suspected abnormal activity event cluster is more complete and reliable.
In some embodiments of the present application, which can be implemented independently, the following embodiment of the present application provides an alternative implementation of the big data intrusion analysis method applied to digital finance, and the step 102 can also be implemented by means of the steps 201 and 202.
Step 201, determining the significant event topics of the plurality of second suspected abnormal activity event clusters by means of an AI neural network.
For a group of user operation sessions needing intrusion analysis, after the big data intrusion analysis system determines the first suspected abnormal activity event cluster and the plurality of second suspected abnormal activity event clusters, the AI neural network can be used to determine the significant event topic of each second suspected abnormal activity event cluster. It can be understood that the significant event is a two-dimensional label within the user operation session needing intrusion analysis.
In the embodiment of the present application, the AI neural network may be a network obtained by training the LSTM/CNN/RNN in advance by using, as a positive example, a user operation session to be subjected to intrusion analysis, which is annotated with a significant event topic of the second suspected abnormal activity event cluster, and by using, as a negative example, a user operation session to be subjected to intrusion analysis, which is not annotated with a significant event topic of the second suspected abnormal activity event cluster.
In some independently implementable embodiments of the present application, a significant event topic of a second cluster of suspected anomalous activity events refers to a displaced significant event topic of a first thread, provided that the second cluster of suspected anomalous activity events is the first thread. In other embodiments of the present application, if the second cluster of suspected abnormal activity events is a second thread, the significant event topic of the second cluster of suspected abnormal activity events may refer to a core event topic of the second thread.
Step 202, by combining word vector differences between the significant event topics of the second suspected abnormal activity event clusters and the core event topics of the first suspected abnormal activity event cluster, mining a correlation description between the second suspected abnormal activity event clusters and the first suspected abnormal activity event cluster, and obtaining a first event correlation mining condition reflecting that upstream and downstream relations exist between the first suspected abnormal activity event cluster and second suspected abnormal activity event clusters to be processed in the second suspected abnormal activity event clusters.
It can be understood that the big data intrusion analysis system may determine the significant event topic of each second suspected abnormal activity event cluster, and determine whether each second suspected abnormal activity event cluster is associated with the first suspected abnormal activity event cluster by means of a word vector difference between the significant event topic of each second suspected abnormal activity event cluster and the core event topic of the first suspected abnormal activity event cluster, so as to determine the second suspected abnormal activity event cluster to be processed in the plurality of second suspected abnormal activity event clusters, thereby obtaining a first event correlation mining condition that reflects that the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed in the plurality of second suspected abnormal activity event clusters are associated upstream and downstream.
In some embodiments of the present application, which can be implemented independently, the step 202 can be implemented by steps 11 to 13.
Step 11, determining the word vector difference between the significant event topic of each second suspected abnormal activity event cluster and the core event topic of the first suspected abnormal activity event cluster, obtaining a plurality of word vector difference values.
The big data intrusion analysis system can determine the topic vector of the core event topic of the first suspected abnormal activity event cluster while determining the topic vector of the significant event topic of each second suspected abnormal activity event cluster, and determine the word vector difference between each second suspected abnormal activity event cluster and the first suspected abnormal activity event cluster from these two topic vectors, so as to obtain as many word vector difference values as there are second suspected abnormal activity event clusters. For example, when there are three second suspected abnormal activity event clusters, a word vector difference value is determined between each of the three and the first suspected abnormal activity event cluster, so that three word vector difference values are obtained in total.
Step 12, determining the second suspected abnormal activity event cluster corresponding to the lowest of the word vector difference values as the second suspected abnormal activity event cluster to be processed.
After obtaining the plurality of word vector difference values, the big data intrusion analysis system may select the lowest word vector difference value among them and determine the second suspected abnormal activity event cluster corresponding to that lowest value as the second suspected abnormal activity event cluster to be processed; when not less than two word vector difference values share the lowest value, correspondingly not less than two second suspected abnormal activity event clusters to be processed are determined.
Step 13, mining the upstream and downstream relation between the second suspected abnormal activity event cluster to be processed and the first suspected abnormal activity event cluster, obtaining a first event correlation mining condition reflecting the upstream and downstream relation between the second suspected abnormal activity event cluster to be processed and the first suspected abnormal activity event cluster.
After determining the second suspected abnormal activity event cluster to be processed among the second suspected abnormal activity event clusters, the big data intrusion analysis system can determine that the second suspected abnormal activity event cluster to be processed and the first suspected abnormal activity event cluster are in upstream and downstream relation with each other, so that a first event correlation mining condition reflecting the upstream and downstream relation between the second suspected abnormal activity event cluster to be processed and the first suspected abnormal activity event cluster is obtained.
In the embodiment of the present application, on the premise that the second suspected abnormal activity event cluster is a first thread, an AI neural network is used to mine its displaced significant event topic, and the displaced significant event topic so obtained is applied to the correlation description judgment; in this way the abnormal correlation analysis caused by an error in identifying the thread can be reduced, and the stability of the correlation analysis between the first thread and the second thread according to independent sessions can be improved.
In some independently implementable embodiments of the present application, as an optional technical solution of the big data intrusion analysis method applied to digital finance provided in the following embodiments, the method further includes step 3011 and step 3012.
Step 3011, on the premise that the at least two quantitative indicators include the target difference evaluation, for each target digital financial service log covering the first suspected abnormal activity event cluster in the digital financial service log set to be subjected to intrusion analysis, determining, in combination with the first event correlation mining condition, each second suspected abnormal activity event sub-cluster in each group of target digital financial service logs and the local difference evaluation between each second suspected abnormal activity event sub-cluster and the first suspected abnormal activity event cluster, obtaining at least one local difference evaluation corresponding to each second suspected abnormal activity event sub-cluster; the second suspected abnormal activity event cluster to be processed comprises a number of second suspected abnormal activity event sub-clusters.
After obtaining the first event correlation mining condition of each group of target digital financial service logs, the big data intrusion analysis system can determine, in combination with that condition, all second suspected abnormal activity event sub-clusters related to the first suspected abnormal activity event cluster in each group, determine the information quantity difference evaluation between each such sub-cluster and the first suspected abnormal activity event cluster, and thereby obtain the local difference evaluation between each second suspected abnormal activity event sub-cluster and the first suspected abnormal activity event cluster in each group of target digital financial service logs, so that not less than one local difference evaluation corresponding to each second suspected abnormal activity event sub-cluster is obtained. For example, on the premise that the first group of user operation sessions of the target digital financial service log covers two second suspected abnormal activity event sub-clusters, part_Ba and part_Bb, and the third group covers two second suspected abnormal activity event sub-clusters, part_Ba and part_Bc, the big data intrusion analysis system can determine the local difference evaluation part_cosine_a between part_Ba and the first suspected abnormal activity event cluster in the first group and the local difference evaluation part_cosine_a between part_Ba and the first suspected abnormal activity event cluster in the third group, thereby obtaining two local difference evaluations corresponding to part_Ba; and determine the local difference evaluation part_cosine_b between part_Bb and the first suspected abnormal activity event cluster in the first group and the local difference evaluation part_cosine_b between part_Bc and the first suspected abnormal activity event cluster in the third group, thereby obtaining one local difference evaluation corresponding to part_Bb and one local difference evaluation corresponding to part_Bc.
Step 3012, determining the target difference evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster from the not less than one local difference evaluation.
On the premise that at least one local difference evaluation corresponding to each second suspected abnormal activity event sub-cluster has been obtained, the big data intrusion analysis system may select the lowest of them as the target difference evaluation between the first suspected abnormal activity event cluster and that second suspected abnormal activity event sub-cluster. For example, continuing the above, the lower of the two local difference evaluations corresponding to part_Ba is selected as the target difference evaluation between part_Ba and the first suspected abnormal activity event cluster; likewise, the single local difference evaluation corresponding to part_Bb is used as the target difference evaluation between part_Bb and the first suspected abnormal activity event cluster, and the single local difference evaluation corresponding to part_Bc is used as the target difference evaluation between part_Bc and the first suspected abnormal activity event cluster.
In this embodiment, in steps 3011 to 3012, after obtaining the first event correlation mining condition of a certain group of user operation sessions to be subjected to intrusion analysis, the big data intrusion analysis system may determine the local difference evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster that is in upstream and downstream relation with it in that group, and, once all target digital financial service logs have been obtained, determine the local difference evaluation between each second suspected abnormal activity event sub-cluster and the first suspected abnormal activity event cluster across all of them. Across all target digital financial service logs, a second suspected abnormal activity event sub-cluster part_Bx yields a local difference evaluation with respect to the first suspected abnormal activity event cluster only in a user operation session needing intrusion analysis in which the upstream and downstream relation between them exists; where part_Bx is in upstream and downstream connection with the first suspected abnormal activity event cluster in not less than two such user operation sessions, not less than two local difference evaluations between them are obtained. On the premise that not less than two local difference evaluations are obtained, the lowest of them is used as the target difference evaluation; on the premise that one local difference evaluation is obtained, that one is used as the target difference evaluation.
In some independently implementable embodiments of the present application, as an optional technical solution of the big data intrusion analysis method applied to digital finance provided in the following embodiments, the method further includes steps 3013 to 3015.
Step 3013, determining the first digital financial service log number, namely the number of target digital financial service logs in which a first event correlation mining condition exists between each second suspected abnormal activity event sub-cluster and the first suspected abnormal activity event cluster; the second suspected abnormal activity event cluster to be processed comprises a number of second suspected abnormal activity event sub-clusters.
After obtaining the target digital financial service logs, the big data intrusion analysis system also determines, for each second suspected abnormal activity event sub-cluster, how many of the target digital financial service logs carry a first event correlation mining condition between that sub-cluster and the first suspected abnormal activity event cluster, so that the first digital financial service log number of each second suspected abnormal activity event sub-cluster is obtained. For example, when the target digital financial service logs have 5 groups, a first event correlation mining condition exists between the second suspected abnormal activity event sub-cluster part_Ba and the first suspected abnormal activity event cluster in groups 1, 3 and 4, and a first event correlation mining condition exists between the second suspected abnormal activity event sub-cluster part_Bb and the first suspected abnormal activity event cluster in groups 2 and 5, it can be determined that the first digital financial service log number for part_Ba is 3 and the first digital financial service log number for part_Bb is 2.
Step 3014, determining the second digital financial service log number of the target digital financial service logs.
The big data intrusion analysis system can determine, in combination with the abnormal activity event identification result, the total number of target digital financial service logs covering the first suspected abnormal activity event cluster, and take that total as the second digital financial service log number of the target digital financial service logs; for example, continuing the above, when the target digital financial service logs have 5 groups, the second digital financial service log number is 5.
Step 3015, determining the quantization processing result between the first digital financial service log number and the second digital financial service log number as the event adaptation evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster.
The second digital financial service log number is the number num1 of all user operation sessions needing intrusion analysis that cover the first suspected abnormal activity event cluster; the first digital financial service log number corresponding to a second suspected abnormal activity event sub-cluster is the number num3 of those user operation sessions needing intrusion analysis that cover both that sub-cluster and the first suspected abnormal activity event cluster with the two in upstream and downstream connection. It can be understood that the big data intrusion analysis system determines the value num3/num1 and takes it as the event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event sub-cluster. For example, if the first digital financial service log number corresponding to part_Ba is num3a and that corresponding to part_Bb is num3b, the big data intrusion analysis system may take num3a/num1 as the event adaptation evaluation ass1 between part_Ba and the first suspected abnormal activity event cluster, and num3b/num1 as the event adaptation evaluation ass2 between part_Bb and the first suspected abnormal activity event cluster.
In some independently implementable embodiments of the present application, as an optional technical solution of the big data intrusion analysis method applied to digital finance provided in the following embodiments, the method further includes steps 3016 to 3018.
Step 3016, determining the second digital financial service log number of the target digital financial service logs.
Since step 3016 is similar to step 3014 described above, it will not be described further herein.
Step 3017, determining the session group number statistical result, namely the number of user operation sessions having a time sequence precedence relationship that are recorded from the first group of user operation sessions to the last group of user operation sessions of the target digital financial service log.
In this embodiment of the present application, in the digital financial service log to be subjected to intrusion analysis, the groups of user operation sessions to be subjected to intrusion analysis follow one another without interruption, but the first suspected abnormal activity event cluster need not exist in every group; for example, it may be absent from the first group, present in the third group, present in the fifth and sixth groups, and absent from every group thereafter (based on this, the second digital financial service log number of the target digital financial service logs covering the first suspected abnormal activity event cluster is 3). It can be understood that the big data intrusion analysis system further needs to determine the number of user operation sessions having a time sequence precedence relationship that are recorded from the first group of user operation sessions of the target digital financial service log to the last group of user operation sessions of the target digital financial service log, and take that number as the session group number statistical result.
For example, continuing the above, when the target digital financial service log has 3 groups in total, its 1st group being the third group of the full log and its 3rd group being the sixth group, the user operation sessions having a time sequence precedence relationship recorded from the 1st group to the 3rd group of the target digital financial service log are the third, fourth, fifth and sixth groups of the full log, counted inclusively, so the session group number statistical result is 4.
It can be understood that, in the digital financial service log needing intrusion analysis, the groups of user operation sessions needing intrusion analysis usually carry consecutive numbers, and the big data intrusion analysis system may obtain the number of user operation sessions having a time sequence precedence relationship recorded from the first group to the last group of the target digital financial service log from the numbers carried by those first and last groups.
Step 3018, determining the quantization processing result between the second digital financial service log number and the session group number statistical result as the event positioning evaluation of the first suspected abnormal activity event cluster.
The second digital financial service log number is the number num1 of all user operation sessions needing intrusion analysis that cover the first suspected abnormal activity event cluster, and the session group number statistical result is the number num2 of all uninterrupted user operation sessions needing intrusion analysis recorded from the group in which the first suspected abnormal activity event cluster first exists to the group in which it last exists, both inclusive; it can be understood that the big data intrusion analysis system determines the value num1/num2 and takes it as the event positioning evaluation of the first suspected abnormal activity event cluster. Since the target groups are a subset of the groups they span, num1/num2 lies in the interval (0, 1], and equals 1 only when the first suspected abnormal activity event cluster appears in every group from its first to its last occurrence.
In some independently implementable embodiments of the present application, the big data intrusion analysis system may determine two quantitative indicators, namely the event positioning evaluation of the first suspected abnormal activity event cluster and the event adaptation evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster; or the event positioning evaluation of the first suspected abnormal activity event cluster and the target difference evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster; or the event adaptation evaluation and the target difference evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster. In this way the accuracy and reliability of the determined event correlation mining condition can be improved compared with determining the final event correlation mining condition from a single indicator only.
In other embodiments that can be implemented independently, three quantitative indicators, namely, an event localization evaluation of the first suspected abnormal activity event cluster, an event adaptation evaluation between the first suspected abnormal activity event cluster and each of the second suspected abnormal activity event sub-clusters, and a target difference evaluation between the first suspected abnormal activity event cluster and each of the second suspected abnormal activity event sub-clusters, can be determined.
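As an added worked example of steps 3011 to 3018 and of the combination of indicators described in the two paragraphs above (example code written for this page, not code from the patent or its applicant): each target log group carries its consecutive group number and, for every second suspected abnormal activity event sub-cluster that the first event correlation mining condition marks as upstream/downstream of the first cluster in that group, a local difference evaluation; the code derives the target difference evaluation (lowest local value), the event adaptation evaluation num3/num1 and the event positioning evaluation num1/num2, then combines at least two of them into a yes/no second event correlation mining condition. The sample values, the sub-cluster names and the threshold rule used for the combination are assumptions; the patent states only that at least two indicators are combined, not how.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class TargetLogGroup:
    """One group of user operation sessions that covers the first suspected abnormal activity event cluster."""
    group_no: int              # consecutive number of this group in the full digital financial service log
    related: Dict[str, float]  # sub-cluster name -> local difference evaluation against the first cluster,
                               # for sub-clusters the first event correlation mining condition marks as
                               # being in upstream/downstream relation with it in this group


def target_difference_evaluations(groups: List[TargetLogGroup]) -> Dict[str, float]:
    """Steps 3011-3012: the lowest local difference evaluation of each sub-cluster across all groups."""
    best: Dict[str, float] = {}
    for g in groups:
        for sub, local in g.related.items():
            if sub not in best or local < best[sub]:
                best[sub] = local
    return best


def event_adaptation_evaluations(groups: List[TargetLogGroup]) -> Dict[str, float]:
    """Steps 3013-3015: num3 / num1 for each sub-cluster."""
    num1 = len(groups)                                         # second digital financial service log number
    if num1 == 0:
        return {}
    num3 = Counter(sub for g in groups for sub in g.related)   # first log number per sub-cluster
    return {sub: n / num1 for sub, n in num3.items()}


def event_localization_evaluation(groups: List[TargetLogGroup]) -> float:
    """Steps 3016-3018: num1 / num2, where num2 is the inclusive span of consecutive group numbers."""
    if not groups:
        return 0.0
    numbers = [g.group_no for g in groups]
    if len(set(numbers)) != len(numbers):
        raise ValueError("each target log group must carry a distinct group number")
    num1 = len(groups)
    num2 = max(numbers) - min(numbers) + 1
    return num1 / num2


def second_event_correlation_condition(groups: List[TargetLogGroup],
                                       use: Iterable[str] = ("localization", "adaptation", "difference"),
                                       max_target_diff: float = 0.5,
                                       min_adaptation: float = 0.5,
                                       min_localization: float = 0.5) -> Dict[str, bool]:
    """Combine at least two of the three quantitative indicators into a yes/no condition per sub-cluster.

    The thresholds and the all-chosen-indicators-must-pass rule are assumptions made for this
    example; the patent text only states that at least two indicators are combined.
    """
    chosen = set(use)
    if len(chosen) < 2 or not chosen <= {"localization", "adaptation", "difference"}:
        raise ValueError("choose at least two of: localization, adaptation, difference")
    loc = event_localization_evaluation(groups)
    diff = target_difference_evaluations(groups)
    adapt = event_adaptation_evaluations(groups)
    result: Dict[str, bool] = {}
    for sub in diff:
        checks = []
        if "localization" in chosen:
            checks.append(loc >= min_localization)
        if "adaptation" in chosen:
            checks.append(adapt[sub] >= min_adaptation)
        if "difference" in chosen:
            checks.append(diff[sub] <= max_target_diff)
        result[sub] = all(checks)
    return result


# Constructed sample following the page's example: the first cluster appears in the third,
# fifth and sixth groups of the full log (num1 = 3, num2 = 4). Local difference values are assumed.
SAMPLE_GROUPS: List[TargetLogGroup] = [
    TargetLogGroup(3, {"part_Ba": 0.20, "part_Bb": 0.60}),
    TargetLogGroup(5, {"part_Ba": 0.35, "part_Bc": 0.55}),
    TargetLogGroup(6, {"part_Ba": 0.25}),
]

if __name__ == "__main__":
    print("target difference:", target_difference_evaluations(SAMPLE_GROUPS))
    print("event adaptation:", event_adaptation_evaluations(SAMPLE_GROUPS))
    print("event positioning:", event_localization_evaluation(SAMPLE_GROUPS))
    print("second event correlation mining condition:", second_event_correlation_condition(SAMPLE_GROUPS))
```

With the sample, part_Ba is present in all three target groups (adaptation 1.0, target difference 0.20) while part_Bb and part_Bc each appear once (adaptation 1/3), and the positioning evaluation is 3/4; under the assumed thresholds only part_Ba satisfies the combined condition, whichever pair of indicators is chosen.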
In some independently implementable embodiments of the present application, after step 104, the method may further comprise step 2.
Step 2, on the premise that the second event correlation mining condition reflects that the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed are in upstream and downstream relation, storing and outputting a mapping list between the first event semantics and the second event semantics.
In an embodiment of the present application, after obtaining the second event correlation mining condition reflecting whether an upstream and downstream connection exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, if that condition indicates that a group association exists between them, the big data intrusion analysis system may record the second event semantics of the second suspected abnormal activity event cluster to be processed that is group-associated with the first suspected abnormal activity event cluster, store a mapping list between those second event semantics and the first event semantics of the first suspected abnormal activity event cluster, and output the mapping list, that is, the correspondence between the two items of event semantics (identification information).
In addition, in some independently implementable embodiments of the present application, after step 104 the method may further comprise: determining an intrusion risk analysis result for each group of user operation sessions needing intrusion analysis according to the second event correlation mining condition; determining an information protection strategy for each group of user operation sessions needing intrusion analysis according to the intrusion risk analysis result; and issuing the information protection strategy to the digital financial client corresponding to each group of user operation sessions needing intrusion analysis.
For example, the intrusion risk analysis result of each group of user operation sessions to be subjected to intrusion analysis may be determined according to the correlation coefficient corresponding to the second event correlation mining condition, and the intrusion risk analysis result may fall into three types, namely low risk, medium risk and high risk, so that the corresponding information protection strategy can be formulated and issued according to the risk level of each type.
For another example, in some independently implementable embodiments of the present application, an information protection strategy may be determined for a high-risk intrusion analysis result; on that basis, determining the information protection strategy for each group of user operation sessions to be subjected to intrusion analysis according to the intrusion risk analysis result may be implemented as follows: on the premise that the intrusion risk analysis result is at the high risk level, extracting the target session behavior item set to be subjected to intrusion behavior analysis from the user operation session corresponding to the high risk level; respectively performing real-time intrusion preference mining and delayed intrusion preference mining on the plurality of session behavior items in the target session behavior item set, obtaining a real-time intrusion preference mining list and a delayed intrusion preference mining list; calling a first designated preference mining verification model to perform first preference mining verification processing on the real-time intrusion preference mining list, obtaining a first session behavior item subset carrying real-time intrusion preferences; calling a second designated preference mining verification model to perform second preference mining verification processing on the delayed intrusion preference mining list, obtaining a second session behavior item subset carrying delayed intrusion preferences; performing attention processing over the first session behavior item subset and the second session behavior item subset, obtaining an auxiliary session behavior item subset within the target session behavior item set that is bound to the target intrusion preference, where the target intrusion preference comprises one or both of the real-time intrusion preference and the delayed intrusion preference, and the auxiliary session behavior item subset is used for performing intrusion behavior analysis on the target session behavior item set; and analyzing the intrusion behavior of the target session behavior item set through the session keywords in the auxiliary session behavior item subset, obtaining the intrusion behavior execution flow of the target session behavior item set, and formulating the information protection strategy against that intrusion behavior execution flow.
It can be understood that the intrusion behavior execution flow comprises a plurality of behavior nodes, and that by analyzing and processing the intrusion behavior execution flow node by node the information protection strategy for the user operation session can be formulated in a targeted manner, so that the information protection strategy can effectively cope with the relevant intrusion behavior.
Based on the same inventive concept, a big data intrusion analysis device 20 applied to digital finance is also provided, which is applied to a big data intrusion analysis system 10 and comprises:
an event cluster determining module 21, configured to perform abnormal activity event identification on each group of user operation sessions needing intrusion analysis in the digital financial service log set needing intrusion analysis, determining a first suspected abnormal activity event cluster and a plurality of second suspected abnormal activity event clusters; and to perform correlation mining according to independent sessions between the first suspected abnormal activity event cluster and the second suspected abnormal activity event clusters, obtaining a first event correlation mining condition reflecting that an upstream and downstream relation exists between the first suspected abnormal activity event cluster and a second suspected abnormal activity event cluster to be processed among the second suspected abnormal activity event clusters;
a correlation mining module 22, configured to obtain, for the target digital financial service logs covering the first suspected abnormal activity event cluster in the digital financial service log set needing intrusion analysis and in combination with the first event correlation mining condition, not less than two quantitative indicators from among the event positioning evaluation of the first suspected abnormal activity event cluster, the event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, and the target difference evaluation between them; and to combine the at least two quantitative indicators to obtain a second event correlation mining condition reflecting whether an intrusion destination connection exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a big data intrusion analysis system 10, or a network device) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A big data intrusion analysis method applied to digital finance, characterized in that it is applied to a big data intrusion analysis system and comprises at least the following steps:
identifying abnormal activity events for each group of user operation sessions requiring intrusion analysis in a set of digital financial service logs requiring intrusion analysis, and determining a first suspected abnormal activity event cluster and a plurality of second suspected abnormal activity event clusters; performing correlation mining between the first suspected abnormal activity event cluster and the second suspected abnormal activity event clusters according to independent sessions, to obtain a first event correlation mining condition reflecting that an upstream-downstream relation exists between the first suspected abnormal activity event cluster and a second suspected abnormal activity event cluster to be processed among the second suspected abnormal activity event clusters;
for a target digital financial service log in the set of digital financial service logs requiring intrusion analysis that covers the first suspected abnormal activity event cluster, and in combination with the first event correlation mining condition, obtaining at least two quantitative indicators from among an event positioning evaluation of the first suspected abnormal activity event cluster, an event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, and a target difference evaluation; and combining the at least two quantitative indicators to obtain a second event correlation mining condition reflecting whether an intrusion destination connection exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed.
2. The big data intrusion analysis method applied to digital finance according to claim 1, wherein obtaining, for the target digital financial service log in the set of digital financial service logs requiring intrusion analysis that covers the first suspected abnormal activity event cluster, and in combination with the first event correlation mining condition, at least two quantitative indicators from among the event positioning evaluation of the first suspected abnormal activity event cluster, the event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, and the target difference evaluation, comprises:
for the target digital financial service log in the set of digital financial service logs requiring intrusion analysis that covers the first suspected abnormal activity event cluster, and in combination with the first event correlation mining condition, obtaining at least one of the event positioning evaluation of the first suspected abnormal activity event cluster and the target difference evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, together with the event adaptation evaluation between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed.
3. The big data intrusion analysis method applied to digital finance according to claim 1, wherein the second suspected abnormal activity event cluster to be processed comprises a plurality of second suspected abnormal activity event sub-clusters;
and, on the premise that the target difference evaluation is covered by the at least two quantitative indicators, the method further comprises:
for the target digital financial service log in the set of digital financial service logs requiring intrusion analysis that covers the first suspected abnormal activity event cluster, and in combination with the first event correlation mining condition, determining each second suspected abnormal activity event sub-cluster in each group of the target digital financial service log, and obtaining at least one local difference evaluation corresponding to each second suspected abnormal activity event sub-cluster from the local difference evaluation between the first suspected abnormal activity event cluster and that second suspected abnormal activity event sub-cluster;
determining the target difference evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster from the at least one local difference evaluation.
4. The big data intrusion analysis method applied to digital finance according to claim 1, wherein the second suspected abnormal activity event cluster to be processed comprises a plurality of second suspected abnormal activity event sub-clusters;
and, on the premise that the event adaptation evaluation is covered by the at least two quantitative indicators, the method further comprises:
determining a first digital financial service log number, being the number of target digital financial service logs in which the first event correlation mining condition exists between each second suspected abnormal activity event sub-cluster and the first suspected abnormal activity event cluster;
determining a second digital financial service log number for the target digital financial service logs;
determining a quantitative processing result between the first digital financial service log number and the second digital financial service log number as the event adaptation evaluation between the first suspected abnormal activity event cluster and each second suspected abnormal activity event sub-cluster.
5. The big data intrusion analysis method applied to digital finance according to claim 1, wherein, on the premise that the event positioning evaluation is covered by the at least two quantitative indicators, the method further comprises:
determining a second digital financial service log number for the target digital financial service logs;
determining a session group number statistical result of the user operation sessions recorded in the target digital financial service log from the first group of user operation sessions to the last group of user operation sessions and having a time-sequence precedence relationship;
and determining a quantitative processing result between the second digital financial service log number and the session group number statistical result as the event positioning evaluation of the first suspected abnormal activity event cluster.
6. The big data intrusion analysis method applied to digital finance according to claim 1, wherein the second suspected abnormal activity event cluster to be processed comprises a plurality of second suspected abnormal activity event sub-clusters;
and wherein combining the at least two quantitative indicators to obtain the second event correlation mining condition reflecting whether an intrusion destination connection exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed comprises any one of the following steps:
on the premise that the at least two quantitative indicators of one second suspected abnormal activity event sub-cluster meet a first set requirement, determining a second event correlation mining condition that an upstream-downstream relation exists between the first suspected abnormal activity event cluster and that second suspected abnormal activity event sub-cluster;
on the premise that one of the at least two quantitative indicators of one second suspected abnormal activity event sub-cluster does not meet the first set requirement, determining a second event correlation mining condition that no upstream-downstream relation exists between the first suspected abnormal activity event cluster and that second suspected abnormal activity event sub-cluster;
wherein, on the premise that the at least two quantitative indicators cover the event adaptation evaluation, the first set requirement comprises: the event adaptation evaluation between the first suspected abnormal activity event cluster and a target second suspected abnormal activity event sub-cluster is not less than a set event adaptation evaluation judgment value, the target second suspected abnormal activity event sub-cluster being the one of the second suspected abnormal activity event sub-clusters having the highest event adaptation evaluation with the first suspected abnormal activity event cluster;
wherein, on the premise that the at least two quantitative indicators cover the event positioning evaluation, the first set requirement comprises: the event positioning evaluation of the first suspected abnormal activity event cluster is not less than a set event positioning evaluation judgment value;
wherein, on the premise that the at least two quantitative indicators cover the target difference evaluation, the first set requirement comprises: the target difference evaluation between the first suspected abnormal activity event cluster and the target second suspected abnormal activity event sub-cluster is not less than a set difference evaluation judgment value, the target difference evaluation being the lowest of the at least one difference evaluation between the first suspected abnormal activity event cluster and the target second suspected abnormal activity event sub-cluster;
the target second suspected abnormal activity event sub-cluster being the one of the plurality of second suspected abnormal activity event sub-clusters having the highest event adaptation evaluation with the first suspected abnormal activity event cluster.
7. The big data intrusion analysis method applied to digital finance according to claim 1, wherein performing correlation mining between the first suspected abnormal activity event cluster and the second suspected abnormal activity event clusters according to independent sessions, to obtain the first event correlation mining condition reflecting that an upstream-downstream relation exists between the first suspected abnormal activity event cluster and a second suspected abnormal activity event cluster to be processed among the second suspected abnormal activity event clusters, comprises:
determining a significant event topic of each of the plurality of second suspected abnormal activity event clusters by means of an AI neural network;
in combination with the word vector differences between the significant event topics of the second suspected abnormal activity event clusters and the core event topic of the first suspected abnormal activity event cluster, mining a correlation description between the second suspected abnormal activity event clusters and the first suspected abnormal activity event cluster, and obtaining the first event correlation mining condition reflecting that an upstream-downstream relation exists between the first suspected abnormal activity event cluster and a second suspected abnormal activity event cluster to be processed among the second suspected abnormal activity event clusters;
wherein, in combination with the word vector differences between the significant event topics of the plurality of second suspected abnormal activity event clusters and the core event topic of the first suspected abnormal activity event cluster, mining the correlation description between the plurality of second suspected abnormal activity event clusters and the first suspected abnormal activity event cluster, and obtaining the first event correlation mining condition reflecting that an upstream-downstream relation exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed among the plurality of second suspected abnormal activity event clusters, comprises:
determining the word vector difference between the significant event topic of each second suspected abnormal activity event cluster among the second suspected abnormal activity event clusters and the core event topic of the first suspected abnormal activity event cluster, to obtain a plurality of word vector difference values;
determining the second suspected abnormal activity event cluster corresponding to the lowest of the plurality of word vector difference values as the second suspected abnormal activity event cluster to be processed;
and mining the upstream-downstream relation between the second suspected abnormal activity event cluster to be processed and the first suspected abnormal activity event cluster, to obtain the first event correlation mining condition reflecting the upstream-downstream relation between the second suspected abnormal activity event cluster to be processed and the first suspected abnormal activity event cluster.
8. The big data intrusion analysis method applied to digital finance according to claim 1, wherein the first suspected abnormal activity event cluster carries a first event semantic and the second suspected abnormal activity event cluster to be processed carries a second event semantic;
and, after combining the at least two quantitative indicators to obtain the second event correlation mining condition reflecting whether an intrusion destination connection exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, the method further comprises:
on the premise that the second event correlation mining condition reflects that an upstream-downstream relation exists between the first suspected abnormal activity event cluster and the second suspected abnormal activity event cluster to be processed, storing and outputting a mapping list between the first event semantic and the second event semantic.
9. The big data intrusion analysis method applied to digital finance according to claim 1, wherein the method further comprises: determining a visual event change record of the session activity event pointed to by the first suspected abnormal activity event cluster according to the second event correlation mining condition.
10. A computer storage medium, characterized in that it stores a computer program which, when executed, implements the method of any one of claims 1 to 8.
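The indicators of claims 3 to 5, the cluster selection of claim 7 and the decision rule of claims 6 and 8 can be made concrete in code. The following Python is an added example, not the patent's or the applicant's code; the cosine-distance reading of "word vector difference", the ratio reading of "quantitative processing result", the judgment values, all class and function names, and the sample logs are assumptions, and the sample data is constructed.

```python
"""Illustrative scoring pipeline for claims 3 to 8 above. Added example, not the
patent's code: the cosine-distance reading of "word vector difference", the ratio
reading of "quantitative processing result", the judgment values and the sample
data are all constructed assumptions."""
import math
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Cluster:
    name: str
    topic_vec: List[float]       # significant / core event topic as a word vector
    semantic: str                # event semantic the cluster carries (claim 8)
    subclusters: List[str] = field(default_factory=list)

@dataclass
class ServiceLog:
    """One target digital financial service log (constructed): time-ordered session groups,
    sub-clusters the first condition links to the first cluster here, local differences."""
    session_groups: List[str]
    linked: List[str]
    local_diff: Dict[str, float] = field(default_factory=dict)

def word_vector_difference(a: List[float], b: List[float]) -> float:
    """Cosine distance, assumed here as the claim 7 'word vector difference'."""
    dot = sum(x * y for x, y in zip(a, b))
    return 1.0 - dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def select_cluster_to_process(first: Cluster, seconds: List[Cluster]) -> Cluster:
    """Claim 7: the second cluster whose topic is closest to the first cluster's core topic."""
    return min(seconds, key=lambda c: word_vector_difference(c.topic_vec, first.topic_vec))

def adaptation_evaluation(logs: List[ServiceLog], sub: str) -> float:
    """Claim 4: target logs in which the first condition links `sub` to the first cluster,
    divided by the total number of target logs."""
    return sum(1 for lg in logs if sub in lg.linked) / len(logs)

def positioning_evaluation(logs: List[ServiceLog]) -> float:
    """Claim 5: number of target logs divided by the count of time-ordered session groups."""
    return len(logs) / sum(len(lg.session_groups) for lg in logs)

def target_difference_evaluation(logs: List[ServiceLog], sub: str) -> float:
    """Claims 3 and 6: the lowest local difference evaluation for `sub` over the target logs."""
    return min(lg.local_diff[sub] for lg in logs if sub in lg.local_diff)

def second_correlation_condition(first: Cluster, second: Cluster, logs: List[ServiceLog],
                                 judgment: Dict[str, float]) -> dict:
    """Claim 6: take the sub-cluster with the highest adaptation evaluation and require every
    indicator to reach its judgment value; claim 8: emit the semantic mapping only on success."""
    adapt = {s: adaptation_evaluation(logs, s) for s in second.subclusters}
    target = max(adapt, key=adapt.get)
    indicators = {"adaptation": adapt[target],
                  "positioning": positioning_evaluation(logs),
                  "difference": target_difference_evaluation(logs, target)}
    linked = all(indicators[k] >= judgment[k] for k in indicators)
    return {"target_subcluster": target, "indicators": indicators, "linked": linked,
            "mapping": {first.semantic: second.semantic} if linked else None}

# Constructed sample: one first cluster, two candidate second clusters, four target logs.
FIRST = Cluster("C1", [1.0, 0.0, 0.5], "burst of failed logins")
SECONDS = [Cluster("C2a", [0.9, 0.1, 0.4], "large transfer after login", ["S1", "S2"]),
           Cluster("C2b", [0.0, 1.0, 0.0], "routine balance query", ["S3"])]
LOGS = [ServiceLog(["g1", "g2", "g3"], ["S1", "S2"], {"S1": 0.8, "S2": 0.3}),
        ServiceLog(["g1", "g2"], ["S1"], {"S1": 0.7}),
        ServiceLog(["g1", "g2", "g3", "g4"], ["S1"], {"S1": 0.9}),
        ServiceLog(["g1"], [], {})]
JUDGMENT = {"adaptation": 0.6, "positioning": 0.3, "difference": 0.5}  # assumed values

def run_sample() -> dict:
    """Run the claim 7 selection and the claim 6/8 decision on the constructed sample."""
    to_process = select_cluster_to_process(FIRST, SECONDS)
    return second_correlation_condition(FIRST, to_process, LOGS, JUDGMENT)

if __name__ == "__main__":
    print(run_sample())
```

On the sample, C2a is selected (its topic vector is nearly parallel to C1's), sub-cluster S1 wins with adaptation 3/4, positioning is 4/10 and the target difference is 0.7, so all three indicators clear their judgment values and the semantic mapping is emitted.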
CN202111516370.7A 2021-12-13 2021-12-13 Big data intrusion analysis method and storage medium applied to digital finance Pending CN114138872A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111516370.7A CN114138872A (en) 2021-12-13 2021-12-13 Big data intrusion analysis method and storage medium applied to digital finance

Publications (1)

Publication Number Publication Date
CN114138872A true CN114138872A (en) 2022-03-04

Family

ID=80385767

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111516370.7A Pending CN114138872A (en) 2021-12-13 2021-12-13 Big data intrusion analysis method and storage medium applied to digital finance

Country Status (1)

Country Link
CN (1) CN114138872A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005038116A (en) * 2003-07-18 2005-02-10 Hitachi Ltd Fraudulent intrusion analysis device
CN102045358A (en) * 2010-12-29 2011-05-04 深圳市永达电子股份有限公司 Intrusion detection method based on integral correlation analysis and hierarchical clustering
CN102592093A (en) * 2012-01-16 2012-07-18 河南科技大学 Host machine intrusion detection method based on biological immune mechanism
US20170116330A1 (en) * 2015-10-23 2017-04-27 International Business Machines Corporation Generating Important Values from a Variety of Server Log Files
CN109117639A (en) * 2018-07-27 2019-01-01 北京梆梆安全科技有限公司 A kind of detection method and device of intrusion risk
CN109117632A (en) * 2018-07-27 2019-01-01 北京梆梆安全科技有限公司 A kind of method and apparatus for the risk that determining vehicle is invaded
CN111132230A (en) * 2019-12-25 2020-05-08 东南大学 Bandwidth allocation and data compression joint optimization method for data acquisition
CN113706149A (en) * 2021-09-01 2021-11-26 杨思亭 Big data wind control processing method and system for dealing with online payment data threat

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
康莉等: "Research on intrusion detection systems based on data mining", Journal of Luoyang Institute of Science and Technology (Natural Science Edition) *
温智宇等: "Application of data mining technology in intrusion detection systems", Computer Engineering and Applications *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115080963A (en) * 2022-07-07 2022-09-20 济南开耀网络技术有限公司 Intelligent financial data protection method based on cloud computing and server
CN115080963B (en) * 2022-07-07 2023-04-04 上海量化森林科技有限公司 Intelligent financial data protection method and server based on cloud computing
CN115438979A (en) * 2022-09-14 2022-12-06 代洪立 Expert model decision-making fused data risk identification method and server
CN115438979B (en) * 2022-09-14 2023-06-09 深圳蔓延科技有限公司 Expert model decision-fused data risk identification method and server
CN115454781A (en) * 2022-10-08 2022-12-09 杭银消费金融股份有限公司 Data visualization display method and system based on enterprise architecture system
CN115454781B (en) * 2022-10-08 2023-05-16 杭银消费金融股份有限公司 Data visualization display method and system based on enterprise architecture system
CN116976359A (en) * 2023-09-22 2023-10-31 太仓市律点信息技术有限公司 Abnormality detection report analysis method, server and medium for online service session
CN116976359B (en) * 2023-09-22 2023-11-24 太仓市律点信息技术有限公司 Abnormality detection report analysis method, server and medium for online service session

Similar Documents

Publication Publication Date Title
CN114138872A (en) Big data intrusion analysis method and storage medium applied to digital finance
CN113706176B (en) Information anti-fraud processing method and service platform system combined with cloud computing
CN114139209B (en) Information anti-theft method and system applied to big data of business user
CN113949577A (en) Data attack analysis method applied to cloud service and server
CN114139210B (en) Big data security threat processing method and system based on intelligent service
CN114154990B (en) Big data anti-attack method based on online payment and storage medium
CN115174231B (en) Network fraud analysis method and server based on AI Knowledge Base
CN113918621A (en) Big data protection processing method based on internet finance and server
CN114154995B (en) Abnormal payment data analysis method and system applied to big data wind control
CN112115468B (en) Service information detection method based on big data and cloud computing center
CN113298638B (en) Root cause positioning method, electronic equipment and storage medium
CN114218568B (en) Big data attack processing method and system applied to cloud service
CN112162999A (en) Big data processing method based on interactive cloud computing and artificial intelligence server
CN113313479A (en) Payment service big data processing method and system based on artificial intelligence
CN113901089A (en) Threat behavior identification method and system applied to big data protection
CN113821815A (en) Big data protection method based on user behavior and server
CN113486983A (en) Big data office information analysis method and system for anti-fraud processing
CN114221803B (en) Network security analysis method, system and storage medium applied to intelligent medical big data
CN114567495B (en) Network attack analysis method and server applied to cloud computing
CN114244611B (en) Abnormal attack detection method, device, equipment and storage medium
CN113434857A (en) User behavior safety analysis method and system applying deep learning
CN113312671A (en) Digital business operation safety processing method and system applied to big data mining
CN113946819A (en) Online payment information intrusion detection method based on cloud computing and server
CN113949580A (en) Intrusion detection analysis method combined with cloud computing service and cloud computing system
CN110990810B (en) User operation data processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned

Effective date of abandoning: 20230228