CN115080934A - Method and device for identifying account abnormity in instant messaging system - Google Patents
Method and device for identifying account abnormity in instant messaging system Download PDFInfo
- Publication number
- CN115080934A CN115080934A CN202210144909.9A CN202210144909A CN115080934A CN 115080934 A CN115080934 A CN 115080934A CN 202210144909 A CN202210144909 A CN 202210144909A CN 115080934 A CN115080934 A CN 115080934A
- Authority
- CN
- China
- Prior art keywords
- behavior
- item
- association rule
- behavior item
- association
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2458—Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
- G06F16/2465—Query processing support for facilitating data mining operations in structured databases
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2458—Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
- G06F16/2468—Fuzzy queries
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/04—Real-time or near real-time messaging, e.g. instant messaging [IM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2216/00—Indexing scheme relating to additional aspects of information retrieval not explicitly covered by G06F16/00 and subgroups
- G06F2216/03—Data mining
Abstract
The embodiment of the application provides a method, a device, equipment and a medium for identifying account abnormity in an instant messaging system, and relates to the technical field of computers. Wherein, the method comprises the following steps: determining a behavior set comprising at least one behavior item set; performing association rule mining on the behavior items in the behavior set by using an Apriori algorithm to obtain at least one association rule and a confidence coefficient thereof; fuzzifying the confidence coefficient of at least one association rule to obtain the fuzzy confidence coefficient of the at least one association rule; screening at least one strong association rule from at least one association rule based on the fuzzy confidence of the at least one association rule, and adding the at least one strong association rule to a strong association rule set; and identifying the use behavior of the user in the instant communication system according to the strong association rule in the strong association rule set. The method and the device solve the problem that the user information safety cannot be guaranteed due to the account abnormity in the instant messaging system in the prior art.
Description
Technical Field
The application relates to the technical field of computers, in particular to a method and a device for identifying account abnormity in an instant messaging system.
Background
With the development of communication technology, instant messaging systems have become a major tool for people to communicate, in which a large amount of important information related to users is stored. In order to avoid frequent input of verification information when a user logs in, the instant communication system keeps a method for logging in the instant communication system for a long time after the user successfully logs in the instant communication system on certain electronic equipment (such as a smart phone) by using an account, and if a lawless person illegally obtains the use right of the electronic equipment through a hacker technology, the account can be used for data stealing and illegal information transmission.
Therefore, the account abnormality in the instant messaging system can cause that the safety of user information cannot be guaranteed, and how to identify the account abnormality in the instant messaging system needs to be solved.
Disclosure of Invention
Embodiments of the present application provide a method and an apparatus for identifying an account abnormality in an instant messaging system, an electronic device, and a storage medium, which can solve the problem in the related art that user information security cannot be guaranteed due to the account abnormality in the instant messaging system. The technical scheme is as follows:
according to one aspect of the embodiment of the application, a method for realizing account abnormity identification in an instant messaging system comprises the following steps: determining a behavior set containing at least one behavior item set, wherein the behavior item set contains at least one behavior item, and the behavior item is used for representing the usage behavior of a user in the instant messaging system; performing association rule mining on the behavior items in the behavior set by using an Apriori algorithm to obtain at least one association rule and a confidence degree thereof, wherein the association rule is used for indicating a first association behavior item and a second association behavior item which are associated with each other; fuzzifying the confidence coefficient of at least one association rule to obtain the fuzzy confidence coefficient of the at least one association rule; screening at least one strong association rule from at least one association rule based on the fuzzy confidence of the at least one association rule, and adding the at least one strong association rule to a strong association rule set; and identifying the use behavior of the user in the instant messaging system according to the strong association rule in the strong association rule set.
According to an aspect of an embodiment of the present application, an apparatus for implementing account abnormality recognition in an instant messaging system includes: a behavior set generation module, configured to determine a behavior set including at least one behavior item set, where the behavior item set includes at least one behavior item, and the behavior item is used to represent a usage behavior of a user in the instant messaging system; an association rule mining module, configured to perform association rule mining on the behavior items in the behavior set by using an Apriori algorithm to obtain at least one association rule and a confidence thereof, where the association rule is used to indicate a first association behavior item and a second association behavior item that are associated with each other; the association rule confidence fuzzification processing module is used for fuzzifying the confidence of at least one association rule to obtain the fuzzy confidence of the at least one association rule; the strong association rule set generation module is used for screening at least one strong association rule from at least one association rule based on the fuzzy confidence coefficient of the at least one association rule and adding the at least one strong association rule to the strong association rule set; and the account abnormity identification module is used for identifying the use behavior of the user in the instant messaging system according to the strong association rule in the strong association rule set.
According to an aspect of an embodiment of the present application, an electronic device includes: the system comprises at least one processor, at least one memory and at least one communication bus, wherein the memory is stored with computer programs, and the processor reads the computer programs in the memory through the communication bus; when being executed by a processor, the computer program realizes the account abnormity identification method in the instant messaging system.
According to an aspect of the embodiment of the present application, a storage medium stores a computer program thereon, and the computer program is executed by a processor to implement the account abnormality identification method in the instant messaging system as described above.
According to an aspect of an embodiment of the present application, a computer program product includes a computer program, the computer program is stored in a storage medium, a processor of a computer device reads the computer program from the storage medium, and the processor executes the computer program, so that when the computer device executes, the computer device implements the account abnormality identification method in the instant messaging system as described above.
The beneficial effect that technical scheme that this application provided brought is:
in the above technical solution, based on a behavior set including at least one behavior item set, an Apriori algorithm is used to perform association rule mining on the behavior items in the behavior set to obtain at least one association rule and a confidence thereof, and fuzzification processing is performed on the confidence of the at least one association rule to obtain a fuzzy confidence of the at least one association rule, so as to filter at least one strong association rule from the at least one association rule based on the fuzzy confidence of the at least one association rule to add the at least one strong association rule to a strong association rule set, and finally, according to the strong association rule in the strong association rule set, a usage behavior of a user in the instant messaging system is identified, that is, by combining the Apriori algorithm and the fuzzification processing, the fuzzified association rule is used to mine characteristics of the usage behavior of the user in the instant messaging system, which not only can effectively identify account abnormality in the instant messaging system, therefore, the problem that the safety of user information cannot be guaranteed due to account abnormity in the instant messaging system in the related technology is solved, and the accuracy of account abnormity identification can be effectively improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings used in the description of the embodiments of the present application will be briefly described below.
FIG. 1 is a schematic illustration of an implementation environment according to the present application;
fig. 2 is a flowchart illustrating a method for implementing account abnormality recognition in an instant messaging system according to an exemplary embodiment;
FIG. 3 is a flow diagram illustrating a method for filtering frequent sets according to the Apriori algorithm in accordance with an exemplary embodiment;
FIG. 4 is a method flow diagram illustrating a fuzzy confidence calculation process for an association rule in accordance with an exemplary embodiment;
fig. 5 is a flowchart illustrating an account abnormality recognition method implemented in another instant messaging system according to an exemplary embodiment;
FIG. 6 is a flowchart illustrating a method of a behavior set update process in accordance with an exemplary embodiment;
fig. 7 is a block diagram illustrating a structure of an apparatus for recognizing account abnormality in an instant messaging system according to an exemplary embodiment;
FIG. 8 is a schematic diagram illustrating the structure of a server in accordance with an exemplary embodiment;
FIG. 9 is a block diagram illustrating the structure of an electronic device in accordance with an exemplary embodiment.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary only for the purpose of explaining the present application and are not to be construed as limiting the present application.
As used herein, the singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. As used herein, the term "and/or" includes all or any element and all combinations of one or more of the associated listed items.
The following is a description and explanation of several terms involved in the present application:
apriori algorithm, a frequent item set algorithm for mining association rules, aims to discover association rules among different items in a data set.
The instant communication system allows two or more people to use the network to transmit characters, pictures, files, voice and video in real time, and can send and receive services such as internet messages and the like in real time.
The account number, which is used for logging in the instant messaging system, may be composed of Chinese, numeric, or English, or even some symbols. That is, after the user logs in the instant messaging system by using the account, the user can use the network to transmit texts, pictures, files, voice and video in real time with other people, and services such as internet messages and the like can be sent and received instantly.
As described above, in order to avoid frequent input of authentication information when a user logs in, the instant messaging system keeps a method for the user to log in the instant messaging system for a long time after the user successfully logs in the instant messaging system on an electronic device using an account, and during this period, if a lawless person illegally obtains the right to use the electronic device through a hacking technique, illegal activities such as data theft, illegal information transmission and the like may be performed by using the account.
Therefore, the defect that the security of the user information cannot be guaranteed due to the account abnormity in the instant messaging system still exists in the related technology.
In view of the above problems, the present application provides a method, an apparatus, an electronic device and a storage medium for implementing account abnormality recognition in an instant messaging system, which can effectively recognize the recognition of account abnormality in the instant messaging system, thereby solving the problem in the related art that user information security cannot be guaranteed due to account abnormality in the instant messaging system.
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an implementation environment related to implementing an account abnormality identification method in an instant messaging system. The implementation environment includes a terminal 100, and a server 200.
Specifically, the terminal 100 is operable by a client (e.g., an instant messaging system), and may be an electronic device such as a desktop computer 110, a notebook computer 130, a tablet computer 150, a smart phone 170, and the like, which is not limited herein.
The client, for example, the instant messaging system, provides an instant messaging function, and may be in the form of an application program or a web page, and accordingly, a user interface of the client for performing instant messaging may be in the form of a program window or a web page, which is not limited herein.
The server 200 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, middleware service, a domain name service, a security service, a CDN, a big data and artificial intelligence platform, and the like. For example, in this embodiment, the server 200 provides the account abnormality recognition service to the terminal 100.
A communication connection is established in advance between the terminal 100 and the server 200 by wire/wireless or the like, so that data transmission between the terminal 100 and the server 200 is realized through the established communication connection. The transmitted data can be behavior items to be recognized, strong association rule sets, identity authentication messages and the like.
As the instant messaging system operates in the terminal 100, the usage behavior of the user in the instant messaging system is reported to the server 200 as a behavior item to be identified, and the server 200 is requested to provide an account abnormal identification service.
Through the interaction between the terminal 100 and the server 200, the server 200 can receive the behavior item to be identified, and further identify the behavior item to be identified according to the strong association rule in the strong association rule set.
Referring to fig. 2, an embodiment of the present application provides a method for implementing account abnormality recognition in an instant messaging system, where the method is applicable to a server 200 in the implementation environment shown in fig. 1.
In the following method embodiments, for convenience of description, the execution subject of each step is described as a server, but the method is not particularly limited thereto.
As shown in fig. 2, the method may include the steps of:
at step 310, a behavior collection comprising at least one behavior item set is determined.
The action item set comprises at least one action item, and the action item is used for representing the use action of the user in the instant communication system.
The following is an introduction and explanation of several terms referred to in step 310:
the behavior item refers to a use behavior of the user in the instant messaging system, and specifically refers to various interaction behaviors and results of the user and page elements in the instant messaging system during the process of logging in the instant messaging system by using an account.
A set of action items, i.e., a collection of action items. In one embodiment, the set of behavior items includes, but is not limited to, a user identification and a behavior item, wherein the user identification is used to uniquely represent a user logging into the instant messaging system using an account. In one embodiment, a behavior item set is generated corresponding to a plurality of behavior items of the same user in a setting period, and the setting period can be flexibly adjusted according to the actual needs of an application scenario, for example, the setting period is 12 hours in this embodiment.
The behavior set is composed of a plurality of behavior item sets.
For example, the usage behavior of the xiaoming user in the instant messaging system includes: login behavior, session behavior, transfer behavior, exit behavior and the like, and correspondingly, the behavior items at least comprise: login, session, transfer, logout, etc.
For a small user, the set of behavior items may be represented as at least { login, session, transfer, logout }.
By analogy, for a large number of users, a behavior collection can substantially contain behavior item sets corresponding to different users, that is, the behavior collection contains at least one behavior item set.
After determining the behavior set containing at least one behavior item set, account abnormity identification in the instant communication system can be realized based on the behavior set.
And step 330, mining association rules of the behavior items in the behavior set by using an Apriori algorithm to obtain at least one association rule and a confidence thereof.
First, it is explained that the association rule is used to indicate the first association behavior item and the second association behavior item that are associated with each other.
The following is an introduction and explanation of several terms involved in step 330:
the support degree is as follows: the support degree of the behavior item in the behavior item set specifically refers to the probability of the behavior item appearing in the behavior item set. The calculation formula of the support degree is as follows:
in the formula: p sup (A) The support degree of the behavior item A, C (A) the number of times the behavior item A appears in the behavior item set I in the behavior set C,
the total number of all behavior item sets I in the behavior set C.
Confidence coefficient: and on the premise that the association rule indicates the first association behavior item and the second association behavior item which are associated with each other, the confidence of the association rule specifically indicates the confidence of the association between the first association behavior item and the second association behavior item. The confidence coefficient calculation formula is as follows:
in the formula:
as association rules
The confidence level of (A) is the confidence level of the correlation between the first correlation behavior item A and the second correlation behavior item B, P sup (Assemble B) is the support degree of the mutual association of the first association behavior item A and the second association behavior item B, specifically, the probability that the first association behavior item A and the second association behavior item B appear in the same behavior item set at the same time, and P sup (A) The support degree of the behavior item A;
now, with reference to the above nouns, the following description is made of the process of mining association rules using Apriori algorithm:
and 331, screening the behavior items in the behavior set to obtain frequent items according to the support of each behavior item in the behavior set, and forming a frequent item set of the behavior set by the frequent items obtained by screening.
Wherein, the frequent item refers to an action item with the support degree in the action item set larger than the set support degree; the frequent item set refers to a set of frequent items.
Specifically, the formation process of the frequent item set of the behavior set may include the following steps:
in a first step, a first candidate item set is generated from each behavior item in the behavior set.
TABLE 1 behavior set C
As shown in Table 1 above, in the behavior collection C, 10 behavior item sets I are included, and each behavior item set I contains at least one behavior item. Wherein, the action items in each action item set I can be any one or more of transfer, conversation, mail opening, exit and login. It should be noted that the 10 behavior item sets may correspond to the same setting period of different users, and may also correspond to different setting periods of the same user, which is not limited herein.
As shown in fig. 3, the candidates in the first candidate set C1 include: { transfer }, { session }, { open mail }, { quit }, { login }.
And secondly, screening the candidate items in the first candidate item set based on the support of the candidate items in the first candidate item set, and generating a frequent item set from the screened candidate items.
The calculation formula of the support of the candidate item a in the first candidate item set C1 is as follows:
in the formula: p sup (A) (b) the number of times that candidate a appears in the behavioral set C as the behavioral set I,
is the sum of all behavior item sets I in the behavior set CA number (10);
taking the candidate a as an example of the transfer, the number of times that the transfer appears in each action item set I in the action set C in table 1 is 7, and the support degree of the transfer is 7/10 ═ 0.7. By analogy, as shown in fig. 3, the support degrees of the remaining candidates (conversation, mail opening, logout, login) in the first candidate set are 0.8, 0.7, 0.2, and 0.3, respectively.
In one embodiment, the candidate items in the first candidate item set are filtered, specifically, if the support of the candidate item in the first candidate item set is greater than the set support, the candidate item is regarded as a frequent item. Based on this, if the support degree is set to be 0.2, the support degrees of the candidate items { transfer }, { session }, { open mail }, { quit }, and { login } in the first candidate item set C1 are all greater than 0.2 and can be regarded as frequent items.
Thus, as shown in fig. 3, a frequent item set L1 is obtained, and the frequent items in the frequent item set L1 include: { transfer }, { session }, { open mail }, { quit }, { login }. That is, the frequent item in the frequent item set L1 includes a behavior item, and the frequent item set L1 can also be regarded as a 1-item frequent item set.
And thirdly, generating a second candidate item set according to the frequent items in the frequent item set.
Specifically, as shown in fig. 3, in the frequent item set L1, any two frequent items are selected as candidates, and a second candidate item set C2 is generated, where the candidates in the second candidate item set C2 include: { transfer, session }, { transfer, open mail }, { transfer, logout }, { transfer, login }, { session, open mail }, { session, logout }, { session, login }, { open mail, logout }, { open mail, login }, { logout, login }.
And fourthly, screening the candidate items in the second candidate item set based on the support degree of the candidate items in the second candidate item set, and generating a frequent item set from the screened candidate items.
Similarly, in the candidate screening process in the first candidate set, if the support degree is set to be 0.2, as shown in fig. 3, the candidates with the support degree greater than 0.2 in the second candidate set include: { transfer, session }, { transfer, open mail }, { transfer, login }, { session, open mail }, { session, logout }, { open mail, login }, may be used as frequent items.
Thus, as shown in fig. 3, a frequent item set L2 is obtained, and the frequent items in the frequent item set L2 include: { transfer, session }, { transfer, open mail }, { transfer, login }, { session, open mail }, { session, logout }, { open mail, login }. That is, the frequent item in the frequent item set L2 includes two behavior items, and the frequent item set L2 can also be regarded as a 2-item frequent item set.
And fifthly, returning to execute the third step of generating a second candidate item set according to the frequent items in the frequent item set until the support degrees of the candidate items in the second candidate item set are all smaller than the set support degree, and forming the frequent item set of the behavior set by the generated frequent item set.
For example, as shown in fig. 3, after the frequent item set L3 is obtained, any two frequent items are selected as candidates, and a second candidate item set C4 is generated, where the candidates in the second candidate item set C4 include: { transfer, conversation, opening mail, logging }, and determining that the support degree of the candidate item is 1/10 ═ 0.1 in combination with table 1, wherein the support degree of the candidate item is 0.1 less than the set support degree of 0.2, the frequent item set cannot be obtained again, and at this time, the third step is not returned, and the frequent item set of the behavior set is formed by the generated frequent item set.
That is, as shown in fig. 3, based on the behavior set C, frequent item sets L1, L2, L3 can be obtained.
Step 333, based on each frequent item in the frequent item set, determining a first associated behavior item and a second associated behavior item which are associated with each other in the frequent item.
As shown in fig. 3, in the frequent item set L1, the frequent item includes one action item, and there is no first associated action item and second associated action item associated with each other.
In the frequent item set L2, the frequent item includes two behavior items, and the first associated behavior item and the second associated behavior item associated with each other in the frequent item can be determined. For example, the first associated action item in the frequent items { transfer, session } which are associated with each other is transfer, and the second associated action item is session.
Similarly, in the frequent item set L3, the frequent item includes three behavior items, and the first associated behavior item and the second associated behavior item associated with each other in the frequent item can also be determined. For example, the first associated action item in the frequent item { transfer, conversation, open mail } is transfer, the second associated action item may be conversation, open mail, and similarly, the associated action items may also be: the first associated action item is a conversation, the second associated action item is transfer and open mail, the first associated action item is open mail, the second associated action item is transfer and conversation, the first associated action item is transfer and conversation, the second associated action item is open mail, the first associated action item is transfer and open mail, the second associated action item is conversation, the first associated action item is conversation and open mail, the second associated action item is transfer and the like.
As can be seen from the above, the first/second associated action item may be one action item, or may be multiple action items, and is specifically related to the number of the action items included in the frequent item, which is not specifically limited herein.
Step 335, for each first associated behavior item, calculating a confidence degree of the first associated behavior item and the second associated behavior item being associated with each other.
The calculation formula of the degree of confidence of the correlation between the first correlation behavior item and the second correlation behavior item is as follows:
in the formula:
represents the confidence degree of the correlation between the first correlation behavior item A and the second correlation behavior item B, P sup (Au.B) represents the support degree of the behavior item set I in the behavior set C when the first associated behavior item A and the second associated behavior item B simultaneously appear, and P is sup (A) The support degree of the first associated behavior item A;
on the premise of the first associated behavior item and the second associated behavior item which are determined by the frequent item sets L1, L2 and L3 and are associated with each other, the confidence level of the association between the first associated behavior item and the second associated behavior item is shown in table 2.
TABLE 2 confidence of association of a first associated behavior item and a second associated behavior item
Step 337, mining to obtain at least one association rule and the confidence thereof based on the confidence of the mutual association between the first association behavior item and the second association behavior item.
As shown in table 2 above, an association rule and its confidence are obtained by mining, where the association rule is used to indicate the first association behavior item and the second association behavior item that are associated with each other. For example, if the first associated action item is { transfer }, and the second associated action item is { session }, the association rule may be expressed as transfer- > session with a confidence of 71.43%; or, if the first associated behavior item is { transfer, session }, and the second associated behavior item is { open mail }, the association rule may be expressed as transfer, session- > open mail with a confidence of 60%; or, if the first associated behavior item is { login }, and the second associated behavior item is { transfer, open mail }, the association rule may be expressed as login- > transfer, open mail, with a confidence of 100%.
And 350, performing fuzzification processing on the confidence coefficient of at least one association rule to obtain the fuzzy confidence coefficient of at least one association rule.
The fuzzification processing can be realized by a gaussian membership function, a generalized seed membership function, an S-type membership function, a trapezoidal membership function, a triangular membership function, a Z-type membership function, and the like, as well as a gravity center method, a maximum membership degree method, a coefficient weighted average method, an arithmetic average method, and the like. In this embodiment, the fuzzification is implemented by a triangle membership function and an arithmetic mean method.
Specifically, as shown in FIG. 4, in one embodiment, step 350 may include the steps of:
In one embodiment, step 351 may include the steps of: obtaining a plurality of triangular fuzzy numbers of which the first associated behavior items and the second associated behavior items are associated with each other according to the constructed triangular fuzzy number storage table; and calculating to obtain an average value according to the plurality of triangular fuzzy numbers, wherein the average value is used as a triangular fuzzy set in which the first associated behavior item and the second associated behavior item are associated with each other.
It is explained here that the triangular fuzzy number storage table actually establishes the correspondence between the semantic variable and the triangular fuzzy number. The semantic variables are used for describing the judgment result of the behavior item occurrence probability of the technical staff, and specifically include 7 semantic variables such as "very high", "medium", "low", "very low", and the like. Based on this, a triangular blur number storage table formed by the correspondence between each semantic variable and the triangular blur number is shown in table 3.
TABLE 3 triangular fuzzy number storage Table
| Serial number | Semantic variables | Triangular fuzzy number |
| 1 | Is very high | (0.9,1.0,1.0) |
| 2 | Height of | (0.7,0.9,1.0) |
| 3 | Is higher than the original | (0.5,0.7,0.9) |
| 4 | Medium and high grade | (0.3,0.5,0.7) |
| 5 | Is on the low side | (0.1,0.3,0.5) |
| 6 | Is low in | (0,0.1,0.3) |
| 7 | Is very low | (0,0,0.1) |
Then, after collecting the evaluation results of behavior item occurrence probabilities of multiple technicians, the semantic variables describing the evaluation results of behavior item occurrence probabilities of the multiple technicians can be converted into a plurality of triangular fuzzy numbers through table 3, wherein each triangular fuzzy number corresponds to the evaluation result of behavior item occurrence probability of one technician.
The results of the multiple technician evaluations are then combined using arithmetic mean, i.e., based on the plurality of triangular modesCalculating the fuzzy number to obtain an average value which is used as a triangular fuzzy set of the first associated behavior item and the second associated behavior item which are associated with each other and is represented as P fuz =<a,b,c>。
That is to say, on the premise that the confidence degrees of the first associated behavior item and the second associated behavior item which are associated with each other are considered, the triangular fuzzy set combines the probabilities that a plurality of technicians have the first associated behavior item and the second associated behavior item appearing in the same behavior item set at the same time, so that the accuracy rate of account number abnormality identification is improved.
Specifically, assume that the triangular fuzzy set in which the first associated behavior item a and the second associated behavior item B are associated with each other is P fuz =<a,b,c>Then, the fuzzy confidence of the association rule is calculated as follows:
in the formula:
as the degree of confidence that the first associated action item a and the second associated action item B are associated with each other,
the fuzzy confidence degree of the correlation between the first correlation behavior item A and the second correlation behavior item B, i.e. the correlation rule A->B fuzzy confidence.
And 370, screening at least one strong association rule from the at least one association rule based on the fuzzy confidence of the at least one association rule, and adding the at least one strong association rule to the strong association rule set.
In particular, in terms of minimum confidence P min_con To passAnd (3) judging the fuzzy confidence of the union rule: if it is
Greater than or equal to P min_con Defining the association rule as a strong association rule and adding the strong association rule to a strong association rule set; if it is
Is less than P min_con Then the association rule is defined as a weak association rule. Wherein the minimum confidence P min_con The minimum reliability for representing the association rule can be flexibly adjusted according to the actual needs of the application scenario, and is not limited herein.
For example, as shown in Table 2, assume a minimum confidence level P min_con 70%, the strong association rules in the strong association rule set include: transfer money>Conversation; transfer money>Opening the mail; open mail->Transferring accounts; open mail->Conversation; login->Transferring accounts; login->Opening the mail; quit->Conversation; login->Transferring accounts and opening mails; transfer, login->Opening the mail; open mail, log-in->And (6) transferring accounts.
And identifying abnormal account number, namely identifying the use behavior of the user in the instant messaging system, and if the abnormal use behavior of the user in the instant messaging system is identified, considering that the account number used by the user for logging in the instant messaging system is abnormal.
In one embodiment, step 390 may include the steps of: receiving a behavior item to be recognized, wherein the behavior item to be recognized is used for representing the use behavior of a user waiting to be recognized in the instant communication system; searching a strong association rule indicating a behavior item to be identified in the strong association rule set; if the strong association rule is found, determining whether a second association behavior item which is associated with the behavior item to be identified exists or not based on the first association behavior item and the second association behavior item which are indicated in the found strong association rule and are associated with each other; and if not, determining the behavior item to be identified as an abnormal behavior item, otherwise, determining the behavior item to be identified as a normal behavior item.
For example, the behavior habit of the xiaoming user in the instant messaging system is to open an email before transferring to confirm the transfer information, then for the xiaoming user, the correlated behavior items at least comprise transferring and opening email, and correspondingly, based on the usage behavior of the xiaoming user in the instant messaging system, the strong association rule in the formed strong association rule set at least comprises transferring- > opening email. Therefore, for the Xiaoming user, if the Xiaoming user logs in by himself, the account number can be recognized to be normal, otherwise, if the Xiaoming user logs in illegally, since the behavior habit of the Xiaoming user in the instant messaging system is unknown, for example, direct transfer is possible, at this time, for the server, for the action item to be recognized, transfer is performed because only the first associated action item exists, transfer is performed, and the second associated action item does not exist, i.e., the first associated action item does not exist, the second associated action item which is associated with the first associated action item is opened, and then the action item to be recognized, transfer is determined to be an abnormal action item, i.e., the account number is recognized to be abnormal.
Through the process, the Apriori algorithm and the fuzzification processing are combined, the characteristics of the using behavior of the user in the instant messaging system are mined by using the fuzzified association rule, the account abnormity in the instant messaging system can be effectively identified, the problem that the user information safety cannot be guaranteed due to the account abnormity in the instant messaging system in the related technology is solved, and the accuracy of account abnormity identification can be effectively improved.
Referring to fig. 5, in an embodiment of the present application, a possible implementation manner of implementing an account abnormality identification method in an instant messaging system is provided, and after step 390, the method may further include the following steps:
and step 410, if the behavior item to be identified is an abnormal behavior item, determining the risk level of the abnormal behavior item according to the first set values of different risk levels.
Specifically, setting three risk levels (low risk level, medium risk level, high risk level) ranks the abnormal behavior of the user:
P 1 =P min_con ;
in the formula: p 1 Indicating a low risk level probability, P 2 Representing the probability of a risk level, P 3 Represents a high risk level probability and satisfies 0 ≦ P 1 <P 2 <P 3 ≤1。
In other words, the first set point for the low risk level is P1, the first set point for the medium risk level is P2, and the first set point for the high risk level is P3. For example, if the fuzzy confidence of the abnormal behavior item is less than P1, the risk level of the abnormal behavior item is a low risk level.
And step 420, pushing a corresponding identity authentication message to the instant messaging system based on the risk level of the abnormal behavior item.
Wherein the identity authentication message is used for indicating the risk level of the abnormal behavior item violating the strong association rule. That is to say, the server pushes the corresponding identity authentication message to the instant messaging system based on the risk level of the abnormal behavior item, so that the instant messaging system can initiate challenges of different strengths to the user to verify whether the user logs in the instant messaging system by using the account is the user himself or not, that is, if the user responses to the user and passes, the user is deemed to pass by himself or herself, and then the user can continue to execute other operations, thereby further fully ensuring the security of the user information in the instant messaging system.
Specifically, the identity authentication mechanism is set as follows:
1) if μ A (x i ) Less than P 1 Then determine the abnormal behavior term x i At a low risk level, and the abnormal behavior item x i The related strong association rule is determined to be a low-intensity strong association rule, and correspondingly, the instant messaging system sets a low-difficulty identity authentication mode for inputting account related information such as a mobile phone number or a mailbox associated with a user;
2) if μ A (x i ) Greater than P 1 And is not more than P 2 Then determine the abnormal behavior term x i In the risk level, and the abnormal behavior item x i The related strong association rule is determined to be a medium-strength strong association rule, and correspondingly, the instant messaging system sets a medium-difficulty identity authentication mode for answering preset account verification problems such as preset account secret protection problems and the like;
3) if μ A (x i ) Greater than P 2 And less than or equal to 1, determining the abnormal behavior item x i At a high risk level, and the abnormal behavior item x i The related strong association rule is determined as a strong association rule with high strength, and correspondingly, the instant messaging system sets a high-difficulty identity authentication mode for inputting a mobile phone verification code and an account password.
Based on the above, if the user passes through the corresponding identity authentication mode, the user is considered to pass through the identity authentication and represents that the user logs in the instant messaging system himself, the user can continue to perform other operations.
On the contrary, if the user fails to pass the corresponding identity authentication mode, the user identity authentication is considered to be failed, which indicates that other people may illegally log in the instant messaging system, and the other people cannot continue to execute other operations. In one embodiment, the instant messaging system forces the account to be quitted, locks the account to be unavailable within ten minutes, and triggers a notification mechanism to notify the user of account exception information in the form of mails or short messages.
In one embodiment, the server receives an authentication feedback message indicating whether the user is authenticated.
And 430, if the behavior item to be recognized is a normal behavior item, updating the behavior set according to the behavior item to be recognized when the accumulated receiving times of the behavior item to be recognized does not reach a second set value.
The accumulative receiving times refer to the times of the server for accumulatively receiving the behavior item to be identified sent by the instant messaging system.
In one embodiment, the second setting value is 1000000, and the second setting value can be flexibly adjusted according to the actual needs of the application scenario, and is not specifically limited herein.
In one embodiment, the update process for the behavior set may be a full-scale update or an incremental update.
Specifically, as shown in fig. 6, the incremental update process of the behavior set may include the following steps:
and 431, searching a matching behavior item matched with the behavior item to be identified in a behavior item set contained in the behavior set.
If so, go to step 433; otherwise, step 435 or step 437 is performed.
And 433, determining whether the behavior item set to which the matching behavior item belongs is consistent with the behavior item set to which the behavior to be identified belongs based on the searched matching behavior item. Specifically, step 4331, if yes, deleting the behavior item to be recognized; otherwise, step 4333, increase the frequency of the matching behavior items in the behavior item set to which the matching behavior items belong.
Step 435, if no matching behavior item is found in all behavior item sets included in the behavior set, adding a behavior item set, and adding the behavior item to be identified and the frequency thereof in the added behavior item set.
In step 437, if no matching behavior item is found in the behavior item set to which the behavior item to be identified belongs, the behavior item to be identified is added to the behavior item set to which the behavior item to be identified belongs.
Therefore, incremental updating of the behavior set is achieved, repeated updating is avoided, updating efficiency of the behavior set can be effectively improved, and efficiency of abnormal account identification is improved.
And step 450, if the accumulated receiving times of the behavior item to be identified reaches a third set value, updating the strong association rule set according to the behavior set.
In one embodiment, the third setting value refers to the second setting value × 10% ═ 1000000 × 10% ═ 100000, and the third setting value can be flexibly adjusted according to the actual needs of the application scenario, and is not specifically limited herein.
The updating process of the strong association rule set is steps 310 to 370 described in the foregoing embodiment, and will not be described repeatedly here.
Further, as mentioned above, the instant messaging system will feed back to the server whether the user passes the identity, that is, send an identity authentication feedback message to the server, and accordingly, the server can receive the identity authentication feedback message, thereby determining whether the user passes the identity authentication based on the identity authentication feedback message.
On one hand, if the user fails the identity authentication, and the behavior item to be recognized is an abnormal behavior item, the server does not update the accumulated receiving times based on the behavior item to be recognized.
On the other hand, if the user passes the identity authentication, at this time, because the behavior item to be recognized is an abnormal behavior item, it indicates that the account abnormal recognition may be wrong, the third setting value is modified, and the update of the strong association rule set is triggered, so that the accuracy of the account abnormal recognition is improved.
In one embodiment, the third setting value before modification is 100000, and the third setting value after modification is 10000. That is to say, the threshold for triggering the update of the strong association rule set is reduced, and the update frequency of the strong association rule set is increased, so that the accuracy of the abnormal account identification is fully guaranteed.
And then, when the accumulated receiving times of the behavior items to be identified reach the modified third set value, updating the strong association rule set according to the behavior set.
Under the action of the embodiment, an updating mechanism of the association rule set is realized, and the balance between updating frequency and excessive updating is fully ensured by matching with an identity authentication mechanism on the premise of ensuring the statistical significance of the quantity of the behavior items to be identified, so that the efficiency and the accuracy of account number abnormal identification are favorably improved.
The following is an embodiment of an apparatus of the present application, which may be used to implement an account abnormality identification method in an instant messaging system according to the present application. For details that are not disclosed in the embodiment of the apparatus of the present application, please refer to an embodiment of a method for implementing an account abnormality identification method in an instant messaging system according to the present application.
Referring to fig. 7, an embodiment of the present application provides an apparatus 900 for implementing account abnormality recognition in an instant messaging system, including but not limited to: the system comprises a behavior set generation module 901, an association rule mining module 902, an association rule confidence fuzzification processing module 903, a strong association rule set generation module 904 and an account number abnormity identification module 905.
The behavior set generating module 901 is configured to determine a behavior set including at least one behavior item set, where the behavior item set includes at least one behavior item, and the behavior item is used to represent a usage behavior of a user in the instant messaging system.
An association rule mining module 902, configured to perform association rule mining on the behavior items in the behavior set by using an Apriori algorithm to obtain at least one association rule and a confidence thereof, where the association rule is used to indicate a first association behavior item and a second association behavior item that are associated with each other.
An association rule confidence fuzzification processing module 903, configured to fuzzify the confidence of at least one association rule to obtain a fuzzy confidence of the at least one association rule.
And a strong association rule set generating module 904, configured to filter the at least one strong association rule from the at least one association rule based on the fuzzy confidence of the at least one association rule, and add the at least one strong association rule to the strong association rule set.
The account number abnormality identification module 905 is configured to identify a usage behavior of the user in the instant messaging system according to a strong association rule in the strong association rule set.
It should be noted that, when the device for implementing account abnormality recognition in the instant messaging system provided in the foregoing embodiment performs account abnormality recognition, only the division of the functional modules is described as an example, in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device for implementing account abnormality recognition in the instant messaging system is divided into different functional modules, so as to complete all or part of the functions described above.
In addition, the apparatus for implementing the account abnormality identification method in the instant messaging system provided in the above embodiment and the embodiment for implementing the account abnormality identification method in the instant messaging system belong to the same concept, wherein specific ways of executing operations by the respective modules have been described in detail in the method embodiment, and are not described herein again.
FIG. 8 illustrates a schematic diagram of a server, according to an example embodiment. The server is suitable for use in the server 200 of the implementation environment shown in fig. 1.
It should be noted that the server is only an example adapted to the application and should not be considered as providing any limitation to the scope of use of the application. The server should not be interpreted as having to rely on or have to have one or more components of the exemplary server 2000 illustrated in fig. 8.
The hardware structure of the server 2000 may be greatly different due to the difference of configuration or performance, as shown in fig. 8, the server 2000 includes: a power supply 210, an interface 230, at least one memory 250, and at least one Central Processing Unit (CPU) 270.
Specifically, the power supply 210 is used to provide operating voltages for the various hardware devices on the server 2000.
The interface 230 includes at least one wired or wireless network interface for interacting with external devices. For example, the interaction between the terminal 100 and the server 200 in the implementation environment shown in fig. 1 is performed.
Of course, in other examples of the present application, the interface 230 may further include at least one serial-to-parallel conversion interface 233, at least one input/output interface 235, at least one USB interface 237, and the like, as shown in fig. 8, which is not limited thereto.
The storage 250 is used as a carrier for resource storage, and may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc., and the resources stored thereon include an operating system 251, an application 253, data 255, etc., and the storage manner may be a transient storage or a permanent storage.
The operating system 251 is used for managing and controlling each hardware device and the application 253 on the server 200 to implement the operation and processing of the mass data 255 in the memory 250 by the central processing unit 270, which may be Windows server, Mac OS XTM, unix, linux, FreeBSDTM, or the like.
The application 253 is a computer program that performs at least one specific task on the operating system 251, and may include at least one module (not shown in fig. 8), each of which may include a computer program for the server 2000. For example, the data monitoring device may be considered an application 253 deployed on the server 2000.
The data 255 may be photographs, pictures, etc. stored in a disk, or may be key values, etc. stored in the memory 250.
The central processor 270 may include one or more processors and is configured to communicate with the memory 250 through at least one communication bus to read the computer programs stored in the memory 250, and further implement operations and processing on the mass data 255 in the memory 250. The information recommendation method is accomplished, for example, by the central processor 270 reading a form of a series of computer programs stored in the memory 250.
Furthermore, the present application can be implemented by hardware circuits or by hardware circuits in combination with software, and therefore, the implementation of the present application is not limited to any specific hardware circuits, software, or a combination of the two.
Referring to fig. 9, in an embodiment of the present application, an electronic device 4000 is provided, where the electronic device 400 may include: desktop computers, notebook computers, servers, etc.
In fig. 9, the electronic device 4000 includes at least one processor 4001, at least one communication bus 4002, and at least one memory 4003.
The Processor 4001 may be a CPU (Central Processing Unit), a general-purpose Processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other Programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor 4001 may also be a combination that performs a computational function, including, for example, a combination of one or more microprocessors, a combination of a DSP and a microprocessor, or the like.
The Memory 4003 may be a ROM (Read Only Memory) or other types of static storage devices that can store static information and instructions, a RAM (Random Access Memory) or other types of dynamic storage devices that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical Disc storage, optical Disc storage (including Compact Disc, laser Disc, optical Disc, digital versatile Disc, blu-ray Disc, etc.), a magnetic Disc storage medium or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.
A computer program is stored in the memory 4003, and the processor 4001 reads the computer program stored in the memory 4003 through the communication bus 4002.
When executed by the processor 4001, the computer program implements the account abnormality recognition method in the instant messaging system in the embodiments described above.
In addition, a storage medium is provided in this embodiment of the present application, where a computer program is stored on the storage medium, and when executed by a processor, the computer program implements the account abnormality identification method in the instant messaging system in the foregoing embodiments.
A computer program product is provided in an embodiment of the present application, the computer program product comprising a computer program stored in a storage medium. The processor of the computer device reads the computer program from the storage medium, and the processor executes the computer program, so that the computer device executes the method for recognizing the account abnormality in the instant messaging system in the embodiments.
Compared with the related technology, the scheme of the embodiment of the application combines an Apriori algorithm and fuzzification processing, and uses the fuzzified association rule base to mine the characteristics of the use behavior of the user in the instant messaging system, so that the accuracy rate of account number abnormality identification can be effectively improved; aiming at different risk levels of the abnormal behavior items, corresponding identity authentication information is pushed to the instant messaging system, so that misjudgment can be prevented, and the accuracy rate of abnormal account identification can be further ensured; the updating mechanism of the association rule set is matched with the identity authentication mechanism to fully ensure the balance between updating frequency and excessive updating on the premise of ensuring the statistical significance of the quantity of the behavior items to be identified, and is favorable for improving the efficiency and accuracy of account number abnormal identification.
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and may be performed in other orders unless explicitly stated herein. Moreover, at least a portion of the steps in the flow chart of the figure may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, which are not necessarily performed in sequence, but may be performed alternately or alternately with other steps or at least a portion of the sub-steps or stages of other steps.
The foregoing is only a partial embodiment of the present application, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present application, and these modifications and decorations should also be regarded as the protection scope of the present application.
Claims (10)
1. A method for realizing account abnormity identification in an instant messaging system is characterized by comprising the following steps:
determining a behavior set containing at least one behavior item set, wherein the behavior item set contains at least one behavior item, and the behavior item is used for representing the usage behavior of a user in the instant messaging system;
performing association rule mining on the behavior items in the behavior set by using an Apriori algorithm to obtain at least one association rule and a confidence degree thereof, wherein the association rule is used for indicating a first association behavior item and a second association behavior item which are associated with each other;
fuzzifying the confidence coefficient of at least one association rule to obtain the fuzzy confidence coefficient of the at least one association rule;
screening at least one strong association rule from at least one association rule based on the fuzzy confidence of the at least one association rule, and adding the at least one strong association rule to a strong association rule set;
and identifying the use behavior of the user in the instant messaging system according to the strong association rule in the strong association rule set.
2. The method of claim 1, wherein the mining association rules for the behavior items in the behavior set using Apriori algorithm to obtain at least one association rule and its confidence level comprises:
according to the support degree of each behavior item in the behavior set, frequent items are screened from the behavior items in the behavior set, and a frequent item set of the behavior set is formed by the frequent items obtained through screening;
determining a first associated behavior item and a second associated behavior item which are associated with each other in the frequent items based on each frequent item in the frequent item set;
for each first associated behavior item, calculating a confidence level of the first associated behavior item and the second associated behavior item associated with each other;
and mining at least one association rule and the confidence degree thereof based on the mutual association confidence degree of the first association behavior item and the second association behavior item.
3. The method of claim 1, wherein the fuzzifying the confidence level of the at least one association rule to obtain a fuzzy confidence level of the at least one association rule comprises:
for each association rule, determining a triangular fuzzy set of the first association behavior item and the second association behavior item which are associated with each other and indicated by the association rule based on the first association behavior item and the second association behavior item which are associated with each other;
and calculating the fuzzy confidence coefficient of the correlation of the first correlation behavior item and the second correlation behavior item as the fuzzy confidence coefficient of the correlation rule according to the confidence coefficient of the correlation of the first correlation behavior item and the second correlation behavior item and the triangular fuzzy set.
4. The method of claim 3, wherein determining the triangular fuzzy set of the first associated behavior item and the second associated behavior item associated with each other based on the first associated behavior item and the second associated behavior item associated with each other as indicated by the association rule comprises:
obtaining a plurality of triangular fuzzy numbers of which the first associated behavior items and the second associated behavior items are associated with each other according to a constructed triangular fuzzy number storage table;
and calculating to obtain an average value according to a plurality of triangular fuzzy numbers, wherein the average value is used as a triangular fuzzy set in which the first associated behavior item and the second associated behavior item are associated with each other.
5. The method of any one of claims 1 to 4, wherein the identifying the usage behavior of the user in the instant messaging system according to the strong association rule in the set of strong association rules comprises:
receiving a behavior item to be recognized, wherein the behavior item to be recognized is used for representing the use behavior of the user waiting to be recognized in the instant messaging system;
searching a strong association rule indicating the behavior item to be identified in the strong association rule set;
if the strong association rule is found, determining whether a second association behavior item which is associated with the behavior item to be identified exists or not based on the first association behavior item and the second association behavior item which are indicated in the found strong association rule and are associated with each other;
and if not, determining the behavior item to be recognized as an abnormal behavior item.
6. The method of claim 5, wherein after identifying the usage behavior of the user in the instant messaging system according to the strong association rule of the set of strong association rules, the method further comprises:
if the behavior item to be identified is an abnormal behavior item, determining the risk level of the abnormal behavior item according to first set values of different risk levels;
and pushing a corresponding identity authentication message to the instant messaging system based on the risk level of the abnormal behavior item, wherein the identity authentication message is used for indicating the risk level of the abnormal behavior item violating the strong association rule.
7. The method of claim 5, wherein after identifying the usage behavior of the user in the instant messaging system according to the strong association rule of the set of strong association rules, the method further comprises:
if the behavior item to be recognized is a normal behavior item, updating the behavior set according to the behavior item to be recognized when the accumulated receiving times of the behavior item to be recognized does not reach a second set value;
and if the accumulated receiving times of the behavior item to be identified reach a third set value, updating the strong association rule set according to the behavior set.
8. The method of claim 7, wherein the method further comprises:
receiving an identity authentication feedback message, wherein the identity authentication feedback message is used for indicating whether the user passes identity authentication or not;
and if the user passes the identity authentication, modifying the third set value so as to update the strong association rule set according to the behavior set when the cumulative receiving times of the behavior item to be identified reach the modified third set value.
9. The method of claim 7, wherein the updating the behavior collection according to the behavior item to be recognized comprises:
searching a matching behavior item matched with the behavior item to be identified in a behavior item set contained in the behavior set;
determining whether the behavior item set to which the matching behavior item belongs is consistent with the behavior item set to which the behavior to be identified belongs based on the searched matching behavior item;
if the behavior items are consistent, deleting the behavior items to be recognized;
otherwise, increasing the frequency of the matching behavior items in the behavior item set to which the matching behavior items belong.
10. An apparatus for implementing account abnormality recognition in an instant messaging system, the apparatus comprising:
a behavior set determining module, configured to determine a behavior set including at least one behavior item set, where the behavior item set includes at least one behavior item, and the behavior item is used to represent a usage behavior of a user in the instant messaging system;
an association rule mining module, configured to perform association rule mining on the behavior items in the behavior set by using an Apriori algorithm to obtain at least one association rule and a confidence thereof, where the association rule is used to indicate a first association behavior item and a second association behavior item that are associated with each other;
the fuzzification processing module is used for fuzzifying the confidence coefficient of the at least one association rule to obtain the fuzzy confidence coefficient of the at least one association rule;
the strong association rule determining module is used for screening at least one strong association rule from at least one association rule based on the fuzzy confidence coefficient of the at least one association rule and adding the at least one strong association rule to a strong association rule set;
and the account abnormity identification module is used for identifying the use behavior of the user in the instant messaging system according to the strong association rule in the strong association rule set.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210144909.9A CN115080934A (en) | 2022-02-17 | 2022-02-17 | Method and device for identifying account abnormity in instant messaging system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210144909.9A CN115080934A (en) | 2022-02-17 | 2022-02-17 | Method and device for identifying account abnormity in instant messaging system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115080934A true CN115080934A (en) | 2022-09-20 |
Family
ID=83245998
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210144909.9A Pending CN115080934A (en) | 2022-02-17 | 2022-02-17 | Method and device for identifying account abnormity in instant messaging system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115080934A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115730251A (en) * | 2022-12-06 | 2023-03-03 | 贝壳找房(北京)科技有限公司 | Relationship recognition method |
-
2022
- 2022-02-17 CN CN202210144909.9A patent/CN115080934A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115730251A (en) * | 2022-12-06 | 2023-03-03 | 贝壳找房(北京)科技有限公司 | Relationship recognition method |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| RU2708508C1 (en) | Method and a computing device for detecting suspicious users in messaging systems | |
| JP7391110B2 (en) | Phishing campaign detection | |
| Caminha et al. | A smart trust management method to detect on-off attacks in the internet of things | |
| US10547618B2 (en) | Method and apparatus for setting access privilege, server and storage medium | |
| US10609087B2 (en) | Systems and methods for generation and selection of access rules | |
| US20050262343A1 (en) | Pervasive, user-centric network security enabled by dynamic datagram switch and an on-demand authentication and encryption scheme through mobile intelligent data carriers | |
| CN110046297B (en) | Operation and maintenance violation identification method and device and storage medium | |
| EP4147147A1 (en) | Detection of slow brute force attacks based on user-level time series analysis | |
| US8170978B1 (en) | Systems and methods for rating online relationships | |
| US11645386B2 (en) | Systems and methods for automated labeling of subscriber digital event data in a machine learning-based digital threat mitigation platform | |
| CN115080934A (en) | Method and device for identifying account abnormity in instant messaging system | |
| US20230046813A1 (en) | Selecting communication schemes based on machine learning model predictions | |
| Prusty et al. | SMS Fraud detection using machine learning | |
| Queiroz et al. | Eavesdropping hackers: Detecting software vulnerability communication on social media using text mining | |
| US20220050751A1 (en) | Fallback artificial intelligence system for redundancy during system failover | |
| Sandhya et al. | Enhancing the Performance of an Intrusion Detection System Using Spider Monkey Optimization in IoT. | |
| CN116738369A (en) | Traffic data classification method, device, equipment and storage medium | |
| WO2023102105A1 (en) | Detecting and mitigating multi-stage email threats | |
| CN111464837B (en) | Video terminal access verification method and server of online live broadcast system | |
| US20220210189A1 (en) | Mitigation of phishing risk | |
| Dada et al. | Logistic Model Tree Induction Machine Learning Technique for Email Spam Filtering | |
| US20230047190A1 (en) | Detecting malicious activity associated with resetting authentication information | |
| Pitre et al. | Blockchain and Machine Learning Based Approach to Prevent Phishing Attacks | |
| Das et al. | An Effecient Approach to Detect Fraud Instagram Accounts Using Supervised ML Algorithms | |
| CN118035590A (en) | User information processing method, apparatus, electronic device and computer readable medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |