Disclosure of Invention
The invention provides a method and a server for processing abnormal user behaviors of a cloud computing service, and adopts the following technical scheme in order to achieve the technical purpose.
The first aspect is an abnormal user behavior processing method for cloud computing service, which is applied to a cloud computing security server and comprises the following steps:
determining a plurality of abnormal user label capturing windows and a plurality of window weight scores corresponding to the abnormal user label capturing windows through a target cloud service interactive stream record and a previous cloud service interactive stream record that has a time sequence precedence relationship with the target cloud service interactive stream record; each abnormal user label capturing window in the plurality of abnormal user label capturing windows corresponds to one window weight score;
determining a disturbance weight score between every two abnormal user tag capture windows in the plurality of abnormal user tag capture windows based on the target cloud service interactive stream record;
and determining a target abnormal user label capturing window from the plurality of abnormal user label capturing windows based on the plurality of window weight scores and the disturbance weight scores, and determining a first target abnormal user label carried in the target abnormal user label capturing window so as to perform operation behavior continuous analysis on the first target abnormal user label.
In some possible embodiments, the determining, through the target cloud service interactive stream record and the previous cloud service interactive stream record that has a time sequence precedence relationship with the target cloud service interactive stream record, of a plurality of abnormal user tag capture windows and a plurality of window weight scores corresponding to the plurality of abnormal user tag capture windows includes:
determining the plurality of abnormal user tag capturing windows and a plurality of tag capturing credibility coefficients corresponding to the plurality of abnormal user tag capturing windows based on the target cloud service interactive stream record, wherein each abnormal user tag capturing window in the plurality of abnormal user tag capturing windows corresponds to one tag capturing credibility coefficient;
determining a plurality of time sequence correlation variables corresponding to the plurality of abnormal user tag capturing windows based on the target cloud service interactive flow record and the previous cloud service interactive flow record, wherein each abnormal user tag capturing window corresponds to one time sequence correlation variable;
and determining a plurality of window weight scores corresponding to the plurality of abnormal user label capturing windows based on the plurality of label capturing credibility coefficients and the plurality of time sequence correlation variables.
In some possible embodiments, the determining, based on the target cloud service interactive streaming record and the previous cloud service interactive streaming record, a number of timing correlation variables corresponding to the number of abnormal user tag capture windows includes:
determining a plurality of previous abnormal user label capturing windows in the previous cloud service interactive stream recording;
determining a plurality of relative distribution characteristic values between a first abnormal user label capturing window and the plurality of previous abnormal user label capturing windows, wherein the first abnormal user label capturing window is one abnormal user label capturing window in the plurality of abnormal user label capturing windows;
determining the maximum characteristic value in the relative distribution characteristic values as a first time sequence associated variable corresponding to the first abnormal user label capturing window;
and determining a plurality of first time sequence related variables corresponding to a plurality of first abnormal user tag capturing windows so as to determine a plurality of time sequence related variables corresponding to the plurality of abnormal user tag capturing windows.
In some possible embodiments, the determining, based on the target cloud service interaction streaming record, a disturbance weight score between every two abnormal user tag capture windows of the number of abnormal user tag capture windows includes:
in the target cloud service interactive streaming recording, determining a relative distribution common variable and a recording content common variable between every two abnormal user label capturing windows;
and determining a disturbance weight score between every two abnormal user label capturing windows based on the relative distribution common variable and the recorded content common variable.
In some possible embodiments, the determining, in the target cloud service interactive streaming record, a relative distribution common variable between every two abnormal user tag capture windows includes:
respectively acquiring an information capturing unit of a first abnormal user label capturing window and an information capturing unit of a second abnormal user label capturing window, wherein the first abnormal user label capturing window and the second abnormal user label capturing window are every two abnormal user label capturing windows;
and determining a relative distribution common variable between the first abnormal user label capturing window and the second abnormal user label capturing window based on the information capturing unit of the first abnormal user label capturing window and the information capturing unit of the second abnormal user label capturing window so as to determine the relative distribution common variable between every two abnormal user label capturing windows.
In some possible embodiments, the determining a target abnormal user tag capture window from the plurality of abnormal user tag capture windows based on the plurality of window weight scores and the disturbance weight score includes:
using the plurality of window weight scores as influence factors of the disturbance feature members of a capturing disturbance relation network;
using the disturbance weight score between every two abnormal user label capturing windows as an influence factor of the connection vector between the two disturbance feature members corresponding to those two abnormal user label capturing windows, and generating the capturing disturbance relation network;
determining at least one local relation network in the capturing disturbance relation networks, and determining a first local relation network from the at least one local relation network based on a window weight score and a disturbance weight score carried by the at least one local relation network;
and determining an abnormal user label capturing window carried by the first local relationship network as the target abnormal user label capturing window.
In some possible embodiments, the determining a first local relationship network from the at least one local relationship network based on the window weight score and the disturbance weight score carried by the at least one local relationship network includes:
respectively determining at least one group of local stream type records corresponding to at least one local relationship network, wherein each local relationship network in the at least one local relationship network corresponds to one group of local stream type records, and the group of local stream type records comprises at least one local stream type record;
determining at least one analysis index corresponding to each local relationship network in the at least one local relationship network based on the window weight score and the disturbance weight score carried by the at least one local stream record, wherein each local stream record in the at least one local stream record corresponds to one analysis index;
determining, from the at least one analysis index corresponding to each local relationship network, the target analysis index having the maximum value, until at least one target analysis index corresponding to the at least one local relationship network is determined;
determining at least one relation network characteristic distribution corresponding to the at least one target analysis index from the at least one local relation network;
and splicing the at least one relational network characteristic distribution into the first local relational network.
In some possible embodiments, after determining the first target abnormal user tag carried in the target abnormal user tag capture window, the method further comprises:
determining an activity event identification result corresponding to the first target abnormal user tag and a noise event identification result corresponding to a noise tag based on the target cloud service interactive streaming record, wherein the noise tag is a user tag with the highest correlation degree with a target abnormal user tag in the first target abnormal user tag;
determining a previous interaction behavior description field set corresponding to the first target abnormal user tag and a previous noise behavior description field set corresponding to the noise tag based on a previous cloud service interaction streaming record set before the target cloud service interaction streaming record;
determining a current activity event distribution characteristic and a current interaction behavior description field corresponding to a second target abnormal user tag through a subsequent cloud service interaction stream record having a time sequence precedence relationship with the target cloud service interaction stream record, wherein the second target abnormal user tag is a target abnormal user tag included in a target abnormal user tag capture window of the subsequent cloud service interaction stream record;
determining a label word vector distance between the first target abnormal user label and the second target abnormal user label based on the activity event recognition result, the set of previous interaction behavior description fields, the current activity event distribution characteristics and the current interaction behavior description field;
determining a noise word vector distance based on the noise event recognition result, the set of previous noise behavior description fields, the current activity event distribution feature, and the current interaction behavior description field;
and determining an operation behavior analysis indication of the first target abnormal user label based on the label word vector distance and the noise word vector distance.
In some possible embodiments, the determining, based on the tag word vector distance and the noise word vector distance, an operational behavior analysis indication of the first target abnormal user tag includes:
determining the upstream and downstream characteristics of the operation behavior between the first target abnormal user label and the second target abnormal user label based on the label word vector distance and the noise word vector distance;
and extracting a risk user label linked with the first target abnormal user label from the second target abnormal user label by combining the upstream and downstream characteristics of the operation behavior so as to determine the operation behavior analysis indication of the first target abnormal user label.
A second aspect is a cloud computing security server comprising a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the cloud computing security server to perform the method of the first aspect.
A third aspect is a computer-readable storage medium having stored thereon a computer program which, when executed, performs the method of the first aspect.
According to one embodiment of the invention, a plurality of abnormal user tag capturing windows and a plurality of window weight scores corresponding to the abnormal user tag capturing windows are determined through a target cloud service interactive stream record and a previous cloud service interactive stream record that has a time sequence precedence relationship with the target cloud service interactive stream record, and each abnormal user tag capturing window in the abnormal user tag capturing windows corresponds to one window weight score; a disturbance weight score between every two abnormal user tag capture windows in the plurality of abnormal user tag capture windows is determined through the target cloud service interactive stream record; and a target abnormal user label capturing window is determined from the plurality of abnormal user label capturing windows through the plurality of window weight scores and the disturbance weight scores, and a first target abnormal user label carried in the target abnormal user label capturing window is determined so as to continuously analyze the operation behavior of the first target abnormal user label. By applying the embodiment of the invention, the cloud computing security server respectively obtains a plurality of window weight scores of a plurality of abnormal user label capturing windows and a plurality of disturbance weight scores between every two abnormal user label capturing windows, filters out capturing information with errors and disturbances from the plurality of abnormal user label capturing windows based on the plurality of window weight scores and the plurality of disturbance weight scores, and then determines a target capturing window needing to be subjected to continuous analysis of the operation behavior.
Detailed Description
In the following, the terms "first", "second" and "third", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or to imply that the number of indicated technical features is significant. Thus, a feature defined as "first," "second," or "third," etc., may explicitly or implicitly include one or more of that feature.
Fig. 1 illustrates a flowchart of a method for processing an abnormal user behavior of a cloud computing service according to an embodiment of the present invention, where the method for processing an abnormal user behavior of a cloud computing service may be implemented by a cloud computing security server, and the cloud computing security server may include a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; when the processor executes the computer instructions, the cloud computing security server is enabled to execute the technical scheme described in the following steps.
Step 101, determining a plurality of abnormal user tag capture windows and a plurality of window weight scores corresponding to the abnormal user tag capture windows through a target cloud service interactive stream record and a previous cloud service interactive stream record that has a time sequence precedence relationship with the target cloud service interactive stream record, wherein each abnormal user tag capture window in the abnormal user tag capture windows corresponds to one window weight score.
For the embodiment of the invention, the abnormal user tag in the abnormal user tag capturing window can be a user ID and an interactive event theme.
For the embodiment of the invention, the cloud computing security server determines an abnormal user tag capturing window comprising the abnormal user tag in the target cloud service interactive stream record, wherein the abnormal user tag capturing window can be a set visual shape comprising the abnormal user tag.
For the embodiment of the invention, the cloud computing security server determines a plurality of abnormal user label capturing windows and a plurality of label capturing credibility coefficients corresponding to the abnormal user label capturing windows through the target cloud service interactive stream recording, wherein each abnormal user label capturing window in the abnormal user label capturing windows corresponds to one label capturing credibility coefficient.
For example, the information capture module performs a confidence coefficient operation on an abnormal user tag capture window in the target cloud service interactive streaming record to obtain a tag capture confidence coefficient corresponding to the abnormal user tag capture window, wherein the information capture module can be a functional module such as a support vector machine which can provide the tag capture confidence coefficient of the abnormal user tag capture window.
For the embodiment of the invention, the cloud computing security server determines a plurality of time sequence related variables corresponding to a plurality of abnormal user tag capturing windows through the target cloud service interactive stream recording and the previous cloud service interactive stream recording, wherein each abnormal user tag capturing window corresponds to one time sequence related variable (continuous credibility coefficient).
For example, the process of determining a plurality of time sequence related variables corresponding to a plurality of abnormal user tag capture windows by the cloud computing security server through the target cloud service interactive stream recording and the previous cloud service interactive stream recording comprises the following steps: the cloud computing security server determines a plurality of prior abnormal user label capturing windows in prior cloud service interactive stream recording; then, the cloud computing security server determines a plurality of relative distribution characteristic values between a first abnormal user label capturing window and a plurality of previous abnormal user label capturing windows, wherein the first abnormal user label capturing window is one abnormal user label capturing window of the abnormal user label capturing windows; the cloud computing security server determines the maximum characteristic value in the relative distribution characteristic values as a first time sequence associated variable corresponding to a first abnormal user label capturing window; and determining a plurality of first time sequence associated variables corresponding to the plurality of first abnormal user label capturing windows, and then obtaining a plurality of time sequence associated variables corresponding to the plurality of abnormal user label capturing windows by the cloud computing security server.
For example, the cloud computing security server determines, one by one, a plurality of window overlapping variables (a plurality of relative distribution characteristic values) between a first abnormal user label capturing window in the target cloud service interactive streaming record and a plurality of previous abnormal user label capturing windows in the previous cloud service interactive streaming record, and then the cloud computing security server determines a maximum window overlapping variable from the plurality of window overlapping variables, so that the value of the maximum window overlapping variable can be a first time sequence associated variable of the first abnormal user label capturing window. The cloud computing security server applies the same approach to each of the abnormal user tag capturing windows, so that a plurality of time sequence related variables corresponding to the abnormal user tag capturing windows are obtained.
In some examples, the time-series associated variables corresponding to the abnormal user tag capture windows are obtained through superposition calculation data of the abnormal user tag capture windows with different time series, and the superposition calculation data is obtained through calculation of the visual coverage areas of the different abnormal user tag capture windows.
For the embodiment of the invention, after the cloud computing security server obtains a plurality of tag capturing credibility coefficients and a plurality of time sequence related variables corresponding to a plurality of abnormal user tag capturing windows, the cloud computing security server determines a plurality of window weight scores corresponding to the plurality of abnormal user tag capturing windows through the plurality of tag capturing credibility coefficients and the plurality of time sequence related variables.
For the embodiment of the present invention, the window weight score may be obtained by performing global processing (for example, weighting processing) on the tag capture confidence coefficient and the time-series association variable, and an exemplary algorithm is as follows: P1 = F × P2 + (1 − F) × P3.
Wherein, P1 is the window weight score of the abnormal user label capturing window, P2 is the time sequence related variable, P3 is the label capturing credibility coefficient, and F is the compatibility index.
Step 102, determining a disturbance weight score between every two abnormal user tag capture windows in a plurality of abnormal user tag capture windows through target cloud service interactive stream recording.
For the embodiment of the invention, after the cloud computing security server determines a plurality of abnormal user tag capture windows through the target cloud service interactive streaming record and the previous cloud service interactive streaming record that has a time sequence precedence relationship with the target cloud service interactive streaming record, the cloud computing security server combines the abnormal user tag capture windows in pairs to obtain a plurality of splicing strategies (combination modes), and the cloud computing security server calculates, through the target cloud service interactive streaming record, the disturbance weight score (interference weight and conflict weight) between the two abnormal user tag capture windows in each splicing strategy.
For the embodiment of the invention, in the target cloud service interactive streaming recording, the cloud computing security server determines a relative distribution common variable (which can be understood as position similarity) between every two abnormal user tag capturing windows and a recorded content common variable (which can be understood as content similarity).
For the embodiment of the invention, the cloud computing security server determines the cloud service interactive content description information carried in the abnormal user tag capturing window by combining with the dominant content mining module, then the cloud computing security server determines the vector difference value between the two cloud service interactive content description information, and determines the vector difference value (such as cosine distance) as the recorded content common variable between the two abnormal user tag capturing windows corresponding to the two cloud service interactive content description information.
For the embodiment of the invention, a cloud computing security server respectively acquires an information capturing unit of a first abnormal user label capturing window and an information capturing unit of a second abnormal user label capturing window, wherein the first abnormal user label capturing window and the second abnormal user label capturing window are every two abnormal user label capturing windows; then, the cloud computing security server determines a relative distribution common variable between the first abnormal user label capturing window and the second abnormal user label capturing window through the information capturing unit of the first abnormal user label capturing window and the information capturing unit of the second abnormal user label capturing window so as to determine the relative distribution common variable between every two abnormal user label capturing windows.
In one illustrative example, the information capture unit may be a window range spanning 0.5 times the first window size constraint value and 0.5 times the second window size constraint value of the abnormal user tag capture window, the cloud computing security server determines a window overlapping variable between the information capture unit of the first abnormal user tag capture window and the information capture unit of the second abnormal user tag capture window, and the cloud computing security server determines a relative distribution common variable (position similarity) between the first abnormal user tag capture window and the second abnormal user tag capture window through the information capture unit of the first abnormal user tag capture window, the information capture unit of the second abnormal user tag capture window and the window overlapping variable. Further, the window overlapping variable may be understood as an intersection variable between the information capturing unit of the first abnormal user tag capturing window and the information capturing unit of the second abnormal user tag capturing window.
For the embodiment of the invention, the cloud computing security server determines the disturbance weight score between every two abnormal user label capturing windows through the relative distribution common variable and the recorded content common variable.
Step 103, determining a target abnormal user label capturing window from the plurality of abnormal user label capturing windows through the plurality of window weight scores and the disturbance weight scores, and determining a first target abnormal user label carried in the target abnormal user label capturing window so as to perform operation behavior continuous analysis on the first target abnormal user label.
For the embodiment of the invention, after the cloud computing security server respectively determines a plurality of window weight scores corresponding to a plurality of abnormal user tag capturing windows and a disturbance weight score between every two abnormal user tag capturing windows, the cloud computing security server determines a target abnormal user tag capturing window from the plurality of abnormal user tag capturing windows through the plurality of window weight scores and the disturbance weight scores, and determines a first target abnormal user tag carried in the target abnormal user tag capturing window so as to perform operation behavior continuous analysis on the first target abnormal user tag. The operation behavior persistence analysis can be understood as operation behavior detection analysis or tracking analysis, and is used for performing real-time analysis processing on an operation behavior layer.
For the embodiment of the invention, the cloud computing security server takes the plurality of window weight scores as influence factors (weight values) of the disturbance feature members (relation network nodes or relation network elements) of a capturing disturbance relation network (a disturbance feature graph); and takes the disturbance weight score between every two abnormal user label capturing windows as an influence factor of the connection vector between the two disturbance feature members corresponding to those two abnormal user label capturing windows, so that the cloud computing security server generates a complete and rich capturing disturbance relation network corresponding to the plurality of abnormal user label capturing windows.
For the embodiment of the invention, the cloud computing security server determines at least one local relation network in the capturing disturbance relation network, and determines a first local relation network from the at least one local relation network through the window weight score and the disturbance weight score carried by the at least one local relation network; and determining the abnormal user label capture window carried by the first local relation network as a target abnormal user label capture window.
For the embodiment of the invention, the cloud computing security server traverses the capturing disturbance relation network, sequentially determines all possible local relation networks from the relation descriptions in the capturing disturbance relation network, and obtains at least one local relation network from all possible local relation networks, wherein the relation description comprises disturbance feature members and connection vectors.
For the embodiment of the invention, the cloud computing security server determines the local stream type record with the maximum analysis index from each local relationship network in no less than one local relationship network, and determines the set of the local stream type record with the maximum analysis index in each local relationship network as the first local relationship network for capturing the disturbance relationship network; then, the cloud computing security server determines at least one analysis index corresponding to each local relation network in at least one local relation network through the window weight score and the disturbance weight score carried by at least one local stream type record, wherein each local stream type record in at least one local stream type record corresponds to one analysis index; determining a target analysis index with the maximum analysis index from not less than one analysis index corresponding to each local relationship network until not less than one target analysis index corresponding to not less than one local relationship network is determined; finally, the cloud computing security server determines at least one relation network feature distribution corresponding to at least one target analysis index from at least one local relation network; and at least one relation network characteristic distribution is spliced into a first local relation network.
In actual implementation, in view of the fact that the number of disturbance feature members and connection vectors in the disturbance capturing relationship network is large, the cloud computing security server disassembles the disturbance capturing relationship network into at least one local relationship network, determines at least one relationship network feature distribution from the at least one local relationship network, and forms the first local relationship network by the at least one relationship network feature distribution, so that the efficiency of determining the first local relationship network can be improved.
For the embodiment of the invention, the analysis index can be a comparison result between a window weight score self-product carried by the local streaming record and a disturbance weight score statistic value, so that the disturbance between target abnormal user tag capture windows determined by the cloud computing security server through the analysis index is minimum, and the obtained target abnormal user tag capture windows are more credible.
For the embodiment of the invention, a cloud computing security server acquires a disturbance feature member carried by a first local relation network, determines an abnormal user label capturing window corresponding to the disturbance feature member as a target abnormal user label capturing window, and determines a first target abnormal user label carried in the target abnormal user label capturing window so as to realize the operation behavior analysis indication processing of the first target abnormal user label; the cloud computing security server filters abnormal user label capturing windows which are not contained in the first local relation network in the abnormal user label capturing windows.
By applying the embodiment, the cloud computing security server respectively obtains a plurality of window weight scores of a plurality of abnormal user label capturing windows and a plurality of disturbance weight scores between every two abnormal user label capturing windows, a disturbance capturing relation network of the abnormal user labels is generated based on the plurality of window weight scores and the plurality of disturbance weight scores, the cloud computing security server filters capturing information with errors and disturbance from the plurality of abnormal user label capturing windows through the disturbance capturing relation network, and then a target capturing window needing continuous analysis of the operation behavior is determined.
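The following Python sketch walks steps 101 to 103 end to end on constructed data. It is an added example, not code from the patent. The page gives only the formula P1 = F × P2 + (1 − F) × P3 and the 0.5 scaling of the information capturing unit; the rectangle representation, intersection-over-union overlap, cosine content similarity, the product used for the disturbance score, connected components as local relation networks, and the analysis index (sum of window weight scores minus sum of disturbance weight scores) are assumptions made so the example can run.

```python
from dataclasses import dataclass
from itertools import combinations
from math import sqrt

F = 0.5  # compatibility index F; the value is constructed for this example


@dataclass(frozen=True)
class Window:
    wid: str           # hypothetical window identifier
    tag: str           # abnormal user tag carried by the window, e.g. a user ID
    box: tuple         # ASSUMPTION: axis-aligned rectangle (x1, y1, x2, y2)
    confidence: float  # P3, tag capture credibility coefficient
    content: tuple     # ASSUMPTION: content description vector


def overlap(a, b):
    """Window overlapping variable. ASSUMPTION: intersection over union."""
    w = min(a[2], b[2]) - max(a[0], b[0])
    h = min(a[3], b[3]) - max(a[1], b[1])
    inter = max(w, 0.0) * max(h, 0.0)
    union = (a[2] - a[0]) * (a[3] - a[1]) + (b[2] - b[0]) * (b[3] - b[1]) - inter
    return inter / union if union > 0 else 0.0


def capture_unit(box):
    """Information capturing unit: 0.5x width and height (ASSUMPTION: centred)."""
    cx, cy = (box[0] + box[2]) / 2, (box[1] + box[3]) / 2
    hw, hh = (box[2] - box[0]) / 4, (box[3] - box[1]) / 4
    return (cx - hw, cy - hh, cx + hw, cy + hh)


def window_weight(win, previous):
    """Step 101: P1 = F*P2 + (1-F)*P3, P2 = maximum overlap with previous windows."""
    p2 = max((overlap(win.box, p.box) for p in previous), default=0.0)
    return F * p2 + (1 - F) * win.confidence


def cosine(u, v):
    dot = sum(x * y for x, y in zip(u, v))
    norm = sqrt(sum(x * x for x in u)) * sqrt(sum(y * y for y in v))
    return dot / norm if norm else 0.0


def disturbance(a, b):
    """Step 102. ASSUMPTION: position similarity times content similarity."""
    position = overlap(capture_unit(a.box), capture_unit(b.box))
    return position * cosine(a.content, b.content)


def local_networks(windows, edges):
    """ASSUMPTION: local relation networks are the connected components of the
    graph whose edges are the non-zero disturbance weight scores."""
    seen, parts = set(), []
    for start in windows:
        if start in seen:
            continue
        stack, part = [start], []
        while stack:
            w = stack.pop()
            if w in seen:
                continue
            seen.add(w)
            part.append(w)
            stack.extend(o for o in windows if edges.get(frozenset((w, o)), 0) > 0)
        parts.append(part)
    return parts


def select_targets(current, previous):
    """Step 103: keep, per local network, the subset with the highest analysis
    index and splice the results together. ASSUMPTION: index = sum of window
    weight scores minus sum of disturbance weight scores inside the subset.
    The search is exhaustive, so it only suits small local networks."""
    weights = {w: window_weight(w, previous) for w in current}
    edges = {frozenset(p): disturbance(*p) for p in combinations(current, 2)}
    chosen = []
    for part in local_networks(current, edges):
        def index(subset):
            return (sum(weights[w] for w in subset)
                    - sum(edges[frozenset(p)] for p in combinations(subset, 2)))
        subsets = (s for r in range(1, len(part) + 1) for s in combinations(part, r))
        chosen.extend(max(subsets, key=index))
    return chosen, weights


# Constructed sample data: B is a weaker, near-duplicate capture of A's tag.
PREVIOUS = [Window("P1", "user-17", (0, 0, 10, 10), 0.9, (1, 0)),
            Window("P2", "user-42", (20, 0, 30, 10), 0.8, (0, 1))]
CURRENT = [Window("A", "user-17", (0, 0, 10, 10), 0.9, (1, 0)),
           Window("B", "user-17", (1, 0, 11, 10), 0.4, (1, 0)),
           Window("C", "user-42", (20, 0, 30, 10), 0.8, (0, 1))]

if __name__ == "__main__":
    selected, weights = select_targets(CURRENT, PREVIOUS)
    for w in CURRENT:
        print(w.wid, w.tag, round(weights[w], 3), "kept" if w in selected else "filtered")
```

On this data windows A and C are kept and B is filtered, because B's window weight score is lower than the disturbance it introduces against A.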
For a technical solution that can be implemented independently, the embodiment of the present invention further illustrates a method for processing abnormal user behavior of cloud computing service, where the method may include the following steps 201 to 206.
Step 201, determining an activity event identification result corresponding to a first target abnormal user tag and a noise event identification result corresponding to a noise tag through target cloud service interactive streaming recording, where the noise tag may be a user tag with the highest correlation with the first target abnormal user tag.
For the embodiment of the invention, after the cloud computing security server determines the target abnormal user label capturing window, it obtains a first target abnormal user label in the target abnormal user label capturing window. The cloud computing security server determines, in the target cloud service interactive stream recording, the first target abnormal user label and the noise label most similar to it, and then uses an algorithm capable of single label analysis to determine an activity event recognition result of the first target abnormal user label and a noise event recognition result of the noise label. Further, the algorithm capable of single label analysis may be an algorithm built on a single label analysis model.
For the embodiment of the invention, the cloud computing security server determines a target visual text unit including the first target abnormal user tag in the target cloud service interactive streaming record, and then determines the noise tag most similar to the first target abnormal user tag according to the target abnormal user tag that corresponds to the window superposition variable of the target visual text unit and meets a set condition (such as a judgment condition on the window coverage surface).
For the embodiment of the invention, the cloud computing security server determines the activity event recognition result of the first target abnormal user tag in the subsequent cloud service interactive streaming record and the noise event recognition result of the noise tag in the subsequent cloud service interactive streaming record based on the algorithm of single tag analysis. Further, the algorithm of the single tag analysis includes a bigram model and the like, which is not limited in this embodiment of the present invention.
Step 202, a previous interaction behavior description field set corresponding to a first target abnormal user tag and a previous noise behavior description field set corresponding to a noise tag are determined through a previous cloud service interaction stream recording set before the target cloud service interaction stream recording.
For the embodiment of the invention, the cloud computing security server determines a first target abnormal user tag and a noise tag most similar to the first target abnormal user tag through a previous cloud service interactive streaming record set before the target cloud service interactive streaming record, and then determines a previous interactive behavior description field set of the first target abnormal user tag and a previous noise behavior description field set of the noise tag by combining a user ID secondary analysis strategy.
For the embodiment of the invention, the cloud computing security server obtains continuous groups of interactive records before the target cloud service interactive stream record, the continuous groups of interactive records are used as a previous cloud service interactive stream record set, and a previous interactive behavior description field set of a first target abnormal user label and a previous noise behavior description field set of a noise label are determined based on a user ID secondary analysis strategy.
For the embodiment of the present invention, the number of fields in the previous interactive behavior description field set and the number of fields in the previous noise behavior description field set correspond to the number of groups in the previous cloud service interactive streaming record set one by one.
In some examples, the user ID secondary analysis policy may be implemented using a model composed of user ID secondary analysis policies. Further, the user ID secondary analysis strategy includes a long-short term memory model.
In some examples, there are several first target abnormal user tags.
In the embodiment of the present invention, step 201 and step 202 are two steps processed simultaneously before step 203. There is no fixed precedence relationship between step 201 and step 202; the specific order may be chosen according to the actual situation, and the embodiment of the present invention does not limit the implementation order of step 201 and step 202.
Step 203, determining a current activity event distribution characteristic and a current interaction behavior description field corresponding to a second target abnormal user tag through a subsequent cloud service interaction stream record having a time sequence precedence relationship with the target cloud service interaction stream record, wherein the second target abnormal user tag is a target abnormal user tag included in a target abnormal user tag capture window of the subsequent cloud service interaction stream record.
For the embodiment of the invention, the cloud computing security server determines, through the subsequent cloud service interaction stream recording, the second target abnormal user tag and the current activity event distribution characteristic and current interaction behavior description field corresponding to the second target abnormal user tag. The first target abnormal user tag and the second target abnormal user tag are at least partially paired, which can be understood as at least part of the risk user tags in the first target abnormal user tag being paired with at least part of the risk user tags in the second target abnormal user tag. There are several second target abnormal user tags.
Step 204, determining a label word vector distance between a first target abnormal user label and a second target abnormal user label through the activity event recognition result, the previous interaction behavior description field set, the current activity event distribution characteristic and the current interaction behavior description field.
For the embodiment of the invention, the cloud computing security server determines the target relative distribution common variable according to the activity event identification result and the current activity event distribution characteristic; the cloud computing security server determines a behavior description common variable set through the previous interaction behavior description field set and the current interaction behavior description field; then, the cloud computing security server takes the target relative distribution common variable and the behavior description common variable set as the tag word vector distance (difference of user type/user behavior type/user interaction event type) between the first target abnormal user tag and the second target abnormal user tag.
For the embodiment of the invention, the cloud computing security server performs common variable operation on the activity event identification result and the current activity event distribution characteristics to obtain a target relative distribution common variable; and the cloud computing security server performs common variable operation on the previous interaction behavior description field set and the current interaction behavior description field to obtain a behavior description common variable set.
Step 205, determining the noise word vector distance through the noise event recognition result, the previous noise behavior description field set, the current activity event distribution characteristic and the current interaction behavior description field.
For the embodiment of the invention, the cloud computing security server determines the relative distribution common variable of the noise label according to the noise event identification result and the distribution characteristics of the current activity event; the cloud computing security server determines a behavior description common variable of the noise label through a previous noise behavior description field set and a current interaction behavior description field; then, the cloud computing security server determines the relative distribution common variable of the noise labels and the behavior description common variable of the noise labels as the noise word vector distance.
For the embodiment of the invention, the cloud computing security server performs common variable operation on the noise event identification result and the current activity event distribution characteristics to obtain the relative distribution common variable of the noise label; and the cloud computing security server performs common variable operation on the previous noise behavior description field set and the current interaction behavior description field to obtain a behavior description common variable of the noise label.
Further, the target relative distribution common variable is a quotient of a window superposition variable and a window sharing variable of the target visualization text unit, and the behavior description common variable set is a behavior description vector distance.
It can be understood that the operation flow for the relative distribution common variable of the noise label is the same as that for the target relative distribution common variable, and the operation flow for the behavior description common variable of the noise label is the same as that for the behavior description common variable set, so neither is described further in the embodiments of the present invention.
In the embodiment of the present invention, step 204 and step 205 are two steps processed simultaneously after step 203 and before step 206. There is no fixed precedence relationship between step 204 and step 205; the specific order may be chosen according to the actual situation, and the embodiment of the present invention does not limit the implementation order of step 204 and step 205.
Step 206, determining the operation behavior analysis indication of the first target abnormal user label through the label word vector distance and the noise word vector distance.
For the embodiment of the invention, the cloud computing security server determines the upstream and downstream characteristics (associated behavior description vectors) of the operation behavior between the first target abnormal user tag and the second target abnormal user tag through the tag word vector distance and the noise word vector distance; the cloud computing security server uses the upstream and downstream characteristics of the operation behavior to extract the risk user tags in the second target abnormal user tags that are linked with the first target abnormal user tags, so as to determine the operation behavior analysis indication (used to guide behavior analysis and mining for the target abnormal user tags) of the first target abnormal user tags.
For the embodiment of the invention, the cloud computing security server passes the label word vector distance and the noise word vector distance into a set logistic regression model, and the set logistic regression model then determines a plurality of voting values for the upstream and downstream characteristics of various operation behaviors, where the upstream and downstream characteristics of various operation behaviors can be the upstream and downstream characteristics of the operation behaviors obtained by performing operation behavior joint analysis between a first target abnormal user tag and a second target abnormal user tag; the cloud computing security server determines, from the upstream and downstream characteristics of the various operation behaviors, the one with the highest voting value (judgment score) as the upstream and downstream characteristics of the operation behavior.
For the embodiment of the present invention, the set logistic regression model generates a voting value for each associated behavior event in the upstream and downstream features of the multiple operation behaviors, and the voting values within the upstream and downstream features of each operation behavior are then accumulated to obtain the voting value corresponding to those upstream and downstream features.
For the embodiment of the invention, the cloud computing security server performs operation behavior joint analysis on a first target abnormal user tag in the target cloud service interactive streaming record and a second target abnormal user tag in the subsequent cloud service interactive streaming record by combining with the set operation behavior analysis model, so as to obtain the upstream and downstream characteristics of various operation behaviors between the first target abnormal user tag and the second target abnormal user tag.
For embodiments of the present invention, the logistic regression model may be a decision tree. The set operational behavior analysis model may be a two-classification algorithm.
Further, once the cloud computing security server has determined the upstream and downstream characteristics of the operation behavior, it determines, in those characteristics, the risk user tags among the first target abnormal user tags that are linked with the second target abnormal user tags. When the cloud computing security server determines, in the upstream and downstream characteristics of the operation behavior, a third target abnormal user tag among the first target abnormal user tags that is irrelevant to the second target abnormal user tags, it obtains an activity event identification result according to the credibility value of the third target abnormal user tag, and then determines the operation behavior analysis indication of the first target abnormal user tag by using the upstream and downstream characteristics of the operation behavior and the activity event identification result.
For example, when the cloud computing security server determines, among the first target abnormal user tags, a third target abnormal user tag irrelevant to the second target abnormal user tag, the cloud computing security server judges that the third target abnormal user tag in the target cloud service interactive streaming record does not appear in the subsequent cloud service interactive streaming record. In this case, when the credibility value of the third target abnormal user tag does not meet the set credibility threshold, the third target abnormal user tag is regarded as having been switched out of the subsequent cloud service interactive streaming record; when the credibility value of the third target abnormal user tag meets the set credibility threshold, the third target abnormal user tag is regarded as being interfered with by the noise tag in the subsequent cloud service interactive streaming record, and the cloud computing security server then estimates the relative distribution of the third target abnormal user tag in the subsequent cloud service interactive streaming record according to the activity event identification result corresponding to the third target abnormal user tag.
Further, the cloud computing security server determines, in the upstream and downstream features of the operation behavior, the risk user tags among the second target abnormal user tags that are linked with the first target abnormal user tags. When it determines, in the upstream and downstream features of the operation behavior, a fourth target abnormal user tag among the second target abnormal user tags that is irrelevant to the first target abnormal user tags, the cloud computing security server adds the fourth target abnormal user tag to the next round of upstream and downstream features, where the next round of upstream and downstream features are the upstream and downstream features generated for the target cloud service interactive streaming record by a subsequent cloud service interactive streaming record.
For example, when the cloud computing security server determines a fourth target abnormal user tag irrelevant to the first target abnormal user tag in the second target abnormal user tag, this indicates that the fourth target abnormal user tag is a newly added target abnormal user tag, and at this time, the cloud computing security server performs behavior analysis on the fourth target abnormal user tag by using the abnormal user tag.
For the embodiment of the invention, in the upstream and downstream characteristics of the operation behavior, a matched target abnormal user tag in a first target abnormal user tag and a matched target abnormal user tag in a second target abnormal user tag form a tag pair, an isolated member is formed by the unmatched target abnormal user tag in the first target abnormal user tag and the unmatched target abnormal user tag in the second target abnormal user tag, and the cloud computing security server searches the target abnormal user tag in the second target abnormal user tag from the isolated member to be used as a fourth target abnormal user tag irrelevant to the first target abnormal user tag; and the cloud computing security server searches a target abnormal user label in the first target abnormal user label from the isolated member to serve as a third target abnormal user label irrelevant to the second target abnormal user label.
For the embodiment of the invention, the cloud computing security server respectively determines the credibility value and the activity event identification result corresponding to the first target abnormal user label by using a single label analysis algorithm.
For the embodiment of the invention, the cloud computing security server compares the credibility value corresponding to the third target abnormal user label with the set credibility value, and when the credibility value corresponding to the third target abnormal user label reaches the set credibility value, the cloud computing security server obtains the activity event identification result.
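The pairing of first and second target abnormal user tags in steps 204 to 206, together with the handling of the unpaired third and fourth tags, is shown below as an added Python example that is not code from the patent. It assumes that capture windows are time intervals, that behavior description fields are numeric vectors compared by their mean distance, and that a fixed logistic function with constructed weights and cutoffs stands in for the set logistic regression model; all class, function and constant names are hypothetical.

```python
# Added illustration (not the patent's implementation) of steps 204-206.
# Assumptions: a capture window is a (start, end) time interval; description
# fields are numeric vectors; the weights below are constructed, not trained.
from dataclasses import dataclass
from itertools import permutations
from math import dist, exp

WEIGHTS = (6.0, -2.0, -3.0, 1.0)  # tag overlap, tag distance, noise overlap, noise distance
BIAS = -1.5
PAIR_CUTOFF = 0.5      # assumed minimum vote for a pair to count as associated
CRED_THRESHOLD = 0.5   # assumed value for the "set credibility threshold"


@dataclass(frozen=True)
class Tracked:
    """A first target tag, or its noise tag, as known at the target record."""
    name: str
    predicted: tuple     # event recognition result: expected window in the next record
    prior_descs: tuple   # previous behavior description field set, one vector per record
    credibility: float = 0.0


@dataclass(frozen=True)
class Observed:
    """A second target tag captured in the subsequent record."""
    name: str
    window: tuple        # current activity event distribution characteristic
    desc: tuple          # current interaction behavior description field


def overlap_quotient(a, b):
    """Window superposition variable divided by window sharing variable."""
    inter = max(0.0, min(a[1], b[1]) - max(a[0], b[0]))
    union = (a[1] - a[0]) + (b[1] - b[0]) - inter
    return inter / union if union > 0 else 0.0


def vector_distance(tracked, observed):
    """(relative distribution common variable, mean behavior description distance)."""
    q = overlap_quotient(tracked.predicted, observed.window)
    dists = [dist(p, observed.desc) for p in tracked.prior_descs]
    return q, sum(dists) / len(dists)


def vote(first, noise, second):
    """Voting value for one candidate pair from the stand-in logistic model."""
    features = vector_distance(first, second) + vector_distance(noise, second)
    z = BIAS + sum(w * x for w, x in zip(WEIGHTS, features))
    return 1.0 / (1.0 + exp(-z))


def best_feature(firsts, noises, seconds):
    """Enumerate one-to-one pairings, accumulate votes, keep the highest total."""
    best, best_total = (), 0.0
    slots = list(seconds) + [None] * len(firsts)   # None = first tag left unpaired
    for assignment in permutations(slots, len(firsts)):
        pairs = [(f, s) for f, s in zip(firsts, assignment) if s is not None]
        votes = [vote(f, noises[f.name], s) for f, s in pairs]
        if any(v < PAIR_CUTOFF for v in votes):
            continue
        if sum(votes) > best_total:
            best, best_total = tuple(pairs), sum(votes)
    return best, best_total


def analyse(firsts, noises, seconds):
    """Classify every tag as paired, estimated, switched out or new."""
    pairs, _ = best_feature(firsts, noises, seconds)
    paired_first = {f.name for f, _ in pairs}
    paired_second = {s.name for _, s in pairs}
    result = {"pairs": [(f.name, s.name) for f, s in pairs],
              "estimated": {}, "switched_out": [], "next_round": []}
    for f in firsts:                                   # isolated first tags = "third" tags
        if f.name in paired_first:
            continue
        if f.credibility >= CRED_THRESHOLD:
            result["estimated"][f.name] = f.predicted  # interfered with by its noise tag
        else:
            result["switched_out"].append(f.name)      # no longer in the stream
    # Isolated second tags = "fourth" tags, carried into the next round.
    result["next_round"] = [s.name for s in seconds if s.name not in paired_second]
    return result


# Constructed sample data: three tracked tags, their noise tags, two observed tags.
FIRSTS = [Tracked("u1", (10, 20), ((1.0, 0.0), (0.9, 0.1)), 0.9),
          Tracked("u2", (30, 40), ((0.0, 1.0),), 0.9),
          Tracked("u3", (50, 60), ((0.5, 0.5),), 0.2)]
NOISES = {"u1": Tracked("n1", (18, 28), ((0.0, 0.0),)),
          "u2": Tracked("n2", (32, 42), ((0.5, 0.5),)),
          "u3": Tracked("n3", (55, 65), ((0.4, 0.6),))}
SECONDS = [Observed("s1", (11, 21), (1.0, 0.05)),
           Observed("s4", (70, 80), (0.0, -1.0))]

if __name__ == "__main__":
    print(analyse(FIRSTS, NOISES, SECONDS))
```

With the constructed data, u1 pairs with s1, u2 is unpaired but credible and so falls back to its recognition result, u3 is treated as switched out, and s4 is carried into the next round.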
It can be understood that the algorithm of single tag analysis, the user ID secondary analysis strategy, the set logistic regression model and the set operation behavior analysis model in the embodiment of the present invention are all dynamic algorithm models.
For the embodiment of the invention, the cloud computing security server determines the real-time operation behavior record of different target abnormal user tags in the streaming session from the upstream and downstream characteristics of the operation behavior, so that the target abnormal user tags can be analyzed.
By applying this embodiment, the cloud computing security server determines the noise event identification result of the noise tag through the target cloud service interactive stream recording, determines the previous noise behavior description field set of the noise tag through the previous cloud service interactive stream recording set before the target cloud service interactive stream recording, and fuses the two to determine the operation behavior analysis indication of the first target abnormal user tag in the target cloud service interactive stream recording. Because the noise event identification result and the previous noise behavior description field set of the noise tag are used when abnormal user behavior analysis is performed, the interference of the noise tag with the abnormal user behavior analysis is weakened, and the reliability of behavior analysis and detection for abnormal users is improved.
In the embodiment of the invention, the cloud service interaction stream recording can be a recording for cloud computing services such as blockchain finance, virtual reality activities, administrative enterprise cloud business, cloud game fighting and the like, and the stream recording can record the related session interaction information in time order.
Based on the above, for some independent embodiments, after determining the first target abnormal user tag carried in the target abnormal user tag capture window, the method may further include the following steps: performing operation behavior continuous analysis on the first target abnormal user label to obtain an operation behavior log corresponding to the first target abnormal user label; determining a risk tendency field of the first target abnormal user tag based on the operation behavior log; and determining a risk prevention and control scheme aiming at the first target abnormal user label according to the risk tendency field.
For example, a series of operation behaviors of the first target abnormal user tag may be tracked and recorded to obtain an operation behavior log including a series of operation behavior events; the risk tendency field is then mined from the operation behavior log, so that the risk prevention and control scheme corresponding to the risk tendency field can be matched.
For some independent embodiments, determining the risk tendency field of the first target abnormal user tag based on the operation behavior log may include: acquiring an operation behavior text to be identified corresponding to the operation behavior log; utilizing an operation behavior text mining network to extract a risk tendency for the operation behavior text to be identified on a specified interaction scene; and obtaining a risk tendency field of the operation behavior text to be identified according to the risk tendency.
For some independent embodiments, before obtaining the operation behavior text to be identified, the method further includes: obtaining the operation behavior text mining network according to correlation debugging of the reference behavior text of the reference interaction scene and the operation behavior text of the specified interaction scene.
For some independent embodiments, the obtaining the operation behavior text mining network according to the correlation debugging between the reference behavior text of the reference interaction scenario and the operation behavior text of the specified interaction scenario includes: converting the reference behavior text into a specified interactive scene through a text scene adjustment model to obtain a scene behavior text; performing joint feature mining on the scene behavior text and the operation behavior text by using the operation behavior text mining network to obtain a global field cost; and performing associated debugging on the operation behavior text mining network according to the global field cost.
For some independent embodiments, the global field cost includes a joint cost and an identification cost; the mining of the joint detail description of the scenario behavior text and the operation behavior text by using the operation behavior text mining network to obtain the global field cost comprises the following steps: respectively extracting the detailed description of the scene behavior text and the detailed description of the operation behavior text by using the operation behavior text mining network to obtain the detailed description of the scene behavior text and the detailed description of the operation behavior text; obtaining a first risk tendency field of the scene behavior text according to the detailed description of the scene behavior text, and obtaining a second risk tendency field of the operation behavior text according to the detailed description of the operation behavior text; obtaining the joint cost according to the detailed description of the scenario behavior text and the detailed description of the operation behavior text, and obtaining the identification cost according to the positive comments of the first risk tendency field and the scenario behavior text and the negative comments of the second risk tendency field and the operation behavior text; and performing weighting processing on the joint cost and the identification cost to obtain the global field cost.
Based on the same inventive concept, Fig. 2 shows a block diagram of an abnormal user behavior processing apparatus provided in an embodiment of the present invention, and the abnormal user behavior processing apparatus may include a window determining module 21, a weight determining module 22, and a behavior analyzing module 23 for implementing the relevant method steps shown in Fig. 1.
The window determining module 21 is configured to determine a plurality of abnormal user tag capture windows and a plurality of window weight scores corresponding to the abnormal user tag capture windows through a target cloud service interactive streaming record and a previous cloud service interactive streaming record that has a time sequence precedence relationship with the target cloud service interactive streaming record; wherein each abnormal user tag capture window in the plurality of abnormal user tag capture windows corresponds to one window weight score.
The weight determining module 22 is configured to determine a disturbance weight score between every two abnormal user tag capture windows in the plurality of abnormal user tag capture windows based on the target cloud service interactive streaming record.
The behavior analysis module 23 is configured to determine a target abnormal user tag capture window from the plurality of abnormal user tag capture windows based on the plurality of window weight scores and the disturbance weight score, and determine a first target abnormal user tag carried in the target abnormal user tag capture window, so as to perform operation behavior continuous analysis on the first target abnormal user tag.
The embodiments of the invention can achieve the following technical effects: determining a plurality of abnormal user label capturing windows and a plurality of window weight scores corresponding to the abnormal user label capturing windows through the target cloud service interactive stream record and a previous cloud service interactive stream record that has a time sequence precedence relationship with the target cloud service interactive stream record, wherein each abnormal user label capturing window in the abnormal user label capturing windows corresponds to one window weight score; determining a disturbance weight score between every two abnormal user tag capture windows in the plurality of abnormal user tag capture windows through the target cloud service interactive stream record; and determining a target abnormal user label capturing window from the plurality of abnormal user label capturing windows through the plurality of window weight scores and the disturbance weight scores, and determining a first target abnormal user label carried in the target abnormal user label capturing window so as to continuously analyze the operation behavior of the first target abnormal user label. The cloud computing security server obtains a plurality of window weight scores of a plurality of abnormal user label capturing windows and a plurality of disturbance weight scores between every two abnormal user label capturing windows, filters capturing information containing errors and disturbance out of the abnormal user label capturing windows based on the window weight scores and the disturbance weight scores, and then determines a target capturing window that requires continuous analysis of the operation behavior.
The above description is only a specific embodiment of the present invention. Those skilled in the art will appreciate that various modifications and substitutions can be made based on the specific embodiments of the present invention, and all such modifications and substitutions are intended to fall within the scope of the present invention.