CN115168917B - A cloud computing service abnormal user behavior processing method and server - Google Patents

Abstract

The invention provides an abnormal user behavior processing method and a server of cloud computing service, wherein a cloud computing security server respectively acquires a plurality of window weight scores of a plurality of abnormal user tag capturing windows and a plurality of disturbance weight scores between every two abnormal user tag capturing windows, filters capturing information with errors and disturbances from the plurality of abnormal user tag capturing windows based on the plurality of window weight scores and the plurality of disturbance weight scores, and then determines a target capturing window needing to be subjected to continuous analysis of operation behaviors, so that the precision and the credibility of continuous analysis can be ensured when an operation behavior analysis instruction is determined, and the behavior analysis and detection reliability of abnormal users is improved.

Description

A cloud computing service abnormal user behavior processing method and server

Technical field

The present invention relates to the technical field of cloud computing, and in particular to a method and server for processing abnormal user behavior of cloud computing services.

Background technique

Cloud computing is a type of distributed computing, which refers to decomposing huge data computing processing programs into countless small programs through the network "cloud", and then processing and analyzing these small programs through a system composed of multiple servers. The program gets the results and returns them to the user.

At present, the service functions and service types of cloud computing are constantly increasing, involving blockchain finance, virtual reality activities, government and enterprise cloud services, cloud game battles, etc. At the same time, security protection for cloud computing services is essential. One of the important steps in the security protection of related cloud computing services is to analyze and process abnormal user behavior. However, how to accurately and reliably achieve continuous analysis of abnormal user behavior and reduce unnecessary interference and errors is what needs to be overcome at present. One of the difficulties.

Contents of the invention

The present invention provides a cloud computing service abnormal user behavior processing method and server. In order to achieve the above technical objectives, the present invention adopts the following technical solutions.

The first aspect is a method for processing abnormal user behavior of cloud computing services, which is applied to cloud computing security servers. The method includes:

Determine several abnormal user tag capture windows and the several abnormal user tag capture windows through the target cloud service interactive streaming record and the target cloud service interactive streaming record that has a temporal relationship with the previous cloud service interactive streaming record Corresponding several window weight scores; wherein each abnormal user label capture window among the several abnormal user label capture windows corresponds to one window weight score;

Based on the target cloud service interactive streaming record, determine the disturbance weight score between each two abnormal user tag capture windows in the several abnormal user tag capture windows;

Based on the several window weight scores and the disturbance weight score, a target abnormal user label capture window is determined from the several abnormal user label capture windows, and the first abnormal user label capture window carried in the target abnormal user label capture window is determined. The target abnormal user tag is used to conduct a continuous analysis of the operating behavior of the first target abnormal user tag.

In some possible embodiments, several abnormal user tag capture windows are determined through the target cloud service interaction streaming record and the target cloud service interaction streaming record that has a temporal relationship with the previous cloud service interaction streaming record. Several window weight scores corresponding to the several abnormal user tag capture windows include:

Based on the target cloud service interactive streaming record, determine the several abnormal user tag capture windows and several tag capture credibility coefficients corresponding to the several abnormal user tag capture windows, and determine the several abnormal user tag capture windows. Each abnormal user tag capture window in corresponds to a tag capture credibility coefficient;

Based on the target cloud service interactive streaming record and the previous cloud service interactive streaming record, several timing associated variables corresponding to the several abnormal user tag capture windows are determined, and each of the abnormal user tag capture windows corresponds to one time series related variables;

Based on the several tag capture credibility coefficients and the several time series correlation variables, several window weight scores corresponding to the several abnormal user tag capture windows are determined.

In some possible embodiments, determining a number of timing associated variables corresponding to the several abnormal user tag capture windows based on the target cloud service interaction streaming record and the previous cloud service interaction streaming record, include:

In the previous cloud service interactive streaming record, determine several previous abnormal user tag capture windows;

Determine several relative distribution characteristic values between the first abnormal user tag capture window and the several previous abnormal user tag capture windows, and the first abnormal user tag capture window is one of the several abnormal user tag capture windows. One of the exception user tag capture windows;

Determine the maximum eigenvalue among the several relative distribution eigenvalues as the first time series associated variable corresponding to the first abnormal user tag capture window;

Determine a plurality of first timing associated variables corresponding to a plurality of the first abnormal user tag capture windows, so as to determine the plurality of timing associated variables corresponding to the several abnormal user tag capture windows.

In some possible embodiments, determining the disturbance weight score between each two abnormal user tag capture windows in the several abnormal user tag capture windows based on the target cloud service interaction streaming record includes:

In the target cloud service interactive streaming record, determine the relative distribution common variables and record content common variables between each two abnormal user tag capture windows;

Based on the relative distribution common variables and the recorded content common variables, the disturbance weight score between each two abnormal user tag capture windows is determined.

In some possible embodiments, determining the relative distribution common variables between each two abnormal user tag capture windows in the target cloud service interaction streaming record includes:

Obtain the information capture unit of the first abnormal user tag capture window and the information capture unit of the second abnormal user tag capture window respectively, and the first abnormal user tag capture window and the second abnormal user tag capture window are the two An abnormal user label capture window;

Based on the information capture unit of the first abnormal user tag capture window and the information capture unit of the second abnormal user tag capture window, determine the first abnormal user tag capture window and the second abnormal user tag capture window. The relative distribution common variables between each two abnormal user tag capture windows are determined to determine the relative distribution common variables between each two abnormal user tag capture windows.

In some possible embodiments, determining a target abnormal user label capture window from the several abnormal user label capture windows based on the several window weight scores and the disturbance weight score includes:

The several window weight scores are used as influencing factors to capture the disturbance feature members of the disturbance relationship network;

The disturbance weight score between each two abnormal user label capture windows is used as the influencing factor of the connection vector between the two disturbance feature members corresponding to each two abnormal user label capture windows to generate a capture disturbance relationship network;

Determine no less than one local relationship network in the capturing disturbance relationship network, and determine from the no less than one local relationship network based on the window weight score and the disturbance weight score carried by the no less than one local relationship network. Out of the first local relationship network;

The abnormal user tag capture window carried by the first local relationship network is determined as the target abnormal user tag capture window.

In some possible embodiments, determining the first local relationship network from the no less than one local relationship network based on the window weight score and the perturbation weight score carried by the no less than one local relationship network includes: :

Respectively determine no less than a set of local streaming records corresponding to no less than one local relationship network, each local relationship network in the no less than one local relationship network corresponding to a set of local streaming records, and the set of local streaming records The streaming record includes no less than one partial streaming record;

Based on the window weight score and the perturbation weight score carried by the no less than one local streaming record, determine no less than one parsing index corresponding to each local relationship network in the no less than one local relationship network, the no less than Each local streaming record in a local streaming record corresponds to a parsing index;

Determine the target resolution index with the largest resolution index from no less than one resolution index corresponding to each of the local relationship networks, until no less than one target resolution index corresponding to the no less than one local relationship network is determined;

From the no less than one local relationship network, determine the characteristic distribution of no less than one relationship network corresponding to the no less than one target resolution index;

The feature distribution of no less than one relationship network is spliced into the first local relationship network.

In some possible embodiments, after determining the first target abnormal user label carried in the target abnormal user label capture window, the method further includes:

Based on the target cloud service interactive streaming record, determine the activity event identification result corresponding to the first target abnormal user label and the noise event identification result corresponding to the noise label, and the noise label is the same as the first target abnormal user label The user label with the highest correlation to the target abnormal user label;

Based on the previous cloud service interactive streaming record set before the target cloud service interactive streaming record, determine the previous interactive behavior description field set corresponding to the first target abnormal user tag and the previous noise behavior description corresponding to the noise tag. fieldset;

By determining the current activity event distribution characteristics and the current interaction behavior description field corresponding to the second target abnormal user tag through the subsequent cloud service interactive streaming record that has a temporal relationship with the target cloud service interaction streaming record, the second The target abnormal user label is the target abnormal user label included in the target abnormal user label capture window of the interactive streaming record of the latter cloud service;

Based on the activity event identification result, the previous interaction behavior description field set, the current activity event distribution characteristics and the current interaction behavior description field, the first target abnormal user label and the second target abnormality are determined Tag word vector distance between user tags;

Determine the noise word vector distance based on the noise event identification result, the previous noise behavior description field set, the current activity event distribution characteristics and the current interactive behavior description field;

Based on the tag word vector distance and the noise word vector distance, an operation behavior analysis indication of the first target abnormal user tag is determined.

In some possible embodiments, determining the operation behavior analysis indication of the first target abnormal user tag based on the tag word vector distance and the noise word vector distance includes:

Based on the label word vector distance and the noise word vector distance, determine the upstream and downstream characteristics of the operating behavior between the first target abnormal user label and the second target abnormal user label;

Combining the upstream and downstream characteristics of the operation behavior, extract risk user tags that are related to the first target abnormal user tag from the second target abnormal user tag to determine the operation behavior analysis of the first target abnormal user tag. instruct.

The second aspect is a cloud computing security server, including a memory and a processor; the memory is coupled to the processor; the memory is used to store computer program code, and the computer program code includes computer instructions; wherein, when the When the processor executes the computer instructions, the cloud computing security server is caused to execute the method of the first aspect.

The third aspect is a computer-readable storage medium having a computer program stored thereon, the computer program executing the method of the first aspect when running.

According to an embodiment of the present invention, several abnormal user tag capture windows and several exceptions are determined through the target cloud service interactive streaming record and the target cloud service interactive streaming record that have a temporal relationship with the previous cloud service interactive streaming record. Several window weight scores corresponding to the user tag capture window, and each abnormal user tag capture window in the several abnormal user tag capture windows corresponds to a window weight score; several abnormal user tag capture windows are determined through the target cloud service interactive streaming record The disturbance weight score between each two abnormal user label capture windows; through several window weight scores and disturbance weight scores, the target abnormal user label capture window is determined from several abnormal user label capture windows, and the target abnormal user is determined The tag captures the first target abnormal user tag carried in the window to conduct continuous analysis of the operation behavior of the first target abnormal user tag. Applied to the embodiment of the present invention, the cloud computing security server obtains several window weight scores of several abnormal user tag capture windows and several disturbance weight scores between every two abnormal user tag capture windows, and based on several window weights Scores and several disturbance weight scores filter out capture information with errors and disturbances from several abnormal user tag capture windows, and then determine the target capture window that requires continuous analysis of operational behavior. In this way, when determining the operational behavior analysis When instructed, it can ensure the accuracy and credibility of continuous analysis and improve the reliability of behavioral analysis and detection of abnormal users.

Description of the drawings

Figure 1 is a schematic flowchart of a method for processing abnormal user behavior of cloud computing services provided by an embodiment of the present invention.

Figure 2 is a module block diagram of an abnormal user behavior processing device provided by an embodiment of the present invention.

Detailed ways

Hereinafter, the terms “first”, “second” and “third” are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of indicated technical features. Thus, a feature defined as "first", "second", "third", etc. may explicitly or implicitly include one or more of these features.

Figure 1 shows a schematic flowchart of a method for processing abnormal user behavior of cloud computing services provided by an embodiment of the present invention. The method of processing abnormal user behavior of cloud computing services can be implemented through a cloud computing security server. The cloud computing security server can include a memory and a processor. The memory is coupled to the processor; the memory is used to store computer program code, the computer program code includes computer instructions; wherein when the processor executes the computer instructions, the cloud computing The security server implements the technical solution described in the following steps.

Step 101: Determine the correspondence between several abnormal user tag capture windows and several abnormal user tag capture windows through the target cloud service interactive streaming record and the target cloud service interactive streaming record that have a temporal relationship with the previous cloud service interactive streaming record. There are several window weight scores, and each abnormal user label capture window in several abnormal user label capture windows corresponds to a window weight score.

For this embodiment of the present invention, the abnormal user tag in the abnormal user tag capture window may be a user ID or an interaction event theme.

For this embodiment of the present invention, the cloud computing security server determines an abnormal user tag capture window including an abnormal user tag in the target cloud service interactive streaming record. The abnormal user tag capture window may be a set visualization shape including the abnormal user tag. .

For the embodiment of the present invention, the cloud computing security server determines several abnormal user tag capture windows and several tag capture credibility coefficients corresponding to several abnormal user tag capture windows through the target cloud service interactive streaming record, and several abnormal user tag capture windows. Each abnormal user tag capture window in the user tag capture window corresponds to a tag capture credibility coefficient.

For example, the information capture module performs a credibility coefficient calculation on the abnormal user tag capture window in the target cloud service interactive streaming record, and obtains the tag capture credibility coefficient corresponding to the abnormal user tag capture window, where the information capture module can support Vector machines and other functional modules can provide tag capture confidence coefficients for abnormal user tag capture windows.

For the embodiment of the present invention, the cloud computing security server determines several timing associated variables corresponding to several abnormal user tag capture windows through the target cloud service interactive streaming record and the previous cloud service interactive streaming record. Each abnormal user tag The capture window corresponds to a time series correlation variable (continuous confidence coefficient).

For example, the cloud computing security server uses the target cloud service interactive streaming record and the previous cloud service interactive streaming record to determine several time series associated variables corresponding to several abnormal user tag capture windows, including: The cloud computing security server In the first cloud service interactive streaming record, several previous abnormal user tag capture windows are determined; then, the cloud computing security server determines several previous abnormal user tag capture windows between the first abnormal user tag capture window and several previous abnormal user tag capture windows. Relative distribution feature values, the first abnormal user tag capture window is one of several abnormal user tag capture windows; the cloud computing security server determines the largest feature value among several relative distribution feature values as the first First timing associated variables corresponding to the abnormal user tag capture window; and determine several first timing associated variables corresponding to several first abnormal user tag capture windows, and then the cloud computing security server obtains several corresponding to several abnormal user tag capture windows time series related variables.

For example, the cloud computing security server determines one by one the first abnormal user tag capture window in the target cloud service interaction streaming record and several previous abnormal user tag capture windows in the previous cloud service interaction streaming record. window overlay variables (several relative distribution characteristic values), then, the cloud computing security server determines the maximum window overlay variable from several window overlay variables, then the value of the maximum window overlay variable can be captured by the first abnormal user tag The first timing associated variable of the window. The cloud computing security server uses the above ideas to implement several abnormal user tag capture windows, thereby obtaining several time series associated variables corresponding to several abnormal user tag capture windows.

In some examples, the time series associated variables corresponding to the abnormal user label capture window are obtained by superimposing calculation data of abnormal user label capture windows of different time series. The superposition calculation data is calculated by the visual coverage area of different abnormal user label capture windows.

For the embodiment of the present invention, after the cloud computing security server obtains several tag capture credibility coefficients and several timing associated variables corresponding to several abnormal user tag capture windows, the cloud computing security server captures the credibility coefficient through several tags and several time series associated variables to determine several window weight scores corresponding to several abnormal user tag capture windows.

For the embodiment of the present invention, the window weight score can be obtained by performing global processing (such as weighting processing) on tag capture credibility coefficients and time series related variables. The exemplary algorithm is as follows: P1=F*P2+(1-F )*P3.

Among them, P1 is the window weight score of the abnormal user tag capture window, P2 is the time series correlation variable, P3 is the tag capture credibility coefficient, and F is the compatibility index.

Step 102: Determine the disturbance weight score between each two abnormal user tag capture windows in several abnormal user tag capture windows through the target cloud service interactive streaming record.

For the embodiment of the present invention, when the cloud computing security server determines several abnormal user tag captures through the target cloud service interaction streaming record and the target cloud service interaction streaming record that have a temporal relationship with the previous cloud service interaction streaming record After the window, the cloud computing security server combines the abnormal user tag capture windows in several abnormal user tag capture windows to obtain several splicing strategies. The cloud computing security server records various splicing through the target cloud service interactive streaming record. The disturbance weight score (interference weight, conflict weight) between the two abnormal user label capture windows in the strategy (combination method) is calculated.

For the embodiment of the present invention, the cloud computing security server determines the relative distribution common variables (which can be understood as position similarity) and record content between each two abnormal user tag capture windows in the target cloud service interactive streaming record. Common variables (can be understood as content similarity).

For the embodiment of the present invention, the cloud computing security server combines the explicit content mining module to determine the cloud service interactive content description information carried in the abnormal user tag capture window. Then, the cloud computing security server determines one of the two cloud service interactive content description information. The vector difference value (such as cosine distance) is determined as the common variable of the recorded content between the two abnormal user tag capture windows corresponding to the interactive content description information of the two cloud services.

For the embodiment of the present invention, the cloud computing security server obtains the information capture unit of the first abnormal user tag capture window and the information capture unit of the second abnormal user tag capture window respectively, wherein the first abnormal user tag capture window and the second abnormal user tag capture window The abnormal user tag capture window is every two abnormal user tag capture windows; then, the cloud computing security server determines the first abnormality through the information capture unit of the first abnormal user tag capture window and the information capture unit of the second abnormal user tag capture window. The relative distribution common variables between the user tag capture window and the second abnormal user tag capture window are used to determine the relative distribution common variables between each two abnormal user tag capture windows.

In an illustrative example, the information capture unit may be a window range that accounts for 0.5 times the first window size constraint value and the second window size constraint value of the abnormal user tag capture window, and the cloud computing security server determines the first abnormality The window overlay variable between the information capture unit of the user tag capture window and the information capture unit of the second abnormal user tag capture window, the cloud computing security server captures the information through the information capture unit of the first abnormal user tag capture window and the second abnormal user tag capture window The information capture unit and window overlay variable of the window determine the relative distribution common variable (position similarity) between the first abnormal user label capture window and the second abnormal user label capture window. Further, the window overlay variable can be understood as a cross variable between the information capturing unit of the first abnormal user tag capturing window and the information capturing unit of the second abnormal user tag capturing window.

For the embodiment of the present invention, the cloud computing security server determines the disturbance weight score between each two abnormal user tag capture windows through the relative distribution of common variables and the recorded content common variables.

Step 103: Determine the target abnormal user label capture window from several abnormal user label capture windows through several window weight scores and disturbance weight scores, and determine the first target abnormal user label carried in the target abnormal user label capture window, To conduct continuous analysis of operating behavior on the first target abnormal user tag.

For the embodiment of the present invention, when the cloud computing security server determines several window weight scores corresponding to several abnormal user tag capture windows and the disturbance weight score between every two abnormal user tag capture windows, the cloud computing security server The server determines the target abnormal user label capture window from several abnormal user label capture windows through several window weight scores and disturbance weight scores, and determines the first target abnormal user label carried in the target abnormal user label capture window to target The first target abnormal user label conducts continuous analysis of operating behavior. Among them, continuous analysis of operating behavior can be understood as operating behavior detection analysis or tracking analysis, which is used for real-time analysis and processing at the level of operating behavior.

For the embodiment of the present invention, the cloud computing security server uses several window weight scores as the influencing factors (weight values) of the disturbance feature members (relationship network nodes or relationship network elements) that capture the disturbance relationship network (capture the disturbance feature map); And the disturbance weight score between each two abnormal user label capture windows is used as the influencing factor of the connection vector between the two disturbance feature members corresponding to each two abnormal user label capture windows. In this way, the cloud computing security server A complete and rich capture perturbation relationship network corresponding to several abnormal user tag capture windows is generated.

For the embodiment of the present invention, the cloud computing security server determines no less than one local relationship network in the capture disturbance relationship network, and uses the window weight score and the disturbance weight score carried by no less than one local relationship network, and is never less than The first local relationship network is determined in a local relationship network; the abnormal user label capture window carried by the first local relationship network is determined as the target abnormal user label capture window.

For the embodiment of the present invention, the cloud computing security server accesses the capture disturbance relationship network one by one, determines all possible local relationship networks described in the capture disturbance relationship network, and determines a number of possible local relationship networks from all possible local relationship networks. In a local relationship network, the relationship description includes perturbation feature members and connection vectors.

For the embodiment of the present invention, the cloud computing security server determines the local streaming record with the largest resolution index from each local relationship network in no less than one local relationship network, and records the local streaming record with the largest resolution index in each local relationship network. The set of streaming records is determined as the first partial relationship network that captures the disturbance relationship network. In actual implementation, the cloud computing security server determines no less than one local relationship network and no less than a set of local streaming records corresponding to it, where, Each local relationship network in no less than one local relationship network corresponds to a set of local streaming records, and a set of local streaming records includes no less than one local streaming record; then, the cloud computing security server passes no less than one local streaming record. The window weight score and perturbation weight score carried by the streaming record determine no less than one parsing index corresponding to each local relationship network in no less than one local relationship network, where no less than each local flow in one local streaming record is The formula record corresponds to an analytic index; and the target analytic index with the largest analytic index is determined from no less than one analytic index corresponding to each local relationship network, until no less than one target analytic index corresponding to no less than one local relationship network is determined. ; Finally, the cloud computing security server determines no less than one relationship network feature distribution corresponding to no less than one target resolution index from no less than one local relationship network; and splices no less than one relationship network feature distribution into the first local network.

In actual implementation, in view of the large number of disturbance feature members and connection vectors in the capture disturbance relationship network, the cloud computing security server disassembles the capture disturbance relationship network into no less than one local relationship network, and no less than one partial relationship network respectively. Determining at least one relationship network feature distribution in the relationship network, so as to form the first partial relationship network by combining at least one relationship network feature distribution, can improve the efficiency of determining the first partial relationship network.

For the embodiment of the present invention, the parsing index can be the comparison result between the self-product sum of the window weight score carried by the local streaming record and the statistical value of the disturbance weight score. In this way, the cloud computing security server determines by parsing the index The disturbance between the target abnormal user label capture windows is minimal, and the obtained target abnormal user label capture window is more credible.

For the embodiment of the present invention, the cloud computing security server obtains the disturbance feature members carried by the first local relationship network, determines the abnormal user tag capture window corresponding to the disturbance feature member as the target abnormal user tag capture window, and determines the target abnormality The first target abnormal user tag carried in the user tag capture window is used to realize the operation behavior analysis and instruction processing of the first target abnormal user tag; the cloud computing security server captures several abnormal user tags that are not included in the first part Abnormal user tag capture window filtering in relationship networks.

Applying the above embodiments, the cloud computing security server obtains several window weight scores of several abnormal user tag capture windows and several disturbance weight scores between every two abnormal user tag capture windows, and based on the several window weight scores and Several disturbance weight scores generate a capture disturbance relationship network of abnormal user tags. The cloud computing security server filters out the capture information with errors and disturbances from several abnormal user tag capture windows through the capture disturbance relationship network, and then determines the required operation behavior. The target capture window of continuous analysis can ensure the accuracy and credibility of continuous analysis when determining operation behavior analysis instructions, and improve the reliability of behavior analysis and detection of abnormal users.

As a technical solution that can be implemented independently, the embodiment of the present invention also shows a method for processing abnormal user behavior of cloud computing services. The method may include the following steps 201 to 206.

Step 201: Determine the activity event identification result corresponding to the first target abnormal user label and the noise event identification result corresponding to the noise label through the target cloud service interactive streaming record. The noise label can be the one with the highest correlation with the first target abnormal user label. user tag.

For the embodiment of the present invention, after the cloud computing security server determines the target abnormal user label capture window, the cloud computing security server obtains the first target abnormal user label in the target abnormal user label capture window, and the cloud computing security server determines the target abnormal user label capture window. Determine the first target abnormal user label and the noise label most similar to the first target abnormal user label in the service interaction streaming record, and then use an algorithm that can realize single label analysis to determine the activity event identification results of the first target abnormal user label and noise event identification results of noise labels. Furthermore, the algorithm that can implement single-label analysis may be an algorithm composed of a single-label analysis model.

For the embodiment of the present invention, the cloud computing security server determines the target visual text unit including the first target abnormal user label in the target cloud service interactive streaming record, and then, the cloud computing security server superimposes variables according to the window of the target visual text unit. The corresponding target abnormal user label that meets the set conditions (such as the window coverage judgment condition) is determined as the noise label most similar to the first target abnormal user label.

For the embodiment of the present invention, the cloud computing security server determines the activity event recognition results of the first target abnormal user tag in the latter cloud service interactive streaming record and the noise tag in the latter cloud service based on the algorithm of single tag analysis. Noisy event identification results in interactive streaming recordings. Furthermore, the single-label analysis algorithm includes twin models, etc., and the embodiments of the present invention do not limit this.

Step 202: Determine the previous interactive behavior description field set corresponding to the first target abnormal user label and the previous noise behavior description field corresponding to the noise label through the previous cloud service interactive streaming record set before the target cloud service interactive streaming record. set.

For the embodiment of the present invention, the cloud computing security server determines the first target abnormal user label and the most similar first target abnormal user label through the previous cloud service interactive streaming record set before the target cloud service interactive streaming record. noise tags, and then combined with the user ID secondary analysis strategy to determine the previous interaction behavior description field set of the first target abnormal user tag and the previous noise behavior description field set of the noise tag.

For the embodiment of the present invention, the cloud computing security server obtains multiple consecutive sets of interaction records before the target cloud service interaction streaming record as a set of previous cloud service interaction streaming records, and based on the user ID secondary analysis strategy, Determine the previous interaction behavior description field set of the first target abnormal user label and the previous noise behavior description field set of the noise label.

For this embodiment of the present invention, the number of fields in the previous interaction behavior description field set and the number of fields in the previous noise behavior description field set correspond to the number of groups in the previous cloud service interaction streaming record set.

In some examples, the user ID secondary analysis strategy may be implemented using a model composed of the user ID secondary analysis strategy. Further, the user ID secondary analysis strategy includes a long short-term memory model.

In some examples, the number of first target abnormal user labels is several.

In the embodiment of the present invention, step 201 and step 202 are two simultaneous processing steps before step 203. There is no fixed sequence relationship between step 201 and step 202. The specific implementation steps can be operated according to the actual situation. The present invention The embodiment does not limit the execution order of step 201 and step 202.

Step 203: Determine the current activity event distribution characteristics and current interaction behavior description fields corresponding to the second target abnormal user tag through the interactive streaming record of the subsequent cloud service that has a temporal relationship with the target cloud service. The second target The abnormal user label is a target abnormal user label included in the target abnormal user label capture window recorded by the latter cloud service interactive streaming.

For the embodiment of the present invention, the cloud computing security server determines the second target abnormal user label and the current activity event distribution characteristics and current interactive behavior description field corresponding to the second target abnormal user label through the latter cloud service interactive streaming record. . The first target abnormal user label and the second target abnormal user label are at least partially matched, which can be understood as at least part of the risk user labels in the first target abnormal user label and at least part of the risk user label in the second target abnormal user label. There are several abnormal user labels of the second target abnormal user label.

Step 204: Determine the tag word vector distance between the first target abnormal user tag and the second target abnormal user tag through the activity event recognition results, the previous interaction behavior description field set, the current activity event distribution characteristics and the current interaction behavior description field. .

For the embodiment of the present invention, the cloud computing security server determines the target relative distribution common variables through the activity event recognition results and the current activity event distribution characteristics; the cloud computing security server determines the target relative distribution common variables through the previous interaction behavior description field set and the current interaction behavior description field, Determine the behavior description common variable set; then, the cloud computing security server determines the target relative distribution common variable and the behavior description common variable set as the label word vector distance (user type) between the first target abnormal user label and the second target abnormal user label /Differences in user behavior types/user interaction event types).

For the embodiment of the present invention, the cloud computing security server performs common variable operations on the activity event recognition results and the current activity event distribution characteristics to obtain the common variables of the target relative distribution; the cloud computing security server calculates the previous interaction behavior description field set and the current interaction The behavior description field performs common variable operations to obtain a set of behavior description common variables.

Step 205: Determine the noise word vector distance through the noise event recognition results, the previous noise behavior description field set, the current activity event distribution characteristics and the current interactive behavior description field.

For the embodiment of the present invention, the cloud computing security server determines the common variables of the relative distribution of noise tags through the noise event recognition results and the current active event distribution characteristics; the cloud computing security server determines the common variables of the relative distribution of noise tags through the previous noise behavior description field set and the current interaction behavior description field. , determine the common variables of the behavior description of the noise tag; then, the cloud computing security server determines the common variable of the relative distribution of the noise tag and the common variable of the behavior description of the noise tag as the noise word vector distance.

For the embodiment of the present invention, the cloud computing security server performs common variable calculations on the noise event recognition results and the current active event distribution characteristics to obtain the common variables of the relative distribution of noise tags; the cloud computing security server performs common variable calculations on the previous noise behavior description field set and the current active event distribution characteristics. The interactive behavior description field performs common variable operations to obtain the common variables of the noise label's behavior description.

Furthermore, the target relative distribution common variable is the quotient of the window overlay variable and the window shared variable of the target visual text unit, and the behavior description common variable set is the behavior description vector distance.

It can be understood that the operation process of the common variables of the relative distribution of noise tags is consistent with the operation process of the common variables of the relative distribution of the target, and the operation process of the behavior description common variables of the noise tags is consistent with the operation process of the behavior description common variable set. The embodiment of the present invention does not apply here. Too much description.

In the embodiment of the present invention, step 204 and step 205 are two simultaneous processing steps after step 203 and before step 206. There is no fixed sequence relationship between step 204 and step 205. The specific implementation steps can be carried out according to the actual situation. Operation, the embodiment of the present invention does not limit the execution order of step 204 and step 205.

Step 206: Determine the operation behavior analysis indication of the first target abnormal user tag through the tag word vector distance and the noise word vector distance.

For the embodiment of the present invention, the cloud computing security server determines the upstream and downstream characteristics of the operating behavior (associated behavior description vector) between the first target abnormal user label and the second target abnormal user label through the label word vector distance and the noise word vector distance. ); the cloud computing security server uses the upstream and downstream characteristics of the operation behavior to extract the risk user tags that are related to the first target abnormal user tags from the second target abnormal user tags to determine the operation behavior analysis instructions of the first target abnormal user tags ( Used to guide behavioral analysis and mining of target abnormal user tags).

For the embodiment of the present invention, the cloud computing security server transmits the tag word vector distance and the noise word vector distance into the set logistic regression model; then by setting the logistic regression model, several upstream and downstream characteristics of various operating behaviors are determined. Voting value, among which the upstream and downstream characteristics of various operating behaviors can be the upstream and downstream characteristics of operating behaviors obtained by jointly analyzing the operating behaviors between the first target abnormal user label and the second target abnormal user label; the cloud computing security server obtains the upstream and downstream characteristics of the operating behavior from a variety of Among the upstream and downstream characteristics of the operation behavior, the upstream and downstream characteristics of the operation behavior with the highest voting value (judgment score) are determined as the upstream and downstream characteristics of the operation behavior.

For the embodiment of the present invention, a logistic regression model is set to generate voting values between each associated behavioral event in the upstream and downstream characteristics of multiple operating behaviors, and then the voting values in the upstream and downstream characteristics of each operating behavior are accumulated. Through processing, the voting values corresponding to the upstream and downstream characteristics of the operation behavior are obtained. In view of this, several voting values for the upstream and downstream characteristics of various operation behaviors are obtained.

For the embodiment of the present invention, the cloud computing security server combines the set operation behavior analysis model to analyze the first target abnormal user tag in the target cloud service interactive streaming record and the second target in the latter cloud service interactive streaming record. The abnormal user labels conduct joint analysis of operation behaviors to obtain a variety of upstream and downstream characteristics of operation behaviors between the first target abnormal user label and the second target abnormal user label.

For this embodiment of the present invention, the logistic regression model may be a decision tree. The operating behavior analysis model can be set as a binary classification algorithm.

Further, when the cloud computing security server determines the upstream and downstream characteristics of the operation behavior, the cloud computing security server determines the risk user label that is related to the second target abnormal user label among the first target abnormal user labels in the upstream and downstream characteristics of the operation behavior. , when the cloud computing security server determines the third target abnormal user label that is not related to the second target abnormal user label among the first target abnormal user labels in the upstream and downstream characteristics of the operation behavior, the cloud computing security server passes the third target abnormal user label The credibility coefficient value of the user tag is used to obtain the activity event identification results. Then, the cloud computing security server uses the upstream and downstream characteristics of the operation behavior and the activity event identification results to determine the operation behavior analysis instructions of the first target abnormal user tag.

For example, when the cloud computing security server determines in the first target abnormal user label a third target abnormal user label that is not related to the second target abnormal user label, the cloud computing security server determines that the target cloud service interaction streaming record The third target abnormal user label did not appear in the latter cloud service interactive streaming record. At this time, the cloud computing security server determined that the third target abnormal user label did not appear in the latter cloud service interactive streaming record. The reason is that when the credibility coefficient value of the third target abnormal user label does not meet the set credibility coefficient threshold, it means that the third target abnormal user label switches out of the subsequent cloud service interactive streaming record; when the third target abnormal user label When the credibility coefficient value meets the set credibility coefficient threshold, it means that the third target abnormal user label is interfered by the noise label in the latter cloud service interactive streaming record. At this time, the cloud computing security server corresponds to the third target abnormal user label through The activity event identification results are used to estimate the relative distribution of the third target abnormal user tags in the latter cloud service interactive streaming records.

Further, the cloud computing security server determines a risk user label that is related to the first target abnormal user label in the second target abnormal user label in the upstream and downstream characteristics of the operation behavior. When the cloud computing security server determines the risk user label in the upstream and downstream characteristics of the operation behavior. When the fourth target abnormal user label that is not related to the first target abnormal user label is determined from the second target abnormal user label, the cloud computing security server adds the fourth target abnormal user label to the next round of upstream and downstream features, where, The next round of upstream and downstream features are the upstream and downstream features generated by taking the next cloud service interaction streaming record as the target cloud service interaction streaming record.

For example, when the cloud computing security server determines a fourth target abnormal user label that is not related to the first target abnormal user label among the second target abnormal user labels, it indicates that the fourth target abnormal user label is a newly added target abnormality. User tag, at this time, the cloud computing security server performs abnormal user behavior analysis on the fourth target abnormal user tag.

For the embodiment of the present invention, in the upstream and downstream characteristics of the operation behavior, the first target abnormal user label and the matching target abnormal user label in the second target abnormal user label form a label pair, and the first target abnormal user label and the second target abnormal user label form a label pair. The unmatched target abnormal user tags in the target abnormal user tags form an orphan member. The cloud computing security server searches for the target abnormal user tag in the second target abnormal user tag from the isolated members as a tag that is not related to the first target abnormal user tag. The fourth target abnormal user label; the cloud computing security server searches for the target abnormal user label in the first target abnormal user label from the isolated member as a third target abnormal user label that is not related to the second target abnormal user label.

For this embodiment of the present invention, the cloud computing security server uses a single tag analysis algorithm to determine the credibility coefficient value and activity event identification result corresponding to the first target abnormal user tag.

For the embodiment of the present invention, the cloud computing security server compares the credibility coefficient value corresponding to the third target abnormal user label with the set credibility coefficient value. When the credibility coefficient value corresponding to the third target abnormal user label reaches the set credibility coefficient value, When the credibility coefficient value is determined, the cloud computing security server obtains the activity event identification results.

It can be understood that the single tag analysis algorithm, the user ID secondary analysis strategy, the set logistic regression model and the set operation behavior analysis model in the embodiment of the present invention are all dynamic algorithm models.

For the embodiment of the present invention, the cloud computing security server determines the real-time operation behavior records of different target abnormal user tags in the streaming session from the upstream and downstream characteristics of the operation behavior, and can then analyze the target abnormal user tags.

Applying the above embodiments, the cloud computing security server determines the noise event recognition result of the noise tag through the target cloud service interactive streaming record, and determines the noise tag through the previous cloud service interactive streaming record set before the target cloud service interactive streaming record. The previous noise behavior description field set is combined with the noise event recognition result of the noise tag and the previous noise behavior description field set to determine the operation behavior analysis indication of the first target abnormal user tag in the target cloud service interactive streaming record. When analyzing the behavior of abnormal users, the noise event recognition results of noise tags and the previous noise behavior description field set are used, thereby weakening the interference of noise tags on the behavior analysis of abnormal users and improving the behavior analysis of abnormal users. and detection reliability.

In embodiments of the present invention, cloud service interaction streaming records may be records for cloud computing services such as blockchain finance, virtual reality activities, government and enterprise cloud services, cloud game battles, etc. The streaming records may record relevant information in chronological order. Conversation interaction information is recorded.

Based on the above content, for some independent embodiments, after determining the first target abnormal user tag carried in the target abnormal user tag capture window, the method may also include the following content: A target abnormal user tag performs a continuous analysis of operation behavior to obtain an operation behavior log corresponding to the first target abnormal user tag; determine the risk tendency field of the first target abnormal user tag based on the operation behavior log; and based on the risk The tendency field determines the risk prevention and control plan for the first target abnormal user label.

For example, a series of operation behaviors of the first target abnormal user tag can be tracked and recorded to obtain an operation behavior log including a series of operation behavior events. However, the risk propensity field can be obtained through risk propensity field mining, so that the risk propensity field can be matched Corresponding risk prevention and control plans.

For some independent embodiments, determining the risk tendency field of the first target abnormal user label based on the operation behavior log may include the following: obtaining the to-be-identified operation behavior text corresponding to the operation behavior log; using the operation The behavioral text mining network extracts the risk tendency of the operation behavior text to be identified on a designated interaction scene; and obtains the risk tendency field of the operation behavior text to be identified based on the risk tendency.

For some independent embodiments, before obtaining the operation behavior text to be identified, the method further includes: debugging to obtain the operation behavior based on the reference behavior text of the reference interaction scene and the operation behavior text of the specified interaction scene. Text mining network.

For some independent embodiments, debugging the reference behavior text based on the reference interaction scene and the operation behavior text of the specified interaction scene to obtain the operation behavior text mining network includes: converting the reference behavior text through text The scene adjustment model is converted to the specified interaction scene to obtain the scene behavior text; the operation behavior text mining network is used to perform joint feature mining on the scene behavior text and the operation behavior text to obtain the global field cost; according to the global Field cost performs correlation debugging on the operational behavior text mining network.

For some independent embodiments, the global field cost includes a joint cost and an identification cost; the operation behavior text mining network is used to perform joint detail description mining on the scenario behavior text and the operation behavior text, Obtaining the global field cost includes: using the operation behavior text mining network to extract detailed descriptions of the scene behavior text and the operation behavior text respectively, and obtaining the scene behavior text detail description and the operation behavior text detail description; according to The first risk propensity field of the scenario-based behavior text is obtained from the detailed description of the scenario-based behavior text, and the second risk propensity field of the operation behavior text is obtained according to the detailed description of the operation behavior text; according to the details of the scenario-based behavior text Description and the detailed description of the operation behavior text, the joint cost is obtained, and based on the positive annotation of the first risk tendency field and the scenario behavior text, as well as the second risk tendency field and the operation behavior text negative annotation to obtain the recognition cost; perform weighting processing on the joint cost and the recognition cost to obtain the global field cost.

Based on the same inventive concept, Figure 2 shows a module block diagram of an abnormal user behavior processing device provided by an embodiment of the present invention. The abnormal user behavior processing device may include a window determination module 21 that implements the relevant method steps shown in Figure 1, and a weight determination module. module 22 and behavior analysis module 23.

The window determination module 21 is used to determine several abnormal user tag capture windows and the described target cloud service interactive streaming record through the target cloud service interactive streaming record and the previous cloud service interactive streaming record that has a chronological relationship. Several window weight scores corresponding to several abnormal user label capture windows; wherein, each abnormal user label capture window in the several abnormal user label capture windows corresponds to one window weight score.

The weight determination module 22 is configured to determine the disturbance weight score between each two abnormal user tag capture windows in the several abnormal user tag capture windows based on the target cloud service interactive streaming record.

Behavior analysis module 23, configured to determine a target abnormal user label capture window from the several abnormal user label capture windows based on the several window weight scores and the disturbance weight score, and determine the target abnormal user label Capture the first target abnormal user tag carried in the window to perform a continuous analysis of the operating behavior of the first target abnormal user tag.

The following technical effects can be achieved when applied to relevant embodiments of the present invention: several abnormal user tags are determined through the target cloud service interactive streaming record and the target cloud service interactive streaming record that has a temporal relationship with the previous cloud service interactive streaming record. Several window weight scores corresponding to the capture window and several abnormal user label capture windows. Each abnormal user label capture window in the several abnormal user label capture windows corresponds to a window weight score; through the target cloud service interactive streaming record, determine a number of The disturbance weight score between every two abnormal user label capture windows in the abnormal user label capture windows; through several window weight scores and disturbance weight scores, the target abnormal user label capture window is determined from several abnormal user label capture windows , and determine the first target abnormal user tag carried in the target abnormal user tag capture window, so as to conduct a continuous analysis of the operation behavior of the first target abnormal user tag. Applied to the embodiment of the present invention, the cloud computing security server obtains several window weight scores of several abnormal user tag capture windows and several disturbance weight scores between every two abnormal user tag capture windows, and based on several window weights Scores and several disturbance weight scores filter out capture information with errors and disturbances from several abnormal user tag capture windows, and then determine the target capture window that requires continuous analysis of operational behavior. In this way, when determining the operational behavior analysis When instructed, it can ensure the accuracy and credibility of continuous analysis and improve the reliability of behavioral analysis and detection of abnormal users.

The above descriptions are only specific embodiments of the present invention. Those skilled in the art may think of changes or substitutions based on the specific embodiments provided by the present invention, and they shall all be included within the protection scope of the present invention.

Claims (6)

1. The abnormal user behavior processing method for the cloud computing service is characterized by being applied to a cloud computing security server, and comprises the following steps:

determining a plurality of abnormal user tag capturing windows and a plurality of window weight scores corresponding to the plurality of abnormal user tag capturing windows through a target cloud service interaction stream record and a previous cloud service interaction stream record with a time sequence relation; wherein each of the plurality of abnormal user tag capture windows corresponds to a window weight score;

determining disturbance weight scores between every two abnormal user tag capturing windows in the plurality of abnormal user tag capturing windows based on the target cloud service interactive streaming records;

determining a target abnormal user tag capturing window from the abnormal user tag capturing windows based on the window weight scores and the disturbance weight scores, and determining a first target abnormal user tag carried in the target abnormal user tag capturing window so as to perform continuous analysis on the operation behaviors of the first target abnormal user tag;

The window weight score is obtained by performing global processing on the tag capturing trusted coefficient and the time sequence related variable, wherein the global processing is weighting processing; the disturbance weight score is an interference weight or a conflict weight;

the determining a plurality of abnormal user tag capturing windows and a plurality of window weight scores corresponding to the plurality of abnormal user tag capturing windows according to the previous cloud service interaction flow records with time sequence relations between the target cloud service interaction flow records comprises the following steps:

determining the plurality of abnormal user tag capturing windows and a plurality of tag capturing trusted coefficients corresponding to the plurality of abnormal user tag capturing windows based on the target cloud service interactive streaming record, wherein each abnormal user tag capturing window in the plurality of abnormal user tag capturing windows corresponds to one tag capturing trusted coefficient;

determining a plurality of time sequence related variables corresponding to the plurality of abnormal user tag capturing windows based on the target cloud service interaction flow record and the previous cloud service interaction flow record, wherein each abnormal user tag capturing window corresponds to one time sequence related variable;

Determining a plurality of window weight scores corresponding to the plurality of abnormal user tag capture windows based on the plurality of tag capture trusted coefficients and the plurality of time sequence associated variables;

the determining, based on the target cloud service interaction flow record and the previous cloud service interaction flow record, a plurality of time sequence related variables corresponding to the plurality of abnormal user tag capturing windows includes:

determining a plurality of prior abnormal user tag capturing windows in the prior cloud service interactive streaming records;

determining a plurality of relative distribution characteristic values between a first abnormal user tag capture window and the plurality of previous abnormal user tag capture windows, wherein the first abnormal user tag capture window is one of the plurality of abnormal user tag capture windows;

determining the maximum characteristic value in the plurality of relative distribution characteristic values as a first time sequence associated variable corresponding to the first abnormal user tag capture window;

determining a plurality of first time sequence related variables corresponding to a plurality of first abnormal user tag capturing windows to determine the plurality of time sequence related variables corresponding to the plurality of abnormal user tag capturing windows;

The determining, based on the target cloud service interactive streaming record, a disturbance weight score between every two abnormal user tag capturing windows in the plurality of abnormal user tag capturing windows includes:

in the target cloud service interactive streaming record, determining a relative distribution common variable and a record content common variable between every two abnormal user tag capturing windows;

determining a disturbance weight score between every two abnormal user tag capture windows based on the relative distribution common variable and the recorded content common variable;

in the target cloud service interactive flow record, determining a relative distribution commonality variable between every two abnormal user tag capturing windows comprises the following steps:

the method comprises the steps of respectively obtaining an information capturing unit of a first abnormal user tag capturing window and an information capturing unit of a second abnormal user tag capturing window, wherein the first abnormal user tag capturing window and the second abnormal user tag capturing window are the two abnormal user tag capturing windows;

and determining relative distribution common variables between the first abnormal user tag capture window and the second abnormal user tag capture window based on the information capture unit of the first abnormal user tag capture window and the information capture unit of the second abnormal user tag capture window so as to determine the relative distribution common variables between every two abnormal user tag capture windows.

2. The method of claim 1, wherein the determining a target outlier user tag capture window from the number of outlier user tag capture windows based on the number of window weight scores and the perturbation weight score comprises:

taking the window weight scores as influence factors for capturing disturbance characteristic members of a disturbance relation network;

the disturbance weight scores between every two abnormal user tag capturing windows are used as influence factors of connection vectors between two disturbance feature members corresponding to the two abnormal user tag capturing windows, and a capturing disturbance relation network is generated;

determining at least one local relation network in the captured disturbance relation network, and determining a first local relation network from the at least one local relation network based on a window weight score and a disturbance weight score carried by the at least one local relation network;

and determining an abnormal user tag capturing window carried by the first local relation network as the target abnormal user tag capturing window.

3. The method of claim 2, wherein the determining a first local relationship network from the at least one local relationship network based on the window weight score and the perturbation weight score carried by the at least one local relationship network comprises:

Respectively determining at least one group of local streaming records corresponding to at least one local relation network, wherein each local relation network in the at least one local relation network corresponds to one group of local streaming records, and the group of local streaming records comprises at least one local streaming record;

determining at least one resolution index corresponding to each local relation network in the at least one local relation network based on the window weight score and the disturbance weight score carried by the at least one local flow record, wherein each local flow record in the at least one local flow record corresponds to one resolution index;

determining a target analysis index with the maximum analysis index from at least one analysis index corresponding to each local relation network until at least one target analysis index corresponding to the at least one local relation network is determined;

determining at least one relation network characteristic distribution corresponding to the at least one target analysis index from the at least one local relation network;

and splicing the at least one relationship network characteristic distribution into the first local relationship network.

4. The method of claim 1, wherein after the determining the first target anomalous user tag carried in the target anomalous user tag capture window, the method further comprises:

Determining an activity event identification result corresponding to the first target abnormal user tag and a noise event identification result corresponding to a noise tag based on the target cloud service interactive streaming record, wherein the noise tag is a user tag with highest correlation degree with a target abnormal user tag in the first target abnormal user tag;

determining a previous interaction behavior description field set corresponding to the first target abnormal user tag and a previous noise behavior description field set corresponding to the noise tag based on a previous cloud service interaction flow record set before the target cloud service interaction flow record;

determining a current active event distribution characteristic and a current interaction behavior description field corresponding to a second target abnormal user tag through a later cloud service interaction flow record with a time sequence relation with the target cloud service interaction flow record, wherein the second target abnormal user tag is a target abnormal user tag included in a target abnormal user tag capturing window of the later cloud service interaction flow record;

determining a tag word vector distance between the first target abnormal user tag and the second target abnormal user tag based on the activity event recognition result, the set of previous interaction behavior description fields, the current activity event distribution feature and the current interaction behavior description field;

Determining a noise word vector distance based on the noise event recognition result, the set of prior noise behavior description fields, the current active event distribution feature and the current interaction behavior description field;

and determining an operation behavior analysis indication of the first target abnormal user tag based on the tag word vector distance and the noise word vector distance.

5. The method of claim 4, wherein the determining an operational behavioral analysis indication of the first target abnormal user tag based on the tag word vector distance and the noise word vector distance comprises:

determining an operational behavior upstream-downstream feature between the first target abnormal user tag and the second target abnormal user tag based on the tag word vector distance and the noise word vector distance;

and extracting a risk user tag which is in contact with the first target abnormal user tag from the second target abnormal user tag by combining the upstream and downstream characteristics of the operation behaviors so as to determine an operation behavior analysis indication of the first target abnormal user tag.

6. The cloud computing security server is characterized by comprising: a memory and a processor; the memory is coupled to the processor; the memory is used for storing computer program codes, and the computer program codes comprise computer instructions; wherein the computer instructions, when executed by the processor, cause the cloud computing security server to perform the method of any of claims 1-5.