CN115600191A - Behavior recognition method, device, equipment and medium - Google Patents

Publication number
CN115600191A
Authority
CN
China
Prior art keywords
detected
behavior data
historical
access behavior
time
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110723019.9A
Other languages
Chinese (zh)
Inventor
张盼
李可
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202110723019.9A
Publication of CN115600191A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a behavior recognition method, a behavior recognition device, equipment and a medium, wherein the method comprises the following steps: acquiring historical user access behavior data of a system to be detected, wherein the historical user access behavior data is user access behavior data within a preset time before the time to be detected; if the historical user access behavior data is historical access behavior data of the system to be detected, and the number of data in the historical access behavior data is not smaller than a first preset value, predicting the access behavior data of the time to be detected based on the historical access behavior data to obtain predicted access behavior data of the time to be detected; and determining whether abnormal user access behaviors exist in the system to be detected under the time to be detected according to the predicted accessed behavior data and the actual accessed behavior data of the time to be detected. This can improve the recognition rate and the recognition accuracy.

Description

Behavior recognition method, device, equipment and medium
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a behavior recognition method, apparatus, device, and medium.
Background
In an actual service system, some users may access the service system, download a large amount of data from it, and leak its internal data, which is very dangerous. It is also possible that a host in the service system has been compromised and that this compromised host (a "zombie" or bot machine) continues to access the service system to steal internal data.
Therefore, abnormal user access behaviors in a business system need to be identified. There are two main types of conventional identification techniques. The first sets a fixed baseline for all behaviors: for example, an individual user may not access a certain business system more than 20 times per hour, and if the number of accesses exceeds 20, that user's access to the business system during that hour is treated as abnormal behavior. The second uses a simple statistical method: for example, the mean, the variance and the like of the number of times a user accesses a certain service system are computed, and if the next access count exceeds several times the mean, the behavior is considered abnormal.
However, in the first mode, the fixed baseline cannot change along with the change of the access behavior of the user, so that a large number of misjudgments and missed judgments are caused, and the accuracy of identification is reduced.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a behavior recognition method, apparatus, device, and medium, which can improve recognition rate and recognition accuracy. The specific scheme is as follows:
in a first aspect, the present application discloses a behavior recognition method, including:
acquiring historical user access behavior data of a system to be detected, wherein the historical user access behavior data is user access behavior data within a preset time length before the time to be detected;
if the historical user access behavior data is historical access behavior data of the system to be detected, and the number of data in the historical access behavior data is not smaller than a first preset value, predicting the access behavior data of the time to be detected based on the historical access behavior data to obtain predicted access behavior data of the time to be detected;
and determining whether abnormal user access behaviors exist in the system to be detected under the time to be detected according to the predicted accessed behavior data and the actual accessed behavior data of the time to be detected.
Optionally, the predicting the visited behavior data of the time to be detected based on the historical visited behavior data to obtain the predicted visited behavior data of the time to be detected includes:
constructing a regression tree by using the historical accessed behavior data;
and predicting the visited behavior data of the time to be detected by using the regression tree to obtain the predicted visited behavior data of the time to be detected.
Optionally, the constructing a regression tree by using the historical visited behavior data includes:
smoothing abnormal values in the historical accessed behavior data;
and dividing the processed historical accessed behavior data into feature data and label data, and generating a regression tree by using the feature data and the label data.
Optionally, the smoothing of the outliers in the historical accessed behavior data includes:
determining abnormal values in the historical visited behavior data by using a box plot;
and processing the abnormal value by using an exponential weighted moving average method to obtain processed historical accessed behavior data.
Optionally, the dividing the processed historical accessed behavior data into feature data and tag data includes:
and taking every continuous preset number of data from the first data in the processed historical accessed behavior data as a group of characteristic data, and taking the next data connected with the last data in the current group of characteristic data as label data corresponding to the current group of characteristic data until the processed historical accessed behavior data is divided.
Optionally, the determining, according to the predicted visited behavior data and the actual visited behavior data of the time to be detected, whether an abnormal user visiting behavior exists in the system to be detected at the time to be detected includes:
determining a ratio between the predicted visited behavior data and the actual visited behavior data;
judging whether the ratio is greater than or equal to a preset ratio threshold value or not;
and if so, determining that abnormal user access behaviors exist in the system to be detected under the time to be detected.
Optionally, after the obtaining of the historical user access behavior data of the system to be detected, the method further includes:
if the historical user access behavior data is historical access behavior data of the system to be detected, and the number of data in the historical access behavior data is smaller than the first preset value, determining a historical access baseline of the time to be detected based on the historical access behavior data and a first preset Z score threshold value;
and determining whether abnormal user access behaviors exist in the system to be detected under the time to be detected according to the historical access baseline and the actual access behavior data of the time to be detected.
Optionally, the determining the historical visited baseline of the time to be detected based on the historical visited behavior data and a first preset Z-score threshold includes:
determining an average value and a standard deviation corresponding to the historical accessed behavior data;
and taking the product of the standard deviation corresponding to the historical visited behavior data and the first preset Z score threshold value, added to the average value corresponding to the historical visited behavior data, as the historical visited baseline of the time to be detected.
Optionally, the determining, according to the historical visited baseline and the actual visited behavior data of the time to be detected, whether an abnormal user visiting behavior exists in the system to be detected at the time to be detected includes:
judging whether the actual accessed behavior data is larger than the historical accessed baseline or not;
and if so, judging that abnormal user access behaviors exist in the system to be detected under the time to be detected.
Optionally, after acquiring the historical user access behavior data of the system to be detected, the method further includes:
if the historical user access behavior data are the personal historical access behavior data of a target user in the system to be detected and the group historical access behavior data of a user group to which the target user belongs, and the number of data in the personal historical access behavior data is not smaller than a second preset value, predicting the personal access behavior data of the target user at the time to be detected based on the personal historical access behavior data to obtain predicted personal access behavior data of the target user at the time to be detected;
and determining whether the access behavior of the target user at the time to be detected is abnormal user access behavior according to the predicted personal access behavior data and the actual personal access behavior data of the target user at the time to be detected, and obtaining a first judgment result.
Optionally, after the obtaining of the historical user access behavior data of the system to be detected, the method further includes:
if the historical user access behavior data is the individual historical access behavior data of a target user in the system to be detected and the group historical access behavior data of a user group to which the target user belongs, and the number of data in the individual historical access behavior data is smaller than the second preset value, determining an individual historical baseline of the target user at the time to be detected based on the individual historical access behavior data and a second preset Z score threshold value;
and determining whether the access behavior of the target user at the time to be detected is abnormal user access behavior according to the personal historical baseline and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a first judgment result.
Optionally, after determining whether the access behavior of the target user at the time to be detected is an abnormal user access behavior according to the predicted personal access behavior data and the actual personal access behavior data of the target user at the time to be detected, the method further includes:
determining a corresponding group baseline according to the group historical access behavior data and a third preset Z-score threshold, wherein the group historical access behavior data is the access behavior data of each user in the user group to which the target user belongs at the time to be detected;
determining whether the access behavior of the target user at the time to be detected is an abnormal user access behavior according to the group baseline and the actual personal access behavior data of the target user at the time to be detected, and obtaining a second determination result;
and determining whether the access behavior of the target user in the time to be detected is abnormal user access behavior according to the first judgment result and the second judgment result.
Optionally, the determining, according to the first determination result and the second determination result, whether the access behavior of the target user in the time to be detected is an abnormal user access behavior includes:
when the first determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, and the second determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, determining that the access behavior of the target user at the time to be detected is an abnormal user access behavior;
or, when the first determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, or the second determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, determining that the access behavior of the target user at the time to be detected is an abnormal user access behavior.
In a second aspect, the present application discloses a behavior recognition apparatus, comprising:
the data acquisition module is used for acquiring historical user access behavior data of a system to be detected, wherein the historical user access behavior data is user access behavior data within a preset time before the time to be detected;
the prediction module is used for predicting the accessed behavior data of the time to be detected based on the historical accessed behavior data to obtain the predicted accessed behavior data of the time to be detected when the historical user access behavior data is the historical accessed behavior data of the system to be detected and the number of data in the historical accessed behavior data is not less than a first preset value;
and the abnormal user access behavior determining module is used for determining whether the abnormal user access behavior exists in the system to be detected under the time to be detected according to the predicted access behavior data and the actual access behavior data of the time to be detected.
In a third aspect, the present application discloses an electronic device, comprising:
a memory and a processor;
wherein the memory is to store a computer program;
the processor is configured to execute the computer program to implement the behavior recognition method disclosed in the foregoing.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the behavior recognition method disclosed in the foregoing.
Therefore, historical user access behavior data of the system to be detected are obtained first, wherein the historical user access behavior data are user access behavior data within a preset time before the time to be detected. If the historical user access behavior data is historical access behavior data of the system to be detected, and the number of data in the historical access behavior data is not smaller than a first preset value, predicting the access behavior data of the time to be detected based on the historical access behavior data, and obtaining predicted access behavior data of the time to be detected. And determining whether abnormal user access behaviors exist in the system to be detected under the time to be detected according to the predicted accessed behavior data and the actual accessed behavior data of the time to be detected. Therefore, when it is required to determine whether an abnormal user access behavior exists in the system to be detected within the time to be detected, the predicted access behavior data of the time to be detected can be predicted based on the historical access behavior data, and then the predicted access behavior data is used as a judgment baseline to be compared with the actual access behavior data, so that whether the abnormal user access behavior exists in the system to be detected within the time to be detected is judged. Because the historical accessed behavior data are different due to different time to be detected, the predicted accessed behavior data obtained by prediction according to the historical accessed behavior data are different, and a changed judgment baseline is obtained, so that the calculated judgment baseline is more accurate, and the recognition rate and the recognition accuracy are improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a behavior recognition method disclosed herein;
FIG. 2 is a flow chart of a particular behavior recognition method disclosed herein;
FIG. 3 is a flow chart of a particular behavior recognition method disclosed herein;
FIG. 4 is a flow chart of a particular behavior recognition method disclosed herein;
FIG. 5 is a schematic structural diagram of a behavior recognition device disclosed in the present application;
FIG. 6 is a schematic structural diagram of an electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, an embodiment of the present application discloses a behavior identification method, including:
Step S11: acquiring historical user access behavior data of a system to be detected, wherein the historical user access behavior data is user access behavior data within a preset time length before the time to be detected.
In practical application, historical user access behavior data of the system to be detected needs to be acquired first, wherein the historical user access behavior data is user access behavior data within a preset time period before the time to be detected. The time to be detected can be the day before the current day: for example, if the system to be detected is checked for abnormal user access behaviors at 8 am every day, the time to be detected for the check at 8 am today is the previous day. The time to be detected can also be the current day: for example, if the system to be detected is checked for abnormal user access behaviors at 11:50 pm every day, the time to be detected for the check at 11:50 pm is the current day. The data within the preset time period can be the user access behavior data of each day in the past 30 days before the time to be detected. The system to be detected is the system in which abnormal user access behaviors need to be detected. The historical user access behavior data can be historical access behavior data of the system to be detected, that is, the overall historical access behavior data received by the system to be detected. For example, the historical visited behavior data is collected once a day within 30 days from the time to be detected.
The historical user access behavior data may also be individual historical access behavior data of a target user in the system to be detected, the target user may be any user in the system to be detected, the historical user access behavior data may also be group historical access behavior data of a user group to which the target user belongs, and the group historical access behavior data is access behavior data of each user in the user group to which the target user belongs at the time to be detected. The historical user access behavior data is data corresponding to the quantitative user access behavior, such as download quantity, download flow, burst access quantity and the like.
Specifically, the historical user access behavior data of the system to be detected can be obtained by obtaining a user behavior log in the system to be detected and counting corresponding data in the user behavior log. The historical user access behavior data may be a time sequence, and includes a time value column and historical user access behavior data corresponding to each time value in the time value column.
Step S12: if the historical user access behavior data is the historical access behavior data of the system to be detected, and the number of data in the historical access behavior data is not smaller than a first preset value, predicting the access behavior data of the time to be detected based on the historical access behavior data to obtain the predicted access behavior data of the time to be detected.
In a specific implementation process, if the historical user access behavior data is the historical access behavior data of the system to be detected, and the number of data in the historical access behavior data is not less than a first preset value, the access behavior data of the time to be detected is predicted based on the historical access behavior data, and the predicted access behavior data of the time to be detected is obtained. When the number of the data in the historical accessed behavior data is not less than a first preset value, the data in the historical accessed behavior data is more, time sequence analysis can be adopted to determine whether abnormal user access behaviors exist in the system to be detected under the time to be detected, and therefore the obtained result is more accurate.
Specifically, the predicting the visited behavior data of the time to be detected based on the historical visited behavior data to obtain the predicted visited behavior data of the time to be detected includes: constructing a regression tree by utilizing the historical accessed behavior data; and predicting the visited behavior data of the time to be detected by using the regression tree to obtain the predicted visited behavior data of the time to be detected.
That is, a regression tree needs to be constructed by using the historical visited behavior data, and then the visited behavior data of the time to be detected is predicted by using the regression tree, so as to obtain the predicted visited behavior data of the time to be detected. In addition, the regression tree may be replaced by LSTM (Long Short-Term Memory), ARIMA (Autoregressive Integrated Moving Average model), etc.
Wherein the building a regression tree by using the historical accessed behavior data comprises: smoothing abnormal values in the historical accessed behavior data; and dividing the processed historical accessed behavior data into feature data and label data, and generating a regression tree by using the feature data and the label data.
Specifically, since the historical visited behavior data may have an abnormal value, smoothing processing needs to be performed on the historical visited behavior data first to smooth the abnormal value in the historical visited behavior data, then dividing the processed historical visited behavior data into feature data and label data, and generating a regression tree by using the feature data and the label data.
The smoothing processing of the abnormal value in the historical visited behavior data specifically includes: determining abnormal values in the historical visited behavior data by using a box plot; and processing the abnormal value by using an exponential weighted moving average method to obtain processed historical accessed data.
Wherein, the dividing the processed historical accessed behavior data into feature data and label data comprises: starting from the first data in the processed historical accessed behavior data, taking every continuous preset number of data as a group of feature data, and taking the next data following the last data in the current group of feature data as the label data corresponding to the current group of feature data, until the processed historical accessed behavior data has been fully divided. The preset number may be determined according to actual conditions, and is not specifically limited herein. For example, for processed historical visited behavior data containing 30 values, starting from the first value, every 4 adjacent values are used as one group of feature data and the 5th value is used as its label data, and so on. The division result is shown in Table 1 below, where f1 to f30 respectively represent the user visited behavior data of the past 30 days before the time to be detected, and f30 represents the user visited behavior data of 1 day before the time to be detected. Thus, 26 pieces of feature data and 26 pieces of label data are obtained, a regression tree is generated by using the 26 pieces of feature data and the 26 pieces of label data, and the visited behavior data of the time to be detected is predicted according to f27, f28, f29 and f30 by using the generated regression tree, so that predicted visited behavior data f31 of the time to be detected is obtained.
Table 1
Feature data          Label data
f1, f2, f3, f4        f5
f2, f3, f4, f5        f6
...                   ...
f26, f27, f28, f29    f30
Step S13: and determining whether abnormal user access behaviors exist in the system to be detected under the time to be detected according to the predicted accessed behavior data and the actual accessed behavior data of the time to be detected.
After the predicted accessed behavior data is obtained, whether abnormal user access behaviors exist in the system to be detected under the time to be detected is determined according to the predicted accessed behavior data and the actual accessed behavior data of the time to be detected.
Specifically, a ratio between the predicted accessed behavior data and the actual accessed behavior data may be determined, and then it is determined whether the ratio is greater than or equal to a preset ratio threshold, and if so, it is determined that an abnormal user access behavior exists in the system to be detected within the time to be detected. And if not, judging that abnormal user access behaviors do not exist in the system to be detected within the time to be detected.
In addition, whether abnormal user access behaviors exist in the system to be detected under the time to be detected can be determined by judging whether the actual accessed behavior data are larger than the predicted accessed behavior data or not. And if so, judging that abnormal user access behaviors exist in the system to be detected under the time to be detected. And if not, judging that abnormal user access behaviors do not exist in the system to be detected under the time to be detected.
In practical implementation, the historical user access behavior data can vary. For example, data for the 30 days before the time to be detected may be used, counted once a day, with the data of 4 adjacent days as feature data and the 5th value as label data. Data for the 45 days before the time to be detected may also be used, with a value counted every half day, 6 adjacent values taken as one group of feature data, and the 7th value taken as label data for prediction.
Therefore, historical user access behavior data of the system to be detected are obtained first, wherein the historical user access behavior data are user access behavior data within a preset time length before the time to be detected. If the historical user access behavior data is the historical access behavior data of the system to be detected, and the number of data in the historical access behavior data is not smaller than a first preset value, predicting the access behavior data of the time to be detected based on the historical access behavior data to obtain the predicted access behavior data of the time to be detected. And determining whether abnormal user access behaviors exist in the system to be detected under the time to be detected according to the predicted accessed behavior data and the actual accessed behavior data of the time to be detected. Therefore, when it is required to determine whether an abnormal user access behavior exists in the system to be detected at the time to be detected, the predicted access behavior data of the time to be detected can be predicted based on the historical access behavior data, and then the predicted access behavior data is used as a judgment baseline to be compared with the actual access behavior data, so that whether an abnormal user access behavior exists in the system to be detected at the time to be detected is judged. Because the historical accessed behavior data are different due to different time to be detected, the predicted accessed behavior data obtained by predicting according to the historical accessed behavior data are different, and a changed judgment baseline is obtained, so that the calculated judgment baseline is more accurate, and the identification rate and the identification accuracy are improved.
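The following added example (not code from the patent or its applicant) runs steps S11 to S13 on constructed daily download counts: box-plot outlier detection, EWMA smoothing, the Table 1 windowing, a small CART regression tree, and the ratio test. The ratio direction (actual divided by predicted), the threshold 2.0, the smoothing factor, the rule that an outlier is replaced by the running EWMA, and the tree depth and leaf size are assumptions, because the page leaves them open.

```python
from statistics import mean, quantiles

WINDOW = 4              # features per sample, as in Table 1 (f1..f4 -> f5)
RATIO_THRESHOLD = 2.0   # assumption: the page leaves the ratio threshold open
ALPHA = 0.3             # assumption: EWMA smoothing factor

# Constructed sample: 30 daily download counts with a one-day spike at index 11.
HISTORY = [98, 104, 101, 95, 110, 102, 99, 105, 97, 103,
           100, 900, 96, 108, 101, 99, 104, 98, 107, 102,
           95, 100, 106, 103, 97, 101, 99, 105, 102, 100]


def boxplot_outliers(series):
    """Indexes of values outside the box-plot whiskers (Q1/Q3 -/+ 1.5*IQR)."""
    q1, _, q3 = quantiles(series, n=4)
    lo, hi = q1 - 1.5 * (q3 - q1), q3 + 1.5 * (q3 - q1)
    return [i for i, v in enumerate(series) if v < lo or v > hi]


def smooth_outliers(series, alpha=ALPHA):
    """Replace each box-plot outlier with the EWMA of the values before it."""
    outliers = set(boxplot_outliers(series))
    out, ewma = [], None
    for i, v in enumerate(series):
        if i in outliers and ewma is not None:
            v = ewma        # the outlier takes the running average instead
        ewma = v if ewma is None else alpha * v + (1 - alpha) * ewma
        out.append(v)
    return out


def make_windows(series, window=WINDOW):
    """Split f1..fn into (features, label) pairs exactly as in Table 1."""
    return [(series[i:i + window], series[i + window])
            for i in range(len(series) - window)]


def sse(ys):
    """Sum of squared errors around the mean: the impurity of a node."""
    m = mean(ys)
    return sum((y - m) ** 2 for y in ys)


def build_tree(rows, depth=0, max_depth=3, min_leaf=3):
    """CART regression tree: pick the split that minimises squared error."""
    best = None
    if depth < max_depth and len(rows) >= 2 * min_leaf:
        for j in range(len(rows[0][0])):
            for t in sorted({x[j] for x, _ in rows}):
                left = [r for r in rows if r[0][j] <= t]
                right = [r for r in rows if r[0][j] > t]
                if len(left) < min_leaf or len(right) < min_leaf:
                    continue
                cost = sse([y for _, y in left]) + sse([y for _, y in right])
                if best is None or cost < best[0]:
                    best = (cost, j, t, left, right)
    if best is None:
        return mean(y for _, y in rows)     # leaf: mean of the labels
    _, j, t, left, right = best
    return (j, t, build_tree(left, depth + 1, max_depth, min_leaf),
            build_tree(right, depth + 1, max_depth, min_leaf))


def predict(tree, x):
    """Walk from the root to a leaf and return the leaf value."""
    while isinstance(tree, tuple):
        j, t, left, right = tree
        tree = left if x[j] <= t else right
    return tree


def detect(history, actual, ratio_threshold=RATIO_THRESHOLD):
    """Return (predicted value, ratio, is_abnormal) for the time to be detected."""
    if len(history) <= WINDOW:
        raise ValueError("history too short to build feature/label windows")
    smoothed = smooth_outliers(history)
    tree = build_tree(make_windows(smoothed))
    predicted = predict(tree, smoothed[-WINDOW:])   # f27..f30 -> f31
    ratio = actual / predicted if predicted else float("inf")
    return predicted, ratio, ratio >= ratio_threshold


if __name__ == "__main__":
    for actual in (100, 450):
        predicted, ratio, abnormal = detect(HISTORY, actual)
        print(f"actual={actual} predicted={predicted:.1f} "
              f"ratio={ratio:.2f} abnormal={abnormal}")
```

Without the smoothing step, the 900 spike would appear as a label and in four feature windows, and any leaf containing it would raise the predicted baseline and hide later spikes.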
Referring to FIG. 2, an embodiment of the present application discloses a specific behavior identification method, which includes:
Step S21: Obtain historical user access behavior data of a system to be detected, where the historical user access behavior data is user access behavior data within a preset time before the time to be detected.
Step S22: If the historical user access behavior data is the historical access behavior data of the system to be detected, and the number of data in the historical access behavior data is smaller than the first preset value, determine the historical access baseline of the time to be detected based on the historical access behavior data and a first preset Z-score threshold.
After the historical user access behavior data is acquired, if it is the historical access behavior data of the system to be detected and the number of data in it is smaller than the first preset value, the amount of historical access behavior data is small, and the prediction method of the foregoing embodiment would give an inaccurate prediction result. The historical access baseline of the time to be detected is therefore determined based on the historical access behavior data and a first preset Z-score threshold. The Z-score, also called the standard score, is obtained by dividing the difference between a value and the mean by the standard deviation. It represents the number of standard deviations by which a given value lies from the mean: values above the mean yield a positive standard score and values below the mean yield a negative standard score. The Z-score is a way to see the relative position of a value in a distribution. The first preset Z-score threshold may be determined based on actual conditions and is not specifically limited herein.
In a specific implementation process, determining a historical visited baseline of the time to be detected based on the historical visited behavior data and a first preset Z-score threshold, including: determining an average value and a standard deviation corresponding to the historical accessed behavior data; and taking the product of the standard deviation corresponding to the historical visited behavior data and the first preset Z score threshold value and the average value corresponding to the historical visited behavior data as the historical visited baseline of the time to be detected. To eliminate the effect of outliers in the historical visited data, the average may be replaced with a median in the historical visited behavior data.
The above process can be expressed by the following formula:
[Formula image: Figure BDA0003137109160000111]
where Z represents the first preset Z-score threshold, s represents the standard deviation corresponding to the historical visited behavior data, the symbol shown in [Figure BDA0003137109160000112] represents the average value corresponding to the historical visited behavior data, and b represents the historical visited baseline of the time to be detected.
Step S23: Determine whether abnormal user access behavior exists in the system to be detected at the time to be detected according to the historical access baseline and the actual access behavior data of the time to be detected.
After the historical visited baseline is determined, whether abnormal user access behaviors exist in the system to be detected under the time to be detected is determined according to the historical visited baseline and actual visited behavior data of the time to be detected.
Specifically, it may be determined whether the actual accessed behavior data is greater than the historical accessed baseline. And if so, judging that abnormal user access behaviors exist in the system to be detected under the time to be detected. And if not, judging that abnormal user access behaviors do not exist in the system to be detected under the time to be detected.
Referring to FIG. 3, an embodiment of the present application discloses a specific behavior identification method, which includes:
Step S31: Obtain historical user access behavior data of a system to be detected, where the historical user access behavior data is user access behavior data within a preset time before the time to be detected.
Step S32: If the historical user access behavior data is the personal historical access behavior data of the target user in the system to be detected and the group historical access behavior data of the user group to which the target user belongs, and the number of data in the personal historical access behavior data is not smaller than a second preset value, predict the personal access behavior data of the target user at the time to be detected based on the personal historical access behavior data to obtain predicted personal access behavior data of the target user at the time to be detected.
In the foregoing embodiment, when the historical user access behavior data is historical access behavior data of a system to be detected, it may be determined whether an abnormal user access behavior exists in the system to be detected at the time to be detected, but it cannot be determined which user has an abnormal access behavior, so the historical user access behavior data may be individual historical access behavior data of a target user in the system to be detected and group historical access behavior data of a user group to which the target user belongs, so that it may be determined which user has an abnormal access behavior.
Correspondingly, when the historical user access behavior data is the personal historical access behavior data of the target user in the system to be detected and the group historical access behavior data of the user group to which the target user belongs, and the number of data in the personal historical access behavior data is not less than a second preset value, the personal access behavior data of the target user at the time to be detected is predicted based on the personal historical access behavior data, and the predicted personal access behavior data of the target user at the time to be detected is obtained.
The specific process of predicting the personal access behavior data of the target user at the time to be detected based on the personal historical access behavior data to obtain the predicted personal access behavior data of the target user at the time to be detected is the same as the specific process of predicting the accessed behavior data of the target user at the time to be detected based on the historical accessed behavior data to obtain the predicted accessed behavior data of the time to be detected disclosed in the foregoing embodiment, and reference may be made to the content disclosed in the foregoing embodiment, which is not described herein again.
Step S33: Determine whether the access behavior of the target user at the time to be detected is abnormal user access behavior according to the predicted personal access behavior data and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a first judgment result.
After the predicted personal access behavior data is obtained, whether the access behavior of the target user at the time to be detected is an abnormal user access behavior is determined according to the predicted personal access behavior data and the actual personal access behavior data of the target user at the time to be detected, and a first judgment result is obtained.
Specifically, it may be determined whether the actual personal access behavior data is greater than the predicted personal access behavior data, and if yes, it is determined that the access behavior of the target user at the time to be detected is an abnormal user access behavior, so as to obtain a first determination result, and if not, it is determined that the access behavior of the target user at the time to be detected is not an abnormal user access behavior, so as to obtain a first determination result.
Or, a difference between the actual personal access behavior data and the predicted personal access behavior data may be determined, whether the difference is greater than or equal to a preset difference threshold is determined, if yes, it is determined that the access behavior of the target user at the time to be detected is an abnormal user access behavior, and a first determination result is obtained, and if not, it is determined that the access behavior of the target user at the time to be detected is not an abnormal user access behavior, and a first determination result is obtained. In addition, the determination may be performed by other methods, which are not specifically limited herein.
Step S34: If the historical user access behavior data is the individual historical access behavior data of the target user in the system to be detected and the group historical access behavior data of the user group to which the target user belongs, and the number of data in the individual historical access behavior data is smaller than the second preset value, determine the individual historical baseline of the target user at the time to be detected based on the individual historical access behavior data and a second preset Z-score threshold.
If the historical user access behavior data is the personal historical access behavior data of the target user in the system to be detected and the group historical access behavior data of the user group to which the target user belongs, and the number of data in the personal historical access behavior data is smaller than the second preset value, the amount of personal historical access behavior data is small. The personal historical baseline of the target user at the time to be detected therefore needs to be determined based on the personal historical access behavior data and a second preset Z-score threshold. When the amount of personal historical access behavior data is small, the personal historical baseline determined in this way is more accurate, so that the subsequent judgment result is more accurate, and the recognition rate and the recognition accuracy are improved.
The determining of the personal historical baseline of the target user at the time to be detected based on the personal historical access behavior data and a second preset Z-score threshold may specifically include: determining an average value and a standard deviation corresponding to the personal historical behavior data; and taking the product of the standard deviation corresponding to the personal historical access behavior data and the second preset Z score threshold value and the average value corresponding to the personal historical access behavior data as the personal historical baseline of the target user at the time to be detected. Wherein the second preset Z-score threshold is also a value set based on actual conditions.
Step S35: Determine whether the access behavior of the target user at the time to be detected is abnormal user access behavior according to the personal historical baseline and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a first judgment result.
After the personal history baseline is determined, whether the access behavior of the target user at the time to be detected is an abnormal user access behavior is determined according to the personal history baseline and the actual personal access behavior data of the target user at the time to be detected, so that a first determination result is obtained.
Specifically, it may be determined whether the actual personal access behavior data is greater than the personal historical baseline, and if yes, it is determined that the access behavior of the target user at the time to be detected is an abnormal user access behavior, to obtain a first determination result, and if not, it is determined that the access behavior of the target user at the time to be detected is not an abnormal user access behavior, to obtain a first determination result.
The first preset value and the second preset value are determined according to an actual implementation process, and are not specifically limited herein.
Referring to FIG. 4, an embodiment of the present application discloses a specific behavior identification method, which includes:
Step S41: Obtain historical user access behavior data of a system to be detected, where the historical user access behavior data is user access behavior data within a preset time before the time to be detected.
Step S42: If the historical user access behavior data is the personal historical access behavior data of the target user in the system to be detected and the group historical access behavior data of the user group to which the target user belongs, and the number of data in the personal historical access behavior data is not smaller than a second preset value, predict the personal access behavior data of the target user at the time to be detected based on the personal historical access behavior data to obtain predicted personal access behavior data of the target user at the time to be detected.
Step S43: Determine whether the access behavior of the target user at the time to be detected is abnormal user access behavior according to the predicted personal access behavior data and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a first judgment result.
Step S44: If the historical user access behavior data is the individual historical access behavior data of the target user in the system to be detected and the group historical access behavior data of the user group to which the target user belongs, and the number of data in the individual historical access behavior data is smaller than the second preset value, determine the individual historical baseline of the target user at the time to be detected based on the individual historical access behavior data and a second preset Z-score threshold.
Step S45: Determine whether the access behavior of the target user at the time to be detected is an abnormal user access behavior according to the personal history baseline and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a first judgment result.
The specific embodiment process of step S41 to step S45 may refer to the content disclosed in the foregoing embodiment, and is not described in detail herein.
Step S46: Determine a corresponding group baseline according to the group historical access behavior data and a third preset Z-score threshold, where the group historical access behavior data is the access behavior data of each user in the user group to which the target user belongs at the time to be detected.
In practical application, a corresponding group baseline needs to be determined according to the group historical access behavior data and a third preset Z-score threshold, where the group historical access behavior data is access behavior data of each user in the user group to which the target user belongs at the time to be detected.
The group historical access behavior data is the user access behavior data of each user in the user group to which the target user belongs on the previous day. The group historical access behavior data is $x_{1c}, x_{2c}, x_{3c}, \ldots, x_{nc}$, where $c$ represents the time to be detected (for example, the day before the current time), $n$ represents the number of users in the user group to which the target user belongs, and $x_{1c}$ represents the access behavior data of the first user in the user group to which the target user belongs at the time to be detected.
The determining a corresponding group baseline according to the group historical access behavior data and a third preset Z-score threshold may specifically include: determining an average value and a standard deviation corresponding to the group of historical access behavior data; and taking the product of the standard deviation corresponding to the group of historical access behavior data and the third preset Z score threshold value and the average value corresponding to the group of historical access behavior data as a group baseline corresponding to the time to be detected of the target user. Wherein the third preset Z-score threshold is also a value set based on actual conditions.
Step S47: Determine whether the access behavior of the target user at the time to be detected is an abnormal user access behavior according to the group baseline and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a second determination result.
After the group baseline is obtained, whether the access behavior of the target user at the time to be detected is an abnormal user access behavior is determined according to the group baseline and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a second determination result.
Specifically, it may be determined whether the actual personal access behavior data is greater than the group baseline, and if yes, it is determined that the access behavior of the target user at the time to be detected is an abnormal user access behavior, and a second determination result is obtained. If not, judging that the access behavior of the target user in the time to be detected is not the abnormal user access behavior, and obtaining a second judgment result.
Step S48: Determine whether the access behavior of the target user at the time to be detected is an abnormal user access behavior according to the first judgment result and the second judgment result.
After the first determination result and the second determination result are obtained, it is further required to determine whether the access behavior of the target user at the time to be detected is an abnormal user access behavior according to the first determination result and the second determination result.
Specifically, when the first determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, and the second determination result also indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, it may be determined that the access behavior of the target user at the time to be detected is an abnormal user access behavior. Requiring both the first determination result and the second determination result to indicate an abnormal user access behavior before the behavior is determined to be abnormal can improve the accuracy of identifying abnormal user access behavior.
Or when the first determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, or the second determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, determining that the access behavior of the target user at the time to be detected is an abnormal user access behavior. That is, as long as any one of the first determination result or the second determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, it is determined that the access behavior of the target user at the time to be detected is an abnormal user access behavior.
In the actual implementation process, when the historical accessed baseline, the individual historical baseline and the group baseline are determined, the corresponding average value and standard deviation are obtained by using a mathematical statistics means, and then the final baseline is obtained by combining the preset Z score threshold, so that the mathematical statistics and the threshold can be combined to obtain a dynamic baseline, the obtained baseline is more in line with the actual condition and more accurate, and the identification rate and the identification accuracy are improved.
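The Z-score baselines and the combination of the first and second judgment results in step S48, as an added Python example that is not part of the patent text. It reads the baseline as the mean plus Z times the standard deviation (following the Z-score definition above) and uses the population standard deviation; the sample data, threshold values and function names are all constructed assumptions.

```python
from math import sqrt
from statistics import mean, median, pstdev

# Constructed sample data (daily access counts); not taken from the patent.
PERSONAL_HISTORY = [12, 15, 11, 14, 13, 12, 14]   # target user's recent days
GROUP_BUSY_DAY = [60, 52, 58, 49, 61, 55, 57]     # every group member on the day under test
GROUP_ONE_SPIKE = [300, 52, 58, 49, 61, 55, 57]   # only the target user (first value) spikes


def zscore_baseline(values, z_threshold, use_median=False):
    """Baseline b = centre + Z * s (assumed reading of the baseline formula).

    use_median swaps the mean for the median, the option the text mentions
    for reducing the influence of outliers in the history.
    """
    centre = median(values) if use_median else mean(values)
    return centre + z_threshold * pstdev(values)


def max_reachable_z(n):
    """Largest Z-score one of n values can reach against its own mean and
    population standard deviation (Samuelson's inequality)."""
    return sqrt(n - 1)


def judge_user(personal_history, group_values, actual,
               z_personal=3.0, z_group=3.0, mode="and"):
    """Return (first result, second result, final result) for one user.

    first  : actual value exceeds the personal historical baseline
    second : actual value exceeds the group baseline
    final  : both must agree (mode="and") or either suffices (mode="or")
    """
    first = actual > zscore_baseline(personal_history, z_personal)
    second = actual > zscore_baseline(group_values, z_group)
    if mode == "and":
        final = first and second
    elif mode == "or":
        final = first or second
    else:
        raise ValueError("mode must be 'and' or 'or'")
    return first, second, final


if __name__ == "__main__":
    # The whole group is busy: unusual for the user, normal for the group.
    print(judge_user(PERSONAL_HISTORY, GROUP_BUSY_DAY, 60, mode="and"))
    print(judge_user(PERSONAL_HISTORY, GROUP_BUSY_DAY, 60, mode="or"))
    # One user spikes, but the spike inflates the group's own standard
    # deviation; with 7 members a threshold of 3 can never be exceeded.
    print(max_reachable_z(len(GROUP_ONE_SPIKE)))
    print(judge_user(PERSONAL_HISTORY, GROUP_ONE_SPIKE, 300, z_group=3.0))
    print(judge_user(PERSONAL_HISTORY, GROUP_ONE_SPIKE, 300, z_group=2.0))
```

When the group baseline is computed from same-day values that include the target user, the third Z-score threshold has to stay below `max_reachable_z(n)` for the group size in use, otherwise the second judgment result can never indicate an abnormal behavior.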
Whether the historical user access behavior data is historical access behavior data of the system to be detected or personal historical access behavior data, when the number of the data is small, a fixed threshold value can be set in the prior art to perform auxiliary judgment.
Because the historical user access behavior data differs with the time to be detected and with the user, the determined baseline also differs. A dynamic baseline is thus calculated, the determined baseline is more accurate, and the identification rate and the identification accuracy of abnormal user access behavior are improved.
Referring to FIG. 5, an embodiment of the present application discloses a behavior recognition apparatus, including:
the data acquisition module 11 is configured to acquire historical user access behavior data of a system to be detected, where the historical user access behavior data is user access behavior data within a preset time before a time to be detected;
the prediction module 12 is configured to predict the visited behavior data of the time to be detected based on the historical visited behavior data to obtain predicted visited behavior data of the time to be detected when the historical user visited behavior data is historical visited behavior data of the system to be detected and the number of data in the historical visited behavior data is not less than a first preset value;
and the abnormal user access behavior determining module 13 is configured to determine whether an abnormal user access behavior exists in the system to be detected at the time to be detected according to the predicted access behavior data and the actual access behavior data of the time to be detected.
Thus, historical user access behavior data of the system to be detected is obtained first, where the historical user access behavior data is user access behavior data within a preset time length before the time to be detected. If the historical user access behavior data is historical access behavior data of the system to be detected, and the number of data in the historical access behavior data is not smaller than a first preset value, the access behavior data of the time to be detected is predicted based on the historical access behavior data to obtain predicted access behavior data of the time to be detected. Whether abnormal user access behavior exists in the system to be detected at the time to be detected is then determined according to the predicted accessed behavior data and the actual accessed behavior data of the time to be detected. In this way, when it is necessary to determine whether abnormal user access behavior exists in the system to be detected within the time to be detected, the access behavior data of the time to be detected can be predicted based on the historical access behavior data, and the predicted access behavior data is then used as a judgment baseline and compared with the actual access behavior data. Because the historical accessed behavior data differs with the time to be detected, the predicted accessed behavior data obtained from it also differs, which yields a changing judgment baseline. The calculated judgment baseline is therefore more accurate, and the identification rate and the identification accuracy are improved.
In some specific implementations, the prediction module 12 is configured to:
constructing a regression tree by using the historical accessed behavior data;
and predicting the accessed behavior data of the time to be detected by using the regression tree to obtain the predicted accessed behavior data of the time to be detected.
In some specific implementations, the prediction module 12 is configured to:
smoothing abnormal values in the historical accessed behavior data;
and dividing the processed historical accessed behavior data into feature data and label data, and generating a regression tree by using the feature data and the label data.
In some specific implementations, the prediction module 12 is configured to:
determining an abnormal value in the historical visited behavior data by using a box plot;
and processing the abnormal value by using an exponential weighted moving average method to obtain processed historical accessed behavior data.
In some specific implementations, the prediction module 12 is configured to:
and taking every continuous preset number of data from the first data in the processed historical accessed behavior data as a group of characteristic data, and taking the next data connected with the last data in the current group of characteristic data as label data corresponding to the current group of characteristic data until the processed historical accessed behavior data is divided.
In some specific implementation processes, the abnormal user access behavior determining module 13 is configured to:
determining a ratio between the predicted visited behavior data and the actual visited behavior data;
judging whether the ratio is greater than or equal to a preset ratio threshold value or not;
and if so, determining that abnormal user access behavior exists in the system to be detected at the time to be detected.
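The prediction path described in the module implementations above (box plot, exponentially weighted moving average, feature and label windows, regression tree, ratio threshold), as an added Python example that is not part of the patent text. The 1.5 × IQR whisker rule, the smoothing factor, the one-step sliding window, the tree depth, the ratio taken as actual divided by predicted, the threshold of 2.0 and the sample counts are all assumptions.

```python
from statistics import mean, quantiles

# Constructed sample: 30 daily access counts for one system, one spike at index 12.
HISTORY = [102, 98, 105, 110, 97, 101, 99, 104, 108, 96,
           103, 100, 460, 107, 95, 102, 106, 99, 101, 104,
           98, 109, 103, 97, 105, 100, 102, 108, 96, 104]


def boxplot_outliers(values, k=1.5):
    """Indices of values outside the box-plot whiskers [Q1 - k*IQR, Q3 + k*IQR]."""
    q1, _, q3 = quantiles(values, n=4)
    lo, hi = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
    return [i for i, v in enumerate(values) if v < lo or v > hi]


def smooth_outliers(values, alpha=0.3):
    """Replace each outlier with the EWMA of the cleaned values before it.
    An outlier in the very first position has no history and is kept."""
    bad = set(boxplot_outliers(values))
    cleaned, ewma = [], None
    for i, v in enumerate(values):
        if i in bad and ewma is not None:
            v = ewma
        ewma = v if ewma is None else alpha * v + (1 - alpha) * ewma
        cleaned.append(v)
    return cleaned


def make_windows(values, width=4):
    """Each run of `width` consecutive values is a feature row; the next value is its label."""
    rows = [values[i:i + width] for i in range(len(values) - width)]
    labels = [values[i + width] for i in range(len(values) - width)]
    return rows, labels


def build_tree(X, y, depth=0, max_depth=3, min_leaf=3):
    """Small CART-style regression tree: pick the split with the lowest squared error."""
    if depth >= max_depth or len(y) < 2 * min_leaf:
        return mean(y)
    best = None
    for f in range(len(X[0])):
        for t in sorted({row[f] for row in X}):
            left = [y[i] for i, row in enumerate(X) if row[f] <= t]
            right = [y[i] for i, row in enumerate(X) if row[f] > t]
            if len(left) < min_leaf or len(right) < min_leaf:
                continue
            ml, mr = mean(left), mean(right)
            sse = sum((v - ml) ** 2 for v in left) + sum((v - mr) ** 2 for v in right)
            if best is None or sse < best[0]:
                best = (sse, f, t)
    if best is None:
        return mean(y)
    _, f, t = best
    li = [i for i, row in enumerate(X) if row[f] <= t]
    ri = [i for i, row in enumerate(X) if row[f] > t]
    return (f, t,
            build_tree([X[i] for i in li], [y[i] for i in li], depth + 1, max_depth, min_leaf),
            build_tree([X[i] for i in ri], [y[i] for i in ri], depth + 1, max_depth, min_leaf))


def predict(tree, row):
    """Walk from the root to a leaf; a leaf is the mean label of its training rows."""
    while isinstance(tree, tuple):
        f, t, left, right = tree
        tree = left if row[f] <= t else right
    return tree


def is_abnormal(history, actual, ratio_threshold=2.0, width=4):
    """Return (abnormal?, predicted value) for the time to be detected."""
    cleaned = smooth_outliers(history)
    X, y = make_windows(cleaned, width)
    predicted = predict(build_tree(X, y), cleaned[-width:])
    return actual / predicted >= ratio_threshold, predicted


if __name__ == "__main__":
    print(boxplot_outliers(HISTORY))   # index of the historical spike
    print(is_abnormal(HISTORY, 460))   # large jump against the predicted baseline
    print(is_abnormal(HISTORY, 104))   # ordinary day
```

Without the smoothing step, the spike at index 12 would enter both the feature rows and the labels and pull the predicted baseline upward for the windows that contain it.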
In some specific implementations, the behavior recognition device further includes:
the first baseline determining module is used for determining a historical visited baseline of the time to be detected based on the historical visited behavior data and a first preset Z score threshold when the historical user visited behavior data is the historical visited behavior data of the system to be detected and the number of data in the historical visited behavior data is smaller than the first preset value;
accordingly, the abnormal user access behavior determination module 13 is configured to: and determining whether abnormal user access behaviors exist in the system to be detected under the time to be detected according to the historical access baseline and the actual access behavior data of the time to be detected.
In some specific implementations, the first baseline determination module is to:
determining an average value and a standard deviation corresponding to the historical accessed behavior data;
and taking the product of the standard deviation corresponding to the historical visited behavior data and the first preset Z score threshold value and the average value corresponding to the historical visited behavior data as the historical visited baseline of the time to be detected.
In some specific implementations, the abnormal user access behavior determining module 13 is configured to:
judging whether the actual accessed behavior data is larger than the historical accessed baseline or not;
and if so, judging that abnormal user access behaviors exist in the system to be detected under the time to be detected.
In some specific implementations, the prediction module 12 is configured to:
if the historical user access behavior data is the individual historical access behavior data of a target user in the system to be detected and the group historical access behavior data of a user group to which the target user belongs, and the number of data in the individual historical access behavior data is not less than a second preset value, predicting the individual access behavior data of the target user at the time to be detected based on the individual historical access behavior data to obtain predicted individual access behavior data of the target user at the time to be detected;
accordingly, the abnormal user access behavior determination module 13 is configured to: and determining whether the access behavior of the target user at the time to be detected is abnormal user access behavior according to the predicted personal access behavior data and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a first judgment result.
In some specific implementations, the behavior recognition device further includes:
a second baseline determining module, configured to determine, when the historical user access behavior data is individual historical access behavior data of a target user in the system to be detected and group historical access behavior data of a user group to which the target user belongs, and the number of data in the individual historical access behavior data is smaller than a second preset value, an individual historical baseline of the target user at the time to be detected based on the individual historical access behavior data and a second preset Z-score threshold;
accordingly, the abnormal user access behavior determination module 13 is configured to: and determining whether the access behavior of the target user at the time to be detected is an abnormal user access behavior according to the personal history baseline and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a first judgment result.
In some specific implementations, the behavior recognition device further includes:
a third baseline determining module, configured to determine a corresponding group baseline according to the group historical access behavior data and a third preset Z-score threshold, where the group historical access behavior data is access behavior data of each user in a user group to which the target user belongs at the time to be detected;
accordingly, the abnormal user access behavior determination module 13 is configured to: determining whether the access behavior of the target user at the time to be detected is an abnormal user access behavior according to the group baseline and the actual personal access behavior data of the target user at the time to be detected to obtain a second determination result; and determining whether the access behavior of the target user in the time to be detected is an abnormal user access behavior according to the first judgment result and the second judgment result.
In some specific implementation processes, the abnormal user access behavior determining module 13 is configured to:
when the first judgment result shows that the access behavior of the target user at the time to be detected is an abnormal user access behavior, and the second judgment result shows that the access behavior of the target user at the time to be detected is an abnormal user access behavior, judging that the access behavior of the target user at the time to be detected is an abnormal user access behavior;
or, when the first determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, or the second determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, determining that the access behavior of the target user at the time to be detected is an abnormal user access behavior.
Referring to FIG. 6, which is a schematic structural diagram of an electronic device 20 provided in an embodiment of the present application, the electronic device 20 may specifically implement the steps of the behavior recognition method disclosed in the foregoing embodiment.
Generally, the electronic device 20 in the present embodiment includes: a processor 21 and a memory 22.
The processor 21 may include one or more processing cores, such as a four-core processor, an eight-core processor, and so on. The processor 21 may be implemented by at least one hardware component selected from a DSP (digital signal processing), an FPGA (field-programmable gate array), and a PLA (programmable logic array). The processor 21 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 21 may be integrated with a GPU (graphics processing unit) which is responsible for rendering and drawing images that need to be displayed on the display screen. In some embodiments, the processor 21 may include an AI (artificial intelligence) processor for processing a calculation operation related to machine learning.
Memory 22 may include one or more computer-readable storage media, which may be non-transitory. Memory 22 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In this embodiment, the memory 22 is at least used for storing the following computer program 221, wherein after being loaded and executed by the processor 21, the steps of the behavior recognition method disclosed in any of the foregoing embodiments can be implemented.
In some embodiments, the electronic device 20 may further include a display 23, an input/output interface 24, a communication interface 25, a sensor 26, a power supply 27, and a communication bus 28.
Those skilled in the art will appreciate that the configuration shown in FIG. 6 is not limiting of electronic device 20 and may include more or fewer components than those shown.
Further, an embodiment of the present application also discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the behavior recognition method disclosed in any of the foregoing embodiments.
For the specific process of the behavior recognition method, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed in the embodiment corresponds to the method disclosed in the embodiment, so that the description is simple, and the relevant points can be referred to the description of the method part.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The behavior recognition method, apparatus, device, and medium provided by the present application are described in detail above. Specific examples are applied herein to explain the principles and embodiments of the present application, and the description of the above embodiments is only used to help understand the method and the core ideas of the present application. Meanwhile, for a person skilled in the art, the specific implementation and the application scope may be changed according to the idea of the present application. In summary, the content of this specification should not be construed as a limitation of the present application.

Claims (16)

1. A method of behavior recognition, comprising:
acquiring historical user access behavior data of a system to be detected, wherein the historical user access behavior data is user access behavior data within a preset time length before the time to be detected;
if the historical user access behavior data is historical accessed behavior data of the system to be detected, and the number of data in the historical accessed behavior data is not smaller than a first preset value, predicting the accessed behavior data of the time to be detected based on the historical accessed behavior data to obtain predicted accessed behavior data of the time to be detected;
and determining whether abnormal user access behaviors exist in the system to be detected under the time to be detected according to the predicted accessed behavior data and the actual accessed behavior data of the time to be detected.
2. The behavior recognition method according to claim 1, wherein the predicting the accessed behavior data of the time to be detected based on the historical accessed behavior data to obtain the predicted accessed behavior data of the time to be detected comprises:
constructing a regression tree by utilizing the historical accessed behavior data;
and predicting the accessed behavior data of the time to be detected by using the regression tree to obtain the predicted accessed behavior data of the time to be detected.
3. The behavior recognition method according to claim 2, wherein the constructing a regression tree using the historical accessed behavior data comprises:
smoothing abnormal values in the historical accessed behavior data;
and dividing the processed historical accessed behavior data into feature data and label data, and generating a regression tree by using the feature data and the label data.
4. The behavior recognition method of claim 3, wherein smoothing the outliers in the historical accessed behavior data comprises:
determining abnormal values in the historical accessed behavior data by using a box plot;
and processing the abnormal value by using an exponential weighted moving average method to obtain processed historical accessed behavior data.
5. The behavior recognition method of claim 3, wherein the dividing the processed historical accessed behavior data into feature data and label data comprises:
taking every continuous preset quantity of data from the first data in the processed historical accessed behavior data as a group of feature data, and taking the next data connected with the last data in the current group of feature data as the label data corresponding to the current group of feature data until the processed historical accessed behavior data is divided completely.
6. The behavior recognition method according to claim 1, wherein the determining whether an abnormal user access behavior exists in the system to be detected at the time to be detected according to the predicted accessed behavior data and the actual accessed behavior data of the time to be detected comprises:
determining a ratio between the predicted accessed behavior data and the actual accessed behavior data;
judging whether the ratio is greater than or equal to a preset ratio threshold value or not;
and if so, judging that abnormal user access behaviors exist in the system to be detected under the time to be detected.
7. The behavior recognition method according to any one of claims 1 to 6, wherein after acquiring historical user access behavior data of the system to be detected, the method further comprises:
if the historical user access behavior data is historical accessed behavior data of the system to be detected, and the number of data in the historical accessed behavior data is smaller than the first preset value, determining a historical accessed baseline of the time to be detected based on the historical accessed behavior data and a first preset Z score threshold value;
and determining whether abnormal user access behaviors exist in the system to be detected under the time to be detected according to the historical accessed baseline and the actual accessed behavior data of the time to be detected.
8. The behavior recognition method according to claim 7, wherein the determining the historical accessed baseline for the time to be detected based on the historical accessed behavior data and a first preset Z-score threshold comprises:
determining an average value and a standard deviation corresponding to the historical accessed behavior data;
and taking the product of the standard deviation corresponding to the historical accessed behavior data and the first preset Z score threshold value and the average value corresponding to the historical accessed behavior data as the historical accessed baseline of the time to be detected.
9. The behavior recognition method according to claim 7, wherein the determining whether the system to be detected has the abnormal user access behavior in the time to be detected according to the historical accessed baseline and the actual accessed behavior data of the time to be detected comprises:
determining whether the actual accessed behavior data is greater than the historical accessed baseline;
and if so, judging that abnormal user access behaviors exist in the system to be detected under the time to be detected.
10. The behavior recognition method according to any one of claims 1 to 6, wherein after acquiring historical user access behavior data of the system to be detected, the method further comprises:
if the historical user access behavior data is the personal historical access behavior data of a target user in the system to be detected and the group historical access behavior data of a user group to which the target user belongs, and the number of data in the personal historical access behavior data is not less than a second preset value, predicting the personal access behavior data of the target user at the time to be detected based on the personal historical access behavior data to obtain predicted personal access behavior data of the target user at the time to be detected;
and determining whether the access behavior of the target user at the time to be detected is abnormal user access behavior according to the predicted personal access behavior data and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a first judgment result.
11. The behavior recognition method according to claim 10, wherein after acquiring the historical user access behavior data of the system to be detected, the method further comprises:
if the historical user access behavior data is the individual historical access behavior data of a target user in the system to be detected and the group historical access behavior data of a user group to which the target user belongs, and the number of data in the individual historical access behavior data is smaller than the second preset value, determining an individual historical baseline of the target user at the time to be detected based on the individual historical access behavior data and a second preset Z score threshold value;
and determining whether the access behavior of the target user at the time to be detected is abnormal user access behavior according to the personal historical baseline and the actual personal access behavior data of the target user at the time to be detected, so as to obtain a first judgment result.
12. The behavior recognition method according to claim 10, wherein after determining whether the access behavior of the target user at the time to be detected is an abnormal user access behavior according to the predicted personal access behavior data and the actual personal access behavior data of the target user at the time to be detected, the method further comprises:
determining a corresponding group baseline according to the group historical access behavior data and a third preset Z-score threshold, wherein the group historical access behavior data is the access behavior data of each user in the user group to which the target user belongs at the time to be detected;
determining whether the access behavior of the target user at the time to be detected is an abnormal user access behavior according to the group baseline and the actual personal access behavior data of the target user at the time to be detected, and obtaining a second determination result;
and determining whether the access behavior of the target user in the time to be detected is an abnormal user access behavior according to the first judgment result and the second judgment result.
13. The behavior recognition method according to claim 12, wherein the determining whether the access behavior of the target user in the time to be detected is an abnormal user access behavior according to the first determination result and the second determination result includes:
when the first determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, and the second determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, determining that the access behavior of the target user at the time to be detected is an abnormal user access behavior;
or when the first determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, or the second determination result indicates that the access behavior of the target user at the time to be detected is an abnormal user access behavior, determining that the access behavior of the target user at the time to be detected is an abnormal user access behavior.
14. A behavior recognition apparatus, comprising:
the data acquisition module is used for acquiring historical user access behavior data of the system to be detected, wherein the historical user access behavior data is user access behavior data within a preset time length before the time to be detected;
the prediction module is used for predicting the accessed behavior data of the time to be detected based on the historical accessed behavior data to obtain the predicted accessed behavior data of the time to be detected when the historical user access behavior data is the historical accessed behavior data of the system to be detected and the number of data in the historical accessed behavior data is not less than a first preset value;
and the abnormal user access behavior determining module is used for determining whether abnormal user access behaviors exist in the system to be detected under the time to be detected according to the predicted accessed behavior data and the actual accessed behavior data of the time to be detected.
15. An electronic device, comprising:
a memory and a processor;
wherein the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the behavior recognition method according to any one of claims 1 to 13.
16. A computer-readable storage medium for storing a computer program, wherein the computer program is adapted to implement a behavior recognition method according to any one of claims 1 to 13 when executed by a processor.
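The prediction path of claims 2 to 5 (box-plot outlier detection, EWMA smoothing, feature/label windows, regression tree), as an added Python example that is not code from the patent. The 1.5 × IQR fences, the median-seeded EWMA, the stride of 1, the minimal tree learner and every function name are assumptions chosen for illustration.

```python
from statistics import mean, median, quantiles

def smooth_outliers(series, alpha=0.3, k=1.5):
    """Replace box-plot outliers with the EWMA of the values seen so far."""
    q1, _, q3 = quantiles(series, n=4, method="inclusive")
    lo, hi = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
    ewma, out = median(series), []      # assumption: EWMA is seeded with the median
    for x in series:
        if x < lo or x > hi:
            x = ewma                    # outlier: substitute the running average
        ewma = alpha * x + (1 - alpha) * ewma
        out.append(x)
    return out

def make_windows(series, width, stride=1):
    """Each run of `width` values is a feature row; the value after it is the label."""
    X, y = [], []
    for i in range(0, len(series) - width, stride):
        X.append(series[i:i + width])
        y.append(series[i + width])
    return X, y

def _sse(vals):
    m = mean(vals)
    return sum((v - m) ** 2 for v in vals)

def fit_tree(X, y, depth=2, min_leaf=2):
    """Minimal regression tree: split where the summed squared error is lowest."""
    best = None
    if depth > 0:
        for f in range(len(X[0])):
            for t in sorted({row[f] for row in X}):
                left = [i for i, row in enumerate(X) if row[f] <= t]
                right = [i for i, row in enumerate(X) if row[f] > t]
                if min(len(left), len(right)) < min_leaf:
                    continue
                err = _sse([y[i] for i in left]) + _sse([y[i] for i in right])
                if best is None or err < best[0]:
                    best = (err, f, t, left, right)
    if best is None:
        return mean(y)                  # leaf: average label
    _, f, t, left, right = best
    def grow(idx):
        return fit_tree([X[i] for i in idx], [y[i] for i in idx], depth - 1, min_leaf)
    return (f, t, grow(left), grow(right))

def predict(tree, row):
    while isinstance(tree, tuple):      # walk down until a leaf value is reached
        f, t, low, high = tree
        tree = low if row[f] <= t else high
    return tree

def forecast_next(series, width=4):
    """Smooth, window, fit, then predict the value for the time to be detected."""
    if len(series) <= width:
        raise ValueError("not enough history for the prediction path")
    clean = smooth_outliers(series)
    X, y = make_windows(clean, width)
    return predict(fit_tree(X, y), clean[-width:])

# Constructed sample: hourly access counts for one system, with one spike.
HISTORY = [100, 104, 98, 102, 101, 99, 103, 950, 100, 102, 97, 101, 105, 99, 100, 103]

if __name__ == "__main__":
    print(smooth_outliers(HISTORY)[7], forecast_next(HISTORY))
```

Without the smoothing step the 950 spike becomes both a label and a feature value, so a leaf average can sit far above normal traffic and hide a later real spike from the comparison against the actual value.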
CN202110723019.9A 2021-06-28 2021-06-28 Behavior recognition method, device, equipment and medium Pending CN115600191A (en)

Publications (1)

Publication Number Publication Date
CN115600191A true CN115600191A (en) 2023-01-13

Family

ID=84841657

Country Status (1)

Country Link
CN (1) CN115600191A (en)

Similar Documents

Publication Publication Date Title
CN109948669B (en) Abnormal data detection method and device
KR101999471B1 (en) Information recommendation methods and devices
EP3168795A1 (en) Method and apparatus for evaluating relevance of keyword to asset price
CN105094708B (en) The Forecasting Methodology and device of a kind of disk size
CN110443350B (en) Model quality detection method, device, terminal and medium based on data analysis
CN106611023B (en) Method and device for detecting website access abnormality
CN110609780B (en) Data monitoring method and device, electronic equipment and storage medium
CN110060087B (en) Abnormal data detection method, device and server
CN108512883B (en) Information pushing method and device and readable medium
CN107330709B (en) Method and device for determining target object
CN111768287A (en) Period identification method, period identification device, server and readable storage medium
CN114219540A (en) Method and device for determining user behavior period, electronic equipment and storage medium
CN108875538B (en) Attribute detection method, device and system and storage medium
CN112182056A (en) Data detection method, device, equipment and storage medium
CN112365156A (en) Data processing method, data processing device, terminal and storage medium
CN116610821A (en) Knowledge graph-based enterprise risk analysis method, system and storage medium
CN115600191A (en) Behavior recognition method, device, equipment and medium
CN116977783A (en) Training method, device, equipment and medium of target detection model
CN110796115A (en) Image detection method and device, electronic equipment and readable storage medium
CN110597807A (en) Data expansion method, device, terminal and medium based on data analysis
CN113296990B (en) Method and device for recognizing abnormity of time sequence data
CN109284354B (en) Script searching method and device, computer equipment and storage medium
CN115982224A (en) Providing interpretability for multi-variable time series data abnormity detection
CN108537654B (en) Rendering method and device of customer relationship network graph, terminal equipment and medium
CN112069909A (en) Real-time sewage discharge monitoring method and device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination