CN115883172A - Anomaly monitoring method and device, computer equipment and storage medium - Google Patents


Publication number
CN115883172A
Authority
CN
China
Prior art keywords
behavior
monitoring
information
node
global
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211497262.4A
Other languages
Chinese (zh)
Inventor
高亦然
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202211497262.4A
Publication of CN115883172A

Abstract

The present application relates to the field of artificial intelligence technologies, and in particular, to an anomaly monitoring method and apparatus, a computer device, and a storage medium. The method comprises the following steps: acquiring global behavior information of a target user; determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes according to the global behavior information; generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes; determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph; and carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information. The method and the device can improve the accuracy of monitoring the user behavior.

Description

Anomaly monitoring method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of artificial intelligence technologies, and in particular, to an anomaly monitoring method and apparatus, a computer device, and a storage medium.
Background
User Behavior Analysis (UBA) is an abnormal-behavior analysis method that performs compliance analysis on the actions a user takes when accessing a system. UBA focuses on the actions the user is performing, e.g., application launching, network connection activity, critical file access, etc.
At present, in the conventional technology, when a user behavior is analyzed, a specific baseline policy is mainly issued to control a user access (operation) behavior, where the baseline policy includes a plurality of user behavior baselines, and the user behavior baselines refer to a set of various common attributes counted according to various behaviors of a user in a login and access process, such as a common IP set, a common login address set, a common device set, and the like; and verifying each user operation behavior through the user behavior baseline.
However, abnormal behaviors are complex and changeable, and the current baseline strategy has poor accuracy in identifying the complex abnormal behaviors, so that the system security is low.
Disclosure of Invention
In view of the above, it is necessary to provide an anomaly monitoring method, an anomaly monitoring apparatus, a computer device, and a storage medium, which can improve the accuracy of monitoring user behavior.
In a first aspect, the present application provides an anomaly monitoring method, including:
acquiring global behavior information of a target user;
determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes according to the global behavior information;
generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph;
and carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
In one embodiment, generating a behavior topology graph according to at least one monitoring node associated with global behavior information and a behavior trace between the monitoring nodes includes:
each monitoring node is respectively used as a graph node in the behavior topological graph;
determining point attribute information of the graph nodes corresponding to the monitoring nodes according to the corresponding local behavior information in the monitoring nodes;
according to behavior tracks among different monitoring nodes, connection edges among different graph nodes in a behavior topological graph are constructed, and edge attribute information of each connection edge is determined.
In one embodiment, determining the point attribute information of the graph node corresponding to each monitoring node according to the corresponding local behavior information in each monitoring node includes:
for each monitoring node, determining the credibility of corresponding local behavior information in the monitoring node;
and determining the point attribute information of the graph node corresponding to the monitoring node according to the credibility.
In one embodiment, determining point attribute information of a graph node corresponding to the monitoring node according to the credibility includes:
and converting the credibility into a gray value, and taking the gray value as the point attribute information of the graph node corresponding to the monitoring node.
In one embodiment, determining the target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topology includes:
and selecting a target behavior monitoring model from the candidate behavior monitoring models according to the number of the monitoring nodes corresponding to the global behavior information and the complexity of the corresponding local behavior information in each monitoring node.
In a second aspect, the present application also provides an anomaly monitoring device, comprising:
the acquisition module is used for acquiring the global behavior information of the target user;
the analysis module is used for determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes according to the global behavior information;
the topology construction module is used for generating a behavior topology graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
the selection module is used for determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph;
and the monitoring module is used for monitoring the abnormity of the behavior topological graph based on the target behavior monitoring model to obtain an abnormity monitoring result of the global behavior information.
In a third aspect, the present application further provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the following steps when executing the computer program:
acquiring global behavior information of a target user;
determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes according to the global behavior information;
generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph;
and carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
In a fourth aspect, the present application also provides a computer readable storage medium having a computer program stored thereon, the computer program when executed by a processor implementing the steps of:
acquiring global behavior information of a target user;
determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes according to the global behavior information;
generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph;
and carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
In a fifth aspect, the present application further provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of:
acquiring global behavior information of a target user;
determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes according to the global behavior information;
generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph;
and carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
According to the anomaly monitoring method, apparatus, computer device and storage medium described above, a behavior topological graph is generated from the global behavior information; the graph contains every monitoring node involved in the target user's global behavior information, the corresponding local behavior information in each monitoring node, and the behavior tracks among the monitoring nodes. A target behavior monitoring model is selected according to the complexity of the behavior topological graph, so that global behavior information of different complexities is analyzed accurately at different levels. Furthermore, the global information is input into the target behavior monitoring model as a whole; compared with analyzing the global information item by item under a baseline detection strategy, this reduces the number of repeated baseline-detection calls and improves both the analysis efficiency and the accuracy of anomaly monitoring. Meanwhile, because anomaly monitoring is performed by the target behavior monitoring model, known abnormal behaviors can be identified in time and unknown abnormal behaviors can also be identified well, which improves the ability to monitor abnormal behavior and greatly safeguards system security.
Drawings
FIG. 1 is a diagram of an exemplary application environment for the anomaly monitoring method;
FIG. 2 is a schematic flow chart diagram of an anomaly monitoring method in one embodiment;
FIG. 3 is a schematic flow diagram for generating a behavior topology diagram in one embodiment;
FIG. 4 is a schematic flow chart that illustrates determining point attribute information based on trustworthiness, in one embodiment;
FIG. 5 is a schematic flow chart of an anomaly monitoring system in another embodiment;
FIG. 6 is a block diagram of an anomaly monitoring device in one embodiment;
FIG. 7 is a diagram of the internal structure of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
User Behavior Analysis (UBA) is an abnormal-behavior analysis method that performs compliance analysis on the actions a user takes when accessing a system. UBA focuses on what actions a user is performing, e.g., application launch, network connection activity, critical file access, etc.
At present, in the conventional technology, when a user behavior is analyzed, a specific baseline policy is mainly issued to control a user access (operation) behavior, where the baseline policy includes a plurality of user behavior baselines, and the user behavior baselines refer to a set of various common attributes counted according to various behaviors of a user in a login and access process, such as a common IP set, a common login address set, a common device set, and the like; each user access (operation) behavior is verified against a user behavior baseline.
However, for complex and variable access behaviors of a computer, the current baseline detection only can perform verification analysis on the known abnormal behaviors corresponding to the known baseline rules, and the identification accuracy of the abnormal behaviors outside the known baseline rules is poor, so that the system security is low.
The anomaly monitoring method provided by the embodiments of the present application can be applied in the application environment shown in fig. 1, in which the terminal 102 communicates with the server 104 via a network. A data storage system may store the data that the server 104 needs to process; it may be integrated on the server 104, or located on the cloud or on another network server. For example, the server 104 acquires global behavior information of the target user; determines, according to the global behavior information, at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks between different monitoring nodes; generates a behavior topological graph according to the at least one monitoring node associated with the global behavior information, the local behavior information in each monitoring node and the behavior tracks among different monitoring nodes; determines a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph; and performs anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information. Further, the server 104 may also send the anomaly monitoring result to the terminal 102 held by the administrator, so that the administrator can view it. The terminal 102 may be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices and portable wearable devices; the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart car-mounted devices, and the like, and the portable wearable devices may be smart watches, smart bracelets, head-mounted devices, and the like.
The server 104 may be implemented as a stand-alone server or a server cluster comprised of multiple servers.
In one embodiment, as shown in fig. 2, an anomaly monitoring method is provided, which is described by taking the method as an example applied to the server 104 in fig. 1, and includes the following steps:
S201, acquiring global behavior information of the target user.
The server 104, acting as a local monitoring device, is connected to each monitoring node and monitors the security risk and operating state of each monitoring node; the monitoring nodes communicate with one another over a network for data transmission.
In this embodiment, a monitoring node is a monitoring object specified by an administrator, and the monitoring nodes together may form a monitoring set. A monitoring node may be a server, a networked group of computers, or a processor, a memory, and the like in a server, and may also be a container, an application program, a database, a field, a record, a file, and the like on the server. Specifically, the global behavior information is the behavior information generated when the target user operates the monitoring nodes in the monitoring set, and can be obtained by analyzing the log data of the target user; further, the user global behavior information in this embodiment characterizes a single continuous access behavior of the target user in the monitoring set.
For example, time may be used as the condition when determining a continuous access behavior. Specifically, for convenience of explanation, any access behavior of the target user is defined as a sub-access behavior. After the target user completes the current sub-access behavior, the server 104 starts timing until the next sub-access behavior of the target user appears, and calculates the interval duration between the two sub-access behaviors. If the interval duration is less than a preset duration, the two sub-access behaviors are continuous operations, that is, they belong to the same global behavior information; otherwise, they do not belong to the same global behavior information.
S202, according to the global behavior information, at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes are determined.
Each monitoring node involved (accessed) in the global behavior information is taken as a monitoring node associated with the global behavior information.
Further, the user global behavior information includes local behavior information in each monitoring node and a behavior track between different monitoring nodes. It can be understood that the local behavior information in any monitoring node represents the access behavior of the target user to that monitoring node, and the behavior tracks among different monitoring nodes represent the access relations among the monitoring nodes.
Specifically, the local behavior information in the monitoring node may be behavior information of the monitoring node when the monitoring node is used as an access object (accessed). For example, as shown in table 1 below, the local behavior information in any monitoring node (monitoring node a) may include the following attributes: access objects, access times, access behaviors, and accessed objects within the monitoring node.
TABLE 1 (provided as an image in the original publication; not reproduced here)
Specifically, when the global information is analyzed, a neural network model may be used for analysis, and after the analysis is completed, at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node, and a behavior trajectory between different monitoring nodes may be determined.
S203, generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, the local behavior information in each monitoring node and the behavior track among different monitoring nodes.
Optionally, the analyzed global behavior information is integrated into a graph form, that is, a behavior topology graph. In this embodiment, by generating the behavior topology map, the behavior topology map can hierarchically represent the global behavior information, that is, the hierarchy containing the overall behavior among different monitoring nodes and the hierarchy containing the local behavior within a single monitoring node.
S204, determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph.
The candidate behavior monitoring model is a model for analyzing the behavior topological graph to determine an anomaly monitoring result; it can be constructed by training a neural network model with abnormal behavior samples, where the abnormal behavior samples comprise historical behavior topological graphs corresponding to abnormal behavior information and the labels (corresponding to anomaly monitoring results) of those historical behavior topological graphs.
Convolutional neural networks are widely used in scenarios such as image recognition, target detection and feature extraction; when image features are extracted, a corresponding logistic regression is performed in each convolution kernel to calculate the correlation probability and select the optimal features. The candidate behavior monitoring model in this embodiment can therefore be obtained by training a convolutional neural network model.
Further, the candidate behavior monitoring models comprise a plurality of neural network models that can be used to analyze behavior information of different complexities, for example a lightweight model and a high-precision model. Both the lightweight model and the high-precision model can analyze the global behavior information, but the recognition precision of the high-precision model is higher than that of the lightweight model. Furthermore, the lightweight model can be kept online in real time and used to monitor global behavior information in real time, while the high-precision model is used to monitor the global behavior information when it is a complex access behavior.
Abnormal behavior is complex and changeable, and the more complex the user's global behavior information is, the harder it is to identify whether abnormal behavior exists. In this embodiment, the complexity of the behavior topological graph is therefore identified first, and the target behavior monitoring model matching that complexity is then determined from the candidate behavior monitoring models, so that computing resources are allocated reasonably.
S205, based on the target behavior monitoring model, performing anomaly monitoring on the behavior topological graph to obtain an anomaly monitoring result of the global behavior information.
Specifically, after the behavior topological graph is generated, the behavior topological graph is input to the target behavior monitoring model, and based on the target behavior monitoring model, the behavior topological graph is subjected to anomaly monitoring to obtain an anomaly monitoring result of the global behavior information.
Further, the abnormal monitoring result includes the existence of the abnormal behavior and the absence of the abnormal behavior, and when the abnormal behavior is detected in the global behavior information, the local monitoring device may report the global behavior information to the terminal 102 of the administrator through the built-in communication module, so that the administrator performs corresponding processing.
In the anomaly monitoring method described above, a behavior topological graph is generated from the global behavior information; the graph contains every monitoring node involved in the target user's global behavior information, the corresponding local behavior information in each monitoring node, and the behavior tracks among the monitoring nodes. A target behavior monitoring model is selected according to the complexity of the behavior topological graph, so that global behavior information of different complexities is analyzed accurately at different levels. Furthermore, the global information is input into the target behavior monitoring model as a whole; compared with analyzing the global information item by item under a baseline detection strategy, this reduces the number of repeated baseline-detection calls and improves both the analysis efficiency and the accuracy of anomaly monitoring. Meanwhile, because anomaly monitoring is performed by the target behavior monitoring model, known abnormal behaviors can be identified in time and unknown abnormal behaviors can also be identified well, which improves the ability to monitor abnormal behavior and greatly safeguards system security.
As shown in fig. 3, this embodiment provides an alternative way of generating a behavior topology according to at least one monitoring node associated with global behavior information, local behavior information in each monitoring node, and a behavior trace between different monitoring nodes, that is, a way of refining S203 is provided. The specific implementation process may include:
S301, each monitoring node is taken as a graph node in the behavior topological graph.
And taking each monitoring node as a graph node, and establishing a one-to-one mapping relation between each graph node and each monitoring node. Further, for each graph node, the label of the graph node corresponds to the unique label of the corresponding monitoring node in the monitoring set.
S302, according to the corresponding local behavior information in each monitoring node, point attribute information of the graph node corresponding to each monitoring node is determined.
The monitoring node may perform a heterogeneous behavior analysis on the local behavior information corresponding to the monitoring node to determine point attribute information corresponding to the graph node. Optionally, the point attribute information may be described in a text and numerical manner, or may be described in a graphic element manner.
Specifically, when graph elements are used for the description, consider the case shown in table 1 in which an accessed monitoring node includes a plurality of access objects, taking a computer as the monitoring node for illustration: a unique image element may be configured for each application program, file and database in the computer; after the configuration is completed, the subgraph formed by these graph elements may be used as the point attribute information of the graph node, and access behaviors at different access times (e.g., t1 and t2 in table 1) may be distinguished and represented in the point attribute information. To simplify the behavior topological graph, the credibility of each piece of local behavior information in the graph node may be calculated first, and the credibility may be used as the point attribute information.
S303, according to behavior tracks among different monitoring nodes, connection edges among different graph nodes in the behavior topological graph are constructed, and edge attribute information of each connection edge is determined.
The edge attribute information describes the relationship between an access subject and an access object (the accessed party) between different global behavior information; the connecting edge may be a directed edge that points from the access subject to the access object, representing the access (call) relationship.
Specifically, after the graph nodes are constructed, the connection edges between the graph nodes and the directions of the connection edges are constructed according to the access relations between the graph nodes. Therefore, the generated graph nodes and the directed connecting edges among the graph nodes jointly form the behavior topological graph.
In this embodiment, an optional data structure support is provided for the target behavior monitoring model through the behavior topological graph.
In order to simplify the behavior topology map and improve the analysis efficiency of the target behavior monitoring model, in an embodiment, as shown in fig. 4, this embodiment provides an optional manner for determining point attribute information of a graph node corresponding to each monitoring node according to corresponding local behavior information in each monitoring node, which may specifically include the following:
S401, for each monitoring node, determining the credibility of the corresponding local behavior information in the monitoring node.
The local monitoring device stores a credibility weight (subject weight) for each user, a credibility weight for each monitoring node, a credibility weight for each access behavior, a credibility weight for each accessed object (program, file, application, etc.) in each monitoring node, and the like. Correspondingly, when the credibility of the local behavior information of any monitoring node is calculated, taking monitoring node 1 as an example, the calculation may be as shown in table 2 below:
TABLE 2 (provided as an image in the original publication; not reproduced here)
Specifically, the credibility of the local behavior information S1 may be summarized from the credibility of each access time (access time t1 and access time t2), and if the target user does not have the right to access the monitoring node, the credibility may be configured as a negative number or 0, and so on (in the direction of decreasing credibility).
It can be understood that the identity credibility weight (authority) of each user is different, and the credibility weight of each user based on the same access behavior is also different, so that the corresponding local behavior information in various monitoring nodes and the credibility of the corresponding local behavior information can be derived on the basis of the baseline rule through different weight configurations. Furthermore, various different access behaviors (corresponding behavior topological graphs) can be derived by using the credibility of the corresponding local behavior information, and the target behavior monitoring model is trained by using the different behavior topological graphs, so that compared with the method using fixed baseline detection, the flexibility of a training sample is increased, and the analysis capability of the target behavior monitoring model is improved.
S402, according to the credibility, determining the point attribute information of the graph node corresponding to the monitoring node.
The credibility may be represented in the form of a numerical value, or may be represented by an attribute such as a gray value.
Specifically, the credibility is converted into, or directly used as, the point attribute information of the graph node corresponding to the monitoring node, and the point attribute information is displayed on the behavior topology graph.
In the embodiment, the credibility information is used as the point attribute information, so that the credibility of the access behavior in each monitoring node does not need to be identified complicatedly by the target behavior monitoring model, the expression form of the behavior topological graph is simplified, and the processing difficulty of the target behavior monitoring model in identifying the behavior topological graph is reduced.
In one embodiment, the credibility is further converted into a gray value, and the gray value is used as the point attribute information of the graph node corresponding to the monitoring node. For example, the higher the credibility, the larger the gray value.
In the embodiment, the credibility of each topological point (graph node) is calculated, that is, the credibility of the topology of the whole behavior topological graph is preliminarily calculated, so that when the target behavior monitoring model identifies the behavior topological graph, abnormal behaviors can be comprehensively detected in two dimensions, namely, a single graph node access behavior and a global graph node access behavior, and the detection precision of the abnormal behaviors with higher complexity is improved.
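A sketch of S401 and S402, added here as an illustration and not taken from the patent: per-access credibility is derived from stored weights, summarized per monitoring node, and mapped to a gray value used as the point attribute. The weight values, the multiplicative combination, the averaging over access times and the 0-255 gray range are all assumptions, since Table 2 is not reproduced on this page.

```python
from dataclasses import dataclass
from statistics import mean

# Hypothetical weight tables (constructed values). The page says such weights
# are stored on the local monitoring device; its Table 2 is not reproduced.
USER_WEIGHT = {"alice": 0.9, "guest": 0.4}
NODE_WEIGHT = {"node1": 0.8}
BEHAVIOR_WEIGHT = {"read": 1.0, "execute": 0.6}
OBJECT_WEIGHT = {("node1", "report.xlsx"): 0.9, ("node1", "admin_tool"): 0.5}
AUTHORIZED = {("alice", "node1")}  # (user, node) pairs with access rights


@dataclass(frozen=True)
class Access:
    """One access operation inside a monitoring node."""
    time: str
    behavior: str
    obj: str


# Constructed local behavior information S1: two accesses at t1 and t2.
SAMPLE_S1 = [
    Access("t1", "read", "report.xlsx"),
    Access("t2", "execute", "admin_tool"),
]


def access_credibility(user, node, access):
    # Assumption: the four weights combine multiplicatively, and anything
    # missing from a weight table is treated as weight 0 (least credible).
    return (USER_WEIGHT.get(user, 0.0)
            * NODE_WEIGHT.get(node, 0.0)
            * BEHAVIOR_WEIGHT.get(access.behavior, 0.0)
            * OBJECT_WEIGHT.get((node, access.obj), 0.0))


def local_credibility(user, node, accesses):
    """S401: summarize the credibility of each access time into one value."""
    # The page allows 0 or a negative number for a user without access
    # rights; this sketch uses 0.
    if (user, node) not in AUTHORIZED or not accesses:
        return 0.0
    return mean([access_credibility(user, node, a) for a in accesses])


def to_gray(credibility, lo=0.0, hi=1.0):
    """S402: higher credibility gives a larger gray value (assumed 0-255)."""
    clamped = max(lo, min(hi, credibility))  # negative credibility maps to 0
    return round(255 * (clamped - lo) / (hi - lo))


def node_attributes(user, visits):
    """visits: {node: [Access, ...]} -> point attributes per graph node."""
    attrs = {}
    for node, accesses in visits.items():
        cred = local_credibility(user, node, accesses)
        attrs[node] = {"credibility": cred, "gray": to_gray(cred)}
    return attrs


if __name__ == "__main__":
    print(node_attributes("alice", {"node1": SAMPLE_S1}))
    print(node_attributes("guest", {"node1": SAMPLE_S1}))
```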
Since abnormal behavior is complex and changeable, and the more complex the access behavior is, the harder it is to identify its credibility, in an embodiment, an optional way is provided for determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topology, which may specifically include the following process: selecting a target behavior monitoring model from the candidate behavior monitoring models according to the number of the monitoring nodes corresponding to the global behavior information and the complexity of the corresponding local behavior information in each monitoring node.
The number of the monitoring nodes corresponding to the global behavior information refers to the number of graph nodes in the behavior topological graph; the complexity of the corresponding local behavior information in any monitoring node can be determined by the number of accessed objects in the monitoring node.
Specifically, the complexity of the global behavior information may be classified according to a level, and may include, for example, a low-complexity behavior and a high-complexity behavior. Exemplarily, if the number of the monitoring nodes corresponding to the global behavior information is greater than or equal to 5, the global behavior information is a high-complexity behavior; or, if the number of accessed objects in any monitoring node is greater than or equal to 5, the global behavior information is a high-complexity behavior; conversely, if there is no high-complexity behavior, the global behavior information is a low-complexity behavior.
Further, the candidate models in the above example may specifically include a single-point analysis model, a lightweight model, and a high-precision model.
The access behavior handled by the single-point analysis model is as follows: the target user accesses only one monitoring node, that is, no cross-node access behavior is involved. Specifically, the single-point analysis model may employ a K-Means model. The analysis process of the single-point analysis model is as follows: in the global behavior information, the target user accesses monitoring node A and performs a series of access operations in monitoring node A. In addition, for monitoring node A, the acquired historical single-point behaviors include: user C accesses monitoring node A, and user D accesses monitoring node A. In this case, it is only necessary to use the K-Means model to identify the credibility of monitoring node A in the behavior topological graph of the target user, in the behavior topological graph of user C, and in the behavior topological graph of user D, perform cluster analysis on these credibility values, and screen out abnormal points according to the cluster analysis. If the screening shows that the credibility of the target user is low (an abnormal point), the anomaly monitoring result of the global behavior information is determined to be an abnormal behavior.
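The single-point analysis described above, as an added example that is not code from the patent: a deterministic one-dimensional K-Means (k = 2) clusters the credibility values observed at one monitoring node and flags the target user only when it falls in a small, clearly separated low-credibility cluster. The user names, credibility values, the `min_gap` separation and the minority rule are assumptions introduced for the illustration.

```python
def kmeans_1d(values, k=2, max_iter=100):
    """Lloyd's algorithm on scalars; centroids start spread between min and max."""
    lo, hi = min(values), max(values)
    centroids = [lo + (hi - lo) * i / (k - 1) for i in range(k)]
    labels = None
    for _ in range(max_iter):
        new_labels = [
            min(range(k), key=lambda c: abs(v - centroids[c])) for v in values
        ]
        if new_labels == labels:  # assignments stable: converged
            break
        labels = new_labels
        for c in range(k):
            members = [v for v, l in zip(values, labels) if l == c]
            if members:  # keep the old centroid if a cluster is empty
                centroids[c] = sum(members) / len(members)
    return centroids, labels


def single_point_verdict(credibility_by_user, target_user, min_gap=0.2):
    """Cluster the credibility of one monitoring node across users.

    The target is reported as abnormal only when all three hold:
      * the two centroids are at least `min_gap` apart (assumed threshold),
      * the low-credibility cluster is the minority (assumed outlier rule),
      * the target user belongs to that low-credibility cluster.
    """
    users = list(credibility_by_user)
    values = [credibility_by_user[u] for u in users]
    centroids, labels = kmeans_1d(values)
    low = min(range(2), key=lambda c: centroids[c])
    high = 1 - low
    low_members = [u for u, l in zip(users, labels) if l == low]
    separated = centroids[high] - centroids[low] >= min_gap
    minority = len(low_members) < len(users) - len(low_members)
    return {
        "abnormal": separated and minority and target_user in low_members,
        "low_cluster": low_members,
        "centroids": (centroids[low], centroids[high]),
    }


# Constructed history for monitoring node A: credibility per user.
HISTORY_NODE_A = {"user_c": 0.82, "user_d": 0.78, "user_e": 0.85, "user_f": 0.80}

if __name__ == "__main__":
    suspicious = dict(HISTORY_NODE_A, target=0.15)
    ordinary = dict(HISTORY_NODE_A, target=0.79)
    print(single_point_verdict(suspicious, "target"))
    print(single_point_verdict(ordinary, "target"))
```

The separation check matters because K-Means always returns two clusters, even when every user behaves alike; without it, the lower half of a homogeneous population would be reported as abnormal.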
Optionally, the lightweight model is based on the structure of the AlexNet network model, with the network structure adjusted according to the actual usage scenario, and specifically includes a convolution layer, a pooling layer and a fully connected layer, wherein the convolution layer is used for extracting features from the behavior topological graph, the pooling layer is used for down-sampling without damaging the recognition result, and the fully connected layer is used for classification.
For example, the lightweight model may have the following structure: input layer (200x200x20) -> convolutional layer (20x20) -> pooling layer (12x12) -> convolutional layer (10x10) -> pooling layer (7x7) -> convolutional layer x3 (5x5) -> pooling layer (3x3) -> fully connected layer (assumed to be 4096) -> fully connected layer (1024) -> result mapping (10).
Optionally, the high-precision model is based on the structure of the VGG-16 network, with the network structure adjusted according to the actual usage scenario, and specifically includes: an input layer (input), a convolutional layer (conv), a pooling layer (max-pool), a fully connected layer (full-conn) and a result layer (result).
For example, the structure of the high-precision model may be:
Input(200x200x20)->[conv(10x10)->conv(10x10)->conv(3x3)->max-pool(1x1)]x3->[conv(5x5)->conv(3x3)->max-pool(2x2)->conv(3x3)->conv(2x2)->max-pool(1x1)]x3->full-conn(4096)->full-conn(1024)->result(10).
If further improvement of the calculation accuracy is required, a single or double convolution unit, i.e., [conv(10x10)->conv(10x10)->conv(3x3)->max-pool(1x1)] or [conv(5x5)->conv(3x3)->max-pool(2x2)->conv(3x3)->conv(2x2)->max-pool(1x1)], may be added.
In this embodiment, both the lightweight model and the high-precision model can identify a behavior topology containing a plurality of graph nodes. Specifically, when the lightweight model and the high-precision model are used to analyze the current behavior topology corresponding to the global behavior information, they identify the access route features (angles formed between graph nodes, connecting edges, and adjacent connecting edges) of the behavior topology and the gray values of the graph nodes, extract the features of the current behavior topology, and perform a similarity calculation between these features and the features of abnormal behavior topologies extracted from the training samples. If the similarity is higher than a preset threshold, an abnormal behavior exists in the current behavior topology; if the similarity is lower than the preset threshold, no abnormal behavior exists in the current behavior topology.
In summary, when the global behavior information only includes the access behavior of a single monitoring node, the single-point analysis model may be selected as the target behavior monitoring model; when the global behavior information only includes access behaviors of at least two monitoring nodes, a lightweight model and/or a high-precision model may be selected, for example, as shown in table 3 below:
TABLE 3 (provided as an image in the original publication)
Further, if the global behavior information corresponds to a low-complexity behavior, a lightweight analysis model may be selected as the target behavior monitoring model, and then, when the complexity of the global behavior information gradually increases and is recognized as a high-complexity behavior, a high-precision model may be used as the target behavior monitoring model, in which case, the global behavior information may correspond to two target behavior monitoring models.
When the behavior topological graph is input into the target behavior monitoring model to determine the abnormal monitoring result of the global behavior information, in one implementation manner, when the number of the target behavior monitoring models is at least two, the behavior topological graph is input to each of the two target behavior monitoring models, and the output result of the target behavior monitoring model with higher precision (higher complexity of the corresponding access behavior) is determined to be the abnormal monitoring result.
In another implementation manner, when the number of the target behavior monitoring models is at least two, the behavior topological graphs are respectively input to the two target behavior monitoring models, and the respective monitoring results of the two target behavior monitoring models are integrated to determine the abnormal monitoring result.
It should be noted that, in the monitoring process, a target behavior monitoring model for analyzing low-complexity global behavior information is first called to analyze a behavior topology map generated in real time, and when it is detected that the global behavior information reaches a corresponding high complexity, the target behavior monitoring model for analyzing high-complexity global behavior information is started to be adopted; meanwhile, the target behavior monitoring model can analyze the high-complexity global behavior information in time, and the safety of abnormal monitoring is improved.
In the embodiment, the number of the monitoring nodes corresponding to the global behavior information and the complexity of the corresponding local behavior information in each monitoring node are analyzed, the behavior complexity corresponding to the global behavior information is determined, and corresponding target behavior monitoring models are matched for operations with different complexities, so that the pertinence analysis is realized, the accuracy of abnormality monitoring is improved, and the effect of reasonably distributing computing resources is realized.
Furthermore, the local monitoring device communicates with each monitoring node through the network to monitor the security risk and the operating state of each monitoring node. That is, when the local monitoring device calls the target behavior monitoring model to analyze the behavior topology map, it obtains the global behavior information of each monitoring node through the communication network and, at the same time, calls the corresponding target behavior monitoring model to analyze the global behavior information, so the network communication condition of the local monitoring device has a corresponding influence on the behavior analysis process. Therefore, in the process of calling the target behavior monitoring model to analyze the behavior topology map, the network communication condition of the local monitoring device is detected first. If a delay is detected in the network communication condition, the network delay condition can be sent to the remote decision platform, or the currently called target behavior monitoring model can be further adjusted according to the network communication condition.
Illustratively, compared with a high-precision model, the lightweight model occupies fewer computing resources and has a lower data transmission amount by using a communication network; compared with a lightweight model, the single-point analysis model needs less data to be called, and the data transmission quantity by using a communication network is lower. If the target behavior monitoring model to which the global behavior information is assigned is the high-precision model and there is a delay in the network communication condition of the local monitoring device, a lightweight model may be selected to replace the high-precision model, that is, the lightweight model is used as the target behavior monitoring model corresponding to the global behavior information. In this embodiment, the efficiency of analyzing the behavior topology map is preferentially ensured by analyzing the network communication condition of the local monitoring device, so as to realize the preliminary screening of abnormal behaviors.
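The selection rules above, as an added example that is not code from the patent: a behavior topology is built incrementally from one user's access events, and the model is re-selected after each event using the page's thresholds (at least 5 monitoring nodes, or at least 5 accessed objects in any node, means high complexity) and the downgrade from high-precision to lightweight when the network is delayed. The event tuples, node and object names, and the choice to keep any single-node session on the single-point model are assumptions.

```python
from enum import Enum


class Model(Enum):
    SINGLE_POINT = "single-point analysis model"
    LIGHTWEIGHT = "lightweight model"
    HIGH_PRECISION = "high-precision model"


HIGH_COMPLEXITY = 5  # page's example threshold for nodes and for objects


class BehaviorTopology:
    """Graph nodes are monitoring nodes; edges follow the behavior track."""

    def __init__(self):
        self.objects = {}  # node -> set of accessed objects
        self.edges = []    # ordered (source node, destination node) hops
        self.last_node = None

    def add(self, node, obj):
        self.objects.setdefault(node, set()).add(obj)
        if self.last_node is not None and self.last_node != node:
            self.edges.append((self.last_node, node))
        self.last_node = node

    def is_high_complexity(self):
        return (len(self.objects) >= HIGH_COMPLEXITY
                or any(len(o) >= HIGH_COMPLEXITY for o in self.objects.values()))


def select_model(topology, network_delayed=False):
    # Assumption: a session confined to one node always uses single-point
    # analysis, whatever the number of objects accessed there.
    if len(topology.objects) <= 1:
        return Model.SINGLE_POINT
    if topology.is_high_complexity():
        # Under network delay the lightweight model replaces the
        # high-precision one, favoring analysis efficiency.
        return Model.LIGHTWEIGHT if network_delayed else Model.HIGH_PRECISION
    return Model.LIGHTWEIGHT


def track_selection(events, network_delayed=False):
    """Replay (node, object) events; record each change of selected model."""
    topology = BehaviorTopology()
    switches = []  # (1-based event index, model selected from that event on)
    for index, (node, obj) in enumerate(events, start=1):
        topology.add(node, obj)
        model = select_model(topology, network_delayed)
        if not switches or switches[-1][1] is not model:
            switches.append((index, model))
    return topology, switches


# Constructed session: the user enters through a gateway, then touches five
# different objects on one application node before reaching a database node.
SAMPLE_EVENTS = [
    ("web-gw", "login"), ("web-gw", "profile"),
    ("app-01", "orders.db"), ("app-01", "export_tool"),
    ("app-01", "config.yaml"), ("app-01", "audit.log"),
    ("app-01", "backup.tar"), ("db-01", "customers"),
]

if __name__ == "__main__":
    for delayed in (False, True):
        topo, switches = track_selection(SAMPLE_EVENTS, network_delayed=delayed)
        print("delayed" if delayed else "normal", topo.edges, switches)
```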
Since the abnormal behavior data is less and the abnormal behavior change is difficult to determine, the number of training samples which can be used as the candidate behavior monitoring model is less, so in order to enlarge the training samples and enhance the analysis capability of the behavior monitoring model on the abnormal behavior, in one embodiment, the abnormal behavior monitoring method further comprises the following steps: and if the abnormal behavior exists in the global behavior information according to the abnormal monitoring result, taking the abnormal monitoring result and the behavior topological graph as new training samples, and updating the candidate behavior monitoring model through the training submodule when the updating condition is met.
The update condition may be set manually. For example, when the behavior monitoring model determines that abnormal behavior exists in the global behavior information, the administrator verifies the result and determines whether an abnormality actually exists; if so, and if the number of behavior topological graphs corresponding to similar abnormal behavior reaches the corresponding number, each candidate behavior monitoring model is updated.
In the embodiment, the anomaly monitoring result is further identified, and the behavior topological graph and the anomaly monitoring result which meet the updating condition are sent back to the training submodule to update the candidate behavior monitoring model as a means for reinforcing the candidate behavior monitoring model, so that compared with the traditional mode of issuing a baseline file, the self-learning capability is improved.
The present application further provides an anomaly monitoring system, which is configured in a local monitoring device, as shown in fig. 5, and includes a topological diagram generation module 1, a deployment module 2, a behavior detection module 3, and an update judgment module 4; the topological graph generation module 1 responds to the detection request and is used for acquiring global behavior information of a target user; determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes according to the global behavior information; generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
the method for generating the behavior topological graph according to at least one monitoring node associated with the global behavior information and the behavior track among all the monitoring nodes comprises the following steps: each monitoring node is respectively used as a graph node in the behavior topological graph; for each monitoring node, determining the credibility of corresponding local behavior information in the monitoring node; according to the credibility, determining point attribute information of the graph node corresponding to the monitoring node; according to behavior tracks among different monitoring nodes, constructing connecting edges among different graph nodes in a behavior topological graph, and determining edge attribute information of each connecting edge;
specifically, for each monitoring node, the reliability of corresponding local behavior information in the monitoring node is determined; and determining the point attribute information of the graph node corresponding to the monitoring node according to the credibility.
The deployment module 2 is used for deploying each trained candidate behavior monitoring model to the behavior detection module 3 according to the deployment request;
the behavior detection module 3 is used for determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph; and carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
Determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph, wherein the method comprises the following steps: selecting a behavior monitoring model to be selected from the candidate behavior monitoring models according to the network communication condition between the local monitoring equipment and the monitoring node; and determining a target behavior monitoring model from the behavior monitoring models to be selected according to the number of the monitoring nodes corresponding to the global behavior information and the complexity of the corresponding local behavior information in each monitoring node.
The updating judgment module 4 is used for inputting the abnormal monitoring result and the behavior topological graph into a training submodule of the deployment module 2 as a new training sample, and updating the candidate behavior monitoring model when the updating condition is met.
For the above specific process, reference may be made to the description of the method embodiment, and the implementation principle and the technical effect are similar, which are not described herein again.
It should be understood that, although the steps in the flowcharts related to the embodiments are shown in sequence as indicated by the arrows, the steps are not necessarily executed in the sequence indicated by the arrows. Unless explicitly stated otherwise, the steps are not restricted to the exact order shown and described, and may be performed in other orders. Moreover, at least a part of the steps in the flowcharts related to the above embodiments may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of performing the steps or stages is not necessarily sequential, but may be performed in turn or alternately with other steps or at least a part of the steps or stages in other steps.
Based on the same inventive concept, the embodiment of the application also provides an abnormality monitoring device for realizing the above-mentioned abnormality monitoring method. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme recorded in the method, so the specific limitations in one or more embodiments of the anomaly monitoring device provided below can be referred to the limitations of the anomaly monitoring method in the above, and are not described herein again.
In one embodiment, as shown in fig. 6, there is provided an anomaly monitoring device 100 comprising: the system comprises an acquisition module 110, an analysis module 120, a topology construction module 130, a selection module 140 and a monitoring module 150, wherein:
an obtaining module 110, configured to obtain global behavior information of a target user;
the analysis module 120 is configured to determine, according to the global behavior information, at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node, and a behavior trajectory between different monitoring nodes;
the topology construction module 130 is configured to generate a behavior topology map according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node, and a behavior trajectory between different monitoring nodes;
a selecting module 140, configured to determine a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topology;
and the monitoring module 150 is configured to perform anomaly monitoring on the behavior topology map based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
In one embodiment, the topology building module 130 includes:
the monitoring node constructing submodule is used for taking each monitoring node as a graph node in the behavior topological graph;
the attribute construction submodule is used for determining point attribute information of the graph nodes corresponding to the monitoring nodes according to the corresponding local behavior information in the monitoring nodes;
and the edge construction submodule is used for constructing connection edges among different graph nodes in the behavior topological graph according to behavior tracks among different monitoring nodes and determining edge attribute information of each connection edge.
In one embodiment, the attribute building submodule includes:
the calculation slave module is used for determining the credibility of corresponding local behavior information in each monitoring node;
and the construction slave module is used for determining the point attribute information of the graph node corresponding to the monitoring node according to the credibility.
In one embodiment, the construction slave module is further configured to: convert the credibility into a gray value, and take the gray value as the point attribute information of the graph node corresponding to the monitoring node.
In one embodiment, the selection module 140 is configured to: and selecting a target behavior monitoring model from the candidate behavior monitoring models according to the number of the monitoring nodes corresponding to the global behavior information and the complexity of the corresponding local behavior information in each monitoring node.
In one embodiment, the anomaly monitoring device further comprises an update module for: if it is determined according to the abnormal monitoring result that abnormal behavior exists in the global behavior information, taking the abnormal monitoring result and the behavior topological graph as new training samples, and updating the candidate behavior monitoring model when the updating condition is met.
The modules in the abnormality monitoring device can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent of a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 7. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing anomaly monitoring data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement an anomaly monitoring method.
Those skilled in the art will appreciate that the architecture shown in fig. 7 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory having a computer program stored therein and a processor that when executing the computer program performs the steps of:
acquiring global behavior information of a target user;
determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes according to the global behavior information;
generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph;
and carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
In one embodiment, when the processor executes the computer program to implement the logic of generating the behavior topology map according to at least one monitoring node associated with the global behavior information and the behavior trace between the monitoring nodes, the following steps are specifically implemented: each monitoring node is respectively used as a graph node in the behavior topological graph; determining point attribute information of the graph nodes corresponding to the monitoring nodes according to the corresponding local behavior information in the monitoring nodes; according to behavior tracks among different monitoring nodes, connection edges among different graph nodes in a behavior topological graph are constructed, and edge attribute information of each connection edge is determined.
In one embodiment, when the processor executes the computer program to determine the logic of the point attribute information of the graph node corresponding to each monitoring node according to the corresponding local behavior information in each monitoring node, the following steps are specifically implemented: for each monitoring node, determining the credibility of corresponding local behavior information in the monitoring node; and determining the point attribute information of the graph node corresponding to the monitoring node according to the credibility.
In one embodiment, when the processor executes the computer program to determine the logic of the point attribute information of the graph node corresponding to the monitoring node according to the reliability, the following steps are specifically implemented: and converting the credibility into a gray value, and taking the gray value as the point attribute information of the graph node corresponding to the monitoring node.
In one embodiment, when the processor executes the logic of the computer program to determine the target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topology, the following steps are specifically implemented: and selecting a target behavior monitoring model from the candidate behavior monitoring models according to the number of the monitoring nodes corresponding to the global behavior information and the complexity of the corresponding local behavior information in each monitoring node.
In one embodiment, the processor, when executing the computer program, further performs the steps of: and if the abnormal behavior exists in the global behavior information according to the abnormal monitoring result, taking the abnormal monitoring result and the behavior topological graph as new training samples, and updating the candidate behavior monitoring model when the updating condition is met.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring global behavior information of a target user;
determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes according to the global behavior information;
generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph;
and carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
In one embodiment, when the processor executes the logic of the computer program for generating the behavior topological graph according to the at least one monitoring node associated with the global behavior information and the behavior tracks between the monitoring nodes, the following steps are specifically implemented: taking each monitoring node as a graph node in the behavior topological graph; determining point attribute information of the graph node corresponding to each monitoring node according to the corresponding local behavior information in that monitoring node; and constructing connection edges between different graph nodes in the behavior topological graph according to the behavior tracks between different monitoring nodes, and determining edge attribute information of each connection edge.
In one embodiment, when the processor executes the logic of the computer program for determining the point attribute information of the graph node corresponding to each monitoring node according to the corresponding local behavior information in each monitoring node, the following steps are specifically implemented: for each monitoring node, determining the credibility of the corresponding local behavior information in the monitoring node; and determining the point attribute information of the graph node corresponding to the monitoring node according to the credibility.
In one embodiment, when the processor executes the logic of the computer program for determining the point attribute information of the graph node corresponding to the monitoring node according to the credibility, the following step is specifically implemented: converting the credibility into a gray value, and taking the gray value as the point attribute information of the graph node corresponding to the monitoring node.
In one embodiment, when the processor executes the logic of the computer program for determining the target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph, the following step is specifically implemented: selecting the target behavior monitoring model from the candidate behavior monitoring models according to the number of monitoring nodes corresponding to the global behavior information and the complexity of the corresponding local behavior information in each monitoring node.
In one embodiment, the computer program, when executed by the processor, further implements the following step: if it is determined according to the anomaly monitoring result that abnormal behavior exists in the global behavior information, taking the anomaly monitoring result and the behavior topological graph as new training samples, and updating the candidate behavior monitoring model when the updating condition is met.
In one embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, performs the steps of:
acquiring global behavior information of a target user;
determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes according to the global behavior information;
generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph;
and carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
In one embodiment, when the processor executes the logic of the computer program for generating the behavior topological graph according to the at least one monitoring node associated with the global behavior information and the behavior tracks between the monitoring nodes, the following steps are specifically implemented: taking each monitoring node as a graph node in the behavior topological graph; determining point attribute information of the graph node corresponding to each monitoring node according to the corresponding local behavior information in that monitoring node; and constructing connection edges between different graph nodes in the behavior topological graph according to the behavior tracks between different monitoring nodes, and determining edge attribute information of each connection edge.
In one embodiment, when the processor executes the logic of the computer program for determining the point attribute information of the graph node corresponding to each monitoring node according to the corresponding local behavior information in each monitoring node, the following steps are specifically implemented: for each monitoring node, determining the credibility of the corresponding local behavior information in the monitoring node; and determining the point attribute information of the graph node corresponding to the monitoring node according to the credibility.
In one embodiment, when the processor executes the logic of the computer program for determining the point attribute information of the graph node corresponding to the monitoring node according to the credibility, the following step is specifically implemented: converting the credibility into a gray value, and taking the gray value as the point attribute information of the graph node corresponding to the monitoring node.
In one embodiment, when the processor executes the logic of the computer program for determining the target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph, the following step is specifically implemented: selecting the target behavior monitoring model from the candidate behavior monitoring models according to the number of monitoring nodes corresponding to the global behavior information and the complexity of the corresponding local behavior information in each monitoring node.
In one embodiment, the computer program, when executed by the processor, further implements the following step: if it is determined according to the anomaly monitoring result that abnormal behavior exists in the global behavior information, taking the anomaly monitoring result and the behavior topological graph as new training samples, and updating the candidate behavior monitoring model when the updating condition is met.
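The graph-construction and model-selection steps above, sketched as an added Python example (not code from the patent or its applicant). The linear 8-bit gray mapping, the per-node mean credibility, the transition-count edge attribute, the complexity score and the candidate model names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (monitoring_node, local_action, credibility in [0, 1]), in time order.
SAMPLE_TRACE = [
    ("login", "password_ok", 0.9),
    ("login", "new_device", 0.4),
    ("account", "view_balance", 0.95),
    ("transfer", "add_payee", 0.5),
    ("transfer", "send_funds", 0.3),
    ("account", "view_balance", 0.95),
]

# Hypothetical candidates: (largest complexity handled, model name), ascending.
CANDIDATES = [(4, "rule_baseline"), (12, "graph_light"), (float("inf"), "graph_deep")]

def credibility_to_gray(cred):
    """Assumed mapping: clamp to [0, 1], then scale linearly to an 8-bit gray value."""
    return round(255 * min(1.0, max(0.0, cred)))

def build_topology(trace):
    """Monitoring nodes become graph nodes; moves between nodes become edges."""
    actions, creds, edges = defaultdict(set), defaultdict(list), defaultdict(int)
    prev = None
    for node, action, cred in trace:
        actions[node].add(action)
        creds[node].append(cred)
        if prev is not None and prev != node:
            edges[(prev, node)] += 1  # assumed edge attribute: transition count
        prev = node
    # Point attribute: gray value of the node's mean credibility (assumption).
    nodes = {
        n: {"gray": credibility_to_gray(sum(c) / len(c)), "actions": actions[n]}
        for n, c in creds.items()
    }
    return {"nodes": nodes, "edges": dict(edges)}

def complexity(graph):
    """Assumed score: node count plus distinct local actions across all nodes."""
    nodes = graph["nodes"]
    return len(nodes) + sum(len(a["actions"]) for a in nodes.values())

def select_model(graph, candidates=CANDIDATES):
    """Pick the first candidate whose capacity covers the graph's complexity."""
    score = complexity(graph)
    for limit, name in candidates:
        if score <= limit:
            return name
    raise ValueError("no candidate model covers complexity %d" % score)
```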
It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, displayed data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum-computing-based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described, but any combination of these technical features should be considered to fall within the scope of the present specification as long as the combination contains no contradiction.
The above-mentioned embodiments only express several embodiments of the present application, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the present application. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. An anomaly monitoring method, the method comprising:
acquiring global behavior information of a target user;
determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track between different monitoring nodes according to the global behavior information;
generating a behavior topological graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
determining a target behavior monitoring model from candidate behavior monitoring models according to the complexity of the behavior topological graph;
and carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
2. The method according to claim 1, wherein generating the behavior topological graph according to the at least one monitoring node associated with the global behavior information and the behavior tracks between the monitoring nodes comprises:
taking each monitoring node as a graph node in the behavior topological graph;
determining point attribute information of the graph nodes corresponding to the monitoring nodes according to the corresponding local behavior information in the monitoring nodes;
and constructing connection edges between different graph nodes in the behavior topological graph according to the behavior tracks between different monitoring nodes, and determining edge attribute information of each connection edge.
3. The method according to claim 2, wherein the determining point attribute information of the graph node corresponding to each monitoring node according to the corresponding local behavior information in each monitoring node comprises:
for each monitoring node, determining the credibility of the corresponding local behavior information in the monitoring node;
and determining the point attribute information of the graph node corresponding to the monitoring node according to the credibility.
4. The method of claim 3, wherein determining point attribute information of the graph node corresponding to the monitoring node according to the credibility comprises:
and converting the credibility into a gray value, and taking the gray value as the point attribute information of the graph node corresponding to the monitoring node.
5. The method according to any one of claims 1-4, wherein the determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph comprises:
and selecting the target behavior monitoring model from candidate behavior monitoring models according to the number of the monitoring nodes corresponding to the global behavior information and the complexity of the corresponding local behavior information in each monitoring node.
6. The method of claim 5, further comprising:
and if it is determined according to the anomaly monitoring result that abnormal behavior exists in the global behavior information, taking the anomaly monitoring result and the behavior topological graph as new training samples, and updating the candidate behavior monitoring model when an updating condition is met.
7. An anomaly monitoring device, said device comprising:
the acquisition module is used for acquiring the global behavior information of the target user;
the analysis module is used for determining at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and a behavior track among different monitoring nodes according to the global behavior information;
the topology construction module is used for generating a behavior topology graph according to at least one monitoring node associated with the global behavior information, local behavior information in each monitoring node and behavior tracks among different monitoring nodes;
the selection module is used for determining a target behavior monitoring model from the candidate behavior monitoring models according to the complexity of the behavior topological graph;
and the monitoring module is used for carrying out anomaly monitoring on the behavior topological graph based on the target behavior monitoring model to obtain an anomaly monitoring result of the global behavior information.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 6.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the method of any one of claims 1 to 6 when executed by a processor.
CN202211497262.4A 2022-11-25 2022-11-25 Anomaly monitoring method and device, computer equipment and storage medium Pending CN115883172A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211497262.4A CN115883172A (en) 2022-11-25 2022-11-25 Anomaly monitoring method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211497262.4A CN115883172A (en) 2022-11-25 2022-11-25 Anomaly monitoring method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115883172A true CN115883172A (en) 2023-03-31

Family

ID=85764176

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211497262.4A Pending CN115883172A (en) 2022-11-25 2022-11-25 Anomaly monitoring method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115883172A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116248412A (en) * 2023-04-27 2023-06-09 中国人民解放军总医院 Shared data resource abnormality detection method, system, equipment, memory and product

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116248412A (en) * 2023-04-27 2023-06-09 中国人民解放军总医院 Shared data resource abnormality detection method, system, equipment, memory and product
CN116248412B (en) * 2023-04-27 2023-08-22 中国人民解放军总医院 Shared data resource abnormality detection method, system, equipment, memory and product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination