CN116956250A - Abnormality detection method, device, equipment and medium for user behavior

Info

Publication number: CN116956250A
Application number: CN202310861236.3A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 左姣姣
Current Assignee: Bank of China Ltd
Original Assignee: Bank of China Ltd
Application filed by Bank of China Ltd

Classifications

    • G06F 21/31 User authentication (under G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
    • G06F 18/2433 Single-class perspective, e.g. one-against-all classification; novelty detection; outlier detection (under G06F 18/243 Classification techniques relating to the number of classes; G06F 18/24 Classification techniques; G06F 18/20 Analysing; G06F 18/00 Pattern recognition)
    • G06F 18/254 Fusion techniques of classification results, e.g. of results related to the same input data (under G06F 18/25 Fusion techniques; G06F 18/20 Analysing; G06F 18/00 Pattern recognition)

Abstract

The application discloses a method, device, equipment and medium for detecting abnormal user behavior, applicable to the financial field and other fields. The method comprises the following steps: acquire the access resource information, access time information and login address information of a user in a target time period; acquire the historical access resource information, historical access time information and historical login address information of the user in a historical time period; determine a first anomaly score based on the access resource information and the historical access resource information, a second anomaly score based on the access time information and the historical access time information, and a third anomaly score based on the login address information and the historical login address information; and detect whether the behavior is abnormal according to the first, second and third anomaly scores and a preset anomaly score. Because the anomaly scores are determined from the historical access information and the current access information, and the user's behavior is checked for anomalies on that basis, no manual inspection of behavior data is needed, and the efficiency and accuracy of anomaly detection are improved.

Description

Abnormality detection method, device, equipment and medium for user behavior
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a medium for detecting anomalies in user behavior.
Background
In terms of concrete business and functions, the bank's mini program (applet) covers appointment queue-number collection, credit card handling, inquiries and the like. The mini program spares the customer the tedious process of installing the bank's client on the mobile phone and occupies very little of the phone's memory. However, bank mini programs are currently at an early stage, and customers question their security. According to insider threat survey reports, 40% of respondents regard malicious operation by internal personnel as the greatest threat they face, and 36% of respondents consider accidental or careless internal personnel to be even more destructive.
Bank insiders hold legitimate identities and are familiar with the bank's business environment, and because insider threat behavior is mixed in with a large volume of normal user behavior, having security personnel analyze user behavior for anomalies takes a great deal of time and effort. Moreover, manual detection can only analyze a single user behavior characteristic, so the accuracy of detecting abnormal behavior by bank personnel is not high.
Disclosure of Invention
In view of the above, the present application provides a method, apparatus, device and medium for detecting abnormal behavior of a user, so as to improve accuracy of detecting abnormal behavior of an internal person and improve efficiency of detecting abnormal behavior.
In a first aspect, the present application provides a method for detecting anomalies in user behavior, the method comprising:
in response to monitoring an access operation of a user in a target time period, acquiring access resource information, access time information and login address information of the user in the target time period;
acquiring historical access resource information, historical access time information and historical login address information of the user in a historical time period;
determining a first anomaly score based on the access resource information and the historical access resource information; determining a second anomaly score based on the access time information and the historical access time information; determining a third anomaly score based on the login address information and the historical login address information;
and performing anomaly detection on the user based on the first anomaly score, the second anomaly score, the third anomaly score and a preset anomaly score.
In one possible implementation, the access resource information includes an access resource and the number of accesses to that access resource, and the historical access resource information includes a historical access resource and the number of accesses to that historical access resource; determining the first anomaly score based on the access resource information and the historical access resource information then comprises:
determining an access information matrix according to the access resource, the number of accesses to the access resource, the historical access resource and the number of accesses to the historical access resource;
obtaining a behavior evaluation index of the user according to the access information matrix and a trained neural network model;
and determining the first anomaly score based on the behavior evaluation index.
In one possible implementation, obtaining the behavior evaluation index of the user according to the access information matrix and the trained neural network model includes:
performing dimension reduction on the access information matrix using principal component analysis (PCA) to obtain a dimension-reduced matrix;
and inputting the dimension-reduced matrix into the neural network model to obtain the behavior evaluation index.
In one possible implementation, the training process of the neural network model includes:
acquiring training sample data, where the training sample data is generated based on a historical access information matrix of a user and each training sample carries a normal sample label or an abnormal sample label;
inputting the training sample data into an initial neural network model to obtain a predicted label for the training sample data;
determining a loss function based on the actual label and the predicted label of the training sample data;
and when the loss function is greater than or equal to a preset value, adjusting the parameters of the initial neural network model and re-executing the step of inputting the training sample data into the initial neural network model and the subsequent training steps, until the loss function is smaller than the preset value, thereby obtaining the trained neural network model.
In one possible implementation, the process of obtaining the sample labels of the training sample data includes:
performing a binary classification of a plurality of historical access information matrices using an unsupervised learning algorithm, where the plurality of historical access information matrices are determined based on historical access resources and the numbers of accesses to those historical access resources;
and determining the sample label corresponding to each class based on the result of the binary classification.
In one possible implementation, detecting an anomaly of the user based on the first anomaly score, the second anomaly score, the third anomaly score and the preset anomaly score includes:
determining the sum of the first anomaly score, the second anomaly score and the third anomaly score;
and when the sum is greater than or equal to the preset anomaly score, determining that the user has exhibited abnormal behavior.
In one possible implementation, the determining the second anomaly score based on the access time information and the historical access time information includes:
the second anomaly score is determined based on a similarity between the access time information and the historical access time information.
In a second aspect, the present application provides an abnormality detection apparatus for user behavior, the apparatus comprising:
a first acquisition unit, configured to acquire, in response to monitoring an access operation of the user in a target time period, the access resource information, access time information and login address information of the user in the target time period;
the second acquisition unit is used for acquiring historical access resource information, historical access time information and historical login address information of the user in a historical time period;
a determining unit configured to determine a first anomaly score based on the access resource information and the history access resource information; determining a second anomaly score based on the access time information and the historical access time information; determining a third anomaly score based on the login address information and the historical login address information;
and an anomaly detection unit, configured to perform anomaly detection on the user based on the first anomaly score, the second anomaly score, the third anomaly score and a preset anomaly score.
In one possible implementation, the access resource information includes an access resource and the number of accesses to that access resource, and the historical access resource information includes a historical access resource and the number of accesses to that historical access resource; the determining unit is specifically configured to determine an access information matrix according to the access resource, the number of accesses to the access resource, the historical access resource and the number of accesses to the historical access resource; obtain a behavior evaluation index of the user according to the access information matrix and a trained neural network model; and determine the first anomaly score based on the behavior evaluation index.
In one possible implementation, the determining unit is specifically configured to perform dimension reduction on the access information matrix using principal component analysis (PCA) to obtain a dimension-reduced matrix, and to input the dimension-reduced matrix into the neural network model to obtain the behavior evaluation index.
In one possible implementation, the training process of the neural network model includes: acquiring training sample data, where the training sample data is generated based on a historical access information matrix of a user and each training sample carries a normal sample label or an abnormal sample label; inputting the training sample data into an initial neural network model to obtain a predicted label for the training sample data; determining a loss function based on the actual label and the predicted label of the training sample data; and when the loss function is greater than or equal to a preset value, adjusting the parameters of the initial neural network model and re-executing the step of inputting the training sample data into the initial neural network model and the subsequent training steps, until the loss function is smaller than the preset value, thereby obtaining the trained neural network model.
In one possible implementation, the process of obtaining the sample labels of the training sample data includes:
performing a binary classification of a plurality of historical access information matrices using an unsupervised learning algorithm, where the plurality of historical access information matrices are determined based on historical access resources and the numbers of accesses to those historical access resources; and determining the sample label corresponding to each class based on the result of the binary classification.
In one possible implementation, the anomaly detection unit is specifically configured to determine the sum of the first anomaly score, the second anomaly score and the third anomaly score, and, when the sum is greater than or equal to the preset anomaly score, to determine that the user has exhibited abnormal behavior.
In a possible implementation manner, the determining unit is specifically configured to determine the second anomaly score based on a similarity between the access time information and the historical access time information.
In a third aspect, the present application provides an abnormality detection apparatus for user behavior, the apparatus comprising: a memory and a processor;
the memory is used for storing related program codes;
the processor is configured to invoke the program code to execute the abnormality detection method for user behavior according to any implementation manner of the first aspect.
In a fourth aspect, the present application provides a computer readable storage medium storing a computer program for executing the abnormality detection method for user behavior according to any one of the implementation manners of the first aspect.
From this, the application has the following beneficial effects:
In the above implementations of the present application, in response to monitoring an access operation of a user in a target time period, the access resource information, access time information and login address information of the user in the target time period are acquired. The historical access resource information, historical access time information and historical login address information of the user in a historical time period are then acquired, so that a first anomaly score can be determined based on the access resource information and the historical access resource information, a second anomaly score based on the access time information and the historical access time information, and a third anomaly score based on the login address information and the historical login address information. Finally, anomaly detection can be performed on the user according to the first, second and third anomaly scores and the preset anomaly score, that is, it is determined whether the user's access operations in the target time period constitute abnormal behavior. The method provided by the application determines the user's anomaly score from the user's historical access information and current access information and uses it for anomaly detection, so behavior data need not be inspected manually, and the efficiency and accuracy of anomaly detection are improved. Moreover, whether the user has exhibited abnormal behavior is determined from multiple user behavior characteristics, which further improves the accuracy of anomaly detection.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments provided in the present application, and other drawings may be obtained according to these drawings for those of ordinary skill in the art.
FIG. 1 is a flowchart of a method for detecting anomalies in user behavior according to an embodiment of the present application;
fig. 2 is a schematic diagram of an abnormality detection apparatus for user behavior according to an embodiment of the present application;
fig. 3 is a schematic diagram of an abnormality detection device for user behavior according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, where the described embodiments are merely exemplary implementations, but not all implementations of the application. Those skilled in the art can combine embodiments of the application to obtain other embodiments without inventive faculty, and such embodiments are also within the scope of the application.
At present, bank mini programs are at an early stage, and customers question their security. According to insider threat survey reports, 40% of respondents regard malicious operation by internal personnel as the greatest threat they face, and 36% of respondents consider accidental or careless internal personnel to be even more destructive.
Bank insiders hold legitimate identities and are familiar with the bank's business environment, and because insider threat behavior is mixed in with a large volume of normal user behavior, having security personnel analyze user behavior for anomalies takes a great deal of time and effort. Moreover, manual detection can only analyze a single user behavior characteristic, so the accuracy of detecting abnormal behavior by bank personnel is not high.
In view of this, the embodiments of the present application provide an anomaly detection method for user behavior that improves the efficiency and accuracy of detecting abnormal behavior by internal personnel. In a specific implementation, in response to monitoring an access operation of a user in a target time period, the access resource information, access time information and login address information of the user in the target time period are acquired. The historical access resource information, historical access time information and historical login address information of the user in a historical time period are then acquired, so that a first anomaly score can be determined based on the access resource information and the historical access resource information, a second anomaly score based on the access time information and the historical access time information, and a third anomaly score based on the login address information and the historical login address information. Finally, anomaly detection can be performed on the user according to the first, second and third anomaly scores and the preset anomaly score, that is, it is determined whether the user's access operations in the target time period constitute abnormal behavior. The method provided by the application determines the user's anomaly score from the user's historical access information and current access information and uses it for anomaly detection, so behavior data need not be inspected manually, and the efficiency and accuracy of anomaly detection are improved. Moreover, whether the user has exhibited abnormal behavior is determined from multiple user behavior characteristics, which further improves the accuracy of anomaly detection.
In order to facilitate understanding of the technical solution provided by the embodiments of the present application, the following description will be given with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a flowchart of a method for detecting anomalies in user behavior according to an embodiment of the present application.
The method can be executed by a processing device of the bank's business systems, which can acquire data as external and internal personnel access the business.
The method may comprise the steps of:
S101: in response to monitoring an access operation of the user in the target time period, acquire the access resource information, access time information and login address information of the user in the target time period.
The user here refers to a member of the bank's staff, who accesses different content by logging in with an account number and the like in order to obtain the information they need. When an access operation by the user is monitored, the user's access information in the target time period can be tallied and the user's behavior checked for anomalies; for example, the user's access resource information, access time information, login address information and the like in the target time period are obtained. The access resource information may include the resources accessed by the user and the number of accesses to each resource, and an access resource may be a link access or the like. The access time information indicates the specific times at which the user accessed the resources; the login address information indicates the address of the terminal from which the user logged in, where the terminal may be a mobile phone, a server or the like, and each terminal device corresponds uniquely to one address. When the user accesses a resource different from the resources accessed previously, this may indicate abnormal behavior. Likewise, when the time at which the user accesses a resource differs from the historical times, for example when the user's previous accesses fell within normal working hours but the current access falls outside the working period, this may indicate abnormal behavior. When the user's login address differs from the historical login addresses, this may indicate abnormal behavior.
In one possible implementation, the target time period may be one day, that is, the user's access behavior information over that day is tallied in order to detect abnormal behavior of the user.
It should be noted that the access resource information, access time information and login address information obtained in the above embodiment are only exemplary; anomaly detection of user behavior is not limited to these items, and other information related to the user's behavior may also be obtained for analysis, which this embodiment does not restrict.
S102: acquire the historical access resource information, historical access time information and historical login address information of the user in the historical time period.
To detect whether the user's behavior is abnormal, the user's access information in the target time period can be compared with the access information in a historical time period. That is, the historical access resource information, historical access time information and historical login address information of the user in the historical time period are acquired; they can be retrieved by the user's account information or other means. The historical access resource information includes the historical access resources and the number of accesses to each, and the historical access time information indicates the specific times at which the user accessed those resources. The length of the historical time period can be set according to actual requirements and is not limited by this embodiment. For example, the historical time period may be set to the 10 days up to the current day, that is, the user's historical access resource information, historical access time information and historical login address information over the last 10 days are acquired.
S103: determining a first anomaly score based on the access resource information and the historical access resource information; determining a second anomaly score based on the access time information and the historical access time information; a third anomaly score is determined based on the login address information and the historical login address information.
After the user's historical access information is obtained, the user's anomaly score can be determined from the historical access information and the access information of the target time period; the anomaly score evaluates the degree of abnormality of the user's behavior. The higher the anomaly score, the more abnormal the user's behavior; the lower the score, the less abnormal it is.
In one possible implementation, the first anomaly score may be determined by first constructing the access information matrix from the user's access resources, the number of accesses to each access resource, the historical access resources and the number of accesses to each historical access resource. For example, the rows of the access information matrix may correspond to the days making up the target time period and the historical time period, and its columns to the access resources and historical access resources, that is, each column corresponds to one access resource or historical access resource, and each element of the matrix is the number of accesses to that resource on that day. A behavior evaluation index for the user is then obtained from the access information matrix and a trained neural network model; the neural network model serves to detect abnormal user behavior, and the behavior evaluation index is either normal behavior or abnormal behavior. The neural network model may, for example, be a convolutional neural network. The first anomaly score is determined from the behavior evaluation index, and the correspondence between the two may be set in advance: for example, when the behavior evaluation index is normal behavior the first anomaly score may be 0, and when it is abnormal behavior the first anomaly score may be a preset anomaly score. This embodiment does not limit the specific value of the preset anomaly score; for example, it may be set to 20 points.
In one possible implementation, to simplify data processing and characterize the data better, the access information matrix may first be reduced in dimension using principal component analysis (PCA) to obtain a dimension-reduced matrix, which is then input into the neural network model to obtain the user's behavior evaluation index. Principal component analysis is a multivariate statistical method for examining the correlation among many variables; it reveals the internal structure among those variables through a few principal components, which are derived from the original variables while retaining as much of their information as possible.
Because the neural network model is trained in advance, the neural network model can be used for carrying out abnormal evaluation on the behaviors of the user, namely classifying the behaviors of the user and determining whether the behaviors of the user are normal behaviors or abnormal behaviors. For ease of understanding, the training process of the neural network model will be described below.
In order to train the initial neural network model, training sample data is first acquired. The training sample data may be generated from historical access information matrices of users, that is, determined from the users' historical access information; this process is described in the subsequent embodiments and is not repeated here. Each training sample carries either a normal sample label or an abnormal sample label. The training sample data is input into the initial neural network model to obtain a predicted label for each sample, and a loss function is determined from the actual labels and the predicted labels. The loss function represents the degree of difference between the actual labels and the predicted labels: the larger the loss, the larger the difference, and thus the lower the accuracy of the neural network model. When the loss is greater than or equal to a preset value, the initial neural network model does not yet meet the requirement and its parameters are adjusted. The training sample data is then input into the model with the adjusted parameters and the subsequent training steps are repeated until the recomputed loss is smaller than the preset value, at which point the trained neural network model is obtained.
Because labelled training sample data is needed to train the neural network model, the process of determining the sample labels is described below. Historical access resources of different users in different historical time periods, together with the number of accesses to each historical access resource, are obtained, and a plurality of historical access information matrices are determined from them. Optionally, each historical time period corresponds to one historical access information matrix: the number of rows corresponds to the number of days in the period, the number of columns corresponds to the number of historical access resources in the period, each column corresponds to one historical access resource, and each element is the number of accesses to that resource on that day.
The plurality of historical access information matrices is then divided into two classes with an unsupervised learning algorithm, that is, each matrix is assigned to one of two clusters. Unsupervised learning clusters training samples whose classes are unknown (unlabelled), grouping samples with similar features into one class. Suitable algorithms include the one-class support vector machine and support vector data description (SVDD); note that the standard support vector machine is a supervised classifier and requires labelled data, so only its one-class variant applies here. The implementations of these algorithms are known in the art and are not described here. After the matrices have been divided into two classes, the sample label corresponding to each class, normal or abnormal, can be determined manually.
Optionally, a plurality of unsupervised learning algorithms may each be used to divide the historical access information matrices into two classes and to determine the sample label for each class. The classification results of the algorithms are then combined by majority vote: a historical access information matrix that more than half of the algorithms assign to the abnormal class receives the abnormal sample label, and one that more than half assign to the normal class receives the normal sample label. With an even number of algorithms a matrix may fall in neither case; such a matrix is better left out of the training set than labelled arbitrarily.
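The labelling procedure of the preceding paragraphs, as an added example that is not code from the patent: one historical access information matrix is built per user and historical period from constructed log lines (rows are days, columns are resources, elements are access counts), three simple unsupervised two-way splits are applied, and a label is kept only when a majority of them agree. The log format, the 7-day period, the three split rules and the rule that the smaller k-means cluster stands in for the operator's "this cluster is abnormal" decision are all assumptions; the patent names no specific algorithm beyond an unsupervised two-way classification followed by a majority vote.

```python
"""Sample labelling for historical access-information matrices (added example)."""
from collections import defaultdict
import math


def make_lines(user, days, pattern):
    """Constructed log lines "<date> <user> <resource>" (not from the patent)."""
    lines = []
    for day in days:
        for resource, n in pattern.items():
            lines.extend(f"2023-07-{day:02d} {user} {resource}" for _ in range(n))
    return lines


LOG_LINES = (
    make_lines("alice", range(1, 8), {"/accounts/balance": 3, "/transfers/new": 1})
    + make_lines("bob", range(1, 8), {"/accounts/balance": 2, "/transfers/new": 1})
    + make_lines("carol", range(1, 8), {"/accounts/balance": 3, "/transfers/new": 2})
    + make_lines("dave", range(1, 8), {"/accounts/balance": 4, "/transfers/new": 1})
    # constructed bulk-retrieval pattern: many accesses, including an export endpoint
    + make_lines("eve", range(1, 8), {"/accounts/balance": 40, "/transfers/new": 25,
                                      "/admin/export": 30})
)


def build_matrices(lines, period_days=7):
    """One matrix per (user, period): rows = days of the period, columns = resources,
    element = number of accesses to that resource on that day."""
    resources = sorted({ln.split()[2] for ln in lines})
    col = {r: i for i, r in enumerate(resources)}
    matrices = {}
    for ln in lines:
        date, user, resource = ln.split()
        period, day_index = divmod(int(date.split("-")[2]) - 1, period_days)
        m = matrices.setdefault((user, period),
                                [[0] * len(resources) for _ in range(period_days)])
        m[day_index][col[resource]] += 1
    return matrices, resources


def flatten(m):
    return [x for row in m for x in row]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def median(xs):
    s = sorted(xs)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2


def kmeans_split(vectors, rounds=20):
    """Two-way k-means, deterministically started from the smallest- and
    largest-norm vectors.  Flags the smaller cluster, which stands in for the
    manual 'this cluster is abnormal' decision the patent leaves to an operator."""
    norms = [dist(v, [0] * len(v)) for v in vectors]
    centroids = [vectors[norms.index(min(norms))], vectors[norms.index(max(norms))]]
    assign = [0] * len(vectors)
    for _ in range(rounds):
        assign = [0 if dist(v, centroids[0]) <= dist(v, centroids[1]) else 1
                  for v in vectors]
        for k in (0, 1):
            members = [v for v, a in zip(vectors, assign) if a == k]
            if members:
                centroids[k] = [sum(c) / len(members) for c in zip(*members)]
    minority = 1 if assign.count(1) <= assign.count(0) else 0
    return [a == minority for a in assign]


def median_distance_split(vectors, factor=3.0):
    """Flags a matrix whose distance to the per-feature median vector exceeds
    `factor` times the median of those distances."""
    centre = [median(c) for c in zip(*vectors)]
    d = [dist(v, centre) for v in vectors]
    return [x > factor * median(d) for x in d]


def volume_split(vectors, factor=2.0):
    """Flags a matrix whose total access count exceeds `factor` times the median total."""
    totals = [sum(v) for v in vectors]
    return [t > factor * median(totals) for t in totals]


def label_matrices(lines, rules=(kmeans_split, median_distance_split, volume_split)):
    """Majority vote over the rules: 'abnormal' when more than half flag the
    matrix, 'normal' when more than half do not, otherwise 'undecided'."""
    matrices, _ = build_matrices(lines)
    keys = sorted(matrices)
    vectors = [flatten(matrices[k]) for k in keys]
    votes = [rule(vectors) for rule in rules]
    labels = {}
    for i, key in enumerate(keys):
        flagged = sum(v[i] for v in votes)
        if flagged * 2 > len(rules):
            labels[key] = "abnormal"
        elif (len(rules) - flagged) * 2 > len(rules):
            labels[key] = "normal"
        else:
            labels[key] = "undecided"  # tie: leave out of the training set
    return labels


if __name__ == "__main__":
    for key, label in label_matrices(LOG_LINES).items():
        print(key, label)
```

Only the constructed "eve" matrix is flagged by all three rules; the four routine users are labelled normal. Matrices for different users and periods are flattened to vectors over one global resource list so that they are comparable, which is what the clustering step needs; in practice the resource vocabulary should be fixed before training so that a new endpoint does not silently change the matrix shape.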
In the above embodiments, the implementation manner of determining the first anomaly score is described, and the manner of determining the second anomaly score and the third anomaly score will be described below.
In one possible implementation, after the historical access time information of the historical time period is acquired, a similarity between the user's access time information in the target time period and the historical access time information may be calculated. For example, the time period covered by the user's accesses in the target time period is determined, the time period covered by the plurality of pieces of historical access time information is determined, and the overlap ratio between the two periods is calculated. When the overlap ratio is greater than or equal to a preset ratio, the second anomaly score is determined to be 0; when it is smaller than the preset ratio, the second anomaly score is set to a preset anomaly score. The preset anomaly score corresponding to the second anomaly score and the preset anomaly score corresponding to the first anomaly score may be different values; for example, the preset anomaly score corresponding to the second anomaly score may be set to 40 points.
In one possible implementation, when the third anomaly score is determined from the login address information and the historical login address information, the third anomaly score is set to 0 when the user's login address information in the target time period is the same as the historical login address information, and to a preset anomaly score when it is different. The preset anomaly score corresponding to the third anomaly score may be set according to actual requirements and is not limited in this embodiment; for example, it may be set to 40 points.
S104: performing anomaly detection on the user based on the first anomaly score, the second anomaly score, the third anomaly score and a preset anomaly score.
After the first anomaly score, the second anomaly score and the third anomaly score are obtained, the three scores are summed and the sum is compared with the preset anomaly score. This preset anomaly score is the decision threshold for determining whether the user's behavior is abnormal and may be set according to actual requirements; it is distinct from the preset anomaly scores assigned to the individual scores in the embodiments above. When the sum of the first anomaly score, the second anomaly score and the third anomaly score is greater than or equal to the preset anomaly score, it is determined that the user's access operation in the target time period constitutes abnormal behavior; when the sum is smaller than the preset anomaly score, the access operation in the target time period is determined to be normal.
The method provided by the application determines the anomaly score of a user from the user's historical access information and current access information and uses it for anomaly detection, so that behavior data need not be examined manually, which improves the efficiency and accuracy of anomaly detection. Whether a user has produced abnormal behavior is moreover determined from several behavior features of the user (accessed resources, access time and login address), which further improves the accuracy of the detection.
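The scoring of the second and third anomaly scores and the decision of step S104, as an added example that is not code from the patent: the second score is derived from the overlap between the time-of-day window of the user's accesses in the target period and the window covered by the historical accesses, the third from whether every login address in the target period has been seen in the history, and the first score, which the patent obtains from the trained neural network, is passed in as a number. The 40-point penalties follow the patent's illustration; the 50 % overlap threshold, the 60-point decision threshold, the set-membership reading of "the same as the historical login address information" and the record format are assumptions.

```python
"""Second and third anomaly scores and decision step S104 (added example)."""
from datetime import datetime

SECOND_PENALTY = 40        # preset anomaly score for the second score (patent's example value)
THIRD_PENALTY = 40         # preset anomaly score for the third score (patent's example value)
PRESET_RATIO = 0.5         # "preset proportion" for the time overlap; assumed
PRESET_ANOMALY_SCORE = 60  # decision threshold compared with the sum; assumed

# Constructed records "<ISO timestamp> <user> <login address> <resource>" (not from the patent)
HISTORY = [
    "2023-07-03T09:02:11 alice 10.1.2.3 /accounts/balance",
    "2023-07-03T17:48:05 alice 10.1.2.3 /transfers/new",
    "2023-07-04T08:55:40 alice 10.1.2.3 /accounts/balance",
    "2023-07-05T18:10:22 alice 10.1.2.7 /accounts/balance",
    "2023-07-06T12:30:00 alice 10.1.2.3 /transfers/new",
]


def parse(line):
    ts, user, addr, resource = line.split()
    t = datetime.fromisoformat(ts)
    return {"user": user, "addr": addr, "resource": resource,
            "sec": t.hour * 3600 + t.minute * 60 + t.second}


def window(records):
    """Earliest and latest second-of-day at which the records' accesses occur."""
    secs = [r["sec"] for r in records]
    return min(secs), max(secs)


def overlap_ratio(target, history):
    """Fraction of the target window that lies inside the historical window."""
    (ts, te), (hs, he) = target, history
    if te == ts:                                   # a single access: inside or not
        return 1.0 if hs <= ts <= he else 0.0
    return max(0, min(te, he) - max(ts, hs)) / (te - ts)


def second_score(target, history):
    ratio = overlap_ratio(window(target), window(history))
    return 0 if ratio >= PRESET_RATIO else SECOND_PENALTY


def third_score(target, history):
    seen = {r["addr"] for r in history}
    return 0 if all(r["addr"] in seen for r in target) else THIRD_PENALTY


def detect(first, second, third, preset=PRESET_ANOMALY_SCORE):
    """S104: abnormal when the sum of the three scores reaches the preset score."""
    total = first + second + third
    return total >= preset, total


def evaluate(first, target_lines, history_lines):
    """Parse the records, compute the second and third scores and decide."""
    target = [parse(ln) for ln in target_lines]
    history = [parse(ln) for ln in history_lines]
    return detect(first, second_score(target, history), third_score(target, history))


# Usual hours from a known address: nothing flagged.
DAYTIME_KNOWN = ["2023-07-13T09:31:00 alice 10.1.2.3 /accounts/balance",
                 "2023-07-13T11:02:45 alice 10.1.2.3 /transfers/new"]
# Night-time accesses from an address never seen before.
NIGHT_NEW = ["2023-07-13T02:10:30 alice 203.0.113.9 /accounts/balance",
             "2023-07-13T02:41:12 alice 203.0.113.9 /transfers/new"]
# Usual hours but a new address: 40 points, below the 60-point threshold on its own.
DAYTIME_NEW = ["2023-07-13T10:00:00 alice 203.0.113.9 /accounts/balance",
               "2023-07-13T10:30:00 alice 203.0.113.9 /accounts/balance"]

if __name__ == "__main__":
    for name, lines in (("daytime/known", DAYTIME_KNOWN), ("night/new", NIGHT_NEW),
                        ("daytime/new", DAYTIME_NEW)):
        print(name, evaluate(0, lines, HISTORY))
```

With these values a new login address alone scores 40 and does not reach the threshold, while a new address combined with accesses outside the historical hours scores 80 and is flagged; the decision threshold therefore fixes which combinations of factors count as abnormal and should be chosen together with the per-score penalties. The windows are computed as one [earliest, latest] range per day, so historical activity that spans midnight would need the window split at 00:00, and a single historical outlier (one late-night login) widens the historical window for every later comparison; bucketing access times by hour, or excluding accesses already labelled abnormal from the history, avoids that.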
Based on the method embodiment, the embodiment of the application also provides an abnormality detection device for the user behavior. Referring to fig. 2, fig. 2 is a schematic diagram of an abnormality detection apparatus for user behavior according to an embodiment of the present application.
The apparatus 200 comprises:
a first obtaining unit 201, configured to obtain access resource information, access time information, and login address information of a user in a target time period in response to monitoring an access operation of the user in the target time period;
a second obtaining unit 202, configured to obtain historical access resource information, historical access time information, and historical login address information of the user in a historical time period;
a determining unit 203, configured to determine a first anomaly score based on the access resource information and the historical access resource information; determining a second anomaly score based on the access time information and the historical access time information; determining a third anomaly score based on the login address information and the historical login address information;
an anomaly detection unit 204, configured to perform anomaly detection on the user based on the first anomaly score, the second anomaly score, the third anomaly score, and a preset anomaly score.
In one possible implementation, the access resource information comprises an access resource and the number of accesses to the access resource, and the historical access resource information comprises a historical access resource and the number of accesses to the historical access resource. The determining unit 203 is specifically configured to determine an access information matrix from the access resource, the number of accesses to the access resource, the historical access resource and the number of accesses to the historical access resource; to obtain a behavior evaluation index of the user from the access information matrix and the trained neural network model; and to determine the first anomaly score from the behavior evaluation index.
In a possible implementation manner, the determining unit 203 is specifically configured to perform a dimension reduction process on the access information matrix by using principal component analysis PCA to obtain a dimension reduction matrix; and inputting the dimension reduction matrix into the neural network model to obtain the behavior evaluation index.
In one possible implementation, the training process of the neural network model includes: acquiring training sample data, wherein the training sample data is generated based on a historical access information matrix of a user, and the training sample data comprises a normal sample label or an abnormal sample label; inputting the training sample data into an initial neural network model, and obtaining a prediction label of the training sample data; determining a loss function based on the actual tag and the predicted tag of the training sample data; and when the loss function is larger than or equal to a preset value, adjusting parameters of the initial neural network model, and re-executing the training sample data input into the initial neural network model and the subsequent training process until the loss function is smaller than the preset value, so as to obtain the trained neural network model.
In one possible implementation manner, the process of obtaining the sample label of the training sample data includes:
performing two-classification on a plurality of history access information matrixes by using an unsupervised learning algorithm, wherein the plurality of history access information matrixes are determined based on history access resources and the access times of the history access resources; and determining a sample label corresponding to each classification based on the result of the two classifications.
In a possible implementation manner, the anomaly detection unit 204 is specifically configured to determine a sum of the first anomaly score, the second anomaly score, and the third anomaly score; and when the sum is greater than or equal to the preset abnormal score, determining that the user generates abnormal behaviors.
In a possible implementation manner, the determining unit 203 is specifically configured to determine the second anomaly score based on a similarity between the access time information and the historical access time information.
Based on the method embodiment and the device embodiment, the embodiment of the application also provides an abnormality detection device for user behavior. The following description will be made with reference to the accompanying drawings.
Referring to fig. 3, fig. 3 is a schematic diagram of an abnormality detection apparatus for user behavior according to an embodiment of the present application.
The apparatus 300 comprises: a memory 301 and a processor 302;
the memory 301 is used for storing relevant program codes;
the processor 302 is configured to invoke the program code and execute the anomaly detection method for user behavior according to the above-described method embodiment.
In addition, the embodiment of the application also provides a computer readable storage medium for storing a computer program for executing the abnormality detection method of the user behavior described in the above embodiment of the method.
It should be noted that the method, the device, the equipment and the medium for detecting the abnormality of the user behavior provided by the application can be used in the financial field or other fields. Other fields are any field other than the financial field, for example, the computer technology field. The foregoing is merely an example, and the application fields of the abnormality detection method, the device, the equipment and the medium for user behavior provided by the present application are not limited.
It should be noted that the embodiments in the present description are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the identical or similar parts the embodiments may be referred to one another. In particular, since the system and apparatus embodiments are substantially similar to the method embodiments, their description is relatively brief, and the relevant parts may be found in the description of the method embodiments. The apparatus embodiments described above are merely illustrative: units or modules described as separate components may or may not be physically separate, and components shown as units or modules may or may not be physical modules, that is, they may be located in one place or distributed over a plurality of network units, and some or all of the units or modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement the present application without undue burden.
It should be understood that in the present application, "at least one (item)" means one or more, and "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may represent: only A, only B, or both A and B, where A and B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "At least one of" or the like means any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may be singular or plural.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may be disposed in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for detecting anomalies in user behavior, the method comprising:
in response to monitoring an access operation of a user in a target time period, acquiring access resource information, access time information and login address information of the user in the target time period;
acquiring historical access resource information, historical access time information and historical login address information of the user in a historical time period;
determining a first anomaly score based on the access resource information and the historical access resource information; determining a second anomaly score based on the access time information and the historical access time information; determining a third anomaly score based on the login address information and the historical login address information;
and carrying out abnormality detection on the user based on the first abnormality score, the second abnormality score, the third abnormality score and a preset abnormality score.
2. The method of claim 1, wherein the access resource information comprises: an access resource and the number of accesses to the access resource, wherein the historical access resource information comprises: a historical access resource and the number of accesses to the historical access resource, and wherein the determining a first anomaly score based on the access resource information and the historical access resource information comprises:
determining an access information matrix according to the access resource, the access times of the access resource, the historical access resource and the access times of the historical access resource;
acquiring behavior evaluation indexes of the user according to the access information matrix and the trained neural network model;
the first anomaly score is determined based on the behavioral assessment indicator.
3. The method according to claim 2, wherein the obtaining the behavior evaluation index of the user according to the access information matrix and the trained neural network model includes:
performing dimension reduction processing on the access information matrix by using Principal Component Analysis (PCA) to obtain a dimension reduction matrix;
and inputting the dimension reduction matrix into the neural network model to obtain the behavior evaluation index.
4. A method according to claim 2 or 3, wherein the training process of the neural network model comprises:
acquiring training sample data, wherein the training sample data is generated based on a historical access information matrix of a user, and the training sample data comprises a normal sample label or an abnormal sample label;
inputting the training sample data into an initial neural network model, and obtaining a prediction label of the training sample data;
determining a loss function based on the actual tag and the predicted tag of the training sample data;
and when the loss function is larger than or equal to a preset value, adjusting parameters of the initial neural network model, and re-executing the training sample data input into the initial neural network model and the subsequent training process until the loss function is smaller than the preset value, so as to obtain the trained neural network model.
5. The method of claim 4, wherein the process of obtaining the sample tag of the training sample data comprises:
performing two-classification on a plurality of history access information matrixes by using an unsupervised learning algorithm, wherein the plurality of history access information matrixes are determined based on history access resources and the access times of the history access resources;
and determining a sample label corresponding to each classification based on the result of the two classifications.
6. The method of claim 1, wherein the anomaly detection of the user based on the first anomaly score, the second anomaly score, the third anomaly score, and a preset anomaly score comprises:
determining a sum of the first anomaly score, the second anomaly score, and the third anomaly score;
and when the sum is greater than or equal to the preset abnormal score, determining that the user generates abnormal behaviors.
7. The method of claim 1, wherein the determining a second anomaly score based on access time information and the historical access time information comprises:
the second anomaly score is determined based on a similarity between the access time information and the historical access time information.
8. An abnormality detection apparatus for a user's behavior, the apparatus comprising:
the first acquisition unit is used for, in response to monitoring an access operation of a user in a target time period, acquiring access resource information, access time information and login address information of the user in the target time period;
the second acquisition unit is used for acquiring historical access resource information, historical access time information and historical login address information of the user in a historical time period;
a determining unit configured to determine a first anomaly score based on the access resource information and the history access resource information; determining a second anomaly score based on the access time information and the historical access time information; determining a third anomaly score based on the login address information and the historical login address information;
and the abnormality detection unit is used for detecting the abnormality of the user based on the first abnormality score, the second abnormality score, the third abnormality score and a preset abnormality score.
9. An abnormality detection apparatus for a user's behavior, the apparatus comprising: a memory and a processor;
the memory is used for storing related program codes;
the processor is configured to invoke the program code to perform the anomaly detection method of user behavior of any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program for executing the abnormality detection method of user behavior according to any one of claims 1 to 7.
CN202310861236.3A 2023-07-13 2023-07-13 Abnormality detection method, device, equipment and medium for user behavior Pending CN116956250A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310861236.3A CN116956250A (en) 2023-07-13 2023-07-13 Abnormality detection method, device, equipment and medium for user behavior

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310861236.3A CN116956250A (en) 2023-07-13 2023-07-13 Abnormality detection method, device, equipment and medium for user behavior

Publications (1)

Publication Number Publication Date
CN116956250A true CN116956250A (en) 2023-10-27

Family

ID=88443807

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310861236.3A Pending CN116956250A (en) 2023-07-13 2023-07-13 Abnormality detection method, device, equipment and medium for user behavior

Country Status (1)

Country Link
CN (1) CN116956250A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117745080A (en) * 2024-02-19 2024-03-22 北京北科融智云计算科技有限公司 Multi-factor authentication-based data access control and security supervision method and system
CN117745080B (en) * 2024-02-19 2024-04-26 北京北科融智云计算科技有限公司 Multi-factor authentication-based data access control and security supervision method and system

Similar Documents

Publication Publication Date Title
US20200394661A1 (en) Business action based fraud detection system and method
CN108876133B (en) Risk assessment processing method, device, server and medium based on business information
CN111177714B (en) Abnormal behavior detection method and device, computer equipment and storage medium
Cavagnaro et al. Discriminating among probability weighting functions using adaptive design optimization
CN111614690B (en) Abnormal behavior detection method and device
US10031829B2 (en) Method and system for it resources performance analysis
US20230328087A1 (en) Method for training credit threshold, method for detecting ip address, computer device and storage medium
US20070071081A1 (en) Communication analysis apparatus and method and storage medium storing communication analysis program, and organization rigidification analysis apparatus and method and storage medium storing organization rigidification analysis program
WO2017220140A1 (en) Life insurance system with fully automated underwriting process for real-time underwriting and risk adjustment, and corresponding method thereof
CN109801151B (en) Financial falsification risk monitoring method, device, computer equipment and storage medium
CN112765003B (en) Risk prediction method based on APP behavior log
CN116956250A (en) Abnormality detection method, device, equipment and medium for user behavior
CN116305168A (en) Multi-dimensional information security risk assessment method, system and storage medium
CN112131249A (en) Attack intention identification method and device
CN110335144B (en) Personal electronic bank account security detection method and device
CN116366374A (en) Security assessment method, system and medium for power grid network management based on big data
CN112990989B (en) Value prediction model input data generation method, device, equipment and medium
CN116340934A (en) Terminal abnormal behavior detection method, device, equipment and storage medium
CN107871213B (en) Transaction behavior evaluation method, device, server and storage medium
CN112085281B (en) Method and device for detecting safety of business prediction model
CN116107789A (en) Method for monitoring and analyzing application fault reasons and storage medium
Naidu et al. Analysis of Hadoop log file in an environment for dynamic detection of threats using machine learning
CN112733897A (en) Method and equipment for determining abnormal reason of multi-dimensional sample data
CN116015979B (en) Intelligent security situation awareness method, system and storage medium
CN113691552A (en) Threat intelligence effectiveness evaluation method, device, system and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination