CN116980322A - Behavior detection method and device based on behavior data and computer equipment - Google Patents

Publication number
CN116980322A
Authority
CN
China
Prior art keywords
detection
dimension
data
behavior
matched
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211404725.8A
Other languages
Chinese (zh)
Inventor
陈�胜
李伟
黑岩
钱业斐
董志强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Cloud Computing Changsha Co Ltd
Original Assignee
Tencent Cloud Computing Changsha Co Ltd

Abstract

The present application relates to a behavior detection method, apparatus, computer device, storage medium and computer program product based on behavior data. The embodiments can be applied to scenarios such as cloud technology, artificial intelligence, intelligent transportation and assisted driving. The method comprises the following steps: acquiring operation behavior data to be detected of an object to be detected; performing anomaly detection on the detection data in each detection dimension based on the detection strategy matched with that dimension, to obtain a dimension detection result matched with each detection dimension; acquiring the preset correspondence between each target service identifier and the detection weights matched with the detection dimensions, and determining the detection weights matched with the detection dimensions for the target service identifier; and performing weighting processing on the dimension detection results and the detection weights of all detection dimensions to obtain a behavior detection result matched with the object to be detected. By adopting the method, the efficiency and accuracy of behavior detection can be improved.

Description

Behavior detection method and device based on behavior data and computer equipment
Technical Field
The present application relates to the field of internet technologies, and in particular, to a behavior detection method, apparatus, and computer device based on behavior data.
Background
With the continuous development of internet technology, more and more people and companies need cloud environments. Calling cloud Application Programming Interfaces (APIs) with a persistent Access Key/Secret Key (AK/SK) to use services and operate resources on a public cloud is an important mode of interaction between cloud tenants and the cloud. The AK/SK is therefore a key caller authentication credential, and its leakage may allow an external malicious attacker to perform various destructive operations by calling cloud APIs with it. At present, the solutions to malicious use caused by AK/SK leakage include a key encryption service: the console encrypts the AK/SK plaintext with a specific encryption mode to obtain an AK/SK ciphertext, and the caller decrypts the ciphertext with a decryption Software Development Kit (SDK) before calling the cloud API. However, in the scenario where an external malicious attacker has obtained the AK/SK plaintext, the attacker can still use the plaintext to attack the system.
At present, in the scenario where an external malicious attacker has obtained the AK/SK plaintext, each behavior to be detected and each attack behavior in a detection rule base can be analyzed for specific functions, and the analysis written into the rule base as rules, so that abnormal behaviors are detected by rule matching. However, because the number of rules in the detection rule base is large, the efficiency and accuracy of rule matching decrease in practice. How to improve the efficiency and accuracy of behavior detection in the scenario where an external malicious attacker has obtained the AK/SK plaintext is therefore a problem to be solved.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a behavior detection method, apparatus, computer device, and storage medium based on behavior data, which can improve efficiency and accuracy of behavior detection.
In a first aspect, the present application provides a behavior detection method based on behavior data. The method comprises the following steps:
acquiring operation behavior data to be detected of an object to be detected, wherein the operation behavior data to be detected comprises detection data of a plurality of detection dimensions and target service identifiers, and the target service identifiers are used for uniquely identifying target services to which the object to be detected belongs;
based on the detection strategy matched with each detection dimension, carrying out abnormal detection on the detection data under each detection dimension to obtain dimension detection results matched with each detection dimension;
acquiring a preset corresponding relation of detection weights matched with all detection dimensions of each target service identifier, and determining the detection weights matched with all detection dimensions corresponding to the target service identifiers, wherein the detection weights are used for describing the importance degree of the matched detection dimensions in the target service;
and carrying out weighting processing based on dimension detection results matched with all the detection dimensions and detection weights matched with all the detection dimensions to obtain behavior detection results matched with the object to be detected.
In a second aspect, the application further provides a behavior detection device based on the behavior data. The device comprises:
the data acquisition module is used for acquiring operation behavior data to be detected of the object to be detected, wherein the operation behavior data to be detected comprises detection data of a plurality of detection dimensions and target service identifiers, and the target service identifiers are used for uniquely identifying target services to which the object to be detected belongs;
the dimension detection module is used for carrying out abnormal detection on the detection data under each detection dimension based on the detection strategy matched with each detection dimension to obtain dimension detection results matched with each detection dimension;
the detection weight determining module is used for acquiring the corresponding relation, preconfigured for each target service identifier, of the detection weights matched with the detection dimensions, and determining the detection weights matched with the detection dimensions corresponding to the target service identifier, wherein the detection weights describe the importance degree of the matched detection dimensions in the target service;
and the behavior detection module is used for carrying out weighting processing based on dimension detection results matched with all the detection dimensions and detection weights matched with all the detection dimensions to obtain behavior detection results matched with the object to be detected.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor which when executing the computer program performs the steps of:
acquiring operation behavior data to be detected of an object to be detected, wherein the operation behavior data to be detected comprises detection data of a plurality of detection dimensions and target service identifiers, and the target service identifiers are used for uniquely identifying target services to which the object to be detected belongs;
based on the detection strategy matched with each detection dimension, carrying out abnormal detection on the detection data under each detection dimension to obtain dimension detection results matched with each detection dimension;
acquiring a preset corresponding relation of detection weights matched with all detection dimensions of each target service identifier, and determining the detection weights matched with all detection dimensions corresponding to the target service identifiers, wherein the detection weights are used for describing the importance degree of the matched detection dimensions in the target service;
and carrying out weighting processing based on dimension detection results matched with all the detection dimensions and detection weights matched with all the detection dimensions to obtain behavior detection results matched with the object to be detected.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
acquiring operation behavior data to be detected of an object to be detected, wherein the operation behavior data to be detected comprises detection data of a plurality of detection dimensions and target service identifiers, and the target service identifiers are used for uniquely identifying target services to which the object to be detected belongs;
based on the detection strategy matched with each detection dimension, carrying out abnormal detection on the detection data under each detection dimension to obtain dimension detection results matched with each detection dimension;
acquiring a preset corresponding relation of detection weights matched with all detection dimensions of each target service identifier, and determining the detection weights matched with all detection dimensions corresponding to the target service identifiers, wherein the detection weights are used for describing the importance degree of the matched detection dimensions in the target service;
and carrying out weighting processing based on dimension detection results matched with all the detection dimensions and detection weights matched with all the detection dimensions to obtain behavior detection results matched with the object to be detected.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of:
acquiring operation behavior data to be detected of an object to be detected, wherein the operation behavior data to be detected comprises detection data of a plurality of detection dimensions and target service identifiers, and the target service identifiers are used for uniquely identifying target services to which the object to be detected belongs;
based on the detection strategy matched with each detection dimension, carrying out abnormal detection on the detection data under each detection dimension to obtain dimension detection results matched with each detection dimension;
acquiring a preset corresponding relation of detection weights matched with all detection dimensions of each target service identifier, and determining the detection weights matched with all detection dimensions corresponding to the target service identifiers, wherein the detection weights are used for describing the importance degree of the matched detection dimensions in the target service;
and carrying out weighting processing based on dimension detection results matched with all the detection dimensions and detection weights matched with all the detection dimensions to obtain behavior detection results matched with the object to be detected.
The behavior detection method, apparatus, computer device, storage medium and computer program product based on behavior data acquire the operation behavior data to be detected of the object to be detected, where the data comprises detection data of a plurality of detection dimensions and a target service identifier that uniquely identifies the target service to which the object belongs. Anomaly detection is performed on the detection data in each detection dimension based on the detection strategy matched with that dimension, giving a dimension detection result per dimension; the correspondence, preset for each service identifier, between detection dimensions and detection weights is acquired and the detection weights matched with each detection dimension for the target service identifier are determined, the weights describing the importance of each dimension in the target service; and the dimension detection results are weighted with these detection weights to obtain the behavior detection result matched with the object to be detected.
Because the detection data in each dimension is checked by the detection strategy of that dimension, and the weight of each dimension under different services is also taken into account, the behavior detection result of an object is determined by detecting anomalies across multiple dimensions while weighting their importance in the specific service scenario. Detection thus follows the actual service scenario and the actual operation behavior, which improves the efficiency and accuracy of behavior detection.
Drawings
FIG. 1 is a system architecture diagram of a block chain system in one embodiment;
FIG. 2 is a block diagram of a block chain system according to one embodiment;
FIG. 3 is an application environment diagram of a behavior detection method based on behavior data in one embodiment;
FIG. 4 is a flow chart of a behavior detection method based on behavior data in one embodiment;
FIG. 5 is a partial flow diagram of determining a detection policy for each object to match in each detection dimension in one embodiment;
FIG. 6 is a partial flow diagram of determining a detection policy that matches in each detection dimension in one embodiment;
FIG. 7 is a partial flow diagram of another embodiment for determining a detection policy for an object to match in each detection dimension;
FIG. 8 is a partial flow diagram of determining a detection policy that matches in each detection dimension in another embodiment;
FIG. 9 is a partial flow diagram of determining dimension detection results for which each detection dimension matches in one embodiment;
FIG. 10 is a flow chart of determining detection weights matching detection dimensions corresponding to a target service identifier in one embodiment;
FIG. 11 is a partial flow chart of a behavior detection result for determining that an object to be detected matches in one embodiment;
FIG. 12 is a partial flowchart of a behavior detection result for determining that an object to be detected matches in another embodiment;
FIG. 13 is a flow chart illustrating a method for determining behavior detection results based on behavior detection scores of objects to be detected in one embodiment;
FIG. 14 is a complete flow diagram of a behavior detection method based on behavior data in one embodiment;
FIG. 15 is a block diagram of a behavior detection device based on behavior data in one embodiment;
FIG. 16 is a block diagram of a behavior detection device based on behavior data in another embodiment;
FIG. 17 is an internal structural view of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The system according to the embodiment of the present application may be a distributed system formed by connecting a client and a plurality of nodes (any form of computing device in an access network, such as a server and a user terminal) through a network communication.
Taking a blockchain system as an example of a distributed system, and referring to fig. 1, fig. 1 is a schematic diagram of an alternative architecture of a distributed system 100 applied to a blockchain system according to an embodiment of the present application. The architecture is formed by a plurality of nodes (arbitrary computing devices in an access network, such as servers and user terminals) and clients, with a Peer-to-Peer (P2P) network formed between the nodes, where the P2P protocol is an application layer protocol running on top of the Transmission Control Protocol (TCP). In a distributed system, any machine, such as a server or a terminal, may join to become a node; a node comprises a hardware layer, an intermediate layer, an operating system layer and an application layer.
Referring to the functionality of each node in the blockchain system shown in fig. 1, the functions involved include:
1) The routing, the node has basic functions for supporting communication between nodes.
Besides the routing function, the node can also have the following functions:
2) The application, which is deployed in the blockchain to realize a specific service according to actual service requirements, records the data related to that function to form record data, carries a digital signature in the record data to indicate the source of the task data, and sends the record data to the other nodes in the blockchain system; the other nodes add the record data to a temporary block once they have verified its source and integrity.
3) The blockchain, which comprises a series of blocks linked to each other in the order of their generation time; a block is never removed once it has been added to the blockchain, and the record data submitted by the nodes in the blockchain system is recorded in the blocks.
Referring to fig. 2, fig. 2 is an optional block structure provided in an embodiment of the present application, where each block includes the hash value of the transaction records stored in the block (the hash value of the block) and the hash value of the previous block, and the blocks are linked by these hash values to form a block chain. In addition, a block may include information such as the timestamp of its generation. A blockchain is essentially a decentralized database: a string of data blocks generated in association using cryptographic methods, each containing information used to verify the validity (anti-counterfeiting) of its contents and to generate the next block.
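To make the block structure just described concrete, the following added example (not code from the patent) builds a small chain in that shape, each block carrying the hash of its records, the hash of the previous block and a generation timestamp, and then verifies the chain by recomputing those hashes. The record contents, timestamps and the all-zero genesis predecessor are constructed placeholders; the per-record digital signature mentioned under function 2) is not modelled here.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder for "no previous block"


def _sha256_json(obj) -> str:
    """Canonical JSON (sorted keys) so the same content always hashes the same."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def make_block(records, prev_hash: str, timestamp: int) -> dict:
    """Build one block: hash of its records, hash of the previous block, timestamp,
    and the block's own hash computed over those three header fields."""
    tx_hash = _sha256_json(records)
    header = {"prev_hash": prev_hash, "tx_hash": tx_hash, "timestamp": timestamp}
    return {"records": records, **header, "hash": _sha256_json(header)}


def build_chain(batches, start_ts: int = 1_700_000_000) -> list:
    """Link one block per batch of records, each pointing at its predecessor."""
    chain, prev = [], GENESIS_PREV
    for i, batch in enumerate(batches):
        block = make_block(batch, prev, start_ts + i)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain) -> int:
    """Return the index of the first block whose linkage or content no longer
    matches its hashes, or -1 if the whole chain is intact."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        header = {"prev_hash": block["prev_hash"], "tx_hash": block["tx_hash"],
                  "timestamp": block["timestamp"]}
        if (block["prev_hash"] != prev
                or block["tx_hash"] != _sha256_json(block["records"])
                or block["hash"] != _sha256_json(header)):
            return i
        prev = block["hash"]
    return -1


def tamper_records(chain, index: int, new_records) -> list:
    """Return a deep copy of the chain with one block's records altered,
    leaving its stored hashes untouched (what an after-the-fact edit looks like)."""
    altered = copy.deepcopy(chain)
    altered[index]["records"] = new_records
    return altered


if __name__ == "__main__":
    # Constructed record batches, e.g. audit records submitted by nodes.
    demo = build_chain([[{"op": "create"}], [{"op": "update"}], [{"op": "delete"}]])
    print("intact chain ->", verify_chain(demo))                      # -1
    print("edited block 1 ->", verify_chain(tamper_records(demo, 1, [{"op": "x"}])))  # 1
```

Changing a block's records without recomputing every later hash is caught at that block, because the stored `tx_hash` no longer matches; rewriting the hashes of one block would then break the `prev_hash` link of the next, which is the property that makes the chain tamper-evident.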
The behavior detection method based on behavior data provided by the embodiment of the present application can be applied to the application environment shown in fig. 3, where the terminal 302 communicates with the server 304 via a network. A data storage system may store the data that the server 304 needs to process, such as operation behavior data; it may be integrated on the server 304 or located on the cloud or other servers.
Specifically, taking the application of the embodiment of the present application to the server 304 as an example, before the server 304 detects a specific behavior of an object to be detected, it needs to determine a detection policy matched by each object in each detection dimension. The server 304 then obtains to-be-detected operation behavior data of the to-be-detected object, where the to-be-detected operation behavior data includes detection data of a plurality of detection dimensions and a target service identifier, and obtains a detection policy matched with the to-be-detected object in each detection dimension based on a predetermined detection policy matched with each object in each detection dimension, so that abnormal detection is performed on the detection data in each detection dimension based on the detection policy matched with each detection dimension, and a dimension detection result matched with each detection dimension is obtained. Based on this, the server 304 further obtains a corresponding relationship of detection weights matched with each detection dimension and preconfigured by each target service identifier, and determines the detection weights matched with each detection dimension corresponding to the target service identifier carried in the operation behavior data to be detected, so that weighting is performed on the dimension detection result matched with each detection dimension and the detection weights matched with each detection dimension, and a behavior detection result matched with the object to be detected is obtained. When determining the behavior detection result of the object to be detected, the server 304 can perform anomaly detection from multiple detection dimensions, and combine importance of the multiple detection dimensions under different service scenarios, so as to attach to the actual service scenarios and the actual operation behaviors for detection, thereby improving efficiency and accuracy of behavior detection.
The terminal 302 may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer, internet of things device or portable wearable device; the internet of things device may be a smart speaker, smart television, smart air conditioner, smart vehicle device, aircraft, etc., and the portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 304 may be implemented as a stand-alone server or as a server cluster of multiple servers. The embodiments of the present application may be applied to various scenarios including, but not limited to, cloud technology, artificial intelligence (AI), intelligent transportation, assisted driving, and the like.
The artificial intelligence is a theory, method, technique and application system that uses a digital computer or a machine controlled by a digital computer to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use the knowledge to obtain optimal results. In other words, artificial intelligence is an integrated technology of computer science that attempts to understand the essence of intelligence and to produce a new intelligent machine that can react in a similar way to human intelligence. Artificial intelligence, i.e. research on design principles and implementation methods of various intelligent machines, enables the machines to have functions of sensing, reasoning and decision. The artificial intelligence technology is a comprehensive subject, and relates to the technology with wide fields, namely the technology with a hardware level and the technology with a software level. Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
With research and advancement of artificial intelligence technology, research and application of artificial intelligence technology is being developed in various fields, such as common smart home, smart wearable devices, virtual assistants, smart speakers, smart marketing, unmanned, automatic driving, unmanned aerial vehicles, robots, smart medical treatment, smart customer service, etc., and it is believed that with the development of technology, artificial intelligence technology will be applied in more fields and with increasing importance value. The scheme provided by the embodiment of the application particularly relates to an artificial intelligence Machine Learning (ML) technology, wherein the Machine Learning is a multi-field interdisciplinary and relates to a plurality of disciplines such as probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory and the like. It is specially studied how a computer simulates or implements learning behavior of a human to acquire new knowledge or skills, and reorganizes existing knowledge structures to continuously improve own performance. Machine learning is the core of artificial intelligence, a fundamental approach to letting computers have intelligence, which is applied throughout various areas of artificial intelligence. Machine learning and deep learning typically include techniques such as artificial neural networks, confidence networks, reinforcement learning, transfer learning, induction learning, teaching learning, and the like.
In one embodiment, as shown in fig. 4, a behavior detection method based on behavior data is provided, and the method is applied to the server 304 in fig. 3 for illustration, it is understood that the method may also be applied to the terminal 302. Or may also be applied to a system comprising a terminal 302 and a server 304 and implemented through interaction of the terminal 302 and the server 304. In this embodiment, the method includes the steps of:
step 402, obtaining operation behavior data to be detected of an object to be detected, where the operation behavior data to be detected includes detection data of a plurality of detection dimensions and a target service identifier, where the target service identifier is used to uniquely identify a target service to which the object to be detected belongs.
The object to be detected is the object whose behavior is detected; in this embodiment it is specifically a persistent Access Key/Secret Key (AK/SK) to be detected. The operation behavior data to be detected is then the operation behavior data of the object to be detected within a detection time period, which may be 1 minute (min), 5 min, 10 min, and so on, and is determined by the requirements of the actual service scenario.
It can be appreciated that, when the object to be detected is an AK/SK, the operation behavior data at least includes the call information of the interface call behavior performed with that AK/SK, where the call information at least includes the call time, call region, call interface type, call interface number, and so on. The interface call behaviors that can be performed with the object to be detected are preset; for example, if the object to be detected can perform boundary-breaching interface calls, credential-access interface calls and information-collection interface calls, the operation behavior data of the object to be detected consists of at least one of: the call information of the boundary-breaching interface calls, the call information of the credential-access interface calls, and the call information of the information-collection interface calls.
Based on the detection, the operation behavior data to be detected comprises detection data of a plurality of detection dimensions and target service identification. The target service identifier is used for uniquely identifying a target service to which the object to be detected belongs, for example, the target service is specifically a video service, and a plurality of AK/SK are provided under the video service, so that the target service identifier for indicating the video service can be carried when the object to be detected (i.e. the AK/SK to be detected) performs an interface calling action.
Next, the aforementioned detection dimensions include at least: calling region, calling rate, calling response time, etc The calling area is used to describe: the calling area when the interface calling action is performed based on AK/SK, and the area division rule of the calling area should be determined based on the requirement of the target service, for example, the calling area is divided based on province, then the specific calling area may include: province 1, province 2, province 3, province 4, etc. Or, the calling area is based on country division, then the specific calling area may include: country 1, country 2, country 3, country 4, etc. Or, the calling area is divided based on the intranet area and the extranet area, and then the specific calling area may include: an intranet zone, an extranet zone, and the like.
And the call rate may describe: based on the ratio of the number of times of the AK/SK performing the interface calling action in the detection time period to the detection time period, for example, the detection time period is 5min, and based on the number of times of the AK/SK performing the interface calling action in the detection time period is 100 times, the calling rate can be obtained as follows: 20 times/min (100/5). It should be appreciated that, in practical applications, since one AK/SK may call interfaces of multiple call interface types, the call rate of AK/SK may also be described as follows: the ratio of the calling times of the interface calling behavior to the detection time period based on different calling interface types under AK/SK, namely the calling rate, can specifically comprise: and respectively corresponding call rates based on different call interface types under AK/SK. For example, the detection time period is 5min, and AK/SK may call the call interface type A1 and the call interface type A2, if the number of times of calling the call interface type A1 for the detection time period is 100 times, and the number of times of calling the call interface type A2 for the detection time period is 200 times, the call rate may be obtained including: the calling rate corresponding to the calling interface type A1 is 20 times/min (100/5), and the calling rate corresponding to the calling interface type A2 is 40 times/min (200/5).
The calling response time is used for describing average response time corresponding to interface calling behavior based on AK/SK in a detection time period, and the response time is specifically: based on the time interval between the moment the AK/SK issues the call request and the moment the response to the call request is received. For example, the AK/SK issues a call request at 11:38:01, the time when AK/SK receives the call request is 11:38:02, then the response time for this interface call behavior is 1 second(s). Secondly, if 3 times of interface calling behaviors are performed based on AK/SK within a detection time period, and the response time of the first time of interface calling behavior is 1s, the response time of the second time of interface calling behavior is 3s, and the response time of the third time of interface calling behavior is 2s, the calling response time of AK/SK can be determined as follows: 2s [ (1+3+2)/3 ].
Specifically, the server acquires the operation behavior data to be detected of the object to be detected. The server may first determine the object to be detected and collect its operation behavior log in real time during the detection time period, so that at the end time point of the detection time period it holds the operation behavior log of the object to be detected for that period (i.e. the operation behavior data to be detected). Alternatively, at the end time point of the detection time period the server may first obtain all operation behavior logs of that period, which include the operation behavior logs of all objects, then determine the object to be detected from these logs and extract the operation behavior logs corresponding to it; these logs are the operation behavior data to be detected.
It should be understood that in this embodiment the abnormal behavior of every object in the system may be detected within a detection time period, so every object in the system may be an object to be detected, which is not limited here. The foregoing examples are provided to aid understanding of the present solution and are not to be construed as limiting it.
Step 404, perform anomaly detection on the detection data in each detection dimension based on the detection strategy matched with that detection dimension, to obtain a dimension detection result matched with each detection dimension.
The detection strategy matched with a detection dimension is specifically: the data anomaly range within which the detection data in the matched detection dimension is regarded as anomalous data. The data anomaly range may be: less than a predetermined value, e.g. less than 100; greater than a predetermined value, e.g. greater than 1000; or a range between two values, e.g. greater than 100 and less than 1000.
Further, the dimension detection result describes the detection result of the object to be detected in the matched detection dimension. That is, the dimension detection result is either: the detection data in the matched detection dimension belongs to the data anomaly range (data abnormal), or the detection data does not belong to the data anomaly range (data normal). For example, if the detection dimensions include detection dimension B1 and detection dimension B2, anomaly detection on the detection data in detection dimension B1 based on the detection policy matched with B1 gives dimension detection result C1, and anomaly detection on the detection data in detection dimension B2 based on the detection policy matched with B2 gives dimension detection result C2; C1 then describes the detection result of the object to be detected in detection dimension B1, and C2 describes its detection result in detection dimension B2.
Specifically, the server determines the detection strategy matched with each detection dimension and performs anomaly detection on the detection data in each detection dimension based on that strategy, obtaining a dimension detection result matched with each detection dimension. Based on the foregoing embodiments, the detection dimensions include at least the calling area, the calling rate and the calling response time, so the detection policies matched with the detection dimensions include at least: a detection policy matched with the calling area, a detection policy matched with the calling rate, and a detection policy matched with the calling response time.
Based on this, the detection policy matched with the calling area may be: when the detection data of the calling area included in the operation behavior data to be detected belongs to the abnormal area range (e.g., the abnormal area range consists of area D1, area D2 and area D3), the dimension detection result matched with the calling area for the operation behavior data to be detected is determined to be: data abnormal.
Similarly, the detection strategy matched with the calling rate is: the detection data of the calling rate belongs to the abnormal rate range. For example, if the abnormal rate range is "greater than 20 times/min" and the detection data of the calling rate included in the operation behavior data to be detected belongs to that range (for example, the calling rate is 30 times/min), the dimension detection result matched with the calling rate for the operation behavior data to be detected is determined to be: data abnormal. Since the call rate can also be described as the ratio of the number of calls of each calling interface type under the AK/SK to the detection time period, an abnormal rate range can in that case be set for each calling interface type under the AK/SK. For example, the abnormal rate range for calling interface type G1 is greater than 20 times/min, that for calling interface type G2 is greater than 30 times/min, that for calling interface type G3 is greater than 35 times/min, and so on, so that the dimension detection result accurately describes the detection result for each interface type.
The detection strategy matched with the calling response time is: the detection data of the calling response time belongs to the abnormal response time range. For example, if the abnormal response time range is "greater than 1 s" and the detection data of the calling response time included in the operation behavior data to be detected belongs to that range (for example, the calling response time is 3 s), the dimension detection result matched with the calling response time for the operation behavior data to be detected is determined to be: data abnormal.
Step 406, obtain the preconfigured correspondence between each service identifier and the detection weights matched with the detection dimensions, and determine the detection weights matched with the detection dimensions corresponding to the target service identifier, where a detection weight describes the importance degree of the matched detection dimension in the target service.
The detection weight describes the importance degree of the matched detection dimension in the target service. The detection weight matched with each detection dimension is preconfigured per service identifier, that is, different services may configure different detection weights for the same detection dimension.
Specifically, the server obtains the preconfigured correspondence between each service identifier and the detection weights matched with the detection dimensions, and determines the detection weights matched with the detection dimensions corresponding to the target service identifier. To facilitate understanding, assume the detection dimensions include the calling area, the calling rate and the calling response time. For a certain intranet service, the design of the intranet service generally focuses on protecting internal enterprise files or data against leakage and loss, so under the intranet service the calling area of the object to be detected is more important than the other detection dimensions; the detection weight of the calling area can then be preconfigured as 0.6, the detection weight of the calling rate as 0.2 and the detection weight of the calling response time as 0.2. That is, when the target service uniquely identified by the target service identifier is this intranet service, the detection weights corresponding to the target service identifier are obtained as: calling area 0.6, calling rate 0.2 and calling response time 0.2.
Further, for a certain online video playing service, the design of that service usually requires that video be played in real time from the video source data, so under the online video playing service the calling response time of the object to be detected is more important than the other detection dimensions; the detection weight of the calling response time can then be set to 0.6, the detection weight of the calling area to 0.2 and the detection weight of the calling rate to 0.2. That is, when the target service uniquely identified by the target service identifier is the online video playing service, the detection weights corresponding to the target service identifier are obtained as: calling response time 0.6, calling area 0.2 and calling rate 0.2.
Alternatively, if in the previous detection time period adjacent to the current one the target service uniquely identified by the target service identifier showed many data anomalies in the calling rate, the detection weight of the calling rate of the object to be detected can be set higher than the detection weights of the other detection dimensions. It will be appreciated that the foregoing examples are merely for understanding the present solution; the detection weights matched with the detection dimensions may sum to 1, or may be determined directly from the service demand, which is not limiting to the present application.
Step 408, perform weighting processing based on the dimension detection results matched with the detection dimensions and the detection weights matched with the detection dimensions, to obtain the behavior detection result matched with the object to be detected.
The behavior detection result describes the detection result for the operation behavior of the object to be detected in the detection time period. It may be: the operation behavior of the object to be detected in the detection time period is normal behavior, or it is abnormal behavior. In an actual service scenario, where the operation behavior of the object to be detected in the detection time period is abnormal, the abnormality level of the abnormal behavior (such as high-level, medium-level or ordinary abnormal behavior) can be further determined, so that different notification and loss-mitigation measures can be taken for abnormal behaviors of different levels in practice; this is not limited here.
Specifically, the dimension detection result describes the detection result of the object to be detected in the matched detection dimension, and the detection weight describes the importance of the matched detection dimension in the target service. Therefore, the server determines a detection score matched with each detection dimension from the dimension detection result matched with that dimension, and performs a weighted sum of the detection scores and the detection weights matched with the detection dimensions to determine the behavior detection result matched with the object to be detected.
In this behavior detection method based on behavior data, anomaly detection is performed on the detection data in each detection dimension through the detection strategies of a plurality of detection dimensions, and the weight proportions of the different detection dimensions under different services are further taken into account. When the behavior detection result of the object to be detected is determined, anomaly detection is therefore carried out from a plurality of detection dimensions while the importance of those dimensions in different service scenarios is considered jointly, so that detection follows the actual service scenario and the actual operation behavior, and the efficiency and accuracy of behavior detection are improved.
The preceding examples mention that the detection policies matched with the detection dimensions may differ between objects (i.e. between AK/SKs). How to determine, for each object, the detection policy matched with each detection dimension is therefore described in detail below.
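The following added Python example (not part of the patent description) walks steps 402 to 408 for one AK/SK: it derives the detection data from constructed call records, applies the per-dimension policies, looks up the service-specific weights and computes the weighted result. The policy values, the service weights, the 1/0 detection score per dimension and the 0.5 behavior threshold are assumptions chosen to mirror the examples above.

```python
from statistics import mean

# Detection policies and service weights are constructed to mirror the examples in
# the description; they are assumptions for this illustration, not fixed by the text.
ABNORMAL_AREAS = {"D1", "D2", "D3"}                          # calling area in this set => abnormal
ABNORMAL_RATE_ABOVE = {"G1": 20.0, "G2": 30.0, "G3": 35.0}  # calls/min per calling interface type
ABNORMAL_RESPONSE_ABOVE = 1.0                                # average response time in seconds
SERVICE_WEIGHTS = {
    "intranet": {"calling_area": 0.6, "call_rate": 0.2, "call_response_time": 0.2},
    "video":    {"calling_area": 0.2, "call_rate": 0.2, "call_response_time": 0.6},
}
BEHAVIOR_ABNORMAL_AT = 0.5   # assumed weighted-score threshold for "abnormal behavior"


def extract_detection_data(records, period_minutes):
    """Step 402: derive the detection data in each detection dimension from the
    operation behavior records of one object (AK/SK) in a detection period.
    records: iterable of (interface_type, calling_area, request_ts, response_ts)."""
    counts, latencies, areas = {}, [], set()
    for itype, area, req_ts, resp_ts in records:
        counts[itype] = counts.get(itype, 0) + 1
        latencies.append(resp_ts - req_ts)
        areas.add(area)
    return {
        "calling_area": areas,
        "call_rate": {t: n / period_minutes for t, n in counts.items()},   # per interface type
        "call_response_time": mean(latencies) if latencies else 0.0,
    }


def detect_dimensions(data):
    """Step 404: apply the policy matched with each detection dimension.
    Returns {dimension: True if the detection data is abnormal}."""
    area_abnormal = bool(data["calling_area"] & ABNORMAL_AREAS)
    # the call-rate dimension is abnormal if any interface type exceeds its own range (assumption)
    rate_abnormal = any(rate > ABNORMAL_RATE_ABOVE.get(t, float("inf"))
                        for t, rate in data["call_rate"].items())
    rt_abnormal = data["call_response_time"] > ABNORMAL_RESPONSE_ABOVE
    return {"calling_area": area_abnormal, "call_rate": rate_abnormal,
            "call_response_time": rt_abnormal}


def behavior_result(dim_results, service_id):
    """Steps 406-408: look up the weights preconfigured for the target service,
    score each dimension (1.0 abnormal / 0.0 normal, an assumption) and weight-sum."""
    weights = SERVICE_WEIGHTS[service_id]
    score = round(sum(weights[d] * (1.0 if abnormal else 0.0)
                      for d, abnormal in dim_results.items()), 6)
    return ("abnormal" if score >= BEHAVIOR_ABNORMAL_AT else "normal", score)


def detect(records, period_minutes, service_id):
    """Full pipeline for one object and one target service identifier."""
    data = extract_detection_data(records, period_minutes)
    return behavior_result(detect_dimensions(data), service_id)


def make_records(n, itype, area, latency_s, start_ts=0):
    """Constructed records: n calls of one interface type, each answered after latency_s."""
    return [(itype, area, start_ts + i, start_ts + i + latency_s) for i in range(n)]


# Constructed 5-minute period for one AK/SK calling from area D9: 150 calls of G1
# (30/min, above its 20/min range) and 100 calls of G2 (20/min, within its range),
# all answered in 2 s (above the 1 s response-time range).
SAMPLE_RECORDS = make_records(150, "G1", "D9", 2.0) + make_records(100, "G2", "D9", 2.0)

if __name__ == "__main__":
    # The same records yield "normal" for the intranet service (score 0.4) and
    # "abnormal" for the video service (score 0.8), because the weights differ.
    for svc in SERVICE_WEIGHTS:
        print(svc, detect(SAMPLE_RECORDS, 5, svc))
```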
In one embodiment, as shown in fig. 5, the behavior detection method based on the behavior data further includes:
Step 502, obtain a plurality of pieces of historical operation behavior data in a historical detection period, where each piece of historical operation behavior data corresponds to one object.
The historical operation behavior data is the operation behavior data corresponding to an object in a historical detection period. The historical detection period may consist of a plurality of detection time periods, may be the time period immediately preceding the current detection time period, or may be determined based on the service requirements; its duration is greater than or equal to that of a detection time period.
Specifically, the server acquires a plurality of pieces of historical operation behavior data over the historical detection period. The server may collect the log it generates while running in real time during the historical detection period and extract the pieces of historical operation behavior data from it; or, at the end time of the historical detection period, it may obtain the log generated during that period and extract the pieces of historical operation behavior data from it; or it may store the logs generated during a plurality of detection time periods and later, according to specific requirements, extract the pieces of historical operation behavior data of the historical detection period from those logs. The manner of acquiring the historical operation behavior data is not limited.
It should be understood that, in practical applications, the call information and the system running state information are described by fields, and these fields describe the calling behavior and the system running state from different angles. Therefore, at the end time of the historical detection period, the server can obtain the log generated while it was running, and the log can include call information, system running state information and the like.
Step 504, perform aggregation analysis on the plurality of historical operation behavior data and determine the historical operation behavior data set corresponding to each object.
The aggregation analysis aggregates the plurality of historical operation behavior data based on their similarity. The similarity of historical operation behavior data is the similarity between their operation behavior data in the different candidate detection dimensions, where the candidate detection dimensions of the operation behavior data may include, but are not limited to, the calling area, the calling interface type, the calling rate, the calling response time, the calling network environment and the like; the specific candidate dimensions are determined by the specific operation behavior data contained in the historical operation behavior data.
Specifically, since the server obtains the plurality of pieces of historical operation behavior data from the call information in the log generated while it ran during the historical detection period, it must further determine which object each piece of historical operation behavior data corresponds to. To this end the server performs aggregation analysis on the plurality of historical operation behavior data to determine the historical operation behavior data set corresponding to each object: it aggregates the data based on the similarity between the operation behavior data of the different candidate detection dimensions in each piece of historical operation behavior data. As a result, the similarity between pieces of historical operation behavior data within the set corresponding to one object is greater than their similarity to the historical operation behavior data in the sets corresponding to other objects.
For example, the plurality of historical operating behavior data includes historical operating behavior data E1, historical operating behavior data E2, and historical operating behavior data E3, and the historical operating behavior data E1 specifically includes: call information corresponding to the call to the interface F1 and call information corresponding to the call to the interface F2, the historical operation behavior data E2 specifically includes: the historical operation behavior data E3 specifically includes: call information corresponding to the call to the interface F2, and call information corresponding to the call to the interface F4. At this point, based on the aggregation analysis, it can be determined that: the historical operation behavior data E1 and the historical operation behavior data E2 belong to a historical operation behavior data set corresponding to the same object, and the historical operation behavior data E3 belong to a historical operation behavior data set corresponding to another object.
Step 506, perform statistical analysis on the detection data in each candidate detection dimension of each piece of historical operation behavior data in the historical operation behavior data set corresponding to each object, and determine the detection strategy matched with the object in each detection dimension.
The candidate detection dimensions are the data dimensions corresponding to all the historical operation behavior data; for example, they may include, but are not limited to, the calling area, the calling interface type, the calling rate, the calling response time, the calling network environment, the calling frequency and the like. Further, the statistical analysis counts the abnormal detection data among the detection data of each candidate detection dimension in the historical operation behavior data and analyzes the abnormal detection data to determine the data anomaly range, or the data anomaly threshold, in the matched detection dimension.
Specifically, the server performs statistical analysis on the detection data of each candidate detection dimension of each piece of historical operation behavior data in the historical operation behavior data set corresponding to each object, and determines the detection strategy matched with the object in each detection dimension. Because the calling relation of each AK/SK's calling behavior shows periodic regularity under the same service, the server can analyze the detection data that are abnormal (i.e. do not conform to the periodic regularity) to determine the data anomaly threshold in each detection dimension. For example, when abnormal behavior occurs based on an AK/SK within the historical detection period, there may be a large change in the calling rate, such as when an external malicious attacker frantically tries to access the data resources associated with the AK/SK or to obtain personal information after the AK/SK has leaked. Therefore the calling rate, which changes greatly, can be determined as a detection dimension, and the abnormal rate range in which calling rate anomalies are likely to occur is determined according to the calling rate observed during the abnormal behavior.
Based on the above, the server performs the following operation on each piece of historical operation behavior data in the historical operation behavior data set corresponding to each object: count the abnormal detection data among the detection data of each candidate detection dimension, determine the candidate detection dimensions whose detection data show no abnormality as non-detection dimensions, and determine the candidate detection dimensions whose detection data show abnormality as detection dimensions of the object. For example, if the historical operation behavior data includes detection data of the calling area, the calling interface type, the calling rate, the calling response time and the number of calls, and during the object's abnormal behavior the detection data of the calling rate and of the number of calls changed greatly while those of the calling area, the calling interface type and the calling response time did not change significantly, then the calling rate and the number of calls are determined as the detection dimensions of the object.
Further, the server performs the following operation on each piece of historical operation behavior data in the historical operation behavior data set corresponding to each object: perform statistical analysis on the detection data of each determined detection dimension, and determine how the detection data of each detection dimension changes when the object behaves abnormally, so as to determine the data anomaly range in each detection dimension. Following the foregoing example, if the calling rate and the number of calls are determined as the detection dimensions of the object, and when the object's behavior becomes abnormal the calling rate changes from 20 times/min to 50 times/min and the number of calls from 200 to 500, then, based on these data and experience with the service, the abnormal rate range of the object in the calling rate may be determined as greater than 30 times/min, and the abnormal count range in the number of calls as greater than 300.
It should be appreciated that in one case, for example where calls of a certain calling interface type by the object cause the object to behave abnormally, the anomaly caused by a detection dimension is independent of the other detection dimensions; in this case an n_sigma model is needed to analyze and predict the detection data in the detection dimensions in order to determine the detection policy matched with each detection dimension.
For ease of understanding, the method for determining the detection policy matched with each detection dimension is shown in fig. 6. For the historical operation behavior data set corresponding to each object, the abnormal detection data among the detection data of each candidate detection dimension are first counted based on that set; the detection data in each candidate detection dimension are then analyzed statistically, that is, candidate detection dimensions whose detection data show no abnormality are determined as non-detection dimensions and candidate detection dimensions whose detection data show abnormality are determined as detection dimensions of the object. On this basis, the detection data of each detection dimension are analyzed statistically to determine the data anomaly threshold in that dimension, and the detection strategy matched with each detection dimension is determined from its data anomaly threshold: the detection strategy is described by the data anomaly range within which the detection data in the matched detection dimension is regarded as anomalous, and the data anomaly range is determined by the data anomaly threshold.
It should be appreciated that the foregoing examples and the example of fig. 6 serve only to aid understanding of the present solution; the particular detection strategy matched with each detection dimension also needs to be determined based on a large amount of experimental data and the particular business scenario.
In this embodiment, through a plurality of historical operation behavior data in a historical detection period, each detection dimension actually required by each object is determined from candidate detection dimensions, so that reliability of division of the detection dimensions is guaranteed, and then a detection strategy conforming to actual service requirements is determined based on detection data in each detection dimension in the historical operation behavior data of each object, so that reliability and practicability of the detection strategy matched by each object in each detection dimension are guaranteed.
As can be seen from the foregoing embodiments, in one case an anomaly caused by a detection dimension may be independent of the other detection dimensions, and in that case an n_sigma model needs to be used to analyze and predict the detection data in the detection dimensions to determine the detection policy matched with each detection dimension. How the detection policy is determined in this case is described in detail below.
In one embodiment, as shown in fig. 7, performing statistical analysis on the detection data in each candidate detection dimension of each piece of historical operation behavior data in the historical operation behavior data set corresponding to each object to determine the detection policy matched with the object in each detection dimension includes:
Step 702, from the detection data in each candidate detection dimension, determine the detection data of the detection dimensions that conform to the normal distribution and the detection data of the detection dimensions that do not.
Specifically, the server performs the following operation on each piece of historical operation behavior data in the historical operation behavior data set corresponding to each object: count the abnormal detection data among the detection data of each candidate detection dimension, determine the candidate detection dimensions whose detection data show no abnormality as non-detection dimensions, and determine the candidate detection dimensions whose detection data show abnormality as detection dimensions of the object.
Further, the server screens the detection data in each detection dimension determined for each object, i.e. it selects the detection data of the detection dimensions that conform to the normal distribution. For example, the server determines the candidate detection dimensions whose detection data show abnormality as the detection dimensions of the object, namely detection dimension B1, detection dimension B2 and detection dimension B3, and the screening shows that the detection data of detection dimensions B1 and B2 conform to the normal distribution while the detection data of detection dimension B3 do not.
Step 704, calculate the data anomaly range matched with the object in each detection dimension from the detection data of the detection dimensions that conform to the normal distribution and the detection data of the detection dimensions that do not.
The detection strategy matched with the object in each detection dimension is specifically: the data anomaly range within which the detection data in the matched detection dimension is regarded as anomalous data. The data anomaly range may be: less than a predetermined value, e.g. less than 100; greater than a predetermined value, e.g. greater than 1000; or a range between two values, e.g. greater than 100 and less than 1000.
Specifically, the server calculates the data anomaly threshold matched with the object in each detection dimension from the detection data of the detection dimensions that conform to the normal distribution and those that do not, and thereby calculates the data anomaly range matched with the object in each detection dimension. The data anomaly range is determined by the data anomaly threshold: it may be "smaller than the data anomaly threshold" or "larger than the data anomaly threshold", or, when the data anomaly threshold comprises two values, the range formed between those two values. The server then sets the detection strategy matched with the object in each detection dimension through that data anomaly range.
For easy understanding, the present embodiment takes a 3sigma algorithm as an example, and the 3sigma algorithm is specifically based onThe principle of execution is that,the principle is also called as the Laida criterion, specifically, the Laida criterion is to firstly assume that a group of detection data only contains random errors, then calculate the original data to obtain standard deviation, determine the range of error interval according to a certain probability,the detected data whose error exceeds the error interval range is then considered to belong to an outlier.
Based on this, if the detected data in the detected dimension is subjected to normal distribution, andin principle, if the abnormal data of the detection data in the detection dimension exceeds 3 times of standard deviation, the abnormal data of the detection data in the detection dimension can be regarded as a usable abnormal value. In practical application, plus or minus->Is 99.7%, then the distance average +.>The probability of appearance of values outside is +.>The abnormal data of the detection data in the detection dimension exceeding 3 times of standard deviation is determined as the data abnormal threshold value in the detection dimension, which belongs to extremely individual small probability events. Secondly, if the detection data in the detection dimension does not follow normal distribution, determining that the detection data in the detection dimension is far from the N times standard deviation of the average value based on the calculation result to describe the data abnormality threshold in the detection dimension. Based on this, the detection policy that is matched in that detection dimension is determined based on the data anomaly threshold.
For ease of understanding, as shown in fig. 8: first, based on the historical operation behavior data set of the object, the anomalous detection data in the detection data of each candidate detection dimension is counted and the detection data in each candidate detection dimension is analysed statistically; a candidate detection dimension whose detection data shows no anomaly is determined to be a non-detection dimension, and a candidate detection dimension whose detection data shows anomalies is determined to be a detection dimension for the object. Next, the detection data of the detection dimensions is separated into detection data that follows a normal distribution and detection data that does not. These two groups are then analysed with the method described above: for a detection dimension whose detection data follows a normal distribution, detection data more than 3 standard deviations from the mean is taken as the data anomaly threshold in that dimension, and for a detection dimension whose detection data does not follow a normal distribution, the data anomaly threshold in that dimension is described as detection data lying N standard deviations from the mean. The detection policy matched in each detection dimension is then described as: the data anomaly range within which detection data in the matched detection dimension counts as anomalous data, where the data anomaly range is determined by the data anomaly threshold.
In this embodiment, because detection data that follows a normal distribution can be analysed more accurately, while avoiding the problem of the detection data as a whole being skewed away from, for example, the mean, detection data that follows a normal distribution and detection data that does not are identified separately and processed with different algorithms, so that the detection policy matched in each detection dimension is more accurate.
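The policy construction described above, as an added example that is not part of the patent's own disclosure: a per-dimension policy built from historical detection data, using 3 standard deviations when the history looks normally distributed and N standard deviations otherwise. The patent names no normality test, so the moment-based check (skewness and excess kurtosis), the value N = 5, and the two sample histories are assumptions of this example.

```python
"""Per-dimension anomaly thresholds (3-sigma vs N-sigma) from historical detection data."""
import statistics
from typing import NamedTuple, Sequence, Tuple


class DimensionPolicy(NamedTuple):
    dimension: str
    mean: float
    stdev: float
    k: float        # multiple of the standard deviation that marks the anomaly boundary
    normal: bool    # True when the history was judged to follow a normal distribution

    def anomaly_range(self) -> Tuple[float, float]:
        """The two threshold values; detection data outside [low, high] is a data anomaly."""
        return self.mean - self.k * self.stdev, self.mean + self.k * self.stdev

    def is_abnormal(self, value: float) -> bool:
        low, high = self.anomaly_range()
        return value < low or value > high


def looks_normal(samples: Sequence[float], skew_limit: float = 1.0,
                 kurt_limit: float = 1.5) -> bool:
    """Moment-based normality check: near-zero skewness and excess kurtosis.

    The patent does not name a normality test; this simple check is an assumption
    of the example. Very short or constant histories are treated as not normal.
    """
    n = len(samples)
    mean = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    if n < 8 or sd == 0:
        return False
    z = [(x - mean) / sd for x in samples]
    skew = sum(v ** 3 for v in z) / n
    excess_kurtosis = sum(v ** 4 for v in z) / n - 3.0
    return abs(skew) < skew_limit and abs(excess_kurtosis) < kurt_limit


def build_policy(dimension: str, history: Sequence[float],
                 n_for_non_normal: float = 5.0) -> DimensionPolicy:
    """3 standard deviations for a normally distributed history; N standard deviations
    (N = 5 here, an assumed operator-chosen value) for a history that is not."""
    normal = looks_normal(history)
    k = 3.0 if normal else n_for_non_normal
    return DimensionPolicy(dimension, statistics.fmean(history),
                           statistics.pstdev(history), k, normal)


# Constructed sample history: calls per minute under one AK/SK, symmetric around 10.
CALL_RATE_HISTORY = [8, 9, 10, 10, 11, 12, 10, 9, 11, 10, 10, 9, 11, 10, 12, 8]
# Constructed sample history: average response time in ms with one heavy-tailed value.
RESPONSE_TIME_HISTORY = [20, 22, 21, 25, 23, 20, 24, 22, 21, 23, 20, 22, 21, 24, 22, 150]

if __name__ == "__main__":
    for name, hist in (("call_rate", CALL_RATE_HISTORY),
                       ("call_response_time", RESPONSE_TIME_HISTORY)):
        policy = build_policy(name, hist)
        low, high = policy.anomaly_range()
        print(f"{name}: normal={policy.normal} k={policy.k} "
              f"range=[{low:.2f}, {high:.2f}] abnormal(30)={policy.is_abnormal(30)}")
```

Running the two constructed histories shows the failure mode a practitioner should expect from a plain N·σ rule: the single 150 ms sample in the response-time history pulls the mean to 30 and the standard deviation to about 31, so the 5σ policy accepts 150 ms as normal. In practice the thresholds should be fitted on cleaned history, or on a robust spread estimate, before they are used as a detection policy.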
In practical applications, some services have special service requirements, so when the target service is such a service there may be a specific detection policy matched to a specific detection dimension. This is described in detail below:
in one embodiment, as shown in fig. 9, based on a detection policy matched with each detection dimension, performing anomaly detection on detection data in each detection dimension to obtain a dimension detection result matched with each detection dimension, including:
step 902, obtaining a target detection policy matched with a target service identifier in a target detection dimension, which is preconfigured.
The target detection dimension is a specific detection dimension under the target service. It will be appreciated that the target detection dimension is determined from historical operation behavior data and specific service experience: by counting the call interface types (for example information collection, credential access, breaking boundaries, rights maintenance, rights upgrade, etc.) and the call areas of the target service in the historical operation behavior data, the call interface type or call area that may pose a high risk to the target service is identified.
Specifically, the server obtains the preconfigured target detection policy, that is, the specific detection policy matched with the target service identifier in the target detection dimension.
For example, if the target service is an intranet service, whose purpose is to protect files or data inside the enterprise against leakage and loss, the target detection dimension may be preset as the call area, and the target detection policy may be: the call area being a non-intranet area is a data anomaly. Or, if the target service is a public data interaction service, whose main purpose is to exchange public data between multiple servers, the data reading permission it requires is only that needed to read public data, that is, a low permission level; here a call interface type that the public data interaction service should not be able to reach may be specified, for example the rights upgrade call interface type. The target detection dimension is then set as the call interface type, and the target detection policy may be: the call interface type being the rights upgrade call interface type is a data anomaly.
Step 904, based on the target detection policy, performing anomaly detection on the detection data under the target detection dimension in the operation behavior data to be detected, so as to obtain a dimension detection result matched with the target detection dimension.
Specifically, the server performs anomaly detection on the detection data under the target detection dimension in the operation behavior data to be detected based on the target detection policy determined in step 902, so as to obtain the dimension detection result matched with the target detection dimension. For ease of understanding, following the example of step 902: if the target service is an intranet service and the target detection policy is that the call area being a non-intranet area is a data anomaly, and the detection data under the call area in the operation behavior data to be detected is that the call area is an intranet area, then the dimension detection result matched with the call area is determined to be data normal. Second, if the target service is a public data interaction service and the target detection policy is that the call interface type being the rights upgrade call interface type is a data anomaly, and the detection data under the call interface type in the operation behavior data to be detected is that the call interface type is the rights upgrade call interface type, then the dimension detection result matched with the call interface type is determined to be data abnormal.
Step 906, based on the detection policy matched with each remaining detection dimension, performing anomaly detection on the detection data in each remaining detection dimension to obtain a dimension detection result matched with each remaining detection dimension.
The remaining detection dimensions together with the target detection dimension make up the plurality of detection dimensions in the operation behavior data to be detected. For example, if the detection dimensions in the operation behavior data to be detected are the call area, the call rate and the call response time, and the target detection dimension is the call area, then the remaining detection dimensions are the call rate and the call response time.
Specifically, the server performs anomaly detection on the detection data in each remaining detection dimension based on the detection policy matched with each remaining detection dimension, so as to obtain a dimension detection result matched with each remaining detection dimension, and the specific embodiment is similar to step 404, and will not be described here again.
In this embodiment, by performing anomaly detection on the target detection dimension separately, the important detection dimension affecting the target service can be located more accurately and efficiently, so that the resulting dimension detection results describe the behavior data of the object to be detected from more aspects, which improves the accuracy of the subsequent behavior detection.
In one embodiment, as shown in fig. 10, obtaining a pre-configured correspondence of each service identifier to a detection weight matched to each detection dimension, and determining a detection weight matched to each detection dimension corresponding to a target service identifier, includes:
step 1002, obtaining the preconfigured correspondence between each service identifier and the detection weight matched with each detection dimension, and determining the target detection weight matched with the target service identifier in the target detection dimension as well as the detection weight of each remaining detection dimension, where the target detection weight is greater than the detection weight of each remaining detection dimension.
That the target detection weight is greater than the detection weight of each remaining detection dimension means that the target detection dimension matched with the target detection weight is more important to the target service than each remaining detection dimension, and that the detection data of the target detection dimension is also more likely to cause an anomaly in the target service.
Specifically, the preconfigured correspondence between each service identifier and the detection weight matched with each detection dimension is obtained, and the target detection weight matched with the target service identifier in the target detection dimension and the detection weights of the remaining detection dimensions are determined. For example, if the target service identified by the target service identifier is an intranet service, and the detection dimensions under the intranet service are the call area, the call rate and the call response time: since an intranet service is generally set up to protect files or data inside the enterprise against leakage and loss, the call area of the object to be detected may be treated as more important than the other detection dimensions under the intranet service, and the detection weight of the call area may be set to 0.8, the detection weight of the call rate to 0.1 and the detection weight of the call response time to 0.1.
Second, if the target service identified by the target service identifier is a public data interaction service, and the detection dimensions under the public data interaction service are the call area, the call interface type, the call rate and the call response time: the main purpose of the data interaction service is to exchange public data between multiple servers, so the data reading permission it requires is only that needed to read public data, that is, a low permission level. The call interface type of the object to be detected may therefore be treated as more important than the other detection dimensions under the public data interaction service, and the detection weight of the call interface type may be set to 0.7, the detection weight of the call area to 0.1, the detection weight of the call rate to 0.1 and the detection weight of the call response time to 0.1. It is to be understood that the foregoing examples are provided merely for understanding and are not to be construed as limiting.
In this embodiment, setting the target detection weight greater than the detection weight of each remaining detection dimension expresses that the target detection dimension matched with the target detection weight is more important to the target service, and that its detection data is more likely to cause an anomaly in the target service, so that abnormal behavior can be detected more accurately.
In one embodiment, as shown in fig. 11, performing weighting based on the dimension detection results matched with each detection dimension and the detection weights matched with each detection dimension to obtain the behavior detection result matched with the object to be detected includes:
in step 1102, dimension detection results describing data anomalies are filtered out, and a detection dimension matched with the dimension detection results describing data anomalies is determined as an anomaly detection dimension.
The dimension detection result matched with an anomaly detection dimension is data abnormal, that is, the detection data of the anomaly detection dimension falls within the data anomaly range of that dimension. It should be understood that a detection dimension whose matched dimension detection result is data normal is a normal detection dimension, that is, the detection data of the normal detection dimension does not fall within the data anomaly range of that dimension.
Specifically, the server screens out the dimension detection results describing data anomalies from the dimension detection results under each detection dimension, and determines the detection dimensions matched with those results as the anomaly detection dimensions. For ease of understanding, take detection dimensions that include at least the call area and the call rate: if the dimension detection result of the call area is data abnormal and the dimension detection result of the call rate is data normal, the call area, whose matched dimension detection result is data abnormal, is determined to be the anomaly detection dimension.
Step 1104 calculates an anomaly score for each anomaly detection dimension based on the detection data for each anomaly detection dimension.
The anomaly score describes the probability that the detection data matched with the anomaly detection dimension causes a behavior anomaly: the higher the anomaly score, the higher the probability that the data anomaly in the detection data of the anomaly detection dimension leads to a behavior anomaly.
Based on this, the server calculates an anomaly score for each anomaly detection dimension from the detection data of that dimension. It can be understood that, because different services emphasise different aspects, the score calculation methods for the detection dimensions of an object differ between services, that is, the score calculation policy for the anomaly score of each anomaly detection dimension is determined from the target service and the historical operation behavior data.
Further, as can be seen from the foregoing examples, the detection dimension includes at least: calling region, calling rate, calling response time, etc. The abnormal score calculation strategy of the detection dimension is described below.
1. Calling regions
The calling area describes the area from which the interface calling behavior based on the AK/SK is performed. The calling area is determined according to the requirements of the target service, that is, it can be divided by province, urban area, country, internal or external network environment, and so on. Based on this, if the calling area is divided by internal and external network environment, and the external network environment is defined as the abnormal area range according to the service requirements of the target service, then, described in normalized score form, the anomaly score of the calling area may be set to 1 when the calling area is the external network environment, and to 0 when the calling area is the intranet environment.
Next, if the calling area is divided by province, and provinces 30 to 34 are determined to be the abnormal area range according to the service requirements of the target service while provinces 1 to 29 are the normal area range, then, described in normalized score form, the anomaly score of the calling area may be set to 1 when the calling area is any of provinces 30 to 34, and the anomaly score is not calculated when the calling area is any of provinces 1 to 29. In practical applications the abnormal area range may be further graded, for example: provinces 30 to 34 are the abnormal area range, of which provinces 30 and 31 are an intermediate-level abnormal area range and provinces 32, 33 and 34 are a high-level abnormal area range. To describe the different anomaly levels more precisely, a percentage score may then be used: the anomaly score of the calling area may be set to 60 when the calling area is province 30 or 31, and to 100 when the calling area is province 32, 33 or 34.
2. Calling rate
The call rate may describe the ratio of the number of interface calls made based on the AK/SK to the detection time period. Alternatively, the call rate may describe, for each call interface type under the AK/SK, the ratio of the number of interface calls of that type to the detection time period. The first form, the number of interface calls based on the AK/SK divided by the detection time period, is introduced first.
Based on this, taking an abnormal rate range of more than 20 calls/min as an example and describing in normalized score form, the anomaly score of the call rate may be set to 1 if the call rate is 30 calls/min, and to 0 if the call rate is 10 calls/min. Alternatively, describing in percentage score form, the anomaly score of the call rate may be set to 30 if the call rate is 30 calls/min and to 50 if the call rate is 50 calls/min, while if the call rate is 10 calls/min no data anomaly has occurred and the anomaly score of the call rate is not calculated.
Next, the second form is introduced, in which the call rate is the ratio, per call interface type under the AK/SK, of the number of interface calls to the detection time period. In this case the different importance degrees of the different call interface types under the AK/SK must also be considered, the importance degree reflecting the probability that the matched call interface type causes a data anomaly.
Therefore, in this embodiment, a corresponding call interface weight is set for each call interface type, and for ease of understanding, the following is shown in table 1:
TABLE 1

Calling interface name    Calling interface type    Calling interface weight
Updatenetwork             Breaking boundary         0.5
Createtoken               Credential access         0.3
Updateuser                Rights maintenance        0.2
Getuser                   Information collection    0.1
Updateadmingroup          Rights upgrade            0.4
As shown in Table 1, the call interface name "Updatenetwork" corresponds to the call interface type "breaking boundary", which has the call interface weight 0.5; "Createtoken" corresponds to "credential access", with weight 0.3; "Updateuser" corresponds to "rights maintenance", with weight 0.2; "Getuser" corresponds to "information collection", with weight 0.1; and "Updateadmingroup" corresponds to "rights upgrade", with weight 0.4. These are the different importance degrees under the AK/SK of each call interface type shown in Table 1.
It can be understood that in practical applications the call interface types under the same AK/SK may be normalized so that the call interface weights of all call interface types sum to 1 (the weights in Table 1 sum to 1.5 and would be rescaled), so that score calculation is on the same footing as in the other detection dimensions. The specific call interface weights must be determined from the actual service, and the foregoing example should not be construed as limiting the scheme.
Based on this, in the case where the call rate is the ratio, per call interface type under the AK/SK, of the number of interface calls to the detection time period, the anomaly score calculation policy first calculates the anomaly score of the call rate for each call interface type, and then obtains the anomaly score of the call rate as the weighted sum of those per-type anomaly scores with the corresponding call interface weights. Take as an example an abnormal rate range of more than 20 calls/min for call interface type G1, more than 30 calls/min for call interface type G2 and more than 35 calls/min for call interface type G3, with call interface weights of 0.5 for G1, 0.2 for G2 and 0.3 for G3, described in normalized score form. If the call rate of G1 is 30 calls/min, the anomaly score of the call rate of G1 may be set to 1; if the call rate of G2 is 20 calls/min, the anomaly score of the call rate of G2 may be set to 0 (no anomaly occurs); and if the call rate of G3 is 30 calls/min, no data anomaly occurs and the anomaly score of the call rate of G3 is not calculated. The anomaly score of the call rate is then 0.5 (1×0.5+0×0.2+0×0.3).
Or, in percentage score form: if the call rate of G1 is 40 calls/min, the anomaly score of the call rate of G1 may be set to 40; if the call rate of G2 is 40 calls/min, the anomaly score of the call rate of G2 may be set to 40; and if the call rate of G3 is 30 calls/min, no data anomaly occurs and the anomaly score of the call rate of G3 is not calculated. The anomaly score of the call rate is then 28 (40×0.5+40×0.2+0×0.3).
3. Call response time
The call response time describes the average response time of the interface calling behavior based on the AK/SK within the detection time period. Based on this, described in normalized score form, the anomaly score of the call response time may be set to 1 when the call response time falls within the abnormal response time range; when it does not, no data anomaly occurs and the anomaly score of the call response time is not calculated.
Second, in practical applications the abnormal response time range may be further graded, for example: a first abnormal response time range within it is an intermediate-level abnormal range and a second abnormal response time range is a high-level abnormal range. To describe the different anomaly levels more precisely, a percentage score may then be used: the anomaly score of the call response time may be set to 60 when the call response time falls within the first abnormal response time range, and to 100 when it falls within the second abnormal response time range.
It will be appreciated that the foregoing examples are merely for understanding how the anomaly score for each anomaly detection dimension is calculated in the present scenario, and that other detection dimensions may be considered in practice, such as: interface type, etc., and thus the foregoing examples should not be construed as being particularly limiting.
Step 1106, calculating a behavior detection score of the object to be detected based on the anomaly score of each anomaly detection dimension and the detection weight matched with each anomaly detection dimension, and determining the behavior detection result based on the behavior detection score of the object to be detected.
The behavior detection score is used for describing the probability of abnormality of the object to be detected, namely, the higher the behavior detection score is, the higher the probability of abnormality of the object to be detected is.
Specifically, the server performs a weighted summation of the anomaly score of each anomaly detection dimension with the detection weight matched with that dimension to calculate the behavior detection score of the object to be detected, and then determines the behavior detection result from that score. For example, if the detection dimensions are the call area, the call rate and the call response time, with detection weights of 0.2 for the call area, 0.5 for the call rate and 0.3 for the call response time, then in normalized score form, with an anomaly score of 1 for the call area and 0.5 for the call rate, the behavior detection score is 0.45 (1×0.2+0.5×0.5). In percentage score form, with an anomaly score of 60 for the call area, 28 for the call rate and 60 for the call response time, the behavior detection score is 44 (60×0.2+28×0.5+60×0.3). It is to be understood that the foregoing examples are provided merely for explanation and are in no way to be construed as limiting.
It may be appreciated that, in one embodiment, if the target detection dimension is of high importance to the target service, then when the dimension detection result obtained for the target detection dimension in step 904 is data abnormal, step 906 need not be executed. The dimension detection results obtained by the server then consist only of the dimension detection result matched with the target detection dimension, and the dimension detection result of each remaining detection dimension is set to null. In that case the behavior detection score is obtained directly as the product of the anomaly score of the target detection dimension and the detection weight matched with the target detection dimension. For example, if the dimension detection result matched with the call area is data abnormal, the anomaly score of the call area is calculated as described above and multiplied by the detection weight of the call area to obtain the behavior detection score: with an anomaly score of 100 for the call area and a detection weight of 0.8, the behavior detection score is 80 (100×0.8).
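The anomaly score calculation for the three detection dimensions and the weighted behavior detection score, including the short circuit on the target detection dimension, as an added example that is not part of the patent's own disclosure. The thresholds, call interface weights, area tiers and detection weights are the figures quoted in the description; the dimension names, the response-time bounds in milliseconds and the function names are assumptions of this example. The same weighted sum is what the later embodiment applies to normal scores.

```python
"""Anomaly scores per abnormal detection dimension and the weighted behavior detection score."""
from typing import Mapping, Optional, Sequence, Tuple

# Constructed configuration taken from the figures in the description: abnormal rate
# thresholds (calls/min) and call interface weights per call interface type.
RATE_THRESHOLDS = {"G1": 20.0, "G2": 30.0, "G3": 35.0}
INTERFACE_WEIGHTS = {"G1": 0.5, "G2": 0.2, "G3": 0.3}
# Percentage-score tiers for the calling area: province number -> anomaly score.
AREA_LEVELS = {30: 60.0, 31: 60.0, 32: 100.0, 33: 100.0, 34: 100.0}
# Detection weights per service (intranet example and the generic weighting example).
WEIGHTS_INTRANET = {"call_area": 0.8, "call_rate": 0.1, "call_response_time": 0.1}
WEIGHTS_GENERIC = {"call_area": 0.2, "call_rate": 0.5, "call_response_time": 0.3}


def score_call_area(province: int, abnormal_levels: Mapping[int, float] = AREA_LEVELS,
                    normalized: bool = False) -> float:
    """Normalized form: 1 for any abnormal province, 0 otherwise.
    Percentage form: the tier score (60 intermediate, 100 high); 0 when no anomaly."""
    if province not in abnormal_levels:
        return 0.0
    return 1.0 if normalized else abnormal_levels[province]


def score_call_rate(rates: Mapping[str, float],
                    thresholds: Mapping[str, float] = RATE_THRESHOLDS,
                    weights: Mapping[str, float] = INTERFACE_WEIGHTS,
                    normalized: bool = True) -> float:
    """Per call interface type: 1 (normalized) or the rate itself (percentage form) when the
    rate exceeds that type's threshold, else 0; then weighted sum with the interface weights."""
    total = 0.0
    for itype, rate in rates.items():
        if rate <= thresholds[itype]:
            continue
        per_type = 1.0 if normalized else rate
        total += per_type * weights[itype]
    return total


def score_response_time(avg_ms: float, tiers: Sequence[Tuple[float, float]]) -> float:
    """tiers are (lower bound in ms, score) pairs; the highest bound exceeded decides the score.
    The description gives no millisecond values, so the bounds passed in are assumptions."""
    score = 0.0
    for bound, tier_score in sorted(tiers):
        if avg_ms > bound:
            score = tier_score
    return score


def behavior_score(anomaly_scores: Mapping[str, float], weights: Mapping[str, float],
                   target_dim: Optional[str] = None) -> float:
    """Weighted sum of anomaly scores over the dimensions flagged abnormal (normal ones are
    absent from anomaly_scores). When target_dim is given and abnormal, only its product is
    used: the short circuit described for the target detection dimension."""
    if target_dim is not None and target_dim in anomaly_scores:
        return anomaly_scores[target_dim] * weights[target_dim]
    return sum(score * weights[dim] for dim, score in anomaly_scores.items())


if __name__ == "__main__":
    # Normalized scores: call area abnormal (1), call rate 0.5, response time normal.
    rate = score_call_rate({"G1": 30, "G2": 20, "G3": 30})                          # 0.5
    print(behavior_score({"call_area": 1.0, "call_rate": rate}, WEIGHTS_GENERIC))  # 0.45
    # Percentage scores: province 30 (60), rates 40/40/30 (28), slow responses (60).
    rate = score_call_rate({"G1": 40, "G2": 40, "G3": 30}, normalized=False)       # 28
    rt = score_response_time(700, ((500, 60), (2000, 100)))                        # 60
    print(behavior_score({"call_area": score_call_area(30), "call_rate": rate,
                          "call_response_time": rt}, WEIGHTS_GENERIC))             # 44
    # Intranet service: the call area is the abnormal target dimension with weight 0.8.
    print(behavior_score({"call_area": 100.0, "call_rate": rate}, WEIGHTS_INTRANET,
                         target_dim="call_area"))                                  # 80
```

Note that the normalized and percentage forms must not be mixed within one behavior detection score, and that the short circuit skips the remaining dimensions entirely, so an intranet call from an abnormal area scores the same whether or not the call rate is also abnormal.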
In this embodiment, calculating an anomaly score for each anomaly detection dimension allows the detection dimensions in which a data anomaly occurred to be considered specifically when judging abnormal behavior, that is, the probability of the data anomaly is described precisely by the anomaly score, and the importance of each anomaly detection dimension is then further taken into account through its detection weight, so that the resulting behavior detection score describes the anomalous data across several dimensions, which improves the reliability and accuracy of the behavior detection result.
In one embodiment, as shown in fig. 12, the behavior detection method based on the behavior data further includes:
step 1202, screening out the dimension detection results with normal description data, and determining the detection dimension matched with the dimension detection results with normal description data as the normal detection dimension.
The dimension detection result matched with the normal detection dimension is data normal, namely the detection data of the normal detection dimension belongs to the data normal range of the normal detection dimension.
Specifically, the server screens out, from the dimension detection results under each detection dimension, the detection dimensions whose matched dimension detection result is data normal, and determines them as the normal detection dimensions. For ease of understanding, take detection dimensions that include at least the call area and the call rate: if the dimension detection result of the call area is data abnormal and the dimension detection result of the call rate is data normal, the call rate, whose matched dimension detection result is data normal, is determined to be the normal detection dimension.
In step 1204, a normal score for each normal detection dimension is calculated based on the detection data for each normal detection dimension.
The normal score describes the probability that the detection data matched with the normal detection dimension causes a behavior anomaly; it is generally low, that is, detection data in a normal detection dimension is unlikely to cause a behavior anomaly.
Based on this, the server calculates a normal score for each normal detection dimension from the detection data of that dimension. It can be understood that, because different services emphasise different aspects, the score calculation methods for the detection dimensions of an object differ between services, that is, the score calculation policy for the normal score of each normal detection dimension is determined from the target service and the historical operation behavior data.
From the foregoing examples, the detection dimensions include at least the calling area, the calling rate, the calling response time and the like, and the normal score calculation strategy of each detection dimension is similar to the abnormal score calculation strategy. For example, when the detection data of a detection dimension does not belong to the data anomaly range, then, described in normalized score form, the normal score of the detection dimension can be set to a value approaching 0, such as 0.1, 0.05 or 0.01; described in percentage score form, the normal score of the detection dimension can be set to 10, 5, 1 or similar values. This is not described in further detail herein.
Based on this, calculating the behavior detection score of the object to be detected based on the abnormality score of each abnormality detection dimension and the detection weight matched with each abnormality detection dimension includes:
in step 1206, an abnormal behavior detection score is calculated based on the abnormal score of each abnormal detection dimension and the detection weight of that abnormal detection dimension, and a normal behavior detection score is calculated based on the normal score of each normal detection dimension and the detection weight of that normal detection dimension.
The abnormal behavior detection score is used for describing the probability of occurrence of abnormality caused by detection data in an abnormal detection dimension. The normal behavior detection score is used to describe the probability that the detected data in the normal detection dimension will cause an anomaly.
Specifically, the server performs weighted summation based on the anomaly score of each anomaly detection dimension and the detection weight matched with each anomaly detection dimension to obtain an anomaly behavior detection score. If the detection dimension includes a calling area, a calling rate and a calling response time, and the detection weight of the calling area match is 0.2, the detection weight of the calling rate match is 0.5, and the detection weight of the calling response time match is 0.3, if the description is given in the form of normalized score, and the abnormal score of the calling area is 1, and the abnormal score of the calling rate is 0.5, the abnormal behavior detection score can be obtained to be 0.45 (1×0.2+0.5×0.5).
Similarly, the server performs weighted summation based on the normal score of each normal detection dimension and the detection weight matched with each normal detection dimension to obtain a normal behavior detection score. If the detection dimension includes a calling area, a calling rate and a calling response time, and the detection weight of the calling area match is 0.2, the detection weight of the calling rate match is 0.5, and the detection weight of the calling response time match is 0.3, if the description is performed in a normalized score form, and the normal score of the calling response time is 0.05, then the normal behavior detection score can be obtained to be 0.015 (0.05×0.3).
Step 1208, calculating a behavior detection score according to the abnormal behavior detection score and the normal behavior detection score.
Specifically, the server sums the abnormal behavior detection score and the normal behavior detection score to obtain the behavior detection score. Based on the example of step 1206, the abnormal behavior detection score is 0.45 and the normal behavior detection score is 0.015, then the resulting behavior detection score is 0.465 (0.45+0.015).
In this embodiment, in the process of determining the abnormal behavior, on the basis of considering the abnormal detection dimension in which the data is abnormal, the normal detection dimension in which the data is normal is further considered, and at this time, the overall behavior information of the object to be detected can be more comprehensively considered, so that the final obtained behavior detection score can describe the abnormal data more in multiple dimensions, and other behavior data can also be considered, so as to further improve the reliability and accuracy of the obtained behavior detection result.
In one embodiment, as shown in fig. 13, determining a behavior detection result based on a behavior detection score of an object to be detected includes:
step 1302, if the behavior detection score is greater than or equal to the abnormal behavior score threshold, determining that the behavior detection result is that the object to be detected is abnormal.
The abnormal behavior score threshold needs to be determined based on the score form and the actual service demand. For example, if described in normalized score form, the abnormal behavior score threshold can be set to 0.4, 0.5, etc.; if described in percentage score form, the abnormal behavior score threshold can be set to 40, 50, 60, etc.
Specifically, the server determines that the behavior detection score is greater than or equal to the abnormal behavior score threshold, and determines that the behavior detection result is that the object to be detected is abnormal in behavior at this time, that is, indicates that abnormal behavior occurs based on the object to be detected in a detection time period. For example, describing in a normalized score form, the abnormal behavior score threshold is 0.4, and the behavior detection score is 0.465, where it may be described that the object to be detected is abnormal in behavior, that is, the behavior detection result is abnormal in behavior of the object to be detected. If the description is performed in the form of percentage score, the abnormal behavior score threshold is 60 and the behavior detection score is 65, it may be indicated that the object to be detected is abnormal in behavior, that is, the behavior detection result is abnormal in behavior of the object to be detected.
In practical applications, the behavioral abnormality of the object to be detected may include: the object to be detected has been leaked, so that an external malicious attacker carries out malicious attacks on the system based on the object to be detected. Therefore, when the server determines that the object to be detected is abnormal in behavior, the server carries out corresponding notification and loss-stopping measures.
In the actual service demand scenario, under the condition that the object to be detected is determined to be abnormal in behavior, the server can further determine the abnormality grade of the abnormal behavior, such as high-level abnormal behavior, medium-level abnormal behavior, ordinary abnormal behavior and the like, so that different notification and loss-stopping measures and the like are carried out in practical application based on abnormal behaviors of different grades; this is not specifically limited here.
Optionally, in one embodiment, in step 1304, if the behavior detection score is less than the abnormal behavior score threshold, it is determined that the behavior detection result is that the object to be detected is normal.
Similar to the foregoing embodiment, specifically, the server determines that the behavior detection score is smaller than the abnormal behavior score threshold, and determines that the behavior detection result is that the object to be detected is normal in behavior, that is, indicates that no abnormal behavior occurred based on the object to be detected in the detection time period. For example, described in normalized score form, if the abnormal behavior score threshold is 0.4 and the behavior detection score is 0.35, it may be indicated that the object to be detected is normal in behavior, i.e., the behavior detection result is that the object to be detected is normal in behavior. In practical application, when the object to be detected is normal in behavior, it is judged at this time that the object to be detected has not been leaked, that the system has not been maliciously attacked, and the like.
In this embodiment, the behavior detection result is determined specifically through the abnormal behavior score threshold value, so as to determine whether the object to be detected belongs to the behavior abnormality or the behavior normal condition, so that the behavior detection result is determined more accurately, and the practicability and accuracy of the behavior detection result are improved.
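As an added worked example (not code from the patent or from the applicant), the following Python reproduces the arithmetic of steps 1206 and 1208 and the threshold decision of steps 1302 and 1304 with the figures used in the description: weights 0.2, 0.5 and 0.3 for calling area, calling rate and calling response time, anomaly scores 1 and 0.5 for the two abnormal dimensions, a normal score of 0.05 for the normal one, and a normalized threshold of 0.4. The class, function and variable names are my own, not the patent's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DimensionResult:
    """Outcome of anomaly detection in one detection dimension (steps 1406, 1408, 1409).

    score is the anomaly score when is_abnormal is True and the normal score otherwise,
    both in normalized form (0..1).
    """
    dimension: str
    is_abnormal: bool
    score: float


def behavior_scores(results, weights):
    """Weighted sums of steps 1206 and 1208.

    Abnormal dimensions contribute anomaly_score * weight to the abnormal behavior
    detection score, normal dimensions contribute normal_score * weight to the normal
    behavior detection score, and the behavior detection score is the sum of the two.
    Returns (abnormal_behavior_score, normal_behavior_score, behavior_detection_score).
    """
    abnormal = 0.0
    normal = 0.0
    for r in results:
        # The service must have a weight configured for every detection dimension
        # (step 1407); a missing one is a configuration error, so let KeyError surface.
        w = weights[r.dimension]
        if r.is_abnormal:
            abnormal += r.score * w
        else:
            normal += r.score * w
    return abnormal, normal, abnormal + normal


def behavior_result(score, threshold):
    """Steps 1302 and 1304: a score >= threshold means the object is abnormal in behavior."""
    return "abnormal" if score >= threshold else "normal"


# Constructed inputs mirroring the description's numbers: the weight table one service
# (target service identifier) has pre-configured, and the per-dimension results of one AK/SK.
WEIGHTS_FOR_SERVICE = {
    "calling_area": 0.2,
    "calling_rate": 0.5,
    "calling_response_time": 0.3,
}
EXAMPLE_RESULTS = [
    DimensionResult("calling_area", True, 1.0),
    DimensionResult("calling_rate", True, 0.5),
    DimensionResult("calling_response_time", False, 0.05),
]
ABNORMAL_THRESHOLD = 0.4  # normalized-score form


def example():
    """Return (0.45, 0.015, 0.465, 'abnormal') up to floating-point rounding."""
    abn, nor, total = behavior_scores(EXAMPLE_RESULTS, WEIGHTS_FOR_SERVICE)
    return abn, nor, total, behavior_result(total, ABNORMAL_THRESHOLD)


if __name__ == "__main__":
    print(example())
```

Because the normal score of a normal dimension is, by the description, a value approaching 0, a normal dimension can only nudge the total upwards slightly; the decision is dominated by the weighted anomaly scores, which is why the threshold is compared against the sum rather than against the abnormal part alone.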
Based on the foregoing detailed description of the embodiments, a complete flow of the behavior detection processing method according to the embodiments of the present application will be described below, and as shown in fig. 14, the method is described by taking the server 304 in fig. 3 as an example, and it will be understood that the method may also be applied to the terminal 302. Or may also be applied to a system comprising a terminal 302 and a server 304 and implemented through interaction of the terminal 302 and the server 304. In this embodiment, the method includes the steps of:
step 1401, a plurality of historical operational behavior data over a history detection period is acquired.
The historical operation behavior data is operation behavior data corresponding to an object in a historical detection period. The historical detection period can be formed by a plurality of detection time periods, can also be a previous adjacent time period of the current detection time period, can be a historical detection period which is specifically determined based on service requirements, and has a duration greater than or equal to that of the detection time period.
Specifically, the server acquires a plurality of historical operational behavior data over a historical detection period. The server may acquire the log generated by the server during the running in real time during the history detection period, and acquire a plurality of pieces of history operation behavior data from the log, or the server may acquire the log generated during the history detection period and acquire a plurality of pieces of history operation behavior data from the log at the end time of the history detection period, or the server may further store the log generated during a plurality of detection time periods, and then acquire a plurality of pieces of history operation behavior data during the history detection period from the log generated during the plurality of detection time periods based on specific requirements, which is not limited in the manner of acquiring the plurality of pieces of history operation behavior data.
Step 1402, performing aggregate analysis on the plurality of historical operation behavior data, and determining a corresponding historical operation behavior data set of each object.
Wherein the aggregation analysis is for: aggregating the plurality of historical operation behavior data based on their similarity. The similarity of the historical operation behavior data is: the similarity between the operation behavior data of the different candidate detection dimensions under the historical operation behavior data, where the candidate detection dimensions of the operation behavior data in the historical operation behavior data may include, but are not limited to, the calling area, the calling interface type, the calling rate, the calling response time, the calling network environment and the like; the specific candidate dimensions need to be determined based on the specific operation behavior data of the historical operation behavior data.
Specifically, since the server obtains the plurality of pieces of historical operation behavior data by acquiring call information from the log generated when the server operates in the historical detection period, the server needs to further determine to which object each piece of historical operation behavior data specifically corresponds. Based on this, the server needs to perform an aggregation analysis on the plurality of historical operation behavior data to determine the historical operation behavior data set corresponding to each object. The server performs the aggregation analysis on the plurality of historical operation behavior data based on the similarity between the operation behavior data of the different candidate detection dimensions under each piece of historical operation behavior data, obtaining the historical operation behavior data set corresponding to each object. At this time, the similarity between the historical operation behavior data within the set corresponding to the same object is greater than their similarity to the historical operation behavior data in the sets corresponding to other objects.
Step 1403, from the detection data in each candidate detection dimension, the detection data in the detection dimension conforming to the normal distribution and the detection data in the detection dimension not conforming to the normal distribution are determined.
Specifically, the server performs the following operation on each piece of historical operation behavior data in the historical operation behavior data set corresponding to each object: it counts the abnormal detection data among the detection data of each candidate detection dimension in the historical operation behavior data, determines the candidate detection dimensions whose matched detection data contain no abnormality as non-detection dimensions, and determines the candidate detection dimensions whose matched detection data contain abnormalities as the detection dimensions under the object. Further, the server performs further screening on the detection data under each detection dimension determined for each object, that is, it selects the detection data under the detection dimensions conforming to a normal distribution, the remainder being the detection data under the detection dimensions not conforming to a normal distribution.
Step 1404, determining a detection policy for the object to match in each detection dimension based on the detection data in the detection dimension that matches the normal distribution and the detection data in the detection dimension that does not match the normal distribution.
Specifically, the server determines a data anomaly threshold value matched by the object in each detection dimension based on the detection data in the detection dimension conforming to the normal distribution, and further determines a detection policy matched by the object in each detection dimension based on the data anomaly threshold value matched by the object in each detection dimension.
For ease of understanding, the present embodiment takes the 3sigma algorithm as an example. The 3sigma algorithm is executed on the principle of the interval from the mean minus three standard deviations to the mean plus three standard deviations; this principle is also called the Pauta criterion. It assumes that a group of detection data only contains random errors, calculates the standard deviation of the original data, determines an error interval range according to a certain probability, and then regards detection data whose error exceeds the error interval range as abnormal values.
Based on this, if the detection data in a detection dimension follows a normal distribution, then under this principle, detection data in the detection dimension that deviates from the mean by more than 3 times the standard deviation can be regarded as an abnormal value. In practical application, the probability that a value falls within plus or minus 3 standard deviations of the mean is 99.7%, so the probability that a value appears outside that distance from the mean is only the remaining 0.3%, an extremely rare small-probability event; therefore, deviating from the mean by more than 3 times the standard deviation is determined as the data abnormality threshold in the detection dimension. Secondly, if the detection data in the detection dimension does not follow a normal distribution, the data abnormality threshold in the detection dimension is described as the detection data being N times the standard deviation away from the mean, where N is determined based on the calculation result. Based on this, the detection policy matched in that detection dimension is determined based on the data abnormality threshold.
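The 3sigma threshold of steps 1403 and 1404, as an added example in Python that is not the patent's or the applicant's code. It estimates the mean and sample standard deviation of one object's historical detection data in one dimension, builds the data anomaly range as mean plus or minus N standard deviations (N = 3 for the Pauta criterion), and returns a predicate that implements "the detection data belongs to the data anomaly range". The sample calling-rate data, the function names and the assumption that N for non-normal dimensions is simply passed in by the caller are mine.

```python
from statistics import mean, stdev


def data_anomaly_range(samples, n_sigma=3.0):
    """Data abnormality threshold of step 1404 for one detection dimension of one object.

    samples: the object's historical detection data in that dimension (e.g. calls per
    detection period). Returns (lower, upper); values outside the interval
    mean +/- n_sigma * std are abnormal. n_sigma=3 is the 3sigma (Pauta) criterion
    for normally distributed data; for a dimension that does not follow a normal
    distribution the description leaves N to the calculation result, so the caller
    supplies it (assumption: N is tuned per service from historical data).
    """
    if len(samples) < 2:
        raise ValueError("at least two historical samples are needed to estimate a deviation")
    mu = mean(samples)
    sigma = stdev(samples)  # sample standard deviation of the historical data
    return mu - n_sigma * sigma, mu + n_sigma * sigma


def detection_policy(samples, n_sigma=3.0):
    """Detection policy matched in one dimension: a predicate 'value is anomalous'."""
    lower, upper = data_anomaly_range(samples, n_sigma)

    def is_anomalous(value):
        # Strictly outside the interval counts as abnormal; the bounds themselves are normal.
        return value < lower or value > upper

    return is_anomalous


# Constructed historical calling-rate data (calls per detection period) for one AK/SK;
# mean 10.5, sample standard deviation about 1.08, so the 3sigma range is about (7.26, 13.74).
HISTORICAL_CALL_RATE = [10, 12, 11, 9, 10, 11, 10, 12, 9, 11]


def classify_rates(values, samples=HISTORICAL_CALL_RATE, n_sigma=3.0):
    """Dimension detection result (step 1406) for each new value: 'abnormal' or 'normal'."""
    policy = detection_policy(samples, n_sigma)
    return ["abnormal" if policy(v) else "normal" for v in values]


if __name__ == "__main__":
    print(data_anomaly_range(HISTORICAL_CALL_RATE))
    print(classify_rates([11, 20, 7]))
```

Two practical points the arithmetic exposes: if the historical data are constant, the standard deviation is 0 and any different value is flagged, so a service should require a minimum history length before trusting the range; and widening N (the non-normal case) directly trades missed anomalies for fewer false positives, which is why the description leaves it to the calculation result rather than fixing it at 3.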
In step 1405, operation behavior data to be detected of the object to be detected is obtained.
The object to be detected is the object whose behavior is detected, and in this embodiment it is specifically an AK/SK (access key and secret key) to be detected. Based on this, the operation behavior data to be detected is the operation behavior data corresponding to the object to be detected in the detection time period.
It can be appreciated that, since the object to be detected is an AK/SK, the operation behavior data at least includes the call information corresponding to interface calling behavior performed based on the AK/SK, and the call information at least includes the call time, calling area, calling interface type, number of interface calls, etc. The interface calling behavior that can be performed based on the object to be detected is preset. Based on this, the operation behavior data to be detected includes detection data of a plurality of detection dimensions and a target service identifier, where the target service identifier is used for uniquely identifying the target service to which the object to be detected belongs.
Next, the aforementioned detection dimensions include at least the calling area, the calling rate, the calling response time, etc. The calling area describes the area from which the interface calling behavior is performed based on the AK/SK. The calling rate may describe the ratio of the number of interface calls performed based on the AK/SK in the detection time period to the detection time period; and because one AK/SK may call interfaces of multiple calling interface types, the calling rate of the AK/SK may also describe, for each calling interface type under the AK/SK, the ratio of the number of interface calls of that type to the detection time period. The calling response time describes the average response time of the interface calling behavior performed based on the AK/SK in the detection time period. The foregoing embodiments have described these in detail, and they are not repeated here.
Specifically, the server acquires operation behavior data to be detected of an object to be detected. The server may determine the object to be detected first, and acquire the operation behavior log corresponding to the object to be detected in real time in a detection time period, so as to acquire the operation behavior log (i.e. the operation behavior data to be detected) of the object to be detected in the detection time period at the end time point of the detection time period. Or, the server may first obtain all operation behavior logs in a detection time period at the end time point of the detection time period, where the operation behavior logs specifically include operation behavior logs corresponding to all objects, and then determine the object to be detected from the operation behavior logs, and obtain operation behavior logs corresponding to the object to be detected, where the operation behavior logs are operation behavior data to be detected.
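How the detection data of step 1405 can be derived from an operation behavior log, as an added Python example (not the patent's or the applicant's code). The log format is an assumption of mine: one call per line with the call time, the AK identifier, the calling area, the calling interface type and the response time. The code keeps only the calls inside one detection time period, groups them per AK/SK, and computes the calling area, the calling rate (overall and per interface type, as the description allows) and the average calling response time; the sample lines and identifiers are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed operation behavior log (assumed format, not the applicant's): the call
# information the description names, i.e. call time, calling area and calling interface
# type, plus the response time needed for the calling response time dimension.
CALL_LOG = """\
2024-01-01T10:00:05Z ak=AKID-EXAMPLE-1 area=ap-guangzhou iface=DescribeInstances resp_ms=120
2024-01-01T10:00:15Z ak=AKID-EXAMPLE-1 area=ap-guangzhou iface=DescribeInstances resp_ms=80
2024-01-01T10:00:20Z ak=AKID-EXAMPLE-2 area=eu-frankfurt iface=CreateUser resp_ms=300
2024-01-01T10:00:40Z ak=AKID-EXAMPLE-1 area=ap-guangzhou iface=RunInstances resp_ms=400
2024-01-01T10:01:10Z ak=AKID-EXAMPLE-1 area=ap-guangzhou iface=DescribeInstances resp_ms=90
"""


def parse_line(line):
    """Parse one log line into a dict; the timestamp is UTC in ISO-8601 form."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    rec["resp_ms"] = float(rec["resp_ms"])
    return rec


def detection_data(log_text, period_start, period_seconds):
    """Per AK/SK, the detection data of the calling-area, calling-rate and
    calling-response-time dimensions for the detection time period
    [period_start, period_start + period_seconds)."""
    end = period_start + timedelta(seconds=period_seconds)

    def empty():
        return {"areas": set(), "calls": 0,
                "calls_by_iface": defaultdict(int), "resp_total": 0.0}

    per_ak = defaultdict(empty)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not (period_start <= rec["time"] < end):
            continue  # call lies outside the detection time period
        d = per_ak[rec["ak"]]
        d["areas"].add(rec["area"])
        d["calls"] += 1
        d["calls_by_iface"][rec["iface"]] += 1
        d["resp_total"] += rec["resp_ms"]

    out = {}
    for ak, d in per_ak.items():
        out[ak] = {
            # more than one area in a period is itself a signal for the calling-area dimension
            "calling_area": sorted(d["areas"]),
            # calls per second of the detection time period
            "call_rate": d["calls"] / period_seconds,
            "call_rate_by_interface": {k: v / period_seconds
                                       for k, v in d["calls_by_iface"].items()},
            # average response time in ms over the period's calls
            "call_response_time": d["resp_total"] / d["calls"],
        }
    return out


def example():
    """Detection data for the 60-second period starting 2024-01-01T10:00:00Z."""
    return detection_data(CALL_LOG, datetime(2024, 1, 1, 10, 0, 0), 60)


if __name__ == "__main__":
    for ak, data in example().items():
        print(ak, data)
```

The last log line falls after the period end and is therefore excluded, which is the point of fixing the detection time period before aggregating: the calling rate is only comparable with the historical rates of step 1403 if every period has the same length.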
It should be understood that in this embodiment, abnormal behaviors of each object in the system may be detected in a detection time period, so each object in the system may be an object to be detected, which is not limited herein. And the foregoing examples are provided for the understanding of the present aspects and are not to be construed as limiting the present aspects.
Step 1406, based on the detection policy matched with each detection dimension, performing anomaly detection on the detection data in each detection dimension to obtain a dimension detection result matched with each detection dimension.
The detection strategies matched with the detection dimensions are specifically as follows: the detection data under the matched detection dimension belongs to the data anomaly range of the anomaly data. The dimension detection result is used for describing the detection result of the object to be detected under the matched detection dimension.
Specifically, the server determines a detection strategy matched with each detection dimension, and performs abnormal detection on detection data under each detection dimension based on the detection strategy matched with each detection dimension to obtain a dimension detection result matched with each detection dimension.
Step 1407, obtaining the pre-configured corresponding relation of the detection weights matched with the detection dimensions of the service identifiers, and determining the detection weights matched with the detection dimensions corresponding to the target service identifiers.
The detection weight is used for describing the importance degree of the matched detection dimension in the target service. The detection weight of the target service identifier matched with each detection dimension is preset, and the detection weights configured by different services for different detection dimensions can be different. Specifically, a corresponding relation of detection weights matched with detection dimensions and pre-configured by each service identifier is obtained, and the detection weights matched with the detection dimensions corresponding to the target service identifiers are determined.
In step 1408, dimension detection results describing the data anomalies are filtered out, the detection dimension matched with the dimension detection results describing the data anomalies is determined as the anomaly detection dimension, and the anomaly score of each anomaly detection dimension is calculated based on the detection data of each anomaly detection dimension.
The dimension detection result matched with an abnormality detection dimension is data abnormal, namely the detection data of the abnormality detection dimension belongs to the data abnormality range of that abnormality detection dimension. It should be understood that a detection dimension whose matched dimension detection result is data normal is a normal detection dimension, that is, the detection data of the normal detection dimension does not belong to the data anomaly range of that normal detection dimension. Secondly, the anomaly score is used for describing the probability that the detection data of the matched anomaly detection dimension causes the behavior abnormality, namely, the higher the anomaly score is, the higher the probability that the behavior abnormality is caused by the data abnormality of the detection data of the anomaly detection dimension.
Specifically, the server screens out dimension detection results describing data anomalies based on dimension detection results under each detection dimension, and determines the detection dimension matched with the dimension detection results describing data anomalies as the anomaly detection dimension. Based on this, the server calculates an anomaly score for each anomaly detection dimension based on the detection data for each anomaly detection dimension. It can be understood that, because emphasis points of different services are different, the score calculation methods of the detection dimensions of the objects are different under different services, that is, the score calculation policy of the anomaly score of each anomaly detection dimension is determined based on the target service and the historical operation behavior data.
Step 1409, screening out the dimension detection results describing the normal data, determining the detection dimension matched with the dimension detection results describing the normal data as the normal detection dimension, and calculating the normal score of each normal detection dimension based on the detection data of each normal detection dimension.
The dimension detection result matched with the normal detection dimension is data normal, namely the detection data of the normal detection dimension belongs to the data normal range of the normal detection dimension. And secondly, the normal score is used for describing the probability that the matched detection data with the normal detection dimension cause the behavior to be normal, and the normal score is generally lower, namely the probability that the detection data with the normal detection dimension cause the behavior to be normal is lower.
Specifically, the server screens out the detection dimension of which the matched dimension detection result is normal based on the dimension detection result under each detection dimension, and determines the detection dimension as the normal detection dimension. Based on this, the server calculates a normal score for each normal detection dimension based on the detection data for each normal detection dimension. It can be understood that, because emphasis points of different services are different, the score calculation methods of the detection dimensions of the objects under different services are also different, that is, the score calculation policy of the normal score of each normal detection dimension is determined based on the target service and the historical operation behavior data.
Step 1410, calculating an abnormal behavior detection score based on the detection weights of the abnormal score of each abnormal detection dimension and the abnormal detection dimension, and calculating a normal behavior detection score based on the detection weights of the normal score of each normal detection dimension and the normal detection dimension.
The abnormal behavior detection score is used for describing the probability of occurrence of abnormality caused by detection data in an abnormal detection dimension. The normal behavior detection score is used to describe the probability that the detected data in the normal detection dimension will cause an anomaly.
Specifically, the server performs weighted summation based on the anomaly score of each anomaly detection dimension and the detection weight matched with each anomaly detection dimension to obtain an anomaly behavior detection score. Similarly, the server performs weighted summation based on the normal score of each normal detection dimension and the detection weight matched with each normal detection dimension to obtain a normal behavior detection score.
Step 1411, calculating a behavior detection score according to the abnormal behavior detection score and the normal behavior detection score.
Specifically, the server sums the abnormal behavior detection score and the normal behavior detection score to obtain the behavior detection score.
Step 1412, if the behavior detection score is greater than or equal to the abnormal behavior score threshold, determining that the behavior detection result is that the object to be detected is abnormal.
The abnormal behavior score threshold needs to be determined based on the score form and the actual service demand. For example, if described in normalized score form, the abnormal behavior score threshold can be set to 0.4, 0.5, etc.; if described in percentage score form, the abnormal behavior score threshold can be set to 40, 50, 60, etc.
Specifically, the server determines that the behavior detection score is greater than or equal to the abnormal behavior score threshold, and determines that the behavior detection result is that the object to be detected is abnormal in behavior at this time, that is, indicates that abnormal behavior occurs based on the object to be detected in a detection time period.
Step 1413, if the behavior detection score is smaller than the abnormal behavior score threshold, determining that the behavior detection result is that the object to be detected is normal.
Specifically, the server determines that the behavior detection score is smaller than the abnormal behavior score threshold, and determines that the behavior detection result is that the object to be detected is normal in behavior at this time, that is, it is indicated that no abnormal behavior occurs in the detection time period based on the object to be detected.
It should be understood that the specific implementation of steps 1401 to 1413 is similar to the previous embodiments, and will not be repeated here.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the execution order of the steps is not strictly limited, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a behavior detection device based on behavior data for realizing the behavior detection method based on behavior data. The implementation of the solution provided by the device is similar to the implementation described in the above method, so for the specific limitations in the embodiments of the behavior detection device based on behavior data provided below, reference may be made to the limitations of the behavior detection method based on behavior data above, which are not repeated here.
In one embodiment, as shown in fig. 15, there is provided a behavior detection apparatus based on behavior data, including: a data acquisition module 1502, a dimension detection module 1504, a detection weight determination module 1506, and a behavior detection module 1508, wherein:
the data acquisition module 1502 is configured to acquire to-be-detected operation behavior data of an object to be detected, where the to-be-detected operation behavior data includes detection data of a plurality of detection dimensions and a target service identifier, where the target service identifier is used to uniquely identify a target service to which the object to be detected belongs;
the dimension detection module 1504 is configured to perform anomaly detection on the detection data in each detection dimension based on the detection policy matched with each detection dimension, so as to obtain a dimension detection result matched with each detection dimension;
the detection weight determining module 1506 is configured to obtain a correspondence of detection weights, which are preconfigured by each service identifier and matched with each detection dimension, and determine the detection weights, which are matched with each detection dimension corresponding to the target service identifier, where the detection weights are used to describe the importance degree of the matched detection dimension in the target service;
the behavior detection module 1508 is configured to perform weighting processing based on dimension detection results matched by each detection dimension and detection weights matched by each detection dimension, so as to obtain behavior detection results matched by the object to be detected.
In one embodiment, as shown in fig. 16, the behavior detection apparatus based on behavior data further includes an analysis module 1602;
the data acquisition module 1502 is further configured to acquire a plurality of historical operation behavior data in a historical detection period, where one historical operation behavior data corresponds to one object;
the analysis module 1602 is configured to perform aggregate analysis on the plurality of historical operational behavior data, and determine a set of historical operational behavior data corresponding to each object; and carrying out statistical analysis on the detection data of each candidate detection dimension of each historical operation behavior data in the historical operation behavior data set corresponding to each object, and determining the detection strategy matched by the object under each detection dimension.
In one embodiment, the analysis module 1602 is further configured to determine, from the detection data in each candidate detection dimension, the detection data in that detection dimension that conforms to the normal distribution and the detection data that does not; and to calculate, from the conforming and non-conforming detection data, the data anomaly range matched with the object in each detection dimension. The detection strategy matched with the object in each detection dimension is then: detection data in the matched detection dimension is anomalous data if it falls within that data anomaly range.
In one embodiment, the dimension detection module 1504 is further configured to obtain a target detection policy that is preconfigured by the target service identifier and is matched in the target detection dimension; based on a target detection strategy, carrying out abnormal detection on detection data under a target detection dimension in the operation behavior data to be detected to obtain a dimension detection result matched with the target detection dimension; and based on the detection strategy matched with each residual detection dimension, carrying out abnormal detection on the detection data under each residual detection dimension to obtain a dimension detection result matched with each residual detection dimension.
In one embodiment, the detection weight determining module 1506 is further configured to obtain a pre-configured correspondence of each service identifier to a detection weight matched to each detection dimension, and determine a target detection weight matched by the target service identifier in the target detection dimension, and a detection weight of each remaining detection dimension, where the target detection weight is greater than the detection weight of each remaining detection dimension.
In one embodiment, the behavior detection module 1508 is further configured to screen out a dimension detection result describing the data anomaly, and determine a detection dimension matched with the dimension detection result describing the data anomaly as an anomaly detection dimension; calculating an anomaly score for each anomaly detection dimension based on the detection data for each anomaly detection dimension; and calculating a behavior detection score of the object to be detected based on the abnormal score of each abnormal detection dimension and the detection weight matched with each abnormal detection dimension, and determining a behavior detection result based on the behavior detection score of the object to be detected.
In one embodiment, the dimension detection module 1504 is further configured to screen out the dimension detection results describing normal data, and to determine the detection dimensions matched with those results as normal detection dimensions; to calculate a normal score for each normal detection dimension based on the detection data of that dimension; to calculate an abnormal behavior detection score based on the abnormal score of each abnormal detection dimension and the detection weight of each abnormal detection dimension, and a normal behavior detection score based on the normal score of each normal detection dimension and the detection weight of each normal detection dimension; and to calculate the behavior detection score from the abnormal behavior detection score and the normal behavior detection score.
In one embodiment, the behavior detection module 1508 is further configured to determine that the behavior detection result is that the object to be detected is behaving abnormally if the behavior detection score is greater than or equal to the abnormal behavior score threshold; if the behavior detection score is smaller than the abnormal behavior score threshold, determining that the behavior detection result is that the object to be detected is normal in behavior.
In one embodiment, the plurality of detection dimensions includes at least: calling area, calling rate and calling response time; the detection strategies matched with the detection dimensions include at least: a detection strategy matched with the calling area, a detection strategy matched with the calling rate and a detection strategy matched with the calling response time. The detection strategy matched with the calling area is: the detection data under the calling area belongs to an abnormal area range; the detection strategy matched with the calling rate is: the detection data under the calling rate belongs to an abnormal rate range; the detection strategy matched with the calling response time is: the detection data under the calling response time belongs to an abnormal response time range.
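The scoring pipeline described by the module embodiments above (and restated in claims 1 to 9) as an added example in Python; it is not code from the patent or its assignee. The service identifiers, detection weights, sample history, threshold and score formulas are constructed assumptions, since the patent specifies none of them.

```python
"""Added example, not the patent's code: per-dimension anomaly detection with
service-specific weights, after the module description and claims 1 to 9.
Service ids, dimension values, threshold and score formulas are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Strategy:
    """Detection strategy = the range in which detection data is abnormal:
    calling area -> "not in normal_areas"; numeric dims -> "outside [low, high]"."""
    normal_areas: frozenset = frozenset()
    low: float = 0.0
    high: float = 0.0


# Pre-configured weights per service id and detection dimension (claims 1, 5);
# each service's target dimension carries the largest weight. Constructed values.
SERVICE_WEIGHTS = {
    "svc-payment": {"call_area": 0.5, "call_rate": 0.25, "call_response_time": 0.25},
    "svc-search": {"call_area": 0.25, "call_rate": 0.5, "call_response_time": 0.25},
}
# Pre-configured target detection strategy per service (claim 4). Constructed.
SERVICE_TARGET_STRATEGY = {
    "svc-payment": {"call_area": Strategy(normal_areas=frozenset({"CN-HN", "CN-GD"}))},
}
ABNORMAL_SCORE_THRESHOLD = 0.5  # assumption: the patent states no value

# Constructed history for one object: eight normal calls from two areas.
HISTORY = [
    {"call_area": a, "call_rate": r, "call_response_time": t}
    for a, r, t in zip(["CN-HN", "CN-GD"] * 4, [100, 102, 98, 101, 99, 100, 103, 97],
                       [50, 52, 48, 51, 49, 50, 53, 47])
]


def fit_strategies(history, k=3.0):
    """Claims 2 and 3: derive one object's abnormal ranges from its history.
    Assumption: numeric dims are treated as normally distributed with normal
    interval mean +/- k*std; areas are categorical, so unseen areas are abnormal."""
    areas = frozenset(h["call_area"] for h in history)
    strategies = {"call_area": Strategy(normal_areas=areas)}
    for dim in ("call_rate", "call_response_time"):
        xs = [h[dim] for h in history]
        mu, sd = mean(xs), pstdev(xs)
        strategies[dim] = Strategy(low=mu - k * sd, high=mu + k * sd)
    return strategies


def detect_dimension(dim, value, strategy):
    """Return (is_abnormal, score). Assumption: an abnormal numeric value scores
    by its distance outside the normal interval (capped at 1.0), a normal value
    by its closeness to the interval centre; an area scores 1.0 either way."""
    if dim == "call_area":
        return value not in strategy.normal_areas, 1.0
    width = max(strategy.high - strategy.low, 1e-9)
    if value < strategy.low:
        return True, min((strategy.low - value) / width, 1.0)
    if value > strategy.high:
        return True, min((value - strategy.high) / width, 1.0)
    mid = (strategy.low + strategy.high) / 2
    return False, 1.0 - abs(value - mid) / (width / 2)


def detect_behavior(record, strategies, threshold=ABNORMAL_SCORE_THRESHOLD):
    """Claims 1, 6, 7, 8: weight each dimension result with the service's weight,
    combine abnormal and normal behaviour scores, then threshold the result.
    Assumption: behaviour score = abnormal share of the total weighted score."""
    service_id = record["service_id"]
    weights = SERVICE_WEIGHTS[service_id]
    # The service's pre-configured target strategy overrides the fitted one (claim 4).
    strategies = {**strategies, **SERVICE_TARGET_STRATEGY.get(service_id, {})}
    abnormal_score = normal_score = 0.0
    abnormal_dims = []
    for dim, strategy in strategies.items():
        is_abnormal, score = detect_dimension(dim, record[dim], strategy)
        if is_abnormal:
            abnormal_score += weights[dim] * score
            abnormal_dims.append(dim)
        else:
            normal_score += weights[dim] * score
    total = abnormal_score + normal_score
    behavior_score = abnormal_score / total if total else 0.0
    return {"score": round(behavior_score, 4),
            "abnormal": behavior_score >= threshold,  # claim 8
            "abnormal_dims": abnormal_dims}
```

The same out-of-range calling rate is judged normal for `svc-payment` but abnormal for `svc-search`, which is the effect of the per-service weights the patent describes.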
The modules in the behavior detection device based on behavior data may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 17. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used to store operational behavior data. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements a behavior detection method based on behavior data.
It will be appreciated by those skilled in the art that the structure shown in FIG. 17 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, performs the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM may take various forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical feature information of the above embodiments may be arbitrarily combined, and for brevity of description, all possible combinations of the technical feature information in the above embodiments are not described, however, as long as there is no contradiction between the combinations of the technical feature information, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (13)

1. A behavior detection method based on behavior data, the method comprising:
acquiring operation behavior data to be detected of an object to be detected, wherein the operation behavior data to be detected comprises detection data of a plurality of detection dimensions and a target service identifier, and the target service identifier is used for uniquely identifying a target service to which the object to be detected belongs;
based on the detection strategy matched with each detection dimension, carrying out abnormal detection on the detection data in each detection dimension to obtain a dimension detection result matched with each detection dimension;
acquiring a pre-configured corresponding relation of each service identifier and each detection dimension matched detection weight, and determining each detection dimension matched detection weight corresponding to the target service identifier, wherein the detection weights are used for describing the importance degree of the matched detection dimension in the target service;
and carrying out weighting processing based on dimension detection results matched with the detection dimensions and detection weights matched with the detection dimensions to obtain behavior detection results matched with the object to be detected.
2. The method according to claim 1, wherein the method further comprises:
acquiring a plurality of historical operation behavior data in a historical detection period, wherein one historical operation behavior data corresponds to one object;
performing aggregation analysis on the plurality of historical operation behavior data to determine a historical operation behavior data set corresponding to each object;
and carrying out statistical analysis on the detection data under each candidate detection dimension on each historical operation behavior data in the historical operation behavior data set corresponding to each object, and determining the detection strategy matched by the object under each detection dimension.
3. The method according to claim 2, wherein said statistically analyzing the detection data in each candidate detection dimension for each historical operational behavior data in the set of historical operational behavior data corresponding to each of the objects to determine a detection policy for which the object matches in each of the detection dimensions comprises:
determining detection data in the detection dimension conforming to normal distribution and detection data in the detection dimension not conforming to the normal distribution from the detection data in each candidate detection dimension;
calculating to obtain a data abnormal range matched with the object under each detection dimension according to the detection data under the detection dimension conforming to the normal distribution and the detection data under the detection dimension not conforming to the normal distribution;
the detection strategy matched by the object in each detection dimension being: the detection data in the matched detection dimension is anomalous data if it belongs to the data anomaly range.
4. The method according to claim 1, wherein the performing anomaly detection on the detection data in each detection dimension based on the detection policy matched with each detection dimension to obtain a dimension detection result matched with each detection dimension includes:
acquiring a target detection strategy matched with the target service identifier in a target detection dimension, wherein the target detection strategy is preconfigured;
based on the target detection strategy, carrying out abnormal detection on detection data in the target detection dimension in the operation behavior data to be detected to obtain a dimension detection result matched with the target detection dimension;
and performing anomaly detection on the detection data in each residual detection dimension based on the detection strategy matched with each residual detection dimension to obtain dimension detection results matched with each residual detection dimension.
5. The method of claim 4, wherein the acquiring the pre-configured correspondence of each service identifier to the detection weight matched with each detection dimension, and determining the detection weights matched with each detection dimension corresponding to the target service identifier, comprises:
acquiring the pre-configured correspondence of each service identifier to the detection weight matched with each detection dimension, and determining the target detection weight matched with the target service identifier in the target detection dimension and the detection weight of each residual detection dimension, wherein the target detection weight is larger than the detection weight of each residual detection dimension.
6. The method according to any one of claims 1 to 5, wherein the determining the behavior detection result matched by the object to be detected based on the dimension detection result matched by each of the detection dimensions and the detection weight matched by each of the detection dimensions includes:
screening out dimension detection results describing data anomalies, and determining a detection dimension matched with the dimension detection results describing data anomalies as an anomaly detection dimension;
calculating an anomaly score for each anomaly detection dimension based on the detection data for each anomaly detection dimension;
and calculating the behavior detection score of the object to be detected based on the abnormal score of each abnormal detection dimension and the detection weight matched with each abnormal detection dimension, and determining the behavior detection result based on the behavior detection score of the object to be detected.
7. The method of claim 6, wherein the method further comprises:
screening out a dimension detection result with normal description data, and determining a detection dimension matched with the dimension detection result with normal description data as a normal detection dimension;
calculating a normal score of each normal detection dimension based on the detection data of each normal detection dimension;
the calculating the behavior detection score of the object to be detected based on the abnormal score of each abnormal detection dimension and the detection weight matched with each abnormal detection dimension comprises:
calculating an abnormal behavior detection score based on the abnormal score of each abnormal detection dimension and the detection weight of each abnormal detection dimension, and calculating a normal behavior detection score based on the normal score of each normal detection dimension and the detection weight of each normal detection dimension;
and calculating the behavior detection score according to the abnormal behavior detection score and the normal behavior detection score.
8. The method of claim 6, wherein the determining the behavior detection result based on the behavior detection score of the object to be detected comprises:
if the behavior detection score is greater than or equal to an abnormal behavior score threshold, determining that the behavior detection result is that the object to be detected is abnormal in behavior;
and if the behavior detection score is smaller than the abnormal behavior score threshold, determining that the behavior detection result is that the object to be detected is normal in behavior.
9. The method of any one of claims 1 to 5, wherein the plurality of detection dimensions comprises at least: calling area, calling rate and calling response time;
the detection strategies matched with the detection dimensions comprise at least: the detection strategy matched with the calling area, the detection strategy matched with the calling rate and the detection strategy matched with the calling response time;
the detection strategy matched with the calling area being: the detection data under the calling area belongs to an abnormal area range; the detection strategy matched with the calling rate being: the detection data under the calling rate belongs to an abnormal rate range; the detection strategy matched with the calling response time being: the detection data under the calling response time belongs to an abnormal response time range.
10. A behavior detection apparatus based on behavior data, the apparatus comprising:
the system comprises a data acquisition module, a detection module and a detection module, wherein the data acquisition module is used for acquiring to-be-detected operation behavior data of an object to be detected, the to-be-detected operation behavior data comprises detection data of a plurality of detection dimensions and a target service identifier, and the target service identifier is used for uniquely identifying a target service to which the object to be detected belongs;
the dimension detection module is used for carrying out abnormal detection on the detection data in each detection dimension based on the detection strategy matched with each detection dimension to obtain a dimension detection result matched with each detection dimension;
the detection weight determining module is used for acquiring a corresponding relation, preconfigured for each service identifier, of detection weights matched with the detection dimensions, and determining the detection weights matched with the detection dimensions corresponding to the target service identifier, wherein the detection weights are used for describing the importance degree of the matched detection dimensions in the target service;
and the behavior detection module is used for carrying out weighting processing based on dimension detection results matched with all the detection dimensions and detection weights matched with all the detection dimensions to obtain behavior detection results matched with the object to be detected.
11. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 9 when the computer program is executed.
12. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 9.
13. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any one of claims 1 to 9.
CN202211404725.8A 2022-11-10 2022-11-10 Behavior detection method and device based on behavior data and computer equipment Pending CN116980322A (en)
Publications (1)

Publication Number Publication Date
CN116980322A true CN116980322A (en) 2023-10-31

Family

ID=88471920
Legal Events

Date Code Title Description
PB01 Publication