CN117057929B - Abnormal user behavior detection method, device, equipment and storage medium - Google Patents
Abnormal user behavior detection method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN117057929B CN117057929B CN202311311710.1A CN202311311710A CN117057929B CN 117057929 B CN117057929 B CN 117057929B CN 202311311710 A CN202311311710 A CN 202311311710A CN 117057929 B CN117057929 B CN 117057929B
- Authority
- CN
- China
- Prior art keywords
- abnormal
- data
- behavior
- model
- embedded
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 192
- 238000001514 detection method Methods 0.000 title claims description 53
- 230000006399 behavior Effects 0.000 claims abstract description 208
- 239000011159 matrix material Substances 0.000 claims abstract description 69
- 238000000034 method Methods 0.000 claims abstract description 40
- 238000012549 training Methods 0.000 claims description 42
- 238000011835 investigation Methods 0.000 claims description 9
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 claims description 7
- 230000005856 abnormality Effects 0.000 claims description 5
- 238000013145 classification model Methods 0.000 claims description 3
- 230000001953 sensory effect Effects 0.000 claims 2
- 238000004590 computer program Methods 0.000 claims 1
- 230000009471 action Effects 0.000 description 26
- 238000010586 diagram Methods 0.000 description 8
- 238000000605 extraction Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 8
- 238000004891 communication Methods 0.000 description 6
- 230000006870 function Effects 0.000 description 6
- 230000004913 activation Effects 0.000 description 4
- 238000012545 processing Methods 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 3
- 238000013527 convolutional neural network Methods 0.000 description 3
- 230000010354 integration Effects 0.000 description 3
- 230000003993 interaction Effects 0.000 description 3
- 238000013528 artificial neural network Methods 0.000 description 2
- 230000015556 catabolic process Effects 0.000 description 2
- 238000006731 degradation reaction Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 239000000284 extract Substances 0.000 description 2
- 238000003909 pattern recognition Methods 0.000 description 2
- 230000011218 segmentation Effects 0.000 description 2
- 206010000117 Abnormal behaviour Diseases 0.000 description 1
- 230000001133 acceleration Effects 0.000 description 1
- QVGXLLKOCUKJST-UHFFFAOYSA-N atomic oxygen Chemical compound [O] QVGXLLKOCUKJST-UHFFFAOYSA-N 0.000 description 1
- 239000008280 blood Substances 0.000 description 1
- 210000004369 blood Anatomy 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000002349 favourable effect Effects 0.000 description 1
- 230000005484 gravity Effects 0.000 description 1
- 238000002372 labelling Methods 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 229910052760 oxygen Inorganic materials 0.000 description 1
- 239000001301 oxygen Substances 0.000 description 1
- 238000012216 screening Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/06—Asset management; Financial planning or analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3438—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment monitoring of user actions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/042—Knowledge-based neural networks; Logical representations of neural networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/0464—Convolutional networks [CNN, ConvNet]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/09—Supervised learning
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N5/00—Computing arrangements using knowledge-based models
- G06N5/04—Inference or reasoning models
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Evolutionary Computation (AREA)
- Data Mining & Analysis (AREA)
- Computational Linguistics (AREA)
- Artificial Intelligence (AREA)
- Mathematical Physics (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Business, Economics & Management (AREA)
- Molecular Biology (AREA)
- General Health & Medical Sciences (AREA)
- Biophysics (AREA)
- Biomedical Technology (AREA)
- Life Sciences & Earth Sciences (AREA)
- Finance (AREA)
- Development Economics (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Accounting & Taxation (AREA)
- Computer Hardware Design (AREA)
- Entrepreneurship & Innovation (AREA)
- Economics (AREA)
- Quality & Reliability (AREA)
- Marketing (AREA)
- Operations Research (AREA)
- Strategic Management (AREA)
- Technology Law (AREA)
- General Business, Economics & Management (AREA)
- Game Theory and Decision Science (AREA)
- Human Resources & Organizations (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to the field of network security, and discloses a method, a device, equipment and a storage medium for detecting abnormal user behaviors, wherein the method comprises the following steps: acquiring front-end sensing data of a current user; inquiring the rear-end buried point data at the current session time based on the current session time; inputting front-end sensing data and rear-end buried data into a preset bipartite graph inference model to obtain an adjacency matrix; judging whether the behavior of the current user has abnormal conditions or not according to the adjacency matrix. According to the invention, after the front-end sensing data is acquired, the rear-end buried point data at the current session time is queried, the front-end sensing data and the rear-end buried point data are input into a two-part graph inference model structure, so that the abnormal reasoning is completed together, the abnormal situation of the current user behavior is judged specifically according to the adjacency matrix output by the model, and compared with the existing abnormal recognition method, the abnormal user behavior can be recognized at the end side without waiting for the transaction behavior to occur, and the prompt promotion of risk intervention is facilitated.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting abnormal user behavior.
Background
Currently, with the development of internet finance, fraud risk is gradually raised in the process of conducting financial transactions based on the internet. In order to maintain the stability of the financial system and protect the legal rights of both parties to the transaction, in the field of financial anti-fraud, a plurality of different anomaly detection means are adopted to identify fraudulent users.
The abnormal detection based on the user action mode is an important anti-fraud means, however, the identification of the actions is usually performed by using a traditional method such as network embedded point data analysis or simple classification, so that the method needs to be bound with business of enterprises to form regular setting, has low generalization, can identify actions with preference to coarse granularity, can identify the actions when financial transaction actions occur, and cannot perform risk intervention in time.
The foregoing is provided merely for the purpose of facilitating understanding of the technical scheme of the present invention and is not intended to represent an admission that the foregoing is related art.
Disclosure of Invention
The invention mainly aims to provide a method, a device, equipment and a storage medium for detecting abnormal user behaviors, and aims to solve the technical problems that in a financial anti-fraud scene, abnormal recognition rules are set only by combining business of enterprises and user network behaviors in a traditional mode, so that generalization is low, and abnormal user behaviors are not recognized timely and effectively.
In order to achieve the above object, the present invention provides an abnormal user behavior detection method, the method comprising the steps of:
acquiring front-end sensing data of a current user;
inquiring rear-end buried point data at the current session time based on the current session time;
inputting the front-end sensing data and the rear-end buried data into a preset bipartite graph inference model to obtain an adjacency matrix;
judging whether the behavior of the current user has abnormal conditions or not according to the adjacency matrix.
Optionally, the acquiring front end sensing data of the current user includes:
acquiring sensor acquisition data of the current user;
extracting characteristics of the sensor acquisition data of the current user through a front-end coding model to obtain the sensor behavior embedded characteristics of the current user;
the step of inquiring the back-end buried data before the current session time based on the current session time comprises the following steps:
acquiring the webpage behavior of the current session moment;
extracting characteristics of the webpage behaviors at the current session time through a back-end coding model to obtain abnormal embedded point embedding characteristics at the current session time;
correspondingly, the querying the back-end buried point data at the current session time based on the current session time comprises:
And inquiring the embedded characteristics of the abnormal buried points at the current session time based on the current session time.
Optionally, before the step of acquiring the front end sensing data of the current user, the method includes:
initializing a front-end coding model to be trained, wherein the front-end coding model comprises a two-dimensional convolution layer and a graph annotation network layer;
acquiring acquisition data of each sensor, and establishing a time chart based on acquisition time points corresponding to the acquisition data of the sensors;
and training the front end coding model through a time chart corresponding to each acquisition time point to obtain a trained front end coding model.
Optionally, before the step of acquiring the front end sensing data of the current user, the method includes:
initializing a back-end coding model based on the Bert model;
acquiring a buried point running water log of a webpage, and constructing a training data set by combining an abnormal mark sample;
and training the back-end coding model through the training data set to obtain a trained back-end coding model.
Optionally, before the step of acquiring the front end sensing data of the current user, the method includes:
initializing a bipartite graph reasoning model;
respectively acquiring training output data of the front end coding model and the rear end coding model, wherein the training output data of the front end coding model is a sensing behavior embedded feature, and the training output data of the rear end coding model is an abnormal buried point embedded feature;
Constructing an undirected graph according to the sensing behavior embedded features and the abnormal embedded point embedded features;
and determining a connection side relation in the undirected graph based on the session time, and updating the bipartite graph inference model according to the connection side relation to obtain a preset bipartite graph inference model.
Optionally, the inputting the front end sensing data and the back end buried data into a preset bipartite graph inference model to obtain an adjacency matrix includes:
determining node characteristics to be predicted according to the sensing behavior embedded characteristics of the current user and the abnormal embedded point embedded characteristics of the current session time, and inputting the node characteristics to be predicted into a preset bipartite graph inference model;
and performing node matching on the node characteristics to be predicted through the preset bipartite graph inference model to obtain an adjacency matrix.
Optionally, the determining, according to the adjacency matrix, whether the behavior of the current user has an abnormal situation includes:
judging whether a connection edge relationship exists between the sensing behavior embedded feature and the abnormal embedded point embedded feature according to the adjacent matrix;
if yes, judging that the behavior of the current user has abnormal conditions, and generating investigation early warning information.
In addition, to achieve the above object, the present invention also proposes an abnormal user behavior detection apparatus, the apparatus comprising:
the data acquisition module is used for acquiring front-end sensing data of a current user;
the data query module is used for querying the rear-end buried point data at the current session time based on the current session time;
the model reasoning module is used for inputting the front-end sensing data and the rear-end buried data into a preset bipartite graph reasoning model to obtain an adjacency matrix;
and the abnormality judging module is used for judging whether the behavior of the current user has abnormal conditions or not according to the adjacency matrix.
In addition, in order to achieve the above object, the present invention also proposes an abnormal user behavior detection apparatus including a memory, a processor, and an abnormal user behavior detection program stored on the memory and executable on the processor, the abnormal user behavior detection program being configured to implement the abnormal user behavior detection method as described above.
In addition, in order to achieve the above object, the present invention also proposes a storage medium having stored thereon an abnormal user behavior detection program which, when executed by a processor, implements the abnormal user behavior detection method as described above.
The invention discloses a method for acquiring front-end sensing data of a current user; inquiring rear-end buried point data at the current session time based on the current session time; inputting the front-end sensing data and the rear-end buried data into a preset bipartite graph inference model to obtain an adjacency matrix; judging whether the behavior of the current user has abnormal conditions or not according to the adjacency matrix. According to the invention, after the front-end sensing data is acquired, the rear-end buried point data at the current session time is queried, the front-end sensing data and the rear-end buried point data are input into the two graph inference model structures, so that the abnormal reasoning is completed together, the abnormal situation of the current user behavior is judged specifically according to the adjacency matrix output by the model, and compared with the existing abnormal recognition method, the abnormal user behavior can be recognized on the end side in time without waiting for the transaction behavior to occur, the risk intervention is facilitated to be advanced in time, and the risk cost is saved.
Drawings
FIG. 1 is a schematic diagram of an abnormal user behavior detection device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of the abnormal user behavior detection method of the present invention;
FIG. 3 is a flowchart illustrating a method for detecting abnormal user behavior according to a second embodiment of the present invention;
FIG. 4 is a diagram showing a network structure during a training phase in a second embodiment of the abnormal user behavior detection method according to the present invention;
FIG. 5 is a flowchart illustrating a third embodiment of an abnormal user behavior detection method according to the present invention;
FIG. 6 is a flow chart for implementing abnormal user behavior detection using a preset bipartite graph inference model;
fig. 7 is a block diagram showing the construction of a first embodiment of the abnormal user behavior detection apparatus according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an abnormal user behavior detection device in a hardware running environment according to an embodiment of the present invention.
As shown in fig. 1, the abnormal user behavior detection apparatus may include: a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004, a memory 1005. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display, an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may further include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a Wireless interface (e.g., a Wireless-Fidelity (WI-FI) interface). The Memory 1005 may be a high-speed random access Memory (Random Access Memory, RAM) or a stable nonvolatile Memory (NVM), such as a disk Memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
It will be appreciated by those skilled in the art that the structure shown in fig. 1 does not constitute a limitation of the abnormal user behavior detection apparatus, and may include more or fewer components than shown, or may combine certain components, or may be a different arrangement of components.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and an abnormal user behavior detection program may be included in the memory 1005 as one type of storage medium.
In the abnormal user behavior detection apparatus shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the abnormal user behavior detection apparatus of the present invention may be provided in the abnormal user behavior detection apparatus, which invokes the abnormal user behavior detection program stored in the memory 1005 through the processor 1001 and executes the abnormal user behavior detection method provided by the embodiment of the present invention.
An embodiment of the present invention provides a method for detecting abnormal user behavior, and referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of the method for detecting abnormal user behavior of the present invention.
In this embodiment, the abnormal user behavior detection method includes the following steps:
step S10: and acquiring front-end sensing data of the current user.
It should be noted that, the method of the embodiment may be applied in a financial anti-fraud scenario, or may be applied in other scenarios where abnormal user behavior detection is required. The execution body of the method of the embodiment may be a computing service device with functions of data transmission, data storage, model calling, network communication and program running, such as a mobile phone, a tablet computer, a personal computer, an abnormal user behavior detection device, etc. Other electronic devices that perform the same or similar functions are also possible. The present embodiment and the following embodiments will be described below taking the above-described abnormal user behavior detection apparatus (hereinafter referred to simply as detection apparatus) as an example.
It will be appreciated that the current user may be a user in a current financial transaction scenario, the current user may be a user who needs to conduct a financial transaction using a mobile terminal such as a cell phone.
It should be noted that, the front end sensing data may be data collected by a sensor built in a mobile terminal held by a current user, and the mobile terminal held by the user may be the detection device, so as to obtain the front end sensing data capable of being input to a preset bipartite graph inference model, step S10 includes:
Step S101: and acquiring sensor acquisition data of the current user.
It should be understood that the sensor collected data may include data collected by sensors built into the mobile terminal, and the types of sensors built into the mobile terminal may include, for example: acceleration sensor, gravity sensor, light sensor, proximity sensor, magnetic field sensor, gyroscope, GPS position sensor, hall sensor, barometric pressure sensor, heart rate sensor, blood oxygen sensor, ultraviolet sensor, temperature sensor, fingerprint sensor, magnetometer, motion processor, etc.
The built-in sensors of various types can acquire various types of acquisition parameters, the acquisition parameters can be integrated based on the acquisition frequencies of the sensors of different types, the acquisition parameters of the sensors of various types, namely sensor integration data, are acquired in one acquisition time interval, and the acquisition time can be the minimum value of the acquisition frequencies in the sensors of various types.
It should be understood that when acquiring the acquisition parameters of various types, the data format conversion processing can be performed on the acquisition parameters to obtain the acquisition parameters of the same data format, which is favorable for integrating the acquisition parameters of various types, and the acquired sensor integrated data can be used for screening out the repetition parameters and the blank parameters, so that the data redundancy can be reduced.
It will be appreciated that the sensor data may comprise sensor integrated data for a plurality of acquisition times in a session in which the user is currently located, wherein the sensor integrated data may be differentiated based on the acquisition times.
Step S102: and extracting characteristics of the sensor acquisition data of the current user through a front-end coding model to obtain the sensor behavior embedded characteristics of the current user.
When the detection device is a mobile terminal held by a user, the front end coding model can be deployed at the front end of the mobile terminal, and can directly perform feature extraction after acquiring sensor acquisition data without transmitting the sensor acquisition data to the background. Because the streaming water does not need to be transmitted back to the rear end, the data leakage of the user can be avoided, and the privacy of the user is guaranteed.
It will be appreciated that the front-end coding model may be a model for feature extraction of sensor acquisition data to obtain a model reflecting the behavior pattern features of the current user in the session in which the user is located. Taking into account the acquisition time of multiple sensors that may be contained within the same session, the sensor acquisition data input into the front-end coding model may be represented as * s, wherein->And s is the session where the current user is located for the ith acquisition time.
It should be noted that the front-end coding model may be constructed based on a convolutional neural network (Convolutional Neural Network, CNN), and may be constructed based on a time graph convolution network, considering that the input sensor acquisition data has a time characteristic.
It will be appreciated that the sensory-behavior-embedding feature (empdding) may be a feature that represents the current user's behavior pattern of actions within the session. In the conventional abnormal action recognition under the financial anti-fraud scene, the action behavior pattern recognition and the abnormal judgment of the action pattern are generally segmentation tasks, so that the risk of leakage of the action behavior pattern obtained by recognition exists in the process of executing the segmentation tasks, and the recognized probability can be reduced by a user in the scene through action avoidance. In this embodiment, since the behavior definition representing the behavior pattern of the user action is extracted and is not readable, it is possible to avoid the situation that the recognition accuracy of the abnormal user action is reduced due to the avoidance of the user through the action when the feature reflecting the behavior pattern of the user is revealed.
In a specific implementation, the detection device performs feature extraction on the collected data of the sensor of the current user through a front-end encoder arranged at the front end to obtain sensing behavior empdding capable of reflecting the action behavior pattern of the current user in the session where the current user is located, so that the privacy of the user is protected, and meanwhile, abnormal user behavior recognition accuracy degradation caused by leakage of the action behavior pattern can be prevented.
Step S20: and inquiring the rear-end buried point data at the current session time based on the current session time.
It should be noted that, the current session time may be the session time corresponding to the obtained front end sensing data, and before step S20, the method includes:
step S021: and acquiring the webpage behavior of the current session time.
It should be noted that, the web page behavior at the current session time may be all the embedded point running logs at the current session time. The embedded point pipeline log within the session time may be organized in What (What), why (Why), how (How), when (white), and Who (What), i.e., 4W 1H), and translated in english and variable abbreviations.
Step S022: and extracting characteristics of the webpage behaviors at the current session time through a back-end coding model to obtain abnormal embedded point embedded characteristics at the current session time.
It can be understood that the back-end coding model may be a classification model subjected to supervised training learning, and the back-end coding model may perform feature coding on an input embedded point flow log to obtain ebedding reflecting all web page behaviors at a current session time, and classify the ebedding of all web page behaviors to obtain an abnormal embedded point ebedding at the current session time, where the abnormal embedded point ebedding may represent an abnormal transaction behavior in the current session time.
It should be understood that the abnormal buried point embedding at the current session time may be stored in a vector database built in the detection device, where each abnormal buried point embedding may be stored for a node based on a user. The storage frequency of the abnormal embedded point embedding can be preset, and the storage frequency is used for updating the abnormal embedded point embedding representing the abnormal transaction behavior in the current session time.
Accordingly, step S20 includes:
step S20': and inquiring the embedded characteristics of the abnormal buried points at the current session time based on the current session time.
In a specific implementation, when the sensing behavior of the current user is acquired, based on the current session time, the abnormal embedded point of the current user in the session representing the abnormal transaction behavior is queried in the vector database, so that the different embedding points are matched conveniently, and whether the current user behavior is abnormal or not is detected.
Step S30: and inputting the front-end sensing data and the rear-end buried data into a preset bipartite graph inference model to obtain an adjacency matrix.
It should be understood that the bipartite graph inference model may be a model that learns semantic and relevance information between nodes by using a bipartite graph structure, thereby implementing the task of reasoning and predicting node relationships. The front end sensing data and the rear end buried point data can be used as two types of nodes for inputting a bipartite graph inference model, namely sensing behavior embedding and abnormal buried point embedding can be respectively used as node characteristics for constructing a bipartite graph.
It should be noted that the preset bipartite graph inference model may be an end-to-end matching model established based on a bipartite graph neural network architecture, and the preset bipartite graph model may be a model that is learned in advance through node association. The preset bipartite graph reasoning model can perform correlation reasoning on the sensor acquisition data of the front end and abnormal transaction behaviors in the buried point flow journal of the rear end, and the correlation degree of the front end sensing data and the rear end buried point data is obtained.
It should be appreciated that the adjacency matrix may describe the association of nodes in the bipartite graph, by which the degree of correlation of the front-end sensing data and the back-end buried point data may be quantified based on a numerical value.
In the specific implementation, sensing behavior enabling and abnormal buried point enabling are used as node features, the node features are input into a preset bipartite graph inference model, association inference prediction of the bipartite graph is completed, and whether the action behavior mode of the current user has correlation with abnormal transaction behaviors in a session where the action behavior mode of the current user exists can be predicted.
Step S40: judging whether the behavior of the current user has abnormal conditions or not according to the adjacency matrix.
It should be noted that, since each element in the adjacency matrix may represent a connection condition between nodes, the value of the element in the adjacency matrix may be 0 or 1. Where 1 indicates that there is a connection between two nodes, 0 indicates that there is no connection between two nodes, and the sparseness of the adjacency matrix may indicate how many elements are connected as 1 in the adjacency matrix.
In a specific implementation, when the sensing behavior of the current user and the abnormal behavior of the current session are input as nodes, the correlation degree of the action behavior mode of the current user and the abnormal transaction behavior in the session of the current user can be judged according to the sparseness degree of the adjacency matrix. When the preset bipartite graph reasoning model outputs the adjacency matrix, the adjacency matrix can be regarded as the abnormal condition of the current user behavior. And the lower the sparseness of the output adjacency matrix, i.e., the greater the number of elements in which the connection is 1, the greater the likelihood that there is an abnormality in the behavior of the current user.
The embodiment obtains front end sensing data of the current user; inquiring rear-end buried point data at the current session time based on the current session time; the front-end sensing data is sensing behavior embellishing, the rear-end embedded point data is abnormal embedded point embellishing, and due to the unreadability of the embellishing, the user privacy is protected, and meanwhile abnormal user behavior recognition accuracy degradation caused by leakage of an action behavior mode can be prevented. And the front-end sensing data and the rear-end buried data are input into a preset bipartite graph inference model to jointly complete exception reasoning, and the exception condition of the current user behavior is specifically judged according to an adjacency matrix output by the model.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of the abnormal user behavior detection method according to the present invention, and based on the foregoing embodiment, the second embodiment of the abnormal user behavior detection method according to the present invention is provided.
Considering that the sensor acquisition data may include sensor integration data of a plurality of acquisition times of a user in one session, in order to extract the sensing behavior of the current user from the sensor acquisition data, before step S10, the method includes:
step S0101: initializing a front-end coding model to be trained, wherein the front-end coding model comprises a two-dimensional convolution layer and a graph annotation network layer.
It will be appreciated that since there are about 13 categories of sensor data that can be collected at the mobile terminal side, it represents biometric information of the user. The traditional data mining mode for collecting data from the sensor is mainly remained in the traditional machine learning method due to the limitation of privacy protection of users, data transmission cost and end-side resource limitation type, and the action behavior mode of the identifiable users is biased to coarse granularity and a large number of labeling samples are needed.
It should be understood that, in this embodiment, a two-dimensional convolutional layer (Conv 2 d) and a schematic network layer (Graph Attention Network Layer, GAT layer) may be used as a framework for constructing a front-end coding model, where the front-end coding model may be formed by one Conv2d layer and three GAT layers.
Step S0102: acquiring acquisition data of each sensor, and establishing a time chart based on acquisition time points corresponding to the acquisition data of the sensors.
It will be appreciated that the sensor acquisition data may be sensor integration data of multiple acquisition times in the session in which the current user is located, and that a time chart may be created for session s in order to distinguish based on acquisition timesWherein the vertices can be divided into +>I is the sequence number of the acquisition time in the same session, which can contain N acquisition times, i.e. the time diagram has N nodes,/I>Namely the edge connection relation of the i node and the j node in the N nodes.
It should be appreciated that the time graph may be a directed graph through which interactions in the time dimension of different acquired features of the same user within one session may be obtained.
It should be noted that, when the sensor integrated data of each acquisition time in the session is acquired, the feature extraction can be performed on the sensor integrated data by Conv2d and adopting a convolution with a convolution kernel 1*1, so as to construct nodes obtained by dividing each vertex in the time chart.
Step S0103: and training the front end coding model through a time chart corresponding to each acquisition time point to obtain a trained front end coding model.
It should be appreciated that the training process of the front-end coding model may be: after the time graph is built, a graph attention mechanism (GAT) may be used to calculate a weight adjacency matrix for the time graphThe weight adjacency matrix can represent the interaction relation of the sensor acquisition data of different acquisition times in the same session in the time dimension. The initialized front-end coding model can be trained by the adjacent matrix of the calculated time chart.
Specifically, a time-graph convolution operation can be defined, and by combining the convolution operation in the space and the convolution operation in the time dimension, the formula of the time-graph convolution calculation is as follows:
,
wherein,for the node eigenvector obtained after convolution, +.>For adjacency matrix->Adding an enhanced adjacency matrix derived from the node self-connecting matrix I,>is->Degree matrix of->(. Cndot.) is an activation function, (. Cndot.)>Is a matrix of parameters that can be learned.
It can be understood that after acquiring the acquired data of each sensor, the node feature vector after the convolution of the time chart can be obtained through the front end coding model, that is, the sensing behavior empedding of the user object acquired by the sensor is acquired, where the sensing behavior empedding represents the action behavior pattern feature of the user object in the session including multiple acquisition times.
Further, in order to perform feature encoding and anomaly classification on the embedded point running log, to obtain an anomaly embedded point embedding representing an anomaly transaction behavior in the current session time, before step S10, the method further includes:
step S0111: and initializing a back-end coding model based on the Bert model.
It should be noted that the Bert model may be a pre-training language model based on a Transformer architecture, and the Bert model may convert input text training into a hidden state representation, that is, may convert readable text sentences into unreadable embedded features.
It should be understood that the Bert model may be a model that has been trained in advance using chinese corpus, or may be a model that has been trained in advance using a word database in the current financial scenario. The trained Bert model is capable of embedded feature extraction of the laid-out chinese text data.
Step S0112: and acquiring a buried point running water log of the webpage, and combining the abnormal mark sample to construct a training data set.
It is appreciated that web page behavior at the same session time may be considered to be web page behavior of multiple users, and thus may be based on one user as a node. Firstly, using 4W1H to lay out all buried point running water logs under a conversation for the same user according to a reverse order mode of the occurrence time of the conversation, and translating English and variable abbreviations in the buried point running water logs. And then, coding the embedded point flow log by adopting a Bert model trained by Chinese language materials.
It should be appreciated that the anomaly tagging samples may be robot or human pre-tagged pipeline samples that may be combined with the encoded buried point pipeline logs described above as a training set for supervised learning to anomaly classify the backend encoding models.
Step S0113: and training the back-end coding model through the training data set to obtain a trained back-end coding model.
It should be understood that, through the training data set, supervised anomaly classification learning can be performed on the back-end coding model, the trained back-end coding model can obtain the ebedding of the webpage behavior, and can obtain the anomaly embedded point ebedding of the current session time, and the anomaly embedded point ebedding can represent the anomaly transaction behavior in the current session time.
Further, in order to connect the front-end encoder and the back-end encoder, the learning training of the end-to-end bipartite graph inference model is realized, and before step S10, the method further includes:
step S0121: initializing a bipartite graph inference model.
It will be appreciated that the bipartite graph inference model can be constructed based on bipartite graph convolution (Bipartite Graph Convolution), which is a layer of graph convolution neural network (Graph Convolutional Networks, GCN) for processing bipartite graph data, designed based on features of bipartite graphs based on conventional graph convolution algorithms.
It should be understood that the front-end coding model and the back-end coding model may be regarded as input layers where the two-part graph inference model is deployed at different ends, the front-end coding model may be deployed at an end side of the detection device, and the back-end coding model may be deployed at a background of the detection device. When the front end coding model extracts sensing behavior embellishment, the sensing behavior embellishment can be transmitted back to the background, an abnormal buried point embellishment is obtained through inquiry, and abnormal reasoning is completed together based on a bipartite graph structure.
Step S0122: and respectively acquiring training output data of the front-end coding model and the rear-end coding model, wherein the training output data of the front-end coding model is a sensing behavior embedded feature, and the training output data of the rear-end coding model is an abnormal buried point embedded feature.
It will be appreciated that the front-end coding model, the back-end coding model, and the preset bipartite graph inference model may be trained synchronously,
step S0123: and constructing an undirected graph according to the sensing behavior embedded features and the abnormal embedded point embedded features.
Step S0124: and determining a connection side relation in the undirected graph based on the session time, and updating the bipartite graph inference model according to the connection side relation to obtain a preset bipartite graph inference model.
Here, reference may be made to fig. 4, where fig. 4 is a network structure design diagram of a training stage, and in fig. 4, sensor behavior embellishment output by a front end coding model and abnormal buried point embellishment output by a back end coding model are respectively used as left and right nodes forming a two-part diagram. The node set of the sensor behavior is U, and one session is used as a node in the node set U; the node set of the abnormal buried point is W, and one user is used as a node in the node set W.
In fig. 4, the bipartite graph inference model may include two bipartite graph convolution (Bipartite Graph Convolution) layers, where each bipartite graph convolution layer is connected to an activation function (Relu) layer, and through the bipartite graph inference model, an adjacency matrix reflecting a matching result of left and right nodes may be output; the input of the front end coding model is the sensor acquisition data of i acquisition moments, and the front end coding model comprises a two-dimensional convolution layer (Conv 2 d) and a three-layer graph attention network layer (GAT layer) and an activation function (Relu) layer; the input to the back-end coding model is a marshaled pipeline text, which includes an initial Bert model layer, an activation function (Relu) layer, and a softmax layer for anomaly classification.
In a specific implementation, an undirected graph G (V, E) is defined, where V is a vertex, V can be divided into a set of U nodes and a set of W nodes, and E is a matching edge connecting U and W. The task definition for this undirected graph is: a match M is determined to belong to E so that |M| can be a maximum. The user object corresponding to the abnormal transaction behavior, namely the abnormal guest group, can be determined through the defined task, and what is characterized by the action behavior pattern characteristics of the abnormal guest group (sensing behavior is determined). By adopting the task definition for each session time, the connection edge relationship in the undirected graph can be obtained.
It should be understood that the updated preset bipartite graph inference model may include a connection relationship between a U node set and a W node set, and when sensing behavior and abnormal buried point embedding behavior are subsequently input as node features to be predicted, the preset bipartite graph inference model may combine with the undirected graph G describing the connection relationship to jointly complete the associated inference prediction.
It can be understood that the conventional webpage operation process data embodying the habit of the user generally prevents the data volume transmission cost and the privacy of the user data from being transmitted back to the stream, the data information loss can occur when the user performs feature extraction according to experience, and the data content can be unstable along with different webpage designs or service flow changes and the like, so that the pattern recognition model of the user can not be stable.
In this embodiment, a set of preset bipartite graph inference models which are distributed and deployed are set, and the preset bipartite graph inference models can respectively obtain training output data of the front end coding model and training output data of the rear end coding model; constructing an undirected graph according to the sensing behavior embedded features and the abnormal embedded point embedded features; and determining a connection side relation in the undirected graph based on the session time, updating the bipartite graph inference model according to the connection side relation to obtain a preset bipartite graph inference model, and transmitting the sensor behavior ebedding back to the background when the front end coding model extracts the sensor behavior ebedding, inquiring to obtain an abnormal buried point ebedding, and completing the abnormal reasoning together based on a bipartite graph structure. The end-to-end deployment can prevent the leakage of the action behavior mode characteristics of the front end and the loss of data information, effectively advance the abnormal recognition to the end side, recognize the abnormal user behavior when the abnormal buried point is queried and the adjacency matrix is output, and realize the stable recognition of the abnormal user behavior in different financial scenes without subjective influence of human characteristic extraction.
Referring to fig. 5, fig. 5 is a flowchart illustrating a third embodiment of the abnormal user behavior detection method according to the present invention, and based on the foregoing embodiment, a third embodiment of the abnormal user behavior detection method according to the present invention is provided.
In order to take sensing behavior and abnormal buried point embedding as node characteristics, a preset bipartite graph inference model is input, and step S30 comprises the following steps:
step S301: and determining the node characteristics to be predicted according to the sensing behavior embedded characteristics of the current user and the abnormal embedded point embedded characteristics of the current session time, and inputting the node characteristics to be predicted into a preset bipartite graph inference model.
It can be understood that the node characteristics to be predicted can be two types of nodes needing node relation reasoning, sensing behavior embellishing can be used as a left node, an abnormal buried point embellishing is used as a right node, and a node characteristic matrix input to a preset bipartite graph reasoning model is formed.
Step S302: and performing node matching on the node characteristics to be predicted through the preset bipartite graph inference model to obtain an adjacency matrix.
It will be appreciated that the feature matrix of the sensing behavior of the sensing device may be denoted as w_left, the feature matrix of the abnormal buried point of the sensing device may be denoted as w_right, and the feature w of the node to be predicted is formed by w_left and w_right together, where the node to be predicted is a matrix describing feature information of the node, and each row or each column corresponds to a feature vector (sensing) of the node.
In a specific implementation, when sensing behavior and abnormal embedding point embedding are input as node characteristics W to be predicted, the preset bipartite graph inference model can be combined with the undirected graph G containing the connection relation between the U node and the W node set to jointly complete association inference prediction, and an adjacency matrix reflecting the connection relation between the two node edges of the sensing behavior and the abnormal embedding point embedding is output.
Further, since the adjacency matrix may reflect the edge connection relationship and the node association degree between the nodes, step S40 includes:
step S401: judging whether a connection side relationship exists between the sensing behavior embedded feature and the abnormal embedded point embedded feature according to the adjacent matrix.
Step S402: if yes, judging that the behavior of the current user has abnormal conditions, and generating investigation early warning information.
It will be appreciated that, since each element in the adjacency matrix may represent a connection between nodes, the value of an element in the adjacency matrix may be 0 or 1. When there is an element connected to 1 in the output adjacent matrix, it can be determined that the sensing behavior and the abnormal buried point are in an edge relationship.
It should be understood that when the sensing behavior enabling and the abnormal embedding point enabling are judged to have the edge relationship, it is indicated that the action behavior mode of the current user may be associated with the abnormal transaction behavior, that is, the behavior of the current user may be judged to have the abnormal condition, and then early warning information is generated to prompt relevant personnel to conduct investigation and intervention in real time under the financial scene, so that risk cost is saved.
Referring to fig. 6, fig. 6 is a flowchart for implementing abnormal user behavior detection by applying a preset bipartite graph inference model.
In fig. 6, sensing behavior empdding representing the action behavior mode of the current user is extracted based on the front-end coding model, and as the object described by the sensing behavior empdding belongs to the content of the W set, each abnormal buried point empdding stored in the vector database at the current session time and the description user object corresponding to the abnormal buried point empdding can be queried; when the abnormal buried point emmbedding is obtained through inquiry, sensing behavior emmbedding and abnormal buried point emmbedding are input into a preset bipartite graph reasoning model; judging whether the behavior mode of the current user is associated with abnormal transaction behaviors according to the output adjacency matrix, further finishing one-time abnormal judgment when the association exists, and generating early warning information to prompt relevant personnel to conduct investigation and intervention in real time under the financial scene.
For example, in fig. 6, if the user a is in a session k at time tk, and the extracted sensing behavior representing the action behavior pattern is EAk, it is necessary to query the abnormal embedding point embedding stored in the vector database at the current session time and the corresponding description user object, and in the same session, the abnormal embedding point embedding is EBj at time j before time k. EAk and EBj are input into a preset bipartite graph inference model, whether the user A is associated with abnormal transaction behaviors or not is judged according to the output adjacency matrix, and early warning information is further generated to prompt transfer checking.
If the sensing behavior is imbedding, namely EAi, in a session i of the user a at the time ti, when the node and imbedding of the corresponding channel product need to be queried a, the abnormal embedded point imbedding stored in the vector database at the current session time cannot be queried, and it can be determined that the user a is irrelevant to the abnormal transaction behavior, and the behavior of the user a is normal.
The vector database may store the abnormal embedding points of the same user at different session moments, for example, the abnormal embedding point of the user a, i.e. EAi, and the abnormal embedding point of the user B, i.e. EBj. And updating the abnormal buried point embedding representing the abnormal transaction behavior in the current session time by the back-end coding model according to the preset storage frequency. For example, in one update, the web page behavior of the user B at the time tj is obtained, the back-end coding model performs feature extraction on the web page behavior, obtains the abnormal buried point EBj which reflects the abnormal transaction behavior, and stores the EBj in the vector database.
According to the embodiment, the node characteristics to be predicted are determined according to the sensing behavior embedded characteristics of the current user and the abnormal embedded point embedded characteristics of the current session time, and the node characteristics to be predicted are input into a preset bipartite graph inference model; node matching is carried out on the node characteristics to be predicted through the preset bipartite graph inference model, and an adjacency matrix is obtained; judging whether a connection edge relationship exists between the sensing behavior embedded feature and the abnormal embedded point embedded feature according to the adjacent matrix; if yes, judging that the behavior of the current user has abnormal conditions, and generating investigation early warning information, wherein the abnormal conditions of the behavior of the current user can be judged according to element values of the adjacent matrix when the adjacent matrix is output by the preset bipartite graph inference model, the early warning information is generated, and related personnel in the financial scene can be timely prompted to conduct investigation intervention, so that risk cost is further saved.
In addition, the embodiment of the invention also provides a storage medium, wherein the storage medium is stored with an abnormal user behavior detection program, and the abnormal user behavior detection program realizes the abnormal user behavior detection method when being executed by a processor.
Further, referring to fig. 7, fig. 7 is a block diagram showing a configuration of a first embodiment of an abnormal user behavior detection apparatus of the present invention, the abnormal user behavior detection apparatus including:
a data acquisition module 701, configured to acquire front end sensing data of a current user;
the data query module 702 is configured to query, based on a current session time, rear-end buried point data at the current session time;
the model reasoning module 703 is configured to input the front-end sensing data and the back-end buried data into a preset bipartite graph reasoning model to obtain an adjacency matrix;
and the abnormality determination module 704 is configured to determine whether an abnormal situation exists in the current user behavior according to the adjacency matrix.
Further, the data acquisition module 701 is further configured to acquire sensor acquisition data of the current user; extracting characteristics of the sensor acquisition data of the current user through a front-end coding model to obtain the sensor behavior embedded characteristics of the current user;
Further, the data query module 702 is further configured to obtain a web page behavior at the current session time; extracting characteristics of the webpage behaviors at the current session time through a back-end coding model to obtain abnormal embedded point embedding characteristics at the current session time; and inquiring the embedded characteristics of the abnormal buried points at the current session time based on the current session time.
The embodiment obtains front end sensing data of the current user; inquiring rear-end buried point data at the current session time based on the current session time; inputting the front-end sensing data and the rear-end buried data into a preset bipartite graph inference model to obtain an adjacency matrix; judging whether the behavior of the current user has abnormal conditions or not according to the adjacency matrix. According to the embodiment, after the front-end sensing data is acquired, the rear-end buried point data at the current session time is queried, the front-end sensing data and the rear-end buried point data are input into a two-part graph inference model structure, so that the abnormal inference is completed together, the abnormal condition of the current user behavior is judged specifically according to the adjacency matrix output by the model, and compared with the existing abnormal recognition method, the abnormal user behavior can be recognized on the end side in time without waiting for the transaction behavior to occur, the risk intervention is facilitated to be advanced in time, and the risk cost is saved.
Based on the first embodiment of the abnormal user behavior detection device of the present invention, a second embodiment of the abnormal user behavior detection device of the present invention is provided.
In this embodiment, a data acquisition module 701 is configured to initialize a front-end coding model to be trained, where the front-end coding model includes a two-dimensional convolution layer and a graph annotation network layer; acquiring acquisition data of each sensor, and establishing a time chart based on acquisition time points corresponding to the acquisition data of the sensors; and training the front end coding model through a time chart corresponding to each acquisition time point to obtain a trained front end coding model.
Further, the data acquisition module 701 is further configured to initialize a back-end coding model based on the Bert model; acquiring a buried point running water log of a webpage, and constructing a training data set by combining an abnormal mark sample; and training the back-end coding model through the training data set to obtain a trained back-end coding model.
Further, the data acquisition module 701 is further configured to initialize a bipartite graph inference model; respectively acquiring training output data of the front end coding model and the rear end coding model, wherein the training output data of the front end coding model is a sensing behavior embedded feature, and the training output data of the rear end coding model is an abnormal buried point embedded feature; constructing an undirected graph according to the sensing behavior embedded features and the abnormal embedded point embedded features; and determining a connection side relation in the undirected graph based on the session time, and updating the bipartite graph inference model according to the connection side relation to obtain a preset bipartite graph inference model.
The model reasoning module 703 is configured to determine a node feature to be predicted according to the sensing behavior embedded feature of the current user and the abnormal embedded feature of the current session time, and input the node feature to be predicted into a preset bipartite graph reasoning model; and performing node matching on the node characteristics to be predicted through the preset bipartite graph inference model to obtain an adjacency matrix.
An anomaly determination module 704, configured to determine, according to the adjacency matrix, whether a connection edge relationship exists between the sensing behavior embedded feature and the abnormal embedded point feature; if yes, judging that the behavior of the current user has abnormal conditions, and generating investigation early warning information.
Other embodiments or specific implementation manners of the abnormal user behavior detection device of the present invention may refer to the above method embodiments, and are not described herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. read only memory mirror (Read Only Memory image, ROM)/random access memory (Random Access Memory, RAM), magnetic disk, optical disk), comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.
Claims (6)
1. A method for detecting abnormal user behavior, the method comprising:
acquiring front-end sensing data of a current user;
inquiring rear-end buried point data at the current session time based on the current session time;
inputting the front-end sensing data and the rear-end buried data into a preset bipartite graph inference model to obtain an adjacency matrix;
judging whether the behavior of the current user has abnormal conditions or not according to the adjacency matrix;
the step of acquiring front end sensing data of the current user includes:
acquiring sensor acquisition data of the current user;
extracting characteristics of sensor acquisition data of the current user through a front-end coding model to obtain sensor behavior embedded characteristics of the current user, wherein the front-end coding model is constructed based on a time chart convolution network;
the step of inquiring the back-end buried data before the current session time based on the current session time comprises the following steps:
acquiring the webpage behavior of the current session moment;
extracting characteristics of the webpage behaviors at the current session time through a back-end coding model to obtain abnormal embedded point embedded characteristics at the current session time, wherein the back-end coding model is a classification model;
The querying the rear end buried point data at the current session time based on the current session time comprises the following steps:
inquiring abnormal embedded point embedded features at the current session time in a vector database based on the current session time;
before the front-end sensing data of the current user is acquired, the method comprises the following steps:
initializing a bipartite graph reasoning model;
respectively acquiring training output data of the front end coding model and the rear end coding model, wherein the training output data of the front end coding model is a sensing behavior embedded feature, and the training output data of the rear end coding model is an abnormal buried point embedded feature;
constructing an undirected graph according to the sensing behavior embedded features and the abnormal embedded point embedded features;
determining a connection side relation in the undirected graph based on the session time, and updating the bipartite graph inference model according to the connection side relation to obtain a preset bipartite graph inference model;
the step of inputting the front end sensing data and the rear end buried data into a preset bipartite graph inference model to obtain an adjacency matrix comprises the following steps:
determining node characteristics to be predicted according to the sensing behavior embedded characteristics of the current user and the abnormal embedded point embedded characteristics of the current session time, and inputting the node characteristics to be predicted into a preset bipartite graph inference model;
Node matching is carried out on the node characteristics to be predicted through the preset bipartite graph inference model, and an adjacency matrix is obtained;
wherein the judging whether the behavior of the current user has abnormal conditions according to the adjacency matrix comprises the following steps:
judging whether a connection edge relationship exists between the sensing behavior embedded feature and the abnormal embedded point embedded feature according to the adjacent matrix;
if yes, judging that the behavior of the current user has abnormal conditions, and generating investigation early warning information.
2. The abnormal user behavior detection method of claim 1, wherein prior to obtaining front-end sensory data of a current user, comprising:
initializing a front-end coding model to be trained, wherein the front-end coding model comprises a two-dimensional convolution layer and a graph annotation network layer;
acquiring acquisition data of each sensor, and establishing a time chart based on acquisition time points corresponding to the acquisition data of the sensors;
and training the front end coding model through a time chart corresponding to each acquisition time point to obtain a trained front end coding model.
3. The abnormal user behavior detection method of claim 1, wherein prior to obtaining front-end sensory data of a current user, comprising:
Initializing a back-end coding model based on the Bert model;
acquiring a buried point running water log of a webpage, and constructing a training data set by combining an abnormal mark sample;
and training the back-end coding model through the training data set to obtain a trained back-end coding model.
4. An abnormal user behavior detection apparatus, the apparatus comprising:
the data acquisition module is used for acquiring front-end sensing data of a current user;
the data query module is used for querying the rear-end buried point data at the current session time based on the current session time;
the model reasoning module is used for inputting the front-end sensing data and the rear-end buried data into a preset bipartite graph reasoning model to obtain an adjacency matrix;
the abnormality judging module is used for judging whether the behavior of the current user has abnormal conditions or not according to the adjacency matrix;
the data acquisition module is also used for acquiring sensor acquisition data of the current user; extracting characteristics of sensor acquisition data of the current user through a front-end coding model to obtain sensor behavior embedded characteristics of the current user, wherein the front-end coding model is constructed based on a time chart convolution network;
The data query module is further used for acquiring webpage behaviors at the current session time; extracting characteristics of the webpage behaviors at the current session time through a back-end coding model to obtain abnormal embedded point embedded characteristics at the current session time, wherein the back-end coding model is a classification model; inquiring abnormal embedded point embedded features at the current session time in a vector database based on the current session time;
the data acquisition module is also used for initializing a bipartite graph reasoning model; respectively acquiring training output data of the front end coding model and the rear end coding model, wherein the training output data of the front end coding model is a sensing behavior embedded feature, and the training output data of the rear end coding model is an abnormal buried point embedded feature; constructing an undirected graph according to the sensing behavior embedded features and the abnormal embedded point embedded features; determining a connection side relation in the undirected graph based on the session time, and updating the bipartite graph inference model according to the connection side relation to obtain a preset bipartite graph inference model;
the model reasoning module is further used for determining node characteristics to be predicted according to the sensing behavior embedded characteristics of the current user and the abnormal embedded point embedded characteristics of the current session time, and inputting the node characteristics to be predicted into a preset bipartite graph reasoning model; node matching is carried out on the node characteristics to be predicted through the preset bipartite graph inference model, and an adjacency matrix is obtained;
The abnormality judging module is further used for judging whether a connection edge relationship exists between the sensing behavior embedded feature and the abnormal embedded point embedded feature according to the adjacent matrix; if yes, judging that the behavior of the current user has abnormal conditions, and generating investigation early warning information.
5. An abnormal user behavior detection apparatus, characterized in that the abnormal user behavior detection apparatus comprises: a memory, a processor and a computer program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the abnormal user behavior detection method of any one of claims 1 to 3.
6. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a program that implements an abnormal user behavior detection method, the program implementing the abnormal user behavior detection method being executed by a processor to implement the steps of the abnormal user behavior detection method according to any one of claims 1 to 3.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311311710.1A CN117057929B (en) | 2023-10-11 | 2023-10-11 | Abnormal user behavior detection method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311311710.1A CN117057929B (en) | 2023-10-11 | 2023-10-11 | Abnormal user behavior detection method, device, equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117057929A CN117057929A (en) | 2023-11-14 |
| CN117057929B true CN117057929B (en) | 2024-01-26 |
Family
ID=88653875
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311311710.1A Active CN117057929B (en) | 2023-10-11 | 2023-10-11 | Abnormal user behavior detection method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117057929B (en) |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112183622A (en) * | 2020-09-27 | 2021-01-05 | 广州汇量信息科技有限公司 | Method, device, equipment and medium for detecting cheating in mobile application bots installation |
| CN112905894A (en) * | 2021-03-24 | 2021-06-04 | 合肥工业大学 | Collaborative filtering recommendation method based on enhanced graph learning |
| WO2022088408A1 (en) * | 2020-11-02 | 2022-05-05 | 南京博雅区块链研究院有限公司 | Graph neural network-based transaction fraud detection method and system |
| CN114880566A (en) * | 2022-05-17 | 2022-08-09 | 中国平安财产保险股份有限公司 | User behavior analysis method, device, equipment and medium based on graph neural network |
| CN115455302A (en) * | 2022-09-30 | 2022-12-09 | 南京工业大学 | Knowledge graph recommendation method based on optimized graph attention network |
| CN115640842A (en) * | 2022-11-10 | 2023-01-24 | 河海大学 | Network representation learning method based on graph attention self-encoder |
| CN115841332A (en) * | 2022-11-10 | 2023-03-24 | 电子科技大学 | Unsupervised abnormal user detection method on unbalanced data set of block chain bipartite graph |
| WO2023109085A1 (en) * | 2021-12-15 | 2023-06-22 | 深圳前海微众银行股份有限公司 | Method for training account risk model, and method for determining risk user group |
| CN116485406A (en) * | 2023-04-24 | 2023-07-25 | 中国工商银行股份有限公司 | Account detection method and device, storage medium and electronic equipment |
| CN116701992A (en) * | 2023-05-17 | 2023-09-05 | 哈尔滨工程大学 | Multi-mode anomaly detection method based on graph attention network and time convolution network |
-
2023
- 2023-10-11 CN CN202311311710.1A patent/CN117057929B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112183622A (en) * | 2020-09-27 | 2021-01-05 | 广州汇量信息科技有限公司 | Method, device, equipment and medium for detecting cheating in mobile application bots installation |
| WO2022088408A1 (en) * | 2020-11-02 | 2022-05-05 | 南京博雅区块链研究院有限公司 | Graph neural network-based transaction fraud detection method and system |
| CN112905894A (en) * | 2021-03-24 | 2021-06-04 | 合肥工业大学 | Collaborative filtering recommendation method based on enhanced graph learning |
| WO2023109085A1 (en) * | 2021-12-15 | 2023-06-22 | 深圳前海微众银行股份有限公司 | Method for training account risk model, and method for determining risk user group |
| CN114880566A (en) * | 2022-05-17 | 2022-08-09 | 中国平安财产保险股份有限公司 | User behavior analysis method, device, equipment and medium based on graph neural network |
| CN115455302A (en) * | 2022-09-30 | 2022-12-09 | 南京工业大学 | Knowledge graph recommendation method based on optimized graph attention network |
| CN115640842A (en) * | 2022-11-10 | 2023-01-24 | 河海大学 | Network representation learning method based on graph attention self-encoder |
| CN115841332A (en) * | 2022-11-10 | 2023-03-24 | 电子科技大学 | Unsupervised abnormal user detection method on unbalanced data set of block chain bipartite graph |
| CN116485406A (en) * | 2023-04-24 | 2023-07-25 | 中国工商银行股份有限公司 | Account detection method and device, storage medium and electronic equipment |
| CN116701992A (en) * | 2023-05-17 | 2023-09-05 | 哈尔滨工程大学 | Multi-mode anomaly detection method based on graph attention network and time convolution network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117057929A (en) | 2023-11-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110598206B (en) | Text semantic recognition method and device, computer equipment and storage medium | |
| CN113596007B (en) | Vulnerability attack detection method and device based on deep learning | |
| CN111177367A (en) | Case classification method, classification model training method and related products | |
| CN115222066A (en) | Model training method and device, behavior prediction method and device, and storage medium | |
| CN111091004A (en) | Training method and training device for sentence entity labeling model and electronic equipment | |
| CN116722992A (en) | Fraud website identification method and device based on multi-mode fusion | |
| CN113094478A (en) | Expression reply method, device, equipment and storage medium | |
| CN115546488A (en) | Information segmentation method, information extraction method and training method of information segmentation model | |
| CN111612284A (en) | Data processing method, device and equipment | |
| CN114266252A (en) | Named entity recognition method, device, equipment and storage medium | |
| CN113342927A (en) | Sensitive word recognition method, device, equipment and storage medium | |
| CN112765330A (en) | Text data processing method and device, electronic equipment and storage medium | |
| CN117057929B (en) | Abnormal user behavior detection method, device, equipment and storage medium | |
| CN113536784A (en) | Text processing method and device, computer equipment and storage medium | |
| CN116109420A (en) | Insurance product recommendation method, apparatus, equipment and medium | |
| CN115205975A (en) | Behavior recognition method and apparatus, electronic device, and computer-readable storage medium | |
| CN114398482A (en) | Dictionary construction method and device, electronic equipment and storage medium | |
| CN114067362A (en) | Sign language recognition method, device, equipment and medium based on neural network model | |
| CN114417891A (en) | Reply sentence determination method and device based on rough semantics and electronic equipment | |
| CN113901817A (en) | Document classification method and device, computer equipment and storage medium | |
| CN113807920A (en) | Artificial intelligence based product recommendation method, device, equipment and storage medium | |
| CN113343699A (en) | Log security risk monitoring method and device, electronic equipment and medium | |
| KR102051085B1 (en) | Device and method for providing nationality information of user name using neural networks | |
| CN113657092A (en) | Method, apparatus, device and medium for identifying label | |
| CN117332039B (en) | Text detection method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |