CN117670500A - Abnormal user identification system, method, electronic device, and storage medium - Google Patents
Abnormal user identification system, method, electronic device, and storage medium Download PDFInfo
- Publication number
- CN117670500A CN117670500A CN202311666307.0A CN202311666307A CN117670500A CN 117670500 A CN117670500 A CN 117670500A CN 202311666307 A CN202311666307 A CN 202311666307A CN 117670500 A CN117670500 A CN 117670500A
- Authority
- CN
- China
- Prior art keywords
- user
- preset
- map
- mode
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 129
- 238000000034 method Methods 0.000 title claims abstract description 61
- 238000003860 storage Methods 0.000 title claims abstract description 27
- 238000010276 construction Methods 0.000 claims abstract description 64
- 238000000605 extraction Methods 0.000 claims abstract description 30
- 238000012544 monitoring process Methods 0.000 claims abstract description 26
- 230000006399 behavior Effects 0.000 claims description 112
- 238000004422 calculation algorithm Methods 0.000 claims description 28
- 238000007689 inspection Methods 0.000 claims description 22
- 238000012545 processing Methods 0.000 claims description 21
- 238000004590 computer program Methods 0.000 claims description 16
- 238000012360 testing method Methods 0.000 claims description 12
- 230000004927 fusion Effects 0.000 claims description 9
- 238000009826 distribution Methods 0.000 claims description 8
- 238000001514 detection method Methods 0.000 claims description 5
- 238000010801 machine learning Methods 0.000 claims description 5
- 238000013500 data storage Methods 0.000 claims description 4
- 238000002372 labelling Methods 0.000 claims description 4
- 238000006243 chemical reaction Methods 0.000 claims description 3
- 238000004140 cleaning Methods 0.000 claims description 3
- 238000007500 overflow downdraw method Methods 0.000 claims description 3
- 238000013528 artificial neural network Methods 0.000 claims description 2
- 238000010380 label transfer Methods 0.000 claims description 2
- 238000010586 diagram Methods 0.000 description 23
- 238000004891 communication Methods 0.000 description 8
- 238000001228 spectrum Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 6
- 230000009471 action Effects 0.000 description 5
- 238000004458 analytical method Methods 0.000 description 5
- 230000001960 triggered effect Effects 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 3
- 206010000117 Abnormal behaviour Diseases 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000005457 optimization Methods 0.000 description 2
- 210000002268 wool Anatomy 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000012937 correction Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 239000011521 glass Substances 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 238000012502 risk assessment Methods 0.000 description 1
- 230000004884 risky behavior Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 238000000551 statistical hypothesis test Methods 0.000 description 1
- 238000007619 statistical method Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 238000011282 treatment Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses an abnormal user identification system, an abnormal user identification method, electronic equipment and a storage medium. Wherein, unusual user identification system includes: the system comprises a data acquisition module, a map construction and updating module, a body construction and updating module, a knowledge discovery module, a rule extraction module and a monitoring and early warning module. The abnormal user identification system provided by the embodiment of the invention realizes the construction and updating of the user access map by utilizing the map construction and updating module and the body construction and updating module, and provides a data basis for the identification of abnormal users; the knowledge discovery module and the rule extraction module improve the accuracy and the judgment efficiency of the discovery of the abnormal user behavior mode, and effectively improve the accuracy and the efficiency of the identification of the abnormal user; real-time abnormal user monitoring and abnormal risk early warning of the application system are realized through the monitoring and early warning module, and the safety of the application system is greatly improved.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an abnormal user identification system, an abnormal user identification method, an electronic device, and a storage medium.
Background
The commercial banking industry at present gradually presents a pattern of diversified and fierce competition, the identification capability of risks to users is more important, in addition, under the current situation, the hiding capability of the risks to users is gradually enhanced, the identification difficulty of the risks to users by commercial banks is greatly improved, the early identification of the risks to users becomes the key work of the commercial banks, along with the continuous development of big data technology, the data application technology of the commercial banks is also developed for a long time, the rapid and accurate identification of abnormal users from relevant data of users is possible, a large amount of user data in the line can be applied by using the existing big data technology, the abnormal modes of the users can be rapidly identified, the abnormal users can be accurately positioned, early discovery and early warning of the abnormal users can be realized, the risk identification capability of the commercial banks is greatly improved, and the important practical significance is achieved.
Currently, when a commercial bank performs risk assessment, there are two strategies for risk customer identification. One is to check response index according to practitioner's experience, judge whether this user will carry on the risk judgement with experience, the course relies on practitioner's experience to judge completely, can't discern in time to recessive, new risk behavior, this method has coverage rate, recognition accuracy and recognition efficiency lower problem. And the other is to refine the experience of practitioners, designate related indexes and related conditions to establish a simple linear model, and perform general rule ordering on the risk conditions of clients.
Disclosure of Invention
The invention provides an abnormal user identification system, an abnormal user identification method, electronic equipment and a storage medium, so that the accuracy and efficiency of abnormal user identification are improved, risk behaviors are blocked timely and accurately, and the safety of an application system is effectively improved.
According to an aspect of the present invention, there is provided an abnormal user identification system, the method comprising:
the data acquisition module is used for acquiring and storing user behavior data;
the map construction and updating module is used for constructing a user access map according to the user behavior data and a preset map construction mode and updating the user access map according to a preset map updating mode;
the ontology construction and updating module is used for drawing a knowledge graph ontology according to the user behavior data and updating a user access graph according to the knowledge graph ontology;
the knowledge discovery module is used for carrying out knowledge reasoning on the user access map and acquiring an abnormal user behavior mode;
the rule extraction module is used for determining rule hit conditions according to preset standardized rules and rule key indexes corresponding to abnormal user behavior patterns, and determining corresponding matched user hit patterns according to the rule hit conditions;
And the monitoring and early warning module is used for determining the risk level of the user according to the hit mode of the user and the corresponding preset risk weight and issuing a user risk prompt according to the risk level of the user.
According to another aspect of the present invention, there is provided an abnormal user identification method applied to an abnormal user identification system, the method comprising:
acquiring real-time user behavior data sent by a target user, constructing a sample space according to sub-graphs corresponding to the real-time user behavior data and determining sample characteristics corresponding to the sample space;
constructing a reference space according to a pre-constructed user access map, and determining integral features corresponding to the reference space;
determining a graph test result corresponding to the sample characteristic and the integral characteristic according to a preset hypothesis test mode, and determining an abnormal user behavior mode corresponding to the target user;
determining rule hit conditions according to preset standardized rules and rule key indexes corresponding to abnormal user behavior patterns, and determining corresponding matched user hit patterns according to the rule hit conditions;
and determining a user risk level according to the user hit mode and the corresponding preset risk weight, and issuing a user risk prompt according to the user risk level.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of identifying an abnormal user according to any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the abnormal user identification method according to any one of the embodiments of the present invention when executed.
The abnormal user identification system provided by the embodiment of the invention is used for acquiring and storing user behavior data through the data acquisition module; the map construction and updating module is used for constructing a user access map according to the user behavior data and a preset map construction mode and updating the user access map according to a preset map updating mode; the ontology construction and updating module is used for drawing a knowledge graph ontology according to the user behavior data and updating a user access graph according to the knowledge graph ontology; the knowledge discovery module is used for carrying out knowledge reasoning on the user access map and acquiring an abnormal user behavior mode; the rule extraction module is used for determining rule hit conditions according to preset standardized rules and rule key indexes corresponding to abnormal user behavior patterns, and determining corresponding matched user hit patterns according to the rule hit conditions; and the monitoring and early warning module is used for determining the risk level of the user according to the hit mode of the user and the corresponding preset risk weight and issuing a user risk prompt according to the risk level of the user. The abnormal user identification system provided by the embodiment of the invention realizes the construction and updating of the user access map by utilizing the map construction and updating module and the body construction and updating module, and provides a data basis for the identification of abnormal users; the knowledge discovery module and the rule extraction module improve the accuracy and the judgment efficiency of the discovery of the abnormal user behavior mode, and effectively improve the accuracy and the efficiency of the identification of the abnormal user; real-time abnormal user monitoring and abnormal risk early warning of the application system are realized through the monitoring and early warning module, and the safety of the application system is greatly improved.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an abnormal user identification system according to a first embodiment of the present invention;
FIG. 2 is a schematic diagram of a data acquisition module according to a first embodiment of the present invention;
FIG. 3 is a schematic diagram of a map construction and update module according to a first embodiment of the present invention;
FIG. 4 is a schematic diagram of a map real-time update process according to a first embodiment of the present invention;
FIG. 5 is a schematic diagram of an ontology construction and update module according to a first embodiment of the present invention;
FIG. 6 is a schematic diagram of a knowledge discovery module provided in accordance with a first embodiment of the invention;
FIG. 7 is a schematic diagram of a diagram inspection unit provided according to a first embodiment of the present invention;
FIG. 8 is a schematic diagram of a rule extraction module according to a first embodiment of the present invention;
fig. 9 is a schematic diagram of a rule extraction unit according to a first embodiment of the present invention;
FIG. 10 is a schematic diagram of a monitoring and early warning module according to a first embodiment of the present invention;
FIG. 11 is a flowchart of an abnormal user identification method according to a second embodiment of the present invention;
fig. 12 is a schematic structural diagram of an abnormal user identification apparatus according to a third embodiment of the present invention;
fig. 13 is a schematic structural diagram of an electronic device implementing an abnormal user identification method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a schematic diagram of an abnormal user identification system according to an embodiment of the present invention, where the embodiment is applicable to a situation of identifying an abnormal user. As shown in fig. 1, an abnormal user identification system provided in the first embodiment includes: the system comprises a data acquisition module 11, a map construction and updating module 12, a body construction and updating module 13, a knowledge discovery module 14, a rule extraction module 15 and a monitoring and early warning module 16. The following specifically describes the structural composition of the abnormal user identification system of the present embodiment.
The data acquisition module 11 is configured to acquire and store user behavior data.
The user behavior data may refer to behavior data triggered by a user when the user accesses the target application system using the user terminal, and exemplary user behavior data may include, but is not limited to: clicking a button, accessing a system page, switching system pages, etc.
In the embodiment of the invention, the data acquisition module can be invoked to acquire the user behavior data triggered when the user accesses the target application system by using the user terminal, for example, the key node of the target application system can be buried in advance, when the user triggers a corresponding user behavior event by using the user terminal, the preset real-time stream processing engine can be invoked to acquire the corresponding user behavior buried data, and then the user behavior data is obtained by analyzing the user behavior buried data; after the user behavior data is obtained, data processing operations such as data cleaning, data conversion, entity disambiguation, entity fusion, relation fusion and the like can be performed on the user behavior data to form preliminary map basic data, and then the map basic data are stored in a database or a database cluster.
Further, on the basis of the above embodiment of the present invention, the data acquisition module 11 specifically includes:
The data acquisition unit is used for calling a preset real-time stream processing engine to acquire user behavior data sent by the user terminal;
the data processing unit is used for processing the user behavior data according to a preset data processing mode; the preset data processing mode at least comprises the following steps: data cleaning, data conversion, entity disambiguation, entity fusion and relationship fusion;
and the data storage unit is used for storing the processed user behavior data to the target database.
Fig. 2 is a schematic diagram of a data acquisition module according to an embodiment of the invention. As shown in fig. 2, the purpose of the data acquisition module is to build a data base for the whole abnormal user identification system, and provide basic user behavior data for continuous and stable operation of the system, where the data acquisition module includes: the device comprises a data acquisition unit, a data processing unit and a data storage unit. Specifically, when a user performs actions such as access and clicking on a terminal, a data acquisition unit acquires user action data and sends the user action data to an abnormal user identification system in real time in a data stream form, after receiving the user action data, a data processing unit is called and is processed into more standard data through simple ETL (Extract-Transform-Load), business layer integration processing is performed according to existing business rules to form standard data streams, then entity disambiguation, entity fusion, relation fusion and the like are performed according to historical data, a simple model, existing rules and the like to form map basic data, finally a data storage unit is called to store the processed data into a database, wherein the stored historical data is stored mainly in a distributed file system (Hadoop Distributed File System, HDFS), and when the daily data is stored by using the relation database, the real-time data streams are generally transmitted and stored in a Flink mode.
The map construction and updating module 12 is configured to construct a user access map according to the user behavior data and the preset map construction mode, and update the user access map according to the preset map updating mode.
The preset pattern constructing method may be a method for constructing a user access pattern by a preconfigured user, and the preset pattern constructing method may at least include: a Schema model method and a map fusion method. The user access pattern may refer to a knowledge pattern including nodes and relationships constructed using collected user behavior data, the user access pattern may be composed of a plurality of associated sub-graphs, entities in the user access pattern may include clients (personal and public), device numbers, purchased items, etc., and the relationships may include transfer relationships, investment (invested) relationships, guarantee (guaranteed) relationships, association relationships, device use relationships, etc. The preset map updating mode may set a preset mode for updating the constructed user access map, and the preset map updating mode may at least include: offline timing updates and real-time triggered updates.
In the embodiment of the invention, after the user behavior data is acquired, the map construction and updating module can be called to extract entity, relation and attribute information from the user behavior data, a basic user access map is constructed according to a preset map construction mode, the user access map is updated by utilizing a preset map updating mode, and finally, after the user access map is constructed and updated, the user access map can be stored in a database, for example, different types of data can be combined in a multi-database coexistence mode, so that the advantages of different data in different scenes can be exerted. It is to be understood that the map construction operation is only invoked when the map is first constructed.
Further, based on the above embodiment of the present invention, the map construction and updating module 12 specifically includes:
the map construction unit is used for extracting entity, relation and attribute information from the user behavior data and constructing a user access map according to a preset map construction mode; the preset map construction mode at least comprises the following steps: a Schema model method and a map fusion method;
the first map updating unit is used for executing timing full-quantity updating, timing increment updating and timing appointed data updating operation on the user access map when the preset map updating mode is offline timing updating; when the preset map updating mode is real-time triggering updating, acquiring real-time data to be updated, analyzing a data updating type of the real-time data to be updated, and matching corresponding updating queues for the real-time data to be updated according to the data updating type;
and the map storage unit is used for storing the constructed user access map to the target database.
Fig. 3 is a schematic diagram of a map construction and update module according to a first embodiment of the present invention. As shown in fig. 3, the purpose of the graph construction and updating module is to provide analysis basis for monitoring and identifying abnormal behavior of the user, including: the device comprises a map construction unit, a first map updating unit and a map storage unit. Specifically, the pattern constructing unit is called when the pattern is constructed for the first time, two main pattern constructing methods are adopted, the first method is to design a pattern Schema according to business rules, the pattern is constructed on the basis of the Schema to provide pattern support for subsequent application, and most basic patterns are constructed in the mode; and secondly, carrying out spectrum fusion on the basis of the existing spectrum to form a new application spectrum, constructing a special spectrum of a general specific business scene in the mode, and establishing association and linkage updating with the basic spectrum.
The first map updating unit is used for carrying out data updating on the established user access map, wherein the offline timing updating comprises timing full-quantity updating of the map, incremental updating of appointed data, body updating and the like, and is generally updating with larger influence on the map structure; the real-time triggering update is the update of the real-time stream data, and generally triggers the update flow after receiving the real-time data stream. As shown in fig. 4, in the process of map real-time update, different update types are defined for different types of data in the program, different update strategies and update modes are respectively formulated for modes such as entity addition, relationship addition, attribute update and statistical index update, and different update priorities are set according to different update types and influence degrees.
Based on the first map updating unit, the embodiment of the invention provides a map real-time updating method based on updating type judgment, wherein the map storage data amount is larger, related contents are stored in different databases, related data related to updating is more, real-time updating difficulty is larger, in order to reduce updating difficulty, before the map is updated in real time, the data to be updated is firstly analyzed, the type needing to be updated is judged, different updating strategies and updating modes are respectively formulated according to modes such as entity addition, relation addition, attribute updating and statistical index updating, different updating priorities are set according to different updating types and influence degrees, timeliness of the data is improved while the data quality is ensured, and rapid updating of the data is completed.
The map storage unit is used for realizing the storage of the user access map, and can combine different types of data in a mode of coexistence of multiple databases to play the advantages of different data in different scenes.
The ontology construction and updating module 13 is configured to draw a knowledge graph ontology according to user behavior data, and update a user access graph according to the knowledge graph ontology.
The knowledge graph ontology may be understood as formalized description of entities, concepts and relationships in user behavior data, and is used to define concepts and relationships among the concepts in a user access graph. The ontology construction can be to identify different types of entities according to the data self-knowledge system and the ontology basic business rules, so that scattered entities are subjected to merging and other treatments to form a normalized map, and business characteristics are displayed more clearly.
In the embodiment of the invention, a pre-configured ontology construction algorithm can be called to draw the knowledge graph ontology corresponding to the user behavior data, and then the knowledge graph ontology is utilized to update the graph data in the user access graph, so that the automatic identification and construction of the ontology are realized.
Further, on the basis of the above embodiment of the present invention, the body constructing and updating module 13 specifically includes:
the ontology construction unit is used for calling a preset ontology construction algorithm to draw a knowledge graph ontology corresponding to the user behavior data; the preset ontology construction algorithm at least comprises the following steps: a rule-based ontology construction algorithm and a machine learning-based ontology construction algorithm;
and the second map updating unit is used for updating the map data in the user access map according to the knowledge map body.
Fig. 5 is a schematic diagram of an ontology construction and update module according to an embodiment of the present invention. As shown in fig. 5, the ontology construction and update module aims to comb service ontologies for specific application scenarios, and includes: the body construction unit and the second map updating unit automatically carry out body construction by methods such as rules, machine learning and the like, and are used for updating the map structure specially for the application scene, simplifying the map, reducing the analysis difficulty and improving the analysis accuracy and the analysis efficiency.
The knowledge discovery module 14 is configured to perform knowledge reasoning on the user access map and obtain abnormal user behavior patterns.
The knowledge reasoning can be understood as that unknown facts or relations are deduced based on the facts or relations existing in the user access map, and new facts, new relations, new axiom, new rules and the like can be deduced in an auxiliary mode through the knowledge map reasoning. An abnormal user may refer to a user whose behavior pattern, relationship characteristics, etc. do not conform to the normal pattern of most users, unlike most users, and may include, for example, an abnormal user having risky behavior such as a wool cut, a heuristic attack, a non-self operation, etc. The abnormal user behavior pattern may refer to a special pattern different from most normal user patterns, and the abnormal user behavior pattern may include abnormal patterns such as wool, heuristic attacks, non-self operations, etc.
In the embodiment of the invention, the knowledge discovery module can be called to execute knowledge reasoning operation on the user access map, so that the establishment of the invisible relation is realized, and the abnormal user behavior mode is rapidly and accurately identified according to the user access map and the deduced invisible relation.
Further, on the basis of the above embodiment of the present invention, the knowledge discovery module 14 specifically includes:
the knowledge reasoning unit is used for calling a preset knowledge reasoning algorithm to execute label transfer and relationship reasoning operation on the user access map; wherein the preset knowledge reasoning algorithm comprises at least one of the following: a rule-based reasoning algorithm, a graph structure-based reasoning algorithm, a distributed representation learning-based reasoning algorithm and a neural network-based reasoning algorithm;
the map inspection unit is used for accessing the map to select a target node to be detected at a user, constructing a sample space according to the target node to be detected and the corresponding sub-map, and determining a preset business rule index, a map base index and a map community index corresponding to the sample space as sample characteristics; randomly extracting a preset number of nodes from the user access map, constructing a reference space according to the nodes and the corresponding subgraphs, and determining the integral characteristics corresponding to the reference space; invoking a preset hypothesis testing mode to determine whether the sample features meet the target data distribution corresponding to the overall features, and generating a graph testing result;
the pattern extraction unit is used for determining the target node to be detected as an abnormal user behavior pattern when the graph inspection result shows that the sample characteristics do not meet the target data distribution; and calling a preset data statistics method to extract a mode key index of the abnormal user behavior mode, and classifying and labeling the risk degree of the abnormal user behavior mode according to the mode key index, a preset mode key index threshold value and a preset service rule.
Fig. 6 is a schematic diagram of a knowledge discovery module according to an embodiment of the invention. As shown in fig. 6, the knowledge discovery module is a core functional module of the abnormal user identification system, and targets the discovery of the abnormal behavior pattern of the user, and includes: the knowledge reasoning unit, the graph checking unit and the pattern extracting unit are used for forming a complete automatic graph checking system by focusing on the whole of the user access graph and utilizing a tip statistics and hypothesis checking method from the part of a single user. Specifically, the knowledge reasoning unit mainly provides a knowledge reasoning function for the user access map, performs simple reasoning works such as label transmission, relation reasoning and the like on the user access map, performs map updating and assists in map analysis.
Referring to fig. 7, the graph inspection unit is configured to automatically analyze a local pattern of a user at regular time, construct a sample space from a local start of a node, randomly extract a large number of nodes and their relational subgraphs to construct a reference space, and take indexes such as basic service rule indexes, spectrum base indexes (triggering frequencies of different levels, path lengths, dispersities, graph shapes, etc.), spectrum community indexes (community indexes extracted by algorithm models such as GN community detection algorithm, community detection algorithm based on spectrum optimization, community detection algorithm based on extremum optimization, etc.) as sample features; randomly extracting a preset number of nodes from the user access map, constructing a reference space according to the nodes and the corresponding subgraphs, and determining the integral characteristics corresponding to the reference space; and finally, carrying out statistical analysis and hypothesis test, judging whether the sample features meet the target data distribution corresponding to the overall features, thereby identifying a new mode of the user and locking the new mode.
Based on the graph inspection unit, the embodiment of the invention can provide an index inspection method based on a hypothesis inspection, the method takes the hypothesis inspection as a theoretical basis, based on a user access behavior graph, a sample space is constructed from the local part of nodes, a large number of nodes and relational subgraphs thereof are randomly extracted to construct a reference space, business rules, subgraph indexes and the like are used as sample characteristics, the reference space characteristic values are used as integral characteristic values, whether individual characteristics obey integral distribution is inspected by using the method of the hypothesis inspection, the graph index inspection method is formed, abnormal nodes different from most nodes are further identified, and the risk condition of the user is judged.
The pattern extraction unit is mainly used for locking the abnormal user behavior pattern found by the graph inspection unit, calling a preset data statistics method to extract a pattern key index of the abnormal user behavior pattern, and classifying and labeling the risk degree of the abnormal user behavior pattern according to the pattern key index, a preset pattern key index threshold value and a preset business rule, wherein the classifying and labeling of the risk degree is mainly based on the business rule, and carrying out small-amplitude correction by combining occurrence frequency, graph inspection significance degree and the like.
The rule extraction module 15 is configured to determine a rule hit condition according to a preset standardized rule and a rule key indicator corresponding to the abnormal user behavior pattern, and determine a corresponding matched user hit pattern according to the rule hit condition.
The preset standardized rule may be understood as a rule configured in advance for determining a rule hit condition according to a rule key index corresponding to an abnormal user behavior mode, and the preset standardized rule may include, but is not limited to: whether the node degree value is larger than a preset threshold value, whether the number of sub-graph nodes is larger than a preset threshold value, whether the sub-graph relation number is larger than a preset threshold value, whether the sub-graph node type duty ratio is larger than a preset threshold value, and the like. The rule key index may refer to a key index formed by performing index disassembly on graph features, sub-graph indexes and the like corresponding to the abnormal user behavior mode, and the rule key index may include the number of sub-graph nodes of the user page relationship, the number of sub-graph nodes of the user equipment relationship, the degree of output of the user nodes and the like. The user hit pattern may refer to a case where the user hits in different application profiles.
In the embodiment of the invention, the rule extraction module can be called to extract the rule corresponding to the abnormal user behavior mode, so as to determine the rule hit condition, specifically, the graph characteristics, sub-graph indexes and the like corresponding to the abnormal user behavior mode can be firstly subjected to index disassembly to obtain the rule key indexes such as the number of sub-graph nodes of the user page relationship, the number of sub-graph nodes of the user equipment relationship, the degree of emergence of the user nodes and the like, and then the rule key indexes are compared with the preset standardized rule which is preset to determine the corresponding rule hit condition and determine the corresponding matched user hit mode.
In the embodiment of the invention, the modes in the map are separated and associated with the rules, the modes in the map are described by utilizing the key indexes and the threshold value, and the key indexes are associated with the specific rules to form the standardized rules.
Further, on the basis of the above embodiment of the present invention, the rule extraction module 15 specifically includes:
the rule extraction unit is used for carrying out mode storage on graph characteristics, graph basic indexes and sub-graph indexes corresponding to the abnormal user behavior modes; performing index disassembly on the graph characteristics, the map basic indexes and the sub-graph indexes to obtain regular key indexes; comparing the rule key index with a preset standardized rule to generate a rule hit condition;
and the rule application unit is used for searching the corresponding matched user hit mode in the preset mode classification table according to the rule hit condition.
Fig. 8 is a schematic diagram of a rule extraction module according to an embodiment of the invention. As shown in fig. 8, the rule extraction module relies on the abnormal mode extracted by the knowledge discovery module to provide specific indexes for monitoring and early warning for the whole system, and comprises a rule extraction unit and a rule application unit. Specifically, referring to fig. 9, the rule extraction unit is a function triggered by the knowledge discovery module, when the knowledge discovery module discovers a new mode, the rule extraction module is triggered, the mode is stored by using graph features, graph basic indexes, sub-graph indexes and the like, indexes of the graph modes, the sub-graph indexes and the like are disassembled, a plurality of key indexes, namely rule key indexes, are formed, different rule key indexes are corresponding to preset standardized rules, the hit condition of the standardized rules is used for corresponding to the behavior mode of a user, the standardized rules are stored and recorded, the application difficulty is simplified, and the rule extraction process is automatically completed after the knowledge discovery module triggers.
Based on the rule extraction unit, the embodiment of the invention provides a method for converting a user behavior mode into a standardized rule, which uses graph characteristics, sub-graph indexes and the like in a graph to describe the user behavior mode (such as multiple access times, centralized access pages, frequent user switching and the like of user-by-user behavior, the graph is described as high user output degree, centralized in a small part of pages, relatively complex equipment and user relationship between the user and the page), and disassembles the graph characteristics, the sub-graph indexes and the like to form a plurality of key indexes (such as the number of sub-graph nodes of the user page relationship, the number of sub-graph nodes of the user equipment relationship, the degree of output of the user nodes and the like), and corresponds different key indexes to the standardized rule (such as node degree value, sub-graph node point number, sub-graph relationship coefficient, sub-graph node type ratio and the like), and determines the specific behavior condition by using the hit condition of the standardized rule, thereby greatly simplifying the determination process while comprehensively describing the user behavior mode, and greatly improving the user risk condition determination efficiency without losing the determination accuracy.
The rule application unit triggers after the atlas is updated, calculates corresponding parameters according to the updated atlas information and a rule list, and searches a corresponding matched user hit mode in a preset mode classification table according to rule hit conditions, wherein the preset mode classification table pre-stores association relations between different rule hit conditions and corresponding user hit modes.
The monitoring and early warning module 16 is configured to determine a user risk level according to the user hit mode and a corresponding preset risk weight, and issue a user risk prompt according to the user risk level.
The preset risk weight may be a risk weight preset for different user hit modes, and the specific risk weight may be set according to an actual service rule, which is not specifically limited in the embodiment of the present invention.
In the embodiment of the invention, the monitoring and early warning module can be called to acquire the user hit mode determined by the rule extraction module, determine the corresponding user risk level according to the corresponding preset risk weight, and issue a user risk prompt to the target application system.
Further, on the basis of the above embodiment of the present invention, the monitoring and early warning module 16 specifically includes:
the monitoring unit is used for determining mode hit values of different preset application patterns corresponding to the target user according to the user hit mode, determining weighted results of the mode hit values and the corresponding preset risk weights, and searching corresponding user risk grades in the preset risk grading table according to the weighted results;
and the early warning unit is used for transmitting basic information and risk information of the abnormal user to the target application system according to the risk level of the user.
Fig. 10 is a schematic diagram of a monitoring and early warning module according to an embodiment of the invention. As shown in fig. 10, the monitoring and early warning module is for real-time monitoring of a user and providing early warning information for an application system, and includes a monitoring unit and an early warning unit. Specifically, the monitoring unit calculates the risk level of the user for receiving the user hit mode provided by the rule extraction module to form a user risk trend, wherein the calculation of the risk level of the user is weighted calculation according to different mode conditions hit by the user in different application patterns, and the specific weight conditions are mainly based on service rules and are corrected in a small amplitude through a machine learning algorithm; the early warning unit is used for issuing user basic information and risk information to the target application system according to specific customization requirements of the application system and the risk trend situation of the user, and providing support for specific application of the target application system.
The abnormal user identification system provided by the embodiment of the invention is used for acquiring and storing user behavior data through the data acquisition module; the map construction and updating module is used for constructing a user access map according to the user behavior data and a preset map construction mode and updating the user access map according to a preset map updating mode; the ontology construction and updating module is used for drawing a knowledge graph ontology according to the user behavior data and updating a user access graph according to the knowledge graph ontology; the knowledge discovery module is used for carrying out knowledge reasoning on the user access map and acquiring an abnormal user behavior mode; the rule extraction module is used for determining rule hit conditions according to preset standardized rules and rule key indexes corresponding to abnormal user behavior patterns, and determining corresponding matched user hit patterns according to the rule hit conditions; and the monitoring and early warning module is used for determining the risk level of the user according to the hit mode of the user and the corresponding preset risk weight and issuing a user risk prompt according to the risk level of the user. The abnormal user identification system provided by the embodiment of the invention realizes the construction and updating of the user access map by utilizing the map construction and updating module and the body construction and updating module, and provides a data basis for the identification of abnormal users; the knowledge discovery module and the rule extraction module improve the accuracy and the judgment efficiency of the discovery of the abnormal user behavior mode, and effectively improve the accuracy and the efficiency of the identification of the abnormal user; real-time abnormal user monitoring and abnormal risk early warning of the application system are realized through the monitoring and early warning module, and the safety of the application system is greatly improved.
Example two
Fig. 11 is a flowchart of an abnormal user identification method provided in a second embodiment of the present invention, where the method may be performed by an abnormal user identification device, and the abnormal user identification device may be implemented in hardware and/or software, and the abnormal user identification device may be configured in an electronic device with computing capability. As shown in fig. 11, the method for identifying an abnormal user provided in the second embodiment is applied to an abnormal user identification system, and specifically includes the following steps:
s210, acquiring real-time user behavior data sent by a target user, constructing a sample space according to the sub-graph corresponding to the real-time user behavior data, and determining sample characteristics corresponding to the sample space.
In the embodiment of the invention, the real-time user behavior data sent by the target user can be acquired, the user access pattern in the abnormal user identification system is updated based on the real-time user behavior data, then the subgraph related to the pattern update is constructed as a sample space, and the preset business rule index, the pattern basic index and the pattern community index corresponding to the sample space are determined as sample characteristics.
S220, constructing a reference space according to a pre-constructed user access map, and determining integral features corresponding to the reference space.
In the embodiment of the invention, a preset number of nodes can be randomly extracted from the user access map, a reference space is constructed according to the nodes and the corresponding subgraphs, and the corresponding characteristic value of the reference space is taken as the integral characteristic
S230, determining a graph test result corresponding to the sample feature and the integral feature according to a preset hypothesis test mode, and determining an abnormal user behavior mode corresponding to the target user.
In the embodiment of the invention, a preset hypothesis test mode can be called to determine whether the sample characteristics meet the target data distribution corresponding to the integral characteristics, and a graph test result is generated; and if the graph inspection result shows that the sample characteristics do not meet the target data distribution, identifying the target user as an abnormal node, and simultaneously determining a corresponding abnormal user behavior mode.
Through a graph inspection algorithm, a subgraph generation sample related to graph updating is subjected to automatic mode detection, and key index extraction is performed on the discovered new mode, so that the implicit and novel behavior mode of the user is rapidly identified and discovered, the technical guarantee is provided for the automatic discovery of the whole abnormal user, the manpower consumption and the dependence on experts are greatly reduced, and the overall efficiency is improved.
S240, determining rule hit conditions according to preset standardized rules and rule key indexes corresponding to abnormal user behavior patterns, and determining corresponding matched user hit patterns according to the rule hit conditions.
In the embodiment of the invention, pattern storage can be performed on the graph characteristics, the graph basic indexes and the sub-graph indexes corresponding to the abnormal user behavior patterns, then index disassembly is performed on the graph characteristics, the graph basic indexes and the sub-graph indexes to obtain rule key indexes, then the rule key indexes are compared with a preset standardized rule to generate rule hit conditions, and finally the corresponding matched user hit patterns are searched in a preset pattern classification table according to the rule hit conditions.
The patterns in the map are separated and associated with the rules, the patterns in the map are described by utilizing the key indexes and the threshold value, and the key indexes are associated with the specific rules to form standardized rules.
S250, determining a user risk level according to the user hit mode and the corresponding preset risk weight, and issuing a user risk prompt according to the user risk level.
In the embodiment of the invention, the mode hit values of different preset application patterns corresponding to the target user can be determined according to the user hit mode, the weighted results of the mode hit values and the corresponding preset risk weights are determined, then the corresponding user risk level is searched in the preset risk classification table according to the weighted results, and finally the basic information and the risk information of the abnormal user are issued to the target application system according to the user risk level.
According to the abnormal user identification method provided by the embodiment of the invention, the sample space is constructed according to the sub-graph corresponding to the real-time user behavior data by acquiring the real-time user behavior data sent by the target user, and the sample characteristics corresponding to the sample space are determined; constructing a reference space according to a pre-constructed user access map, and determining integral features corresponding to the reference space; determining a graph test result corresponding to the sample characteristic and the integral characteristic according to a preset hypothesis test mode, and determining an abnormal user behavior mode corresponding to the target user; determining rule hit conditions according to preset standardized rules and rule key indexes corresponding to abnormal user behavior patterns, and determining corresponding matched user hit patterns according to the rule hit conditions; and determining a user risk level according to the user hit mode and the corresponding preset risk weight, and issuing a user risk prompt according to the user risk level. The embodiment of the invention improves the accuracy and the judging efficiency of the discovery of the abnormal user behavior mode by using the graph inspection method based on the user access graph; the user hit mode corresponding to the matching is determined according to the rule hit condition, so that the accuracy and the efficiency of abnormal user identification are effectively improved; meanwhile, a user risk prompt is issued according to the user risk level, so that the safety of the application system is greatly improved.
Example III
Fig. 12 is a schematic structural diagram of an abnormal user identification device according to a third embodiment of the present invention. As shown in fig. 12, an abnormal user identification apparatus is applied to an abnormal user identification system, the apparatus comprising:
the data acquisition and sample space construction module 31 is configured to acquire real-time user behavior data sent by a target user, construct a sample space according to a sub-graph corresponding to the real-time user behavior data, and determine sample characteristics corresponding to the sample space;
a reference space constructing module 32, configured to construct a reference space according to a pre-constructed user access map, and determine overall features corresponding to the reference space;
the abnormal user identification module 33 is configured to determine a graph inspection result corresponding to the sample feature and the overall feature according to a preset hypothesis inspection manner, and determine an abnormal user behavior pattern corresponding to the target user;
the rule hit determining module 34 is configured to determine a rule hit condition according to a rule key indicator corresponding to a preset standardized rule and an abnormal user behavior pattern, and determine a corresponding matched user hit pattern according to the rule hit condition;
the risk prompt module 35 is configured to determine a risk level of the user according to the user hit mode and a corresponding preset risk weight, and issue a risk prompt for the user according to the risk level of the user.
According to the technical scheme, real-time user behavior data sent by a target user is obtained through a data obtaining and sample space constructing module, a sample space is constructed according to sub-graphs corresponding to the real-time user behavior data, and sample characteristics corresponding to the sample space are determined; the reference space construction module constructs a reference space according to a pre-constructed user access map and determines integral features corresponding to the reference space; the abnormal user identification module determines a graph inspection result corresponding to the sample characteristic and the integral characteristic according to a preset hypothesis inspection mode, and determines an abnormal user behavior mode corresponding to the target user; the rule hit determining module determines rule hit conditions according to preset standardized rules and rule key indexes corresponding to abnormal user behavior modes, and determines corresponding matched user hit modes according to the rule hit conditions; and the risk prompt module determines a user risk grade according to the user hit mode and the corresponding preset risk weight, and issues a user risk prompt according to the user risk grade. The embodiment of the invention improves the accuracy and the judging efficiency of the discovery of the abnormal user behavior mode by using the graph inspection method based on the user access graph; the user hit mode corresponding to the matching is determined according to the rule hit condition, so that the accuracy and the efficiency of abnormal user identification are effectively improved; meanwhile, a user risk prompt is issued according to the user risk level, so that the safety of the application system is greatly improved.
The abnormal user identification device provided by the embodiment of the invention can execute the abnormal user identification method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example five
Fig. 13 shows a schematic diagram of an electronic device 40 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 13, the electronic device 40 includes at least one processor 41, and a memory communicatively connected to the at least one processor 41, such as a Read Only Memory (ROM) 42, a Random Access Memory (RAM) 43, etc., in which the memory stores a computer program executable by the at least one processor, and the processor 41 may perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 42 or the computer program loaded from the storage unit 48 into the Random Access Memory (RAM) 43. In the RAM 43, various programs and data required for the operation of the electronic device 40 may also be stored. The processor 41, the ROM 42 and the RAM 43 are connected to each other via a bus 44. An input/output (I/O) interface 45 is also connected to bus 44.
Various components in electronic device 40 are connected to I/O interface 45, including: an input unit 46 such as a keyboard, a mouse, etc.; an output unit 47 such as various types of displays, speakers, and the like; a storage unit 48 such as a magnetic disk, an optical disk, or the like; and a communication unit 49 such as a network card, modem, wireless communication transceiver, etc. The communication unit 49 allows the electronic device 40 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 41 may be various general and/or special purpose processing components with processing and computing capabilities. Some examples of processor 41 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 41 performs the respective methods and processes described above, such as an abnormal user identification method.
In some embodiments, the abnormal user identification method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 48. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 40 via the ROM 42 and/or the communication unit 49. When the computer program is loaded into RAM 43 and executed by processor 41, one or more steps of the abnormal user identification method described above may be performed. Alternatively, in other embodiments, processor 41 may be configured to perform the abnormal user identification method in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Claims (10)
1. An abnormal user identification system, the system comprising:
the data acquisition module is used for acquiring and storing user behavior data;
the map construction and updating module is used for constructing a user access map according to the user behavior data and a preset map construction mode and updating the user access map according to a preset map updating mode;
the ontology construction and updating module is used for drawing a knowledge graph ontology according to the user behavior data and updating the user access graph according to the knowledge graph ontology;
The knowledge discovery module is used for carrying out knowledge reasoning on the user access map and acquiring an abnormal user behavior mode;
the rule extraction module is used for determining rule hit conditions according to preset standardized rules and rule key indexes corresponding to the abnormal user behavior patterns, and determining corresponding matched user hit patterns according to the rule hit conditions;
and the monitoring and early warning module is used for determining the risk level of the user according to the user hit mode and the corresponding preset risk weight and issuing a user risk prompt according to the risk level of the user.
2. The system of claim 1, wherein the data acquisition module comprises:
the data acquisition unit is used for calling a preset real-time stream processing engine to acquire the user behavior data sent by the user terminal;
the data processing unit is used for processing the user behavior data according to a preset data processing mode; the preset data processing mode at least comprises the following steps: data cleaning, data conversion, entity disambiguation, entity fusion and relationship fusion;
and the data storage unit is used for storing the processed user behavior data to a target database.
3. The system of claim 1, wherein the map construction and updating module comprises:
the map construction unit is used for extracting entity, relation and attribute information from the user behavior data and constructing the user access map according to the preset map construction mode; the preset map construction mode at least comprises the following steps: a Schema model method and a map fusion method;
the first map updating unit is used for executing timing full-quantity updating, timing increment updating and timing appointed data updating operation on the user access map when the preset map updating mode is offline timing updating; when the preset map updating mode is real-time triggering updating, acquiring real-time data to be updated, analyzing a data updating type of the real-time data to be updated, and matching corresponding updating queues for the real-time data to be updated according to the data updating type;
and the map storage unit is used for storing the constructed user access map to a target database.
4. The system of claim 1, wherein the ontology construction and update module comprises:
the ontology construction unit is used for calling a preset ontology construction algorithm to draw the knowledge graph ontology corresponding to the user behavior data; the preset ontology construction algorithm at least comprises the following steps: a rule-based ontology construction algorithm and a machine learning-based ontology construction algorithm;
And the second map updating unit is used for updating the map data in the user access map according to the knowledge map body.
5. The system of claim 1, wherein the knowledge discovery module comprises:
the knowledge reasoning unit is used for calling a preset knowledge reasoning algorithm to execute label transfer and relation reasoning operation on the user access map; wherein the preset knowledge reasoning algorithm comprises at least one of the following: a rule-based reasoning algorithm, a graph structure-based reasoning algorithm, a distributed representation learning-based reasoning algorithm and a neural network-based reasoning algorithm;
the map checking unit is used for selecting a target node to be detected from the user access map, constructing a sample space according to the target node to be detected and the corresponding sub-graph, and determining a preset business rule index, a map base index and a map community index corresponding to the sample space as sample characteristics; randomly extracting a preset number of nodes from the user access map, constructing a reference space according to the nodes and the corresponding subgraphs, and determining the integral characteristics corresponding to the reference space; invoking a preset hypothesis testing mode to determine whether the sample features meet target data distribution corresponding to the integral features, and generating a graph testing result;
The pattern extraction unit is used for determining the target node to be detected as the abnormal user behavior pattern when the pattern detection result shows that the sample characteristics do not meet the target data distribution; and calling a preset data statistics method to extract a mode key index of the abnormal user behavior mode, and classifying and labeling the risk degree of the abnormal user behavior mode according to the mode key index, a preset mode key index threshold and a preset business rule.
6. The system of claim 1, wherein the rule extraction module comprises:
the rule extraction unit is used for carrying out mode storage on the graph characteristics, the graph basic indexes and the sub-graph indexes corresponding to the abnormal user behavior modes; performing index disassembly on the graph characteristics, the map basic index and the sub-graph index to obtain the rule key index; comparing the rule key index with the preset standardized rule to generate the rule hit condition;
and the rule application unit is used for searching the user hit mode which is correspondingly matched in a preset mode classification table according to the rule hit condition.
7. The system of claim 1, wherein the monitoring and early warning module comprises:
The monitoring unit is used for determining mode hit values of different preset application patterns corresponding to the target user according to the user hit mode, determining weighting results of the mode hit values and the corresponding preset risk weights, and searching the corresponding user risk grades in a preset risk grade table according to the weighting results;
and the early warning unit is used for issuing basic information and risk information of the abnormal user to the target application system according to the user risk level.
8. An abnormal user identification method, applied to an abnormal user identification system, comprising:
acquiring real-time user behavior data sent by a target user, constructing a sample space according to a sub-graph corresponding to the real-time user behavior data, and determining sample characteristics corresponding to the sample space;
constructing a reference space according to a pre-constructed user access map, and determining integral features corresponding to the reference space;
determining a graph inspection result corresponding to the sample feature and the integral feature according to a preset hypothesis inspection mode, and determining an abnormal user behavior mode corresponding to the target user;
determining rule hit conditions according to preset standardized rules and rule key indexes corresponding to the abnormal user behavior patterns, and determining corresponding matched user hit patterns according to the rule hit conditions;
And determining a user risk level according to the user hit mode and the corresponding preset risk weight, and issuing a user risk prompt according to the user risk level.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the abnormal user identification method of claim 8.
10. A computer readable storage medium storing computer instructions for causing a processor to implement the abnormal user identification method of claim 8 when executed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311666307.0A CN117670500A (en) | 2023-12-06 | 2023-12-06 | Abnormal user identification system, method, electronic device, and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311666307.0A CN117670500A (en) | 2023-12-06 | 2023-12-06 | Abnormal user identification system, method, electronic device, and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117670500A true CN117670500A (en) | 2024-03-08 |
Family
ID=90084115
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311666307.0A Pending CN117670500A (en) | 2023-12-06 | 2023-12-06 | Abnormal user identification system, method, electronic device, and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117670500A (en) |
-
2023
- 2023-12-06 CN CN202311666307.0A patent/CN117670500A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN114580916A (en) | Enterprise risk assessment method and device, electronic equipment and storage medium | |
| CN116225769B (en) | Method, device, equipment and medium for determining root cause of system fault | |
| US20230004613A1 (en) | Data mining method, data mining apparatus, electronic device and storage medium | |
| CN116471174A (en) | Log data monitoring system, method, device and storage medium | |
| CN117670500A (en) | Abnormal user identification system, method, electronic device, and storage medium | |
| CN115600607A (en) | Log detection method and device, electronic equipment and medium | |
| CN114692778B (en) | Multi-mode sample set generation method, training method and device for intelligent inspection | |
| CN115665783A (en) | Abnormal index tracing method and device, electronic equipment and storage medium | |
| CN114841598A (en) | Decision method, device, equipment and program product for operation risk | |
| CN115080607A (en) | Method, device, equipment and storage medium for optimizing structured query statement | |
| CN116467198A (en) | Method, device, electronic equipment and storage medium for determining performance actual measurement necessity | |
| CN117670128A (en) | Data processing method and device | |
| CN115392399A (en) | Method, device, equipment and medium for training and using process timeout prediction model | |
| CN116701147A (en) | Log data processing method, device, equipment and storage medium | |
| CN117851599A (en) | Method, device, equipment and medium for extracting text of other elements of investment supervision | |
| CN117891640A (en) | Micro-service fault diagnosis method and device based on large language model and electronic equipment | |
| CN117609723A (en) | Object identification method and device, electronic equipment and storage medium | |
| CN116362346A (en) | Digital wallet recognition model training, digital wallet recognition method, device and equipment | |
| CN116298690A (en) | Positioning method, device, equipment and medium for fault position of power distribution network | |
| CN114971695A (en) | Industry trend prediction method, apparatus, device, medium, and program product | |
| CN117332426A (en) | Intelligent determination method, device, equipment and storage medium of vulnerability restoration priority | |
| CN117593113A (en) | Credit card account risk assessment method, apparatus, device and storage medium | |
| CN117611011A (en) | Data processing method and device, electronic equipment and storage medium | |
| CN117312288A (en) | Data quality inspection method and device, electronic equipment and storage medium | |
| CN117454313A (en) | Multi-source heterogeneous data fusion method and device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |