WO2019214511A1 - Method for analyzing abnormal file operation behavior through clustering, system and terminal - Google Patents

Method for analyzing abnormal file operation behavior through clustering, system and terminal

Info

Publication number
WO2019214511A1
Authority
WO
WIPO (PCT)
Prior art keywords
abnormal
clustering
group
data
operation behavior
Application number
PCT/CN2019/085190
Other languages
French (fr)
Chinese (zh)
Inventor
郭景楠
王建磊
何华荣
王志
Original Assignee
深圳市联软科技股份有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action

Definitions

  • the invention belongs to the technical field of information security, and particularly relates to a method, a system and a terminal for analyzing an abnormal operation behavior of a file by clustering.
  • the prior art mainly uses rules or strategies to judge whether the file operation behavior is abnormal, but the rules and policies cannot cover all abnormal behaviors, so the prior art is mechanical, and the new abnormal behavior is ignored or cannot be recognized in time.
  • the present invention provides a method, system and terminal for analyzing abnormal file operation behavior by clustering, which can monitor and judge whether a file operation behavior is abnormal and, compared with the prior art, has incomparable automation, timeliness and accuracy.
  • the present invention provides a method for analyzing an abnormal operation behavior of a file by clustering, comprising the following steps:
  • the current operational behavior data is input into the clustering model for analysis, and the analysis result of whether the operation behavior is abnormal is obtained, and if it is abnormal, the comprehensive abnormality index is calculated.
  • the current operational behavior data is input into a clustering model for analysis to obtain an analysis result of whether the operational behavior is abnormal, and if it is abnormal, the comprehensive abnormality index is calculated, specifically:
  • the current operational behavior data is input into the single clustering model to obtain an analysis result of whether the operational behavior is abnormal, and if it is abnormal, a single abnormality index is obtained;
  • the current operational behavior data is input into the group clustering model to obtain an analysis result of whether the operational behavior is abnormal, and if it is abnormal, the group abnormality index is obtained;
  • the comprehensive anomaly index is calculated from the single anomaly index and the group anomaly index by the weighting calculation formula.
  • the method for establishing the single clustering model is as follows:
  • the sample data is clustered by the hierarchical clustering method
  • the method for establishing the group clustering model is as follows:
  • the group distance matrix between the group of terminals is calculated from several sample data of a plurality of single terminals
  • according to the group distance matrix, the several sample data are clustered by the hierarchical clustering method
  • the current operation behavior data is input into the single cluster model to obtain an analysis result of whether the operation behavior is abnormal, and if it is abnormal, a single abnormality index is obtained, specifically:
  • if the distance H1 is greater than the single-class radius corresponding to the single-class center, it is determined that the current operational behavior is abnormal, and the excess single abnormality index is calculated according to the distance H1 and the single-class radius.
  • the current operation behavior data is input into the group clustering model to obtain an analysis result of whether the operation behavior is abnormal, and if it is abnormal, the group abnormality index is obtained, specifically:
  • if the distance H2 is greater than the group-class radius corresponding to the group-class center, it is determined that the current operational behavior is abnormal, and the excess group abnormality index is calculated according to the distance H2 and the group-class radius.
  • the weighting calculation formula is as follows:
  • score_single is the single anomaly index
  • score_community is the group anomaly index
  • the methods for establishing the single cluster model and the group cluster model both include a model correction step, which is specifically:
  • the marked correction sample data is input into the model; if the result of the model recognition differs from the mark, the class center and class radius closest to the correction sample data are updated accordingly.
  • the present invention provides a system for analyzing an abnormal operation behavior of a file by clustering, and is applicable to the method for analyzing an abnormal operation behavior of a file by clustering according to the first aspect, including:
  • a data acquisition unit configured to acquire current operation behavior data for operating the file
  • the abnormality analyzing unit is configured to input the current operational behavior data into the clustering model for analysis, to obtain an analysis result of whether the operational behavior is abnormal, and if it is abnormal, to calculate a comprehensive abnormality index.
  • the present invention provides a terminal for analyzing an abnormal operation behavior of a file by clustering, comprising a processor, an input device, an output device, and a memory, wherein the processor, the input device, the output device, and the memory are connected to each other, wherein
  • the memory is for storing a computer program, the computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of the first aspect.
  • the invention has the beneficial effect that it can monitor and judge whether the file operation behavior is abnormal, and has incomparable automation, timeliness and accuracy compared with the prior art.
  • FIG. 1 is a flowchart of a method for analyzing an abnormal operation behavior of a file by clustering in the embodiment
  • FIG. 2 is a structural block diagram of a system for analyzing an abnormal operation behavior of a file by clustering in the embodiment
  • FIG. 3 is a block diagram of a terminal module for analyzing an abnormal operation behavior of a file by clustering in the embodiment.
  • the terminals described in this embodiment of the invention include, but are not limited to, portable devices such as mobile phones, laptop computers or tablet computers having touch-sensitive surfaces (e.g., touch screen displays and/or touch pads). It should also be understood that in some embodiments the device is not a portable communication device but a desktop computer having a touch-sensitive surface (e.g., a touch screen display and/or a touch pad).
  • Embodiment 1:
  • This embodiment provides a method for analyzing an abnormal operation behavior of a file by clustering; the method needs to apply a single cluster model and a group cluster model.
  • the operation behavior includes, but is not limited to, creation, transmission, copying, deletion, and the like of a file.
  • the operational behavior data includes, for example: operator identity, operation time, process name, file name, file type, disk where the file is located, file size, read and write data size, number of operations, duration of each operation, and the like.
  • the data standardization preprocessing, such as data cleaning, data integration, data transformation, data reduction and the like, yields higher-quality sample data.
  • the single distance matrix of this embodiment is a matrix (i.e., a two-dimensional array) containing the distance between each pair of sample data; the sample data is then clustered by the hierarchical clustering method according to the single distance matrix, giving a number of single classes, the single-class center of each single class and the corresponding single-class radius.
  • a sample data set of a plurality of terminals is obtained, and a group distance matrix between the plurality of terminals is calculated. Similar to the above method, after clustering, several group classes, group class centers of each group class and corresponding group class radii are obtained.
  • the manager marks the correction sample data as either an abnormal operation behavior or a normal operation behavior.
  • the marked correction sample data is input into the model for recognition. If the result of the model recognition differs from the mark, the model is incorrect and is corrected. If the marked behavior is abnormal and the model recognition result is also abnormal, the recognition is correct and the operation behavior is classified as abnormal; if the marked behavior is abnormal but the model recognizes it as normal, the recognition is incorrect and the model is corrected by updating the distance.
  • the correction updates the class center and class radius closest to the correction sample data. A plurality of marked correction samples are input into the model until the result of the model recognition is correct, thereby improving the accuracy of the model recognition.
  • the method for analyzing the abnormal operation behavior of the file by clustering includes two steps of S1 and S2:
  • Step S1: obtaining current operational behavior data for operating the file. For example, a computer terminal monitors the user's operation behavior in real time, and detects that the user opens a Word document under the directory (computer D disk/company file/confidential category/development data) and copies the content of the Word document. The computer terminal collects the current operational behavior data of the user operating the Word document and sends the operation behavior data to the remote server, and the remote server thereby acquires the current operation data.
  • the S2 includes three steps of S21, S22 and S23:
  • Step S21 Input the current operation behavior data into the single cluster model to obtain an analysis result of whether the operation behavior is abnormal, and if it is abnormal, obtain a single abnormality index.
  • Step S21 is specifically:
  • the current operation behavior data that the user operates on the word document is input into the single cluster model, and the single class center closest to the current operation behavior data in the model is found, and the distance between the current operation behavior and the single class center is calculated.
  • H1 21
  • Step S22 Input the current operation behavior data into the group clustering model to obtain an analysis result of whether the operation behavior is abnormal, and if it is abnormal, obtain the group abnormality index.
  • Step S22 is specifically:
  • the current operation behavior data of the user operating the Word document is input into the group clustering model, the group-class center closest to the current operation behavior data is found, and the distance between the current operation behavior and the group-class center is calculated.
  • H2 20
  • a is the index coefficient of the weighting formula
  • score_single is the single anomaly index
  • score_community is the group anomaly index.
  • the remote server sends the current operational behavior data and the analysis result to the management terminal.
  • the management personnel find that the company's confidential file has been copied, which may lead to the disclosure of the confidential file, so that a solution can be taken in time.
  • the obtained current operational behavior data is input into the single clustering model, and the deviation of the current operational behavior from the historical operation behavior of the single user is used to detect whether the operational behavior is abnormal;
  • the obtained current operational behavior data is input into the group clustering model, and the deviation of the current operational behavior from the historical operational behavior of the group of users is used to detect whether the operational behavior is abnormal.
  • the weighting algorithm is used to synthesize the two, and the operational behavior is then comprehensively evaluated.
  • This embodiment is capable of monitoring and judging whether the file operation behavior is abnormal, and has incomparable automation, timeliness and accuracy compared to the prior art.
  • This embodiment performs clustering anomaly detection, which can not only identify whether a behavior is abnormal but also recognize the degree of abnormality.
  • This embodiment not only clusters from the behavior patterns of a single end user, but also clusters the behavior patterns of the group users, thereby improving the interpretability and richness of the abnormality detection of the file operation behavior, and also improving the accuracy.
  • Embodiment 2:
  • the embodiment provides a system for analyzing abnormal behavior of a file by clustering, and is applicable to the method for analyzing abnormal behavior of a file by clustering according to the first embodiment, including a data acquiring unit and an abnormality analyzing unit.
  • the data acquisition unit is configured to acquire current operation behavior data for performing operations on the file.
  • the abnormality analyzing unit is configured to input the current operational behavior data into the clustering model for analysis, to obtain an analysis result of whether the operational behavior is abnormal, and if it is abnormal, to calculate the comprehensive abnormality index.
  • the abnormality analysis unit is specifically configured to:
  • the current operational behavior data is input into the single clustering model to obtain an analysis result of whether the operational behavior is abnormal, and if it is abnormal, a single abnormality index is obtained.
  • Embodiment 3:
  • the embodiment provides a terminal for analyzing abnormal behavior of a file by clustering, comprising a processor 42, an input device 41, an output device 44, and a memory 43, the processor 42, the input device 41, the output device 44, and the memory 43 being connected to each other, wherein the memory 43 is for storing a computer program comprising program instructions, and the processor 42 is configured to invoke the program instructions to perform the method of the first embodiment.
  • the memory 43 may include read-only memory and random access memory, and provides instructions and data to the processor 42.
  • a portion of the memory 43 may also include a non-volatile random access memory.
  • the memory 43 can also store related information of the device type.
  • the processor 42 is operative to run or execute an operating system, various software programs and its own instruction set stored in the internal memory 43, and to process data and instructions received from the touch input device or from other external input paths so as to implement various functions.
  • Processor 42 may include, but is not limited to, one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microcontroller unit (MCU), a digital signal processor (DSP), a field programmable gate array (FPGA), and an application-specific integrated circuit (ASIC).
  • processor 42 and memory 43 can be implemented on a single chip. In some other implementations, they can be implemented on separate chips from each other.
  • the input device 41 may include a touch panel, a fingerprint sensor (for collecting fingerprint information of the user and direction information of the fingerprint), a microphone, and the like
  • the output device 44 may include a display (LCD or the like), a speaker, and the like.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention belongs to the technical field of information security, and particularly relates to a method for analyzing abnormal file operation behavior through clustering, a system and a terminal, comprising the following steps: obtaining current operation behavior data of an operation performed on a file; inputting the current operation behavior data into a clustering model for analysis to obtain an analysis result of whether the operation behavior is abnormal, and if so, calculating a comprehensive abnormality index. The present invention can monitor and determine whether a file operation behavior is abnormal and, compared with the prior art, has incomparable automation, timeliness and accuracy.

Description

Method, system and terminal for analyzing abnormal file operation behavior by clustering
Technical field
The invention belongs to the technical field of information security, and in particular relates to a method, a system and a terminal for analyzing abnormal file operation behavior by clustering.
Background technique
With the development and advancement of information technology, data documents of all kinds are usually stored as electronic files on terminals or remote servers. For sensitive or confidential files, the file operation behavior usually needs to be monitored and judged, in order to prevent unauthorized persons from obtaining the file's information and to prevent authorized personnel from performing abnormal operations.
The prior art mainly uses rules or policies to judge whether a file operation behavior is abnormal, but rules and policies cannot cover all abnormal behaviors, so the prior art is mechanical and ignores new abnormal behaviors or cannot recognize them in time.
Summary of the invention
In view of the defects in the prior art, the present invention provides a method, system and terminal for analyzing abnormal file operation behavior by clustering, which can monitor and judge whether a file operation behavior is abnormal and, compared with the prior art, has incomparable automation, timeliness and accuracy.
In a first aspect, the present invention provides a method for analyzing abnormal file operation behavior by clustering, comprising the following steps:
obtaining current operation behavior data of an operation performed on a file;
inputting the current operation behavior data into a clustering model for analysis, obtaining an analysis result of whether the operation behavior is abnormal, and if it is abnormal, calculating a comprehensive abnormality index.
Preferably, inputting the current operation behavior data into the clustering model for analysis, obtaining the analysis result of whether the operation behavior is abnormal, and if it is abnormal calculating the comprehensive abnormality index, specifically comprises:
inputting the current operation behavior data into a single clustering model to obtain an analysis result of whether the operation behavior is abnormal, and if it is abnormal, obtaining a single abnormality index;
inputting the current operation behavior data into a group clustering model to obtain an analysis result of whether the operation behavior is abnormal, and if it is abnormal, obtaining a group abnormality index;
calculating the comprehensive abnormality index from the single abnormality index and the group abnormality index by a weighting calculation formula.
Preferably, the single clustering model is established as follows:
collecting historical operation behavior data of file operations on a single terminal;
performing data standardization preprocessing on the historical operation behavior data to obtain sample data of the single terminal, and calculating a single distance matrix of the sample data;
clustering the sample data by a hierarchical clustering method according to the single distance matrix;
obtaining the clustering result: the single-class center and single-class radius of each single class.
Preferably, the group clustering model is established as follows:
calculating, using the Pearson correlation coefficient, a group distance matrix between the group of terminals from several sample data of several single terminals;
clustering the several sample data by the hierarchical clustering method according to the group distance matrix;
obtaining the clustering result: the group-class center and group-class radius of each group class.
Preferably, inputting the current operation behavior data into the single clustering model, obtaining the analysis result of whether the operation behavior is abnormal, and if it is abnormal obtaining the single abnormality index, specifically comprises:
inputting the current operation behavior data into the single clustering model, finding the single-class center closest to the current operation behavior data, and calculating the distance H1 between the current operation behavior data and that single-class center;
if the distance H1 is less than or equal to the single-class radius corresponding to that single-class center, judging that the current operation behavior is normal;
if the distance H1 is greater than the single-class radius corresponding to that single-class center, judging that the current operation behavior is abnormal, and calculating the single abnormality index from the excess, according to the distance H1 and the single-class radius.
Preferably, inputting the current operation behavior data into the group clustering model, obtaining the analysis result of whether the operation behavior is abnormal, and if it is abnormal obtaining the group abnormality index, specifically comprises:
inputting the current operation behavior data into the group clustering model, finding the group-class center closest to the current operation behavior data, and calculating the distance H2 between the current operation behavior data and that group-class center;
if the distance H2 is less than or equal to the group-class radius corresponding to that group-class center, judging that the current operation behavior is normal;
if the distance H2 is greater than the group-class radius corresponding to that group-class center, judging that the current operation behavior is abnormal, and calculating the group abnormality index from the excess, according to the distance H2 and the group-class radius.
Preferably, the weighting calculation formula is as follows:
result=a*score_single+(1-a)*score_community;
where a is the index coefficient, score_single is the single abnormality index, and score_community is the group abnormality index.
Preferably, the methods for establishing the single clustering model and the group clustering model both include a model correction step, which is specifically:
inputting marked correction sample data into the model, and if the model's recognition result differs from the mark, updating accordingly the class center and class radius closest to the correction sample data.
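The following is an added worked example (not the patent's or the applicant's code) of the pipeline claimed above and in the Definitions section: hierarchical clustering of standardized samples into class centers and radii, a Pearson-correlation group distance matrix between terminals, the H1/H2 radius test with an excess index, the weighting formula result = a*score_single + (1-a)*score_community, and the model correction step. The feature layout, the thresholds, the ratio form of the excess index, the use of per-terminal mean profiles for the group model and the radius-update rule in the correction are assumptions, and all sample data is constructed.

```python
import math
from typing import Callable, List, Tuple

# Added example, not the patent's code; features assumed to be [hour of day, file
# size, operation count], each already scaled to [0, 1] by the standardization step.
Vec = List[float]
Dist = Callable[[Vec, Vec], float]
Model = List[Tuple[Vec, float]]  # one (class center, class radius) pair per class

def euclid(a: Vec, b: Vec) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def pearson_distance(a: Vec, b: Vec) -> float:
    """1 - Pearson r: profiles of the same shape are 0 apart, opposite shapes 2 apart."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    if sa == 0.0 or sb == 0.0:
        return 1.0  # a constant profile has no shape; treated as uncorrelated (assumption)
    return 1.0 - cov / (sa * sb)

def hierarchical_cluster(matrix: List[List[float]], threshold: float) -> List[List[int]]:
    """Agglomerative average-linkage clustering on a precomputed distance matrix:
    merge the closest pair of clusters until no pair is closer than threshold."""
    clusters = [[i] for i in range(len(matrix))]
    while len(clusters) > 1:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = sum(matrix[p][q] for p in clusters[i] for q in clusters[j])
                d /= len(clusters[i]) * len(clusters[j])
                if best is None or d < best[0]:
                    best = (d, i, j)
        if best[0] > threshold:
            break
        _, i, j = best
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return clusters

def build_model(samples: List[Vec], threshold: float,
                cluster_dist: Dist, score_dist: Dist = euclid) -> Model:
    """Single model: cluster_dist=euclid over one terminal's samples; group model:
    pearson_distance over per-terminal mean profiles (assumed). Radius uses score_dist."""
    matrix = [[cluster_dist(s, t) for t in samples] for s in samples]
    model: Model = []
    for members in hierarchical_cluster(matrix, threshold):
        pts = [samples[i] for i in members]
        center = [sum(col) / len(pts) for col in zip(*pts)]  # class center = member mean
        model.append((center, max(score_dist(center, p) for p in pts)))  # radius = farthest member
    return model

def nearest_class(model: Model, x: Vec, dist: Dist = euclid) -> Tuple[int, float]:
    idx = min(range(len(model)), key=lambda i: dist(model[i][0], x))
    return idx, dist(model[idx][0], x)

def anomaly_index(model: Model, x: Vec, dist: Dist = euclid) -> float:
    """0.0 while H <= class radius (normal); otherwise the excess (H - r) / r.
    The patent leaves the excess formula open; the ratio is this example's choice."""
    idx, h = nearest_class(model, x, dist)
    radius = model[idx][1]
    if h <= radius:
        return 0.0
    return (h - radius) / radius if radius > 0.0 else h  # singleton class has radius 0

def combined_index(a: float, score_single: float, score_community: float) -> float:
    """The patent's weighting formula: result = a*score_single + (1-a)*score_community."""
    return a * score_single + (1.0 - a) * score_community

def correct_model(model: Model, sample: Vec, marked_abnormal: bool,
                  dist: Dist = euclid) -> bool:
    """Model correction: if recognition differs from the manager's mark, update the nearest
    class. Moving its radius just below H (mark abnormal) or up to H (mark normal) is assumed."""
    idx, h = nearest_class(model, sample, dist)
    center, radius = model[idx]
    if (h > radius) == marked_abnormal:
        return False  # recognition already agrees with the mark
    model[idx] = (center, h * 0.99 if marked_abnormal else h)
    return True

SINGLE_HISTORY = [  # constructed history of one terminal: small morning edits, larger afternoon work
    [0.40, 0.05, 0.10], [0.42, 0.06, 0.12], [0.38, 0.04, 0.10], [0.41, 0.05, 0.11],
    [0.60, 0.08, 0.20], [0.62, 0.07, 0.22], [0.58, 0.09, 0.21],
]
TERMINAL_PROFILES = [  # constructed mean profiles of five terminals: three development, two finance
    [0.45, 0.06, 0.15], [0.50, 0.07, 0.18], [0.42, 0.05, 0.14],
    [0.55, 0.30, 0.05], [0.52, 0.28, 0.06],
]
CURRENT = [0.95, 0.80, 0.60]  # constructed: late-night bulk copy with many operations

def analyze(current: Vec, a: float = 0.6) -> dict:
    """Steps S21-S23: single index, group index, then the weighted comprehensive index."""
    single = build_model(SINGLE_HISTORY, 0.15, euclid)
    group = build_model(TERMINAL_PROFILES, 0.10, pearson_distance)
    s1, s2 = anomaly_index(single, current), anomaly_index(group, current)
    return {"score_single": s1, "score_community": s2,
            "abnormal": s1 > 0.0 or s2 > 0.0, "result": combined_index(a, s1, s2)}
```

Calling `analyze(CURRENT)` flags the late-night copy as abnormal under both models, while a sample inside the terminal's morning class scores 0.0 until a manager's mark corrects the class radius.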
第二方面,本发明提供了一种通过聚类分析文件异常操作行为的系统,适用于第一方面所述的通过聚类分析文件异常操作行为的方法,包括:In a second aspect, the present invention provides a system for analyzing an abnormal operation behavior of a file by clustering, and is applicable to the method for analyzing an abnormal operation behavior of a file by clustering according to the first aspect, including:
数据获取单元,用于获取对文件进行操作的当前操作行为数据;a data acquisition unit, configured to acquire current operation behavior data for operating the file;
异常分析单元,用于将当前操作行为数据输入聚类模型进行分析,得到操作行为是否异常的分析结果,若为异常则计算综合异常指数。The abnormality analyzing unit is configured to input the current operational behavior data into the clustering model for analysis, to obtain an analysis result of whether the operational behavior is abnormal, and if the abnormality is, calculate a comprehensive abnormality index.
第三方面,本发明提供了一种通过聚类分析文件异常操作行为的终端,包括处理器、输入设备、输出设备和存储器,所述处理器、输入设备、输出设备和存储器相互连接,其中,所述存储器用于存储计算机程序,所述计算机程序包括程序指令,所述处理器被配置用于调用所述程序指令,执行第一方面所述的方法。In a third aspect, the present invention provides a terminal for analyzing an abnormal operation behavior of a file by clustering, comprising a processor, an input device, an output device, and a memory, wherein the processor, the input device, the output device, and the memory are connected to each other, wherein The memory is for storing a computer program, the computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of the first aspect.
本发明的有益效果为:本发明能够监测和判断文件操作行为是否异常,相 比于现有技术,具有不可比拟的自动性、及时性和准确性。The invention has the beneficial effects that the invention can monitor and judge whether the file operation behavior is abnormal, and has incomparable automaticness, timeliness and accuracy compared with the prior art.
DRAWINGS
In order to illustrate more clearly the specific embodiments of the present invention or the technical solutions of the prior art, the drawings needed for the description of the specific embodiments or of the prior art are briefly introduced below. In all drawings, like elements or parts are generally identified by like reference numerals. In the drawings, elements or parts are not necessarily drawn to scale.
FIG. 1 is a flowchart of the method for analyzing abnormal file operation behavior by clustering in this embodiment;
FIG. 2 is a structural block diagram of the system for analyzing abnormal file operation behavior by clustering in this embodiment;
FIG. 3 is a block diagram of the modules of the terminal for analyzing abnormal file operation behavior by clustering in this embodiment.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be understood that, when used in this specification and the appended claims, the terms "comprising" and "including" indicate the presence of the described features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
It should also be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used in this specification and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In specific implementations, the terminals described in the embodiments of the present invention include, but are not limited to, mobile phones, laptop computers, tablet computers and other portable devices having a touch-sensitive surface (for example, a touch-screen display and/or a touch pad). It should also be understood that in some embodiments the device is not a portable communication device but a desktop computer having a touch-sensitive surface (for example, a touch-screen display and/or a touch pad).
Embodiment 1:
This embodiment provides a method for analyzing abnormal file operation behavior by clustering; the method uses a single clustering model and a group clustering model.
The single clustering model is built as follows:
collect historical operation behavior data of file operations on a single terminal;
apply data standardization preprocessing to the historical operation behavior data to obtain the sample data of the single terminal, and calculate the single distance matrix of the sample data;
cluster the sample data with a hierarchical clustering method according to the single distance matrix;
obtain the clustering result: the single-class center and single-class radius of each single class.
In this embodiment, the operation behavior includes, but is not limited to, creating, sending, copying and deleting files. The operation behavior data include, for example: operator identity, operation time, process name, file name, file type, disk on which the file resides, file size, size of data read and written, number of operations, duration of each operation, and so on. The data standardization preprocessing, such as data cleaning, data integration, data transformation and data reduction, yields higher-quality sample data. The single distance matrix of this embodiment is a matrix (that is, a two-dimensional array) containing the pairwise distances between the sample data; the sample data are then clustered with a hierarchical clustering method according to this matrix, yielding a number of single classes, the single-class center of each single class and the corresponding single-class radius.
The group clustering model is built as follows:
using the Pearson correlation coefficient, calculate the group distance matrix between the terminals of a group from the sample data of a number of single terminals;
cluster the sample data with a hierarchical clustering method according to the group distance matrix;
obtain the clustering result: the group-class center and group-class radius of each group class.
In this embodiment, after the sample data of each terminal have been obtained, the sample data sets of a number of terminals are collected and the group distance matrix between these terminals is calculated. Similarly to the method above, clustering yields a number of group classes, the group-class center of each group class and the corresponding group-class radius.
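The model-building steps of both models above (standardization, single distance matrix, Pearson-based group distance matrix, hierarchical clustering, class centers and radii), as an added worked example in Python; this is not code from the patent or from the applicant. It assumes z-score standardization as the preprocessing step, complete-linkage agglomerative clustering cut at a distance threshold (the patent names hierarchical clustering but not the linkage or stopping rule), the class center as the component-wise mean of its members, and the class radius as the distance from the center to its farthest member. The history rows and terminal profiles are constructed sample data.

```python
import math

# Constructed sample data (not from the patent). Each history row is one file operation on a
# single terminal: [file size KB, bytes read/written KB, operations in the session, hour of day].
HISTORY = [
    [100, 120, 3, 10], [110, 100, 2, 11], [90, 130, 4, 9],
    [5000, 4800, 40, 2], [5200, 5100, 42, 3], [4900, 5000, 38, 1],
]
# Each terminal profile is one terminal's activity counts over four operation types. The group
# distance is correlation-based, so profiles with the same shape are close regardless of volume.
TERMINAL_PROFILES = [[10, 20, 30, 40], [12, 22, 29, 41], [40, 30, 20, 10], [38, 31, 19, 12]]


def zscore_columns(rows):
    """Data standardization preprocessing (assumed here to be z-scoring each feature column)."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0 for j in range(d)]
    return [[(r[j] - means[j]) / stds[j] for j in range(d)] for r in rows]


def euclid(p, q):
    """Distance between two standardized samples of one terminal (single distance matrix)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def pearson_distance(p, q):
    """1 - Pearson correlation: 0 for identically shaped profiles, 2 for anti-correlated ones."""
    n = len(p)
    mp, mq = sum(p) / n, sum(q) / n
    cov = sum((a - mp) * (b - mq) for a, b in zip(p, q))
    sp = math.sqrt(sum((a - mp) ** 2 for a in p))
    sq = math.sqrt(sum((b - mq) ** 2 for b in q))
    if sp == 0 or sq == 0:
        return 1.0  # a constant profile carries no shape information
    return 1.0 - cov / (sp * sq)


def distance_matrix(items, dist):
    """Pairwise distance matrix (a two-dimensional array) over the items."""
    return [[dist(a, b) for b in items] for a in items]


def hierarchical_clusters(dmat, threshold):
    """Agglomerative complete-linkage clustering: repeatedly merge the two closest clusters and
    stop when the closest pair is farther apart than the threshold. Returns index lists."""
    clusters = [[i] for i in range(len(dmat))]
    while len(clusters) > 1:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = max(dmat[a][b] for a in clusters[i] for b in clusters[j])
                if best is None or d < best[0]:
                    best = (d, i, j)
        if best[0] > threshold:
            break
        _, i, j = best
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return clusters


def centers_and_radii(items, clusters, dist):
    """Class center = mean of members; class radius = distance to the farthest member (assumed)."""
    model = []
    for members in clusters:
        d = len(items[0])
        center = [sum(items[m][j] for m in members) / len(members) for j in range(d)]
        radius = max(dist(items[m], center) for m in members)
        model.append((center, radius))
    return model


def build_single_model(history, threshold=1.5):
    """Single clustering model of one terminal: list of (single-class center, single-class radius)."""
    samples = zscore_columns(history)
    clusters = hierarchical_clusters(distance_matrix(samples, euclid), threshold)
    return centers_and_radii(samples, clusters, euclid)


def build_group_model(terminal_profiles, threshold=0.5):
    """Group clustering model over terminals: list of (group-class center, group-class radius)."""
    clusters = hierarchical_clusters(distance_matrix(terminal_profiles, pearson_distance), threshold)
    return centers_and_radii(terminal_profiles, clusters, pearson_distance)


if __name__ == "__main__":
    print(build_single_model(HISTORY))
    print(build_group_model(TERMINAL_PROFILES))
```

The thresholds are the knobs an operator would tune: a higher single threshold merges more history into fewer, larger classes (fewer alerts, more misses), a lower one produces tighter classes that flag smaller deviations.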
To make the built models more accurate, the methods for building the single clustering model and the group clustering model both include a model correction step, which is specifically:
input labelled correction sample data into the model; if the model's recognition result differs from the label, update the class center and class radius closest to the correction sample data accordingly.
After the model has been built, administrators label the correction sample data, the label being either "operation behavior abnormal" or "operation behavior normal". The correction sample data are input into the model and the model performs recognition; if the recognition result differs from the label, the model is wrong and is corrected. For example, if the label is abnormal and the model also recognizes the behavior as abnormal, the recognition is correct and the operation behavior is classified as abnormal; if the label is abnormal but the model recognizes the behavior as normal, the recognition is incorrect, and the class center and class radius closest to the correction sample data are updated to correct the model. A number of labelled correction samples are input into the model until its recognition results are correct, thereby improving the recognition accuracy of the model.
In this embodiment, the method for analyzing abnormal file operation behavior by clustering comprises two steps, S1 and S2:
S1: acquire the current operation behavior data of an operation performed on a file. For example, the operation behavior of a user on a computer terminal is monitored in real time, and it is detected that the user has opened a Word document in the directory (computer D drive/company files/confidential category/R&D materials) and copied the content of that Word document. The computer terminal collects, by monitoring, the current operation behavior data of the user's operation on the Word document and sends the operation behavior data to a remote server, which thereby acquires the current operation data.
S2: input the current operation behavior data into the clustering models for analysis, obtain an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, calculate the comprehensive anomaly index. S2 comprises three steps, S21, S22 and S23:
S21: input the current operation behavior data into the single clustering model, obtain an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, obtain the single anomaly index. Step S21 is specifically:
input the current operation behavior data into the single clustering model, find the single-class center closest to the current operation behavior data, and calculate the distance H1 between the current operation behavior data and that single-class center;
if the distance H1 is less than or equal to the single-class radius corresponding to that single-class center, the current operation behavior is judged normal;
if the distance H1 is greater than the single-class radius corresponding to that single-class center, the current operation behavior is judged abnormal, and the single anomaly index for the excess is calculated from the distance H1 and the single-class radius.
In this embodiment, the current operation behavior data of the user's operation on the Word document are input into the single clustering model, the single-class center closest to the current operation behavior data in that model is found, and the distance between the current operation behavior and that single-class center is calculated as H1=21. The single-class radius corresponding to that single-class center is 19; since the distance 21 is greater than the single-class radius 19, the current operation behavior is judged abnormal, and the single anomaly index is calculated as (21-19)/19=0.105.
S22: input the current operation behavior data into the group clustering model, obtain an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, obtain the group anomaly index. Step S22 is specifically:
input the current operation behavior data into the group clustering model, find the group-class center closest to the current operation behavior data, and calculate the distance H2 between the current operation behavior data and that group-class center;
if the distance H2 is less than or equal to the group-class radius corresponding to that group-class center, the current operation behavior is judged normal;
if the distance H2 is greater than the group-class radius corresponding to that group-class center, the current operation behavior is judged abnormal, and the group anomaly index for the excess is calculated from the distance H2 and the group-class radius.
In this embodiment, the current operation behavior data of the user's operation on the Word document are input into the group clustering model, the group-class center closest to the current operation behavior data in that model is found, and the distance between the current operation behavior and that group-class center is calculated as H2=20. The group-class radius corresponding to that group-class center is 18; since the distance 20 is greater than the group-class radius 18, the current operation behavior is judged abnormal, and the group anomaly index is calculated as (20-18)/18=0.111. If either the single clustering model or the group clustering model recognizes the behavior as abnormal, the operation behavior is abnormal.
S23: calculate the comprehensive anomaly index from the single anomaly index and the group anomaly index with the weighting formula. The weighting formula is as follows:
result=a*score_single+(1-a)*score_community;
where a is the index coefficient, score_single is the single anomaly index and score_community is the group anomaly index. In this embodiment a is an index coefficient set from experiment and experience; if a is 0.6, the comprehensive anomaly index is result=0.6*0.105+(1-0.6)*0.111=0.063+0.0444=0.107. The analysis therefore finds the user's operation on the Word document abnormal, with an anomaly index of 0.107. The remote server sends the current operation behavior data and the analysis result to the management terminal; the administrators find that a confidential company file has been copied, which could lead to its disclosure, and take remedial measures in time.
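Steps S21 to S23 and the model correction step described above, as an added worked example in Python; this is not code from the patent or from the applicant. It assumes that both models are lists of (class center, class radius) pairs in one Euclidean feature space, that the anomaly index is the excess of the distance over the radius divided by the radius (which is what the embodiment's (21-19)/19 evaluates), and, for the correction step, two concrete update rules the patent does not spell out: a class that wrongly accepts a labelled-abnormal sample has its radius shrunk to just below that sample's distance, and a class that wrongly rejects a labelled-normal sample has its center moved halfway toward the sample and its radius grown to cover it. The models and the current sample are constructed so that the embodiment's numbers (H1=21, radius 19; H2=20, radius 18; a=0.6) reproduce.

```python
import math

# Constructed models, not the patent's data: each class is (center, radius).
SINGLE_MODEL = [([0.0, 0.0], 19.0), ([60.0, 60.0], 10.0)]
GROUP_MODEL = [([1.0, 0.0], 18.0), ([60.0, 60.0], 10.0)]
CURRENT_SAMPLE = [21.0, 0.0]  # constructed current operation behavior data


def euclid(p, q):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def nearest_center(x, model):
    """Return (index, radius, distance) of the class center closest to x."""
    idx = min(range(len(model)), key=lambda i: euclid(x, model[i][0]))
    center, radius = model[idx]
    return idx, radius, euclid(x, center)


def excess_index(distance, radius):
    """Anomaly index of a point outside its class: excess beyond the radius, relative to the
    radius (assumed form; it reproduces the embodiment's (21-19)/19). Zero inside the class."""
    return (distance - radius) / radius if distance > radius else 0.0


def analyze(x, single_model, group_model, a=0.6):
    """S21 (single check), S22 (group check) and S23 (weighted comprehensive index)."""
    _, r1, h1 = nearest_center(x, single_model)
    _, r2, h2 = nearest_center(x, group_model)
    score_single = excess_index(h1, r1)
    score_community = excess_index(h2, r2)
    abnormal = h1 > r1 or h2 > r2  # either model flagging the behavior is enough
    result = a * score_single + (1 - a) * score_community if abnormal else 0.0
    return {"abnormal": abnormal, "H1": h1, "H2": h2,
            "score_single": score_single, "score_community": score_community,
            "result": result}


def correct_model(model, sample, labeled_abnormal):
    """Model correction step on a labelled correction sample. Returns True if the model changed."""
    idx, radius, h = nearest_center(sample, model)
    center = model[idx][0]
    if (h > radius) == labeled_abnormal:
        return False  # recognition agrees with the label: nothing to correct
    if labeled_abnormal:
        # Recognized normal but labelled abnormal (assumed rule): shrink the class radius so the
        # sample now falls outside the class.
        model[idx] = (center, h * (1 - 1e-9))
    else:
        # Recognized abnormal but labelled normal (assumed rule): move the center halfway toward
        # the sample and grow the radius if needed so the sample is covered.
        new_center = [(c + s) / 2 for c, s in zip(center, sample)]
        model[idx] = (new_center, max(radius, euclid(sample, new_center)))
    return True


if __name__ == "__main__":
    print(analyze(CURRENT_SAMPLE, SINGLE_MODEL, GROUP_MODEL, a=0.6))
```

The rounding in the embodiment (0.105 and 0.111 before weighting) gives 0.107; the unrounded value is about 0.1076. Note that the correction rules only touch the class nearest the labelled sample, as the patent states, so a sequence of corrections can be replayed in order when models are rebuilt.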
In general, it can be assumed that the majority of operation behaviors are normal and that only specific or a small number of operation behaviors are abnormal and may involve data leakage. After the single clustering model and the group clustering model have been built, this embodiment inputs the acquired current operation behavior data into the single clustering model and detects whether the operation behavior is abnormal from its deviation from the historical operation behavior of the single user; it inputs the acquired current operation behavior data into the group clustering model and detects whether the operation behavior is abnormal from its deviation from the historical operation behavior of the group of users; finally, it combines the two with a weighting algorithm to produce a comprehensive evaluation of the operation behavior.
This embodiment can monitor and judge whether file operation behavior is abnormal and, compared with the prior art, has unmatched automation, timeliness and accuracy. Its clustering-based anomaly detection identifies not only whether a behavior is abnormal but also the degree of abnormality. It clusters not only the behavior patterns of individual terminal users but also those of the group of users, which improves the interpretability and richness of the anomaly detection of file operation behavior and also improves its accuracy.
Embodiment 2:
This embodiment provides a system for analyzing abnormal file operation behavior by clustering, applicable to the method for analyzing abnormal file operation behavior by clustering of Embodiment 1, comprising a data acquisition unit, an anomaly analysis unit and the like.
The data acquisition unit is configured to acquire the current operation behavior data of an operation performed on a file. For example, the operation behavior of a user on a computer terminal is monitored in real time, and it is detected that the user has opened a Word document in the directory (computer D drive/company files/confidential category/R&D materials) and copied the content of that Word document. The computer terminal collects, by monitoring, the current operation behavior data of the user's operation on the Word document and sends the operation behavior data to a remote server, which thereby acquires the current operation data.
The anomaly analysis unit is configured to input the current operation behavior data into the clustering models for analysis, obtain an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, calculate the comprehensive anomaly index.
The anomaly analysis unit is specifically configured to:
A: input the current operation behavior data into the single clustering model, obtain an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, obtain the single anomaly index.
Input the current operation behavior data into the single clustering model, find the single-class center closest to the current operation behavior data, and calculate the distance H1 between the current operation behavior data and that single-class center;
if the distance H1 is less than or equal to the single-class radius corresponding to that single-class center, the current operation behavior is judged normal;
if the distance H1 is greater than the single-class radius corresponding to that single-class center, the current operation behavior is judged abnormal, and the single anomaly index for the excess is calculated from the distance H1 and the single-class radius.
In this embodiment, the current operation behavior data of the user's operation on the Word document are input into the single clustering model, the single-class center closest to the current operation behavior data in that model is found, and the distance between the current operation behavior and that single-class center is calculated as H1=21. The single-class radius corresponding to that single-class center is 19; since the distance 21 is greater than the single-class radius 19, the current operation behavior is judged abnormal, and the single anomaly index is calculated as (21-19)/19=0.105.
B: input the current operation behavior data into the group clustering model, obtain an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, obtain the group anomaly index.
Input the current operation behavior data into the group clustering model, find the group-class center closest to the current operation behavior data, and calculate the distance H2 between the current operation behavior data and that group-class center;
if the distance H2 is less than or equal to the group-class radius corresponding to that group-class center, the current operation behavior is judged normal;
if the distance H2 is greater than the group-class radius corresponding to that group-class center, the current operation behavior is judged abnormal, and the group anomaly index for the excess is calculated from the distance H2 and the group-class radius.
In this embodiment, the current operation behavior data of the user's operation on the Word document are input into the group clustering model, the group-class center closest to the current operation behavior data in that model is found, and the distance between the current operation behavior and that group-class center is calculated as H2=20. The group-class radius corresponding to that group-class center is 18; since the distance 20 is greater than the group-class radius 18, the current operation behavior is judged abnormal, and the group anomaly index is calculated as (20-18)/18=0.111. If either the single clustering model or the group clustering model recognizes the behavior as abnormal, the operation behavior is abnormal.
C: calculate the comprehensive anomaly index from the single anomaly index and the group anomaly index with the weighting formula. The weighting formula is as follows:
result=a*score_single+(1-a)*score_community;
where a is the index coefficient, score_single is the single anomaly index and score_community is the group anomaly index. In this embodiment a is an index coefficient set from experiment and experience; if a is 0.6, the comprehensive anomaly index is result=0.6*0.105+(1-0.6)*0.111=0.063+0.0444=0.107. The analysis therefore finds the user's operation on the Word document abnormal, with an anomaly index of 0.107. The remote server sends the current operation behavior data and the analysis result to the management terminal; the administrators find that a confidential company file has been copied, which could lead to its disclosure, and take remedial measures in time.
In general, it can be assumed that the majority of operation behaviors are normal and that only specific or a small number of operation behaviors are abnormal and may involve data leakage. After the single clustering model and the group clustering model have been built, this embodiment inputs the acquired current operation behavior data into the single clustering model and detects whether the operation behavior is abnormal from its deviation from the historical operation behavior of the single user; it inputs the acquired current operation behavior data into the group clustering model and detects whether the operation behavior is abnormal from its deviation from the historical operation behavior of the group of users; finally, it combines the two with a weighting algorithm to produce a comprehensive evaluation of the operation behavior.
This embodiment can monitor and judge whether file operation behavior is abnormal and, compared with the prior art, has unmatched automation, timeliness and accuracy. Its clustering-based anomaly detection identifies not only whether a behavior is abnormal but also the degree of abnormality. It clusters not only the behavior patterns of individual terminal users but also those of the group of users, which improves the interpretability and richness of the anomaly detection of file operation behavior and also improves its accuracy.
Embodiment 3:
This embodiment provides a terminal for analyzing abnormal file operation behavior by clustering, comprising a processor 42, an input device 41, an output device 44 and a memory 43; the processor 42, the input device, the output device 41 and the memory 43 are connected to each other, wherein the memory 43 is configured to store a computer program comprising program instructions, and the processor 42 is configured to invoke the program instructions to perform the method of Embodiment 1.
It should be understood that, in the embodiments of the present invention, the memory 43 may include read-only memory and random-access memory and provides instructions and data to the processor 42. A part of the memory 43 may also include non-volatile random-access memory. For example, the memory 43 may also store information about the device type.
The processor 42 is configured to run or execute the operating system, the various software programs and its own instruction set stored in the internal memory 43, and to process data and instructions received from a touch input device or from other external input channels, in order to implement various functions. The processor 42 may include, but is not limited to, one or more of a central processing unit (CPU), a general-purpose image processor (GPU), a microprocessor (MCU), a digital signal processor (DSP), a field-programmable gate array (FPGA) and an application-specific integrated circuit (ASIC). In some embodiments, the processor 42 and the memory 43 may be implemented on a single chip. In some other embodiments, they may be implemented on separate chips.
The input device 41 may include a touch panel, a fingerprint sensor (for collecting the user's fingerprint information and fingerprint orientation information), a microphone and the like; the output device 44 may include a display (LCD, etc.), a speaker and the like.
This embodiment can monitor and judge whether file operation behavior is abnormal and, compared with the prior art, has unmatched automation, timeliness and accuracy. Its clustering-based anomaly detection identifies not only whether a behavior is abnormal but also the degree of abnormality. It clusters not only the behavior patterns of individual terminal users but also those of the group of users, which improves the interpretability and richness of the anomaly detection of file operation behavior and also improves its accuracy.
A person of ordinary skill in the art will appreciate that the units and method steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, in computer software, or in a combination of the two; to illustrate clearly the interchangeability of hardware and software, the composition and steps of the examples have been described above generally in terms of their functions. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such implementation should not be considered to go beyond the scope of the present invention.
In the several embodiments provided in this application, it should be understood that the described systems and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative; the division into units is only a division by logical function, and in actual implementation there may be other divisions: for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention, and they are all intended to be covered by the scope of the claims and the description of the present invention.

Claims (10)

  1. A method for analyzing abnormal file operation behavior through clustering, characterized in that it comprises the following steps:
    acquiring current operation behavior data of operations performed on files;
    inputting the current operation behavior data into a clustering model for analysis to obtain an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, calculating a comprehensive anomaly index.
  2. The method for analyzing abnormal file operation behavior through clustering according to claim 1, characterized in that inputting the current operation behavior data into a clustering model for analysis, obtaining an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, calculating a comprehensive anomaly index specifically comprises:
    inputting the current operation behavior data into a single clustering model to obtain an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, obtaining a single anomaly index;
    inputting the current operation behavior data into a group clustering model to obtain an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, obtaining a group anomaly index;
    calculating the comprehensive anomaly index from the single anomaly index and the group anomaly index by a weighted calculation formula.
  3. The method for analyzing abnormal file operation behavior through clustering according to claim 2, characterized in that the single clustering model is built as follows:
    collecting historical operation behavior data of file operations on a single terminal;
    performing data standardization pre-processing on the historical operation behavior data to obtain sample data of the single terminal, and calculating a single distance matrix of the sample data;
    clustering the sample data by a hierarchical clustering method according to the single distance matrix;
    obtaining the clustering result: a single-class center and a single-class radius for each single class.
  4. The method for analyzing abnormal file operation behavior through clustering according to claim 3, characterized in that the group clustering model is built as follows:
    calculating, using the Pearson correlation coefficient, a group distance matrix between the terminals of a group from the sample data of several single terminals;
    clustering the sample data by a hierarchical clustering method according to the group distance matrix;
    obtaining the clustering result: a group-class center and a group-class radius for each group class.
  5. The method for analyzing abnormal file operation behavior through clustering according to claim 4, characterized in that inputting the current operation behavior data into the single clustering model, obtaining an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, obtaining a single anomaly index specifically comprises:
    inputting the current operation behavior data into the single clustering model, finding the single-class center nearest to the current operation behavior data, and calculating the distance H1 between the current operation behavior data and that single-class center;
    if the distance H1 is less than or equal to the single-class radius corresponding to that single-class center, judging the current operation behavior to be normal;
    if the distance H1 is greater than the single-class radius corresponding to that single-class center, judging the current operation behavior to be abnormal, and calculating the single anomaly index of the excess from the distance H1 and the single-class radius.
  6. The method for analyzing abnormal file operation behavior through clustering according to claim 5, characterized in that inputting the current operation behavior data into the group clustering model, obtaining an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, obtaining a group anomaly index specifically comprises:
    inputting the current operation behavior data into the group clustering model, finding the group-class center nearest to the current operation behavior data, and calculating the distance H2 between the current operation behavior data and that group-class center;
    if the distance H2 is less than or equal to the group-class radius corresponding to that group-class center, judging the current operation behavior to be normal;
    if the distance H2 is greater than the group-class radius corresponding to that group-class center, judging the current operation behavior to be abnormal, and calculating the group anomaly index of the excess from the distance H2 and the group-class radius.
  7. The method for analyzing abnormal file operation behavior through clustering according to claim 6, characterized in that the weighted calculation formula is as follows:
    result = a*score_single + (1-a)*score_community;
    where a is the index coefficient, score_single is the single anomaly index, and score_community is the group anomaly index.
  8. The method for analyzing abnormal file operation behavior through clustering according to claim 6, characterized in that the methods for building the single clustering model and the group clustering model both include a model correction step, which specifically comprises:
    inputting labelled correction sample data into the model; if the result recognized by the model differs from the label, updating accordingly the class center and class radius nearest to the correction sample data.
  9. A system for analyzing abnormal file operation behavior through clustering, applicable to the method for analyzing abnormal file operation behavior through clustering according to any one of claims 1-8, characterized in that it comprises:
    a data acquisition unit, configured to acquire current operation behavior data of operations performed on files;
    an anomaly analysis unit, configured to input the current operation behavior data into a clustering model for analysis, to obtain an analysis result of whether the operation behavior is abnormal, and, if it is abnormal, to calculate a comprehensive anomaly index.
  10. A terminal for analyzing abnormal file operation behavior through clustering, comprising a processor, an input device, an output device and a memory, the processor, input device, output device and memory being connected to one another, wherein the memory is configured to store a computer program comprising program instructions, and the processor is configured to invoke the program instructions to perform the method according to any one of claims 1-8.
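The two-model pipeline that claims 1-8 describe (standardize, hierarchical clustering into centers and radii, a per-terminal model and a Pearson-distance model across terminals, an anomaly index when a point falls outside its nearest radius, the weighted combination of claim 7, and the correction step of claim 8), as an added example that is not the applicant's code. The claims leave several details open, and the following choices are assumptions: average linkage and a distance threshold for the hierarchical clustering, the anomaly index (H - r) / r for the excess beyond a radius, a correction rule that adjusts only the radius, and all sample records and profiles, which are constructed for illustration.

```python
"""Single/group clustering anomaly scoring after claims 1-8 (added example, not the applicant's code).
Assumed details: average linkage, anomaly index (H - r) / r, radius-only correction."""
import math
from typing import Callable, List, Tuple

Vec = List[float]


def fit_scaler(rows: List[Vec]) -> Tuple[List[float], List[float]]:
    """Per-feature mean and std for z-score standardization (the claims' pre-processing step)."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0 for j in range(d)]
    return means, stds


def scale(row: Vec, means: List[float], stds: List[float]) -> Vec:
    return [(v - m) / s for v, m, s in zip(row, means, stds)]


def euclid(a: Vec, b: Vec) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def pearson_distance(a: Vec, b: Vec) -> float:
    """1 - Pearson r between two terminal profiles (claim 4's group distance)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return 1.0 if va == 0 or vb == 0 else 1.0 - cov / (va * vb)


def hierarchical_clusters(dist: List[List[float]], threshold: float) -> List[List[int]]:
    """Agglomerative clustering (average linkage assumed); stop when the closest pair exceeds threshold."""
    clusters = [[i] for i in range(len(dist))]
    while len(clusters) > 1:
        best = (math.inf, -1, -1)
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = sum(dist[p][q] for p in clusters[i] for q in clusters[j]) / (len(clusters[i]) * len(clusters[j]))
                if d < best[0]:
                    best = (d, i, j)
        if best[0] > threshold:
            break
        clusters[best[1]].extend(clusters.pop(best[2]))  # j > i, so popping j keeps i valid
    return clusters


class ClusterModel:
    """Class centers and radii (claims 3/4), scoring (claims 5/6) and correction (claim 8)."""

    def __init__(self, data: List[Vec], metric: Callable[[Vec, Vec], float], threshold: float):
        self.metric = metric
        dist = [[metric(a, b) for b in data] for a in data]
        self.centers, self.radii = [], []
        for members in hierarchical_clusters(dist, threshold):
            pts = [data[i] for i in members]
            c = [sum(p[j] for p in pts) / len(pts) for j in range(len(pts[0]))]
            self.centers.append(c)
            self.radii.append(max(metric(p, c) for p in pts))  # radius = farthest member

    def nearest(self, x: Vec) -> Tuple[int, float]:
        k = min(range(len(self.centers)), key=lambda i: self.metric(x, self.centers[i]))
        return k, self.metric(x, self.centers[k])

    def score(self, x: Vec) -> Tuple[bool, float]:
        """(abnormal?, index). Inside the nearest radius -> normal; beyond it the index is the relative excess."""
        k, h = self.nearest(x)
        r = self.radii[k]
        if h <= r:
            return False, 0.0
        return True, (h - r) / r if r > 0 else h

    def correct(self, x: Vec, labelled_abnormal: bool) -> None:
        """Claim 8: when the model disagrees with a labelled sample, move the nearest radius so it agrees (assumed rule)."""
        k, h = self.nearest(x)
        if (h > self.radii[k]) != labelled_abnormal:
            self.radii[k] = h if not labelled_abnormal else h * 0.999


def combined_index(score_single: float, score_community: float, a: float) -> float:
    """Claim 7: result = a * score_single + (1 - a) * score_community."""
    return a * score_single + (1 - a) * score_community


def analyze(single: ClusterModel, group: ClusterModel, x: Vec, profile: Vec, a: float = 0.6) -> Tuple[bool, float]:
    """Claims 1/2: run both models; if either flags the behaviour, return the weighted comprehensive index."""
    s_abn, s_idx = single.score(x)
    g_abn, g_idx = group.score(profile)
    abnormal = s_abn or g_abn
    return abnormal, combined_index(s_idx, g_idx, a) if abnormal else 0.0


if __name__ == "__main__":
    # Constructed history for one terminal: [files opened, MB copied out, operations outside office hours] per day.
    history = [[12, 3, 0], [15, 4, 1], [10, 2, 0], [14, 3, 0], [11, 5, 1], [13, 4, 0]]
    means, stds = fit_scaler(history)
    single = ClusterModel([scale(r, means, stds) for r in history], euclid, threshold=2.0)
    # Constructed weekly operation-count profiles (Mon..Fri) of peer terminals; the last one diverges in shape.
    peers = [[30, 32, 31, 33, 5], [28, 30, 29, 31, 4], [40, 42, 41, 44, 6]]
    group = ClusterModel(peers, pearson_distance, threshold=0.5)
    today, today_profile = [310, 950, 40], [5, 6, 5, 6, 60]  # constructed: mass access and copy-out
    print(analyze(single, group, scale(today, means, stds), today_profile))
```

The `threshold` parameters, the index coefficient `a` and the correction rule are all tuning choices of this example; in practice the radius of a class built from a single terminal's short history can be very small, so a labelled correction set (claim 8) is what keeps the single model from flagging every ordinary fluctuation.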
PCT/CN2019/085190 2018-05-11 2019-04-30 Method for analyzing abnormal file operation behavior through clustering, system and terminal WO2019214511A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810448874.1A CN108717510A (en) 2018-05-11 2018-05-11 A kind of method, system and terminal by clustering file abnormal operation behavior
CN201810448874.1 2018-05-11

Publications (1)

Publication Number Publication Date
WO2019214511A1 true WO2019214511A1 (en) 2019-11-14

Family

ID=63899690

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/085190 WO2019214511A1 (en) 2018-05-11 2019-04-30 Method for analyzing abnormal file operation behavior through clustering, system and terminal

Country Status (2)

Country Link
CN (1) CN108717510A (en)
WO (1) WO2019214511A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108717510A (en) * 2018-05-11 2018-10-30 深圳市联软科技股份有限公司 A kind of method, system and terminal by clustering file abnormal operation behavior
CN110874310B (en) * 2018-12-21 2023-09-12 北京安天网络安全技术有限公司 Terminal behavior monitoring method and device, electronic equipment and storage medium
CN110008082B (en) * 2019-03-16 2022-06-17 平安科技(深圳)有限公司 Abnormal task intelligent monitoring method, device, equipment and storage medium
CN111723118A (en) * 2019-03-18 2020-09-29 顺丰科技有限公司 Waybill inquiry abnormal behavior detection method and device
CN111723825A (en) * 2019-03-18 2020-09-29 顺丰科技有限公司 Method and device for detecting abnormal behavior of customer information query
CN111159231A (en) * 2019-12-03 2020-05-15 深圳市智微智能软件开发有限公司 Data tracking query method and system
CN112035507B (en) * 2020-08-06 2024-04-12 杭州安恒信息技术股份有限公司 Abnormal inquiry personnel early warning method and device, electronic equipment and readable storage medium
CN112764957A (en) * 2021-01-15 2021-05-07 中国工商银行股份有限公司 Application fault delimiting method and device
CN113486366A (en) * 2021-06-08 2021-10-08 贵州电网有限责任公司 Web illegal operation behavior detection method based on cluster analysis
CN114819565B (en) * 2022-04-14 2024-03-22 中国南方电网有限责任公司 Verification method of system specification description file, control equipment and intelligent substation
CN116702229B (en) * 2023-08-04 2023-11-21 四川蓉城蕾茗科技有限公司 Safety house information safety control method and system
CN117478441B (en) * 2023-12-28 2024-03-12 云南建投物流有限公司 Dynamic access control method and system based on intelligent analysis of user behaviors

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014150787A1 (en) * 2013-03-15 2014-09-25 Shape Security Inc. Detecting the introduction of alien content
CN106101116A (en) * 2016-06-29 2016-11-09 东北大学 A kind of user behavior abnormality detection system based on principal component analysis and method
CN106713341A (en) * 2017-01-04 2017-05-24 成都四方伟业软件股份有限公司 Network security early-warning method and system based on big data
CN106778259A (en) * 2016-12-28 2017-05-31 北京明朝万达科技股份有限公司 A kind of abnormal behaviour based on big data machine learning finds method and system
CN107122669A (en) * 2017-04-28 2017-09-01 北京北信源软件股份有限公司 A kind of method and apparatus for assessing leaking data risk
CN108717510A (en) * 2018-05-11 2018-10-30 深圳市联软科技股份有限公司 A kind of method, system and terminal by clustering file abnormal operation behavior

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1328876C (en) * 2004-06-24 2007-07-25 西安交通大学 Method for self-adapting testing access of abnormal files
CN105653427B (en) * 2016-03-04 2019-02-22 上海交通大学 The log monitoring method of Behavior-based control abnormality detection
CN105825242B (en) * 2016-05-06 2019-08-27 南京大学 The real-time method for detecting abnormality in cluster communication terminal track and system based on hybrid grid hierarchical cluster

Also Published As

Publication number Publication date
CN108717510A (en) 2018-10-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19799924

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 13.04.2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19799924

Country of ref document: EP

Kind code of ref document: A1