WO2021056731A1 - Method, apparatus, device and medium for behavior detection based on log data analysis - Google Patents

Info

Publication number
WO2021056731A1
Authority
WO
WIPO (PCT)
Prior art keywords
functional node
access
combination
log data
frequency
Prior art date
Application number
PCT/CN2019/117530
Other languages
English (en)
Chinese (zh)
Inventor
秦威
王智浩
杨冬艳
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2021056731A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3636 Software debugging by tracing the execution of the program
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3644 Software debugging by instrumenting at runtime
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Definitions

  • This application relates to the technical field of security protection, and in particular to a behavior detection method, device, equipment, and medium based on log data analysis.
  • the isolation forest algorithm is usually used to detect whether user behavior is abnormal.
  • the isolation forest algorithm has extremely high requirements on the number of samples, and the samples are not easy to obtain.
  • the isolation forest algorithm only considers the number of visits, so the accuracy of user behavior detection is low.
  • a behavior detection method based on log data analysis includes: when a behavior detection instruction is received, obtaining, through the point-burying technique, the first log data of each functional node of the person to be detected in a preset system; calculating, according to the first log data, the first access frequency of each functional node for the person to be detected; retrieving the target access frequency of each functional node; comparing the first access frequency of each functional node with the target access frequency of that functional node; when the first access frequency of a functional node is greater than its target access frequency, determining from the first log data the sequence in which the person to be detected accessed the functional nodes; establishing a first queue of the functional nodes based on that access sequence; splitting the first queue to obtain the first combinations of functional nodes accessed by the person to be detected; retrieving the pre-configured reference combinations; matching the first combinations against the reference combinations; and, when any first combination fails to match, determining that the behavior of the person to be detected is abnormal.
  • a behavior detection device based on log data analysis includes: an acquisition unit, configured to obtain, through the point-burying technique, the first log data of each functional node of the person to be detected in a preset system when a behavior detection instruction is received; a calculation unit, configured to calculate the first access frequency of each functional node for the person to be detected according to the first log data; a retrieval unit, configured to retrieve the target access frequency of each functional node; a comparison unit, configured to compare the first access frequency of each functional node with the target access frequency of that functional node; a determining unit, configured to determine from the first log data the sequence in which the person to be detected accessed the functional nodes when the first access frequency of a functional node is greater than its target access frequency; an establishment unit, configured to establish a first queue of the functional nodes based on the access sequence; a splitting unit, configured to split the first queue to obtain the first combinations of functional nodes accessed by the person to be detected; the retrieval unit being further configured to retrieve the pre-configured reference combinations.
  • An electronic device comprising: a memory storing at least one instruction;
  • the processor executes the instructions stored in the memory to implement the behavior detection method based on log data analysis.
  • a non-volatile readable storage medium stores at least one instruction, and the at least one instruction is executed by a processor in an electronic device to implement the behavior detection method based on log data analysis.
  • Fig. 1 is a flowchart of a preferred embodiment of a behavior detection method based on log data analysis according to the present application.
  • Fig. 2 is a functional module diagram of a preferred embodiment of a behavior detection device based on log data analysis according to the present application.
  • FIG. 3 is a schematic structural diagram of an electronic device implementing a preferred embodiment of a behavior detection method based on log data analysis according to the present application.
  • Fig. 1 is a flowchart of a preferred embodiment of the behavior detection method based on log data analysis of the present application. According to different needs, the order of the steps in the flowchart can be changed, and some steps can be omitted.
  • the behavior detection method based on log data analysis is applied to one or more electronic devices.
  • the electronic device is a device that can automatically perform numerical calculation and/or information processing in accordance with pre-set or stored instructions.
  • Hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), embedded devices, etc.
  • the electronic device may be any electronic product that can perform human-computer interaction with the user, such as a personal computer, a tablet computer, a smart phone, a personal digital assistant (PDA), a game console, an interactive network television (Internet Protocol Television, IPTV), smart wearable devices, etc.
  • the electronic device may also include a network device and/or user equipment.
  • the network device includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud composed of a large number of hosts or network servers based on cloud computing.
  • the network where the electronic device is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a virtual private network (Virtual Private Network, VPN), etc.
  • the behavior detection instruction can be triggered by the user, or can be triggered automatically when certain conditions are met, which is not limited by this application.
  • meeting certain conditions includes, but is not limited to, reaching the first preset time, etc.
  • the first preset time may include a determined time point, or include a time period, etc., for example: the first preset time may be 7 o'clock in the morning every day.
  • the preset system is a business system corresponding to the work content of the person to be tested.
  • the functions of the business system may include marketing planning, sales, sales process management, customer service management, customer relationship management, risk prevention, etc.
  • the first log data refers to data that records a series of operations of the person to be tested on each functional node in the preset system, and the first log data plays an important role in processing tasks such as historical data.
  • obtaining, using the point-burying technique, the first log data of each functional node of the person to be detected in the preset system includes:
  • the electronic device obtains, through the point-burying technique, the access behavior of the person to be detected on each functional node and the first access time at which the access behavior occurs. Further, the electronic device records the access behavior and the first access time to obtain the first log data of each functional node.
  • the burying technology is a way of collecting data for privatized deployment, which can be understood as marking and tracking data, tracking data links, and so on.
  • the first log data may include: Person A to be detected visits functional node A at 10 o'clock, functional node B at 15:00, and functional node C at 18:00.
  • the first log data can be quickly and accurately obtained, thereby facilitating the calculation of the frequency of visits to each functional node by the person to be tested.
  • S11 Calculate the first visit frequency of each functional node of the person to be inspected according to the first log data.
  • the first visit frequency refers to the number of visits to the functional node by the person to be inspected within a unit time.
  • the unit time may include a time period, etc., for example: the unit time may be 1 hour, which is not limited in this application.
  • the electronic device calculating the first access frequency of each functional node of the person to be inspected according to the first log data includes:
  • the electronic device determines the access identifier corresponding to each functional node. Further, the electronic device uses nondeterministic finite automaton (NFA) matching to identify each access identifier in the first log data, and counts the occurrences of each access identifier per unit time to obtain the first access frequency of each functional node for the person to be tested.
  • the electronic device obtains the access identifier of functional node A as jiediana, and recognizes from the first log data that jiediana occurs 10 times in one hour; therefore, the first access frequency of functional node A is 10 times/hour.
  • the frequency of visits to each functional node of the person to be detected can be accurately calculated.
  • the target access frequency is determined based on the 99.7 rule of the normal distribution curve.
  • before retrieving the target access frequency of each functional node, the method further includes:
  • the electronic device obtains the frequency at which at least one user accesses each functional node as the second access frequency, performs normal distribution processing on the second access frequencies of each functional node to obtain the normal distribution curve of each functional node, obtains from the normal distribution curve the third access frequencies satisfying the 99.7 rule, and determines the highest third access frequency as the target access frequency.
  • the electronic device takes the highest third access frequency, 25 times/hour, as the target access frequency of functional node A.
  • the at least one user includes, but is not limited to: regular users with high frequency of access to each functional node, etc.
  • the second access frequency is the frequency at which the at least one user accesses each functional node.
  • the second visit frequency of user C to the functional node A is 10 times/hour
  • the second visit frequency of user D to the functional node A is 8 times/hour.
  • the frequency of regular users' access to each functional node can be obtained, and the target access frequency of each functional node can be further determined.
  • after the electronic device compares the first access frequency of each functional node with the target access frequency of each functional node, it obtains a comparison result, which may be either of the following:
  • the first access frequency of a functional node is greater than the target access frequency.
  • the first access frequency of each functional node is less than the target access frequency.
  • the first access frequency of person A under test for functional node A is 3 times/hour
  • the first access frequency for functional node B is 100 times/hour
  • the first access frequency for functional node C is 4 times/hour
  • the target access frequency of functional node A retrieved by the electronic device is 8 times/hour
  • the target access frequency of functional node B is 10 times/hour
  • the target access frequency of functional node C is 12 times/hour
  • the electronic device compares the first access frequency of each functional node with the target access frequency of each functional node, and obtains the comparison result that the first access frequency of functional node B is greater than its target access frequency.
  • the comparison result of the first access frequency and the target access frequency of each functional node can be obtained, and the comparison result can be used as a necessary condition for behavior detection.
  • the access sequence refers to the sequence in which the person to be detected accesses the functional node.
  • the electronic device determining, from the first log data, the access sequence of the person to be detected to the functional node includes:
  • the electronic device uses a machine learning method to extract the access time of the functional nodes from the first log data, and sorts the functional nodes according to the order of the access time to obtain the access sequence of the functional nodes.
  • the electronic device sorts the functional nodes by access time and obtains the access sequence: first functional node A, then functional node B, and finally functional node C.
  • S15 Establish a first queue of the functional node based on the access sequence.
  • the first queue refers to a queue formed by the sequence in which the person to be tested visits each functional node.
  • the first queue can be established based on the access sequence, providing basic conditions for subsequent formation of the first combination.
  • the first combination is obtained by sequentially splitting the first queue.
  • the electronic device splitting the first queue to obtain the first combinations of functional nodes accessed by the person to be inspected includes:
  • the electronic device obtains the number of configuration nodes in each first combination, uses that number as the number of nodes in each combination, and sequentially splits all functional nodes in the first queue to obtain the first combinations of functional nodes accessed by the person to be detected.
  • the number of configuration nodes is determined according to the number of functional nodes visited by the person to be tested, and the number of configuration nodes may be two or three, which is not limited in this application.
  • the first queue is ABCDEF
  • the number of configuration nodes acquired by the electronic device is 2
  • using 2 as the number of nodes in each combination, all functional nodes in the first queue are split sequentially
  • the first combinations obtained by splitting are AB, BC, CD, DE, and EF.
  • the number of configuration nodes acquired by the electronic device is 3
  • using 3 as the number of nodes in each combination
  • all functional nodes in the first queue are split sequentially, and the first combinations obtained are ABC, BCD, CDE, and DEF.
  • the first combination of the persons to be detected can be directly obtained.
  • the reference combinations are combinations retrieved from the target set whose number of nodes equals the number of configuration nodes.
  • the electronic device establishes a target set before calling a pre-configured reference combination.
  • the electronic device establishing the target set includes:
  • the electronic device acquires second log data of the at least one user accessing each functional node in the preset system and extracts from the second log data the access sequence of the at least one user to the functional nodes. Further, the electronic device obtains the number of target nodes, uses it as the number of nodes in each combination, and sequentially splits the access sequence to obtain the second combinations of the at least one user accessing the functional nodes.
  • according to the second log data, the electronic device calculates the second access frequency of each second combination and arranges the second combinations by second access frequency from high to low to obtain the second queue.
  • the electronic device integrates the combinations before the configuration position in the second queue to obtain the target set.
  • the number of target nodes is determined according to the number of functional nodes of the preset system, and the number of target nodes may be two or five, which is not limited in this application.
  • the configuration position may be 50 or 100, which is not limited in this application.
  • the target set can be obtained, which is convenient for the electronic device to retrieve the reference combination as needed.
  • the electronic device extracting the access sequence of the at least one user to the functional node from the second log data includes:
  • the electronic device obtains from the second log data the target access time at which the at least one user accesses each functional node; further, the electronic device sorts the functional nodes according to the target access time to obtain the access sequence of the at least one user to the functional nodes.
  • the method further includes:
  • the electronic device updates the second log data, and updates the reference combination according to the updated second log data.
  • the second preset time may be a time period, which is not limited in this application.
  • after the electronic device matches the first combinations with the reference combinations, it obtains a matching result, which may include the following:
  • the first combination is AD, BC, CD, DE, EF
  • the reference combination is AB, BC, CD, DE, EF.
  • in the first combinations, AD fails to match the reference combinations.
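As an added example (not the patent's or the applicant's code), the following Python sketch runs the detection pipeline described above on constructed log data: an hourly access count per functional node, a target frequency taken from the 99.7 rule as the upper edge of the mean plus three standard deviations band over baseline users, and, once a node exceeds its target, sequential splitting of the person's access queue into two-node combinations matched against a reference set of the baseline users' most frequent combinations. Using the busiest hour as the first access frequency, treating users C and D as the "at least one user", and giving a node absent from the baseline a target of zero are assumptions of this example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from the patent): one event per line,
# "<ISO minute> <user> <node>". Baseline users C and D repeat the normal
# flow A -> B -> C -> D; the person to be detected, X, jumps A -> D and
# then hammers node B.
def _walk(user, day, hours, path, passes_per_hour):
    """Constructed log lines: `passes_per_hour` passes over `path` in each hour."""
    lines, step = [], 60 // (passes_per_hour * len(path))
    for h in hours:
        minute = 0
        for _ in range(passes_per_hour):
            for node in path:
                lines.append(f"{day}T{h:02d}:{minute:02d} {user} {node}")
                minute += step
    return lines

LOG_LINES = (
    _walk("C", "2024-03-01", range(9, 13), "ABCD", 2)
    + _walk("D", "2024-03-01", range(9, 13), "ABCD", 3)
    + ["2024-03-01T09:00 X A", "2024-03-01T09:03 X D"]
    + [f"2024-03-01T09:{m:02d} X B" for m in range(10, 40, 5)]
)

def parse_log(lines):
    """(timestamp, user, node) tuples; ISO timestamps sort lexically."""
    return [tuple(line.split()) for line in lines]

def hourly_counts(events, user):
    """node -> list of per-hour access counts for `user` (unit time: 1 hour)."""
    per_hour = defaultdict(Counter)
    for ts, u, node in events:
        if u == user:
            per_hour[ts[:13]][node] += 1   # "YYYY-MM-DDTHH" bucket
    counts = defaultdict(list)
    for bucket in per_hour.values():
        for node, n in bucket.items():
            counts[node].append(n)
    return counts

def first_access_frequency(events, person):
    """Peak hourly count per node (assumption: the busiest hour is compared)."""
    return {node: max(c) for node, c in hourly_counts(events, person).items()}

def target_frequencies(events, baseline_users):
    """99.7 rule: upper edge of the mean +/- 3 sigma band of baseline hourly counts."""
    samples = defaultdict(list)
    for u in baseline_users:
        for node, c in hourly_counts(events, u).items():
            samples[node].extend(c)
    return {node: mean(c) + 3 * pstdev(c) for node, c in samples.items()}

def access_sequence(events, user):
    """Functional nodes in the order the user accessed them (the first queue)."""
    return [node for ts, u, node in sorted(events) if u == user]

def split_combinations(queue, n):
    """Sequential split of the queue: 'ABCDEF', n=2 -> AB, BC, CD, DE, EF."""
    return ["".join(queue[i:i + n]) for i in range(len(queue) - n + 1)]

def reference_combinations(events, baseline_users, n, top_k):
    """Target set: the top_k most frequent n-node combinations of baseline users."""
    counter = Counter()
    for u in baseline_users:
        counter.update(split_combinations(access_sequence(events, u), n))
    return {combo for combo, _ in counter.most_common(top_k)}

def detect(events, person, baseline_users, n=2, top_k=50):
    """(abnormal, nodes over target, first combinations that fail to match)."""
    targets = target_frequencies(events, baseline_users)
    freq = first_access_frequency(events, person)
    # A node never seen in the baseline gets target 0 (assumption).
    exceeded = sorted(node for node, f in freq.items() if f > targets.get(node, 0))
    if not exceeded:            # the frequency check is the necessary condition
        return False, exceeded, []
    reference = reference_combinations(events, baseline_users, n, top_k)
    first = split_combinations(access_sequence(events, person), n)
    failed = sorted({c for c in first if c not in reference})
    return bool(failed), exceeded, failed

EVENTS = parse_log(LOG_LINES)

if __name__ == "__main__":
    print("targets:", target_frequencies(EVENTS, ["C", "D"]))
    print("X:", detect(EVENTS, "X", ["C", "D"]))
```

With this data every node's target is 4.0 times/hour, X's six accesses to B in one hour trip the frequency check, and the combinations AD, BB and DB then fail to match the reference set {AB, BC, CD, DA}.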
  • the method further includes:
  • the electronic device obtains the first functional node whose first access frequency is greater than the target access frequency and determines whether the first functional node belongs to the target functional nodes, where the data corresponding to a target functional node contains confidential information; when the first functional node belongs to the target functional nodes, it is determined that the behavior of the person to be detected is abnormal.
  • the method further includes:
  • the electronic device controls the access authority of the person to be detected to the preset system.
  • the method further includes:
  • the electronic device obtains the first face information of the person to be detected from the monitoring device. Further, the electronic device extracts from the first log data the target account used to log in to the preset system, retrieves from the configuration library the target face information corresponding to the target account, and uses face recognition technology to determine whether the first face information matches the target face information. When the first face information fails to match the target face information, the access authority of the person to be detected to the terminal device corresponding to the target face information is controlled.
  • the monitoring equipment is composed of four parts: a camera part, a transmission part, a control part and a display part.
  • the configuration library includes target face information of the at least one user.
  • the method further includes:
  • when it is determined that the behavior of the person to be detected is abnormal, the electronic device generates alarm information and sends the alarm information to the configuration device of the designated contact.
  • the alarm information may include the name and ID of the person to be detected, the time when the abnormal behavior occurs, and the like.
  • the designated contact person may include a user who triggers a behavior detection instruction, and the like.
  • an alarm and reminder can be issued in time, which is beneficial to the designated contact person to take corresponding measures in time, thereby avoiding loss.
  • this application can, when a behavior detection instruction is received, obtain through the point-burying technique the first log data of each functional node of the person to be detected in the preset system; calculate, according to the first log data, the first access frequency of each functional node for the person to be detected; retrieve the target access frequency of each functional node; compare the first access frequency of each functional node with the target access frequency of that functional node; when the first access frequency of a functional node is greater than its target access frequency, determine from the first log data the sequence in which the person to be detected accessed the functional nodes and establish a first queue of the functional nodes based on that access sequence; split the first queue to obtain the first combinations of functional nodes accessed by the person to be detected; retrieve the pre-configured reference combinations; and match the first combinations against the reference combinations. When a first combination fails to match, it is determined that the behavior of the person to be detected is abnormal. By combining the access frequency and the access sequence of the functional nodes, abnormal behavior can be detected more comprehensively and accurately, and relevant personnel can then be reminded, thereby avoiding information leakage.
  • the behavior detection device 11 based on log data analysis includes an acquisition unit 110, a calculation unit 111, a retrieval unit 112, a comparison unit 113, a determination unit 114, an establishment unit 115, a splitting unit 116, a matching unit 117, a processing unit 118, an extraction unit 119, an arrangement unit 120, an integration unit 121, a judgment unit 122, a control unit 123, an update unit 124, a generation unit 125, and a transmission unit 126.
  • the module/unit referred to in this application refers to a series of computer-readable instruction segments that can be executed by the processor 13 and can complete fixed functions, and are stored in the memory 12.
  • the acquiring unit 110 acquires the first log data of each functional node of the person to be detected in the preset system by using the point burying technique.
  • the acquiring unit 110 acquiring the first log data of each functional node of the person to be tested in the preset system by using the point-burying technique includes:
  • the acquisition unit 110 acquires, through the point-burying technique, the access behavior of the person to be detected on each functional node and the first access time at which the access behavior occurs. Further, the acquisition unit 110 records the access behavior and the first access time to obtain the first log data of each functional node.
  • the calculation unit 111 calculates the first visit frequency of each functional node of the person to be inspected.
  • the calculation unit 111 calculating the first access frequency of each functional node of the person to be inspected according to the first log data includes:
  • the calculation unit 111 determines the access identifier corresponding to each functional node. Further, the calculation unit 111 uses nondeterministic finite automaton (NFA) matching to identify each access identifier in the first log data, and counts the occurrences of each access identifier per unit time to obtain the first access frequency of each functional node for the person to be tested.
  • the calculation unit 111 obtains the access identifier of functional node A as jiediana, and recognizes from the first log data that jiediana occurs 10 times in one hour; therefore, the first access frequency of functional node A is 10 times/hour.
  • the retrieval unit 112 retrieves the target access frequency of each functional node.
  • the acquiring unit 110 acquires the frequency at which at least one user accesses each functional node as the second access frequency. Further, the processing unit 118 performs normal distribution processing on the second access frequencies of each functional node to obtain the normal distribution curve of each functional node. Further, the acquiring unit 110 obtains from the normal distribution curve the third access frequencies satisfying the 99.7 rule, and the determining unit 114 determines the highest third access frequency as the target access frequency.
  • the expected value of the at least one user's access to functional node A is 20 times/hour, and 99.7% of the at least one user access functional node A with a third access frequency between 15 times/hour and 25 times/hour; therefore, the determining unit 114 takes the highest third access frequency, 25 times/hour, as the target access frequency of functional node A.
  • the comparison unit 113 compares the first access frequency of each functional node with the target access frequency of each functional node.
  • after the first access frequency of each functional node is compared with the target access frequency of each functional node, the obtaining unit 110 obtains a comparison result, which may be either of the following:
  • the first access frequency of a functional node is greater than the target access frequency.
  • the first access frequency of each functional node is less than the target access frequency.
  • the first access frequency of person A under test for functional node A is 3 times/hour
  • the first access frequency for functional node B is 100 times/hour
  • the first access frequency for functional node C is 4 times/hour
  • the retrieved target access frequency of functional node A is 8 times/hour
  • the target access frequency of functional node B is 10 times/hour
  • the target access frequency of functional node C is 12 times/hour
  • the comparison unit 113 compares the first access frequency of each functional node with the target access frequency of each functional node, and the comparison result is that the first access frequency of functional node B is greater than its target access frequency.
  • the determining unit 114 determines the order in which the person to be detected visits the functional node from the first log data.
  • the access sequence refers to the sequence in which the person to be detected accesses the functional node.
  • the determining unit 114 determining, from the first log data, the access sequence of the person to be detected to the functional node includes:
  • the determining unit 114 uses a machine learning method to extract the access time of each functional node from the first log data, and sorts the functional nodes in order of access time to obtain the access sequence of the functional nodes.
  • for example, it is obtained from the first log data that the access time of functional node A is 7:00 this morning, the access time of functional node B is 7:30 this morning and the access time of functional node C is 8:00 this morning; sorting the functional nodes by access time gives the access sequence: functional node A first, then functional node B, and finally functional node C.
  • based on the access sequence, the establishment unit 115 establishes the first queue of the functional nodes.
  • the first queue refers to a queue formed by the sequence in which the person to be tested visits each functional node.
  • the first queue can be established based on the access sequence, providing basic conditions for subsequent formation of the first combination.
  • the splitting unit 116 splits the first queue to obtain the first combination for the person to be tested to access the functional node.
  • the first combination is obtained by sequentially splitting the first queue.
  • the splitting unit 116 splits the first queue, and obtains the first combination for the person to be tested to access the functional node, including:
  • the splitting unit 116 obtains the number of configuration nodes in each first combination, uses the number of configuration nodes as the number of nodes in each combination, and sequentially splits all functional nodes in the first queue to obtain the first combinations in which the person to be tested accesses the functional nodes.
  • the number of configuration nodes is determined according to the number of functional nodes visited by the person to be tested, and the number of configuration nodes may be two or three, which is not limited in this application.
  • for example, if the first queue is ABCDEF and the number of configuration nodes acquired by the splitting unit 116 is 2, then 2 is used as the number of nodes in each combination, the first queue is split sequentially, and the first combinations obtained are AB, BC, CD, DE and EF. If the number of configuration nodes acquired by the splitting unit 116 is 3, then 3 is used as the number of nodes in each combination, all functional nodes in the first queue are split in turn, and the first combinations obtained are ABC, BCD, CDE and DEF.
  • the first combination of the persons to be detected can be directly obtained.
  • the retrieval unit 112 retrieves a pre-configured reference combination.
  • the reference combination is a combination retrieved from the target set whose number of nodes equals the number of configuration nodes.
  • the target set is established before the pre-configured reference combination is retrieved.
  • establishing the target set includes:
  • the acquiring unit 110 acquires the second log data of the at least one user's access to each functional node in the preset system, and the extracting unit 119 extracts the access sequence of the at least one user to the functional nodes from the second log data. Further, the acquiring unit 110 acquires the number of target nodes, and the splitting unit 116 uses the number of target nodes as the number of nodes in each combination to sequentially split the access sequence, obtaining the second combinations in which the at least one user accesses the functional nodes. According to the second log data, the calculation unit 111 calculates the second access frequency of each second combination, the arrangement unit 120 arranges the second combinations by second access frequency from high to low to obtain a second queue, and the integration unit 121 integrates the combinations located before the configuration position in the second queue to obtain the target set.
  • the number of target nodes is determined according to the number of functional nodes of the preset system, and the number of target nodes may be two or five, which is not limited in this application.
  • the configuration position may be 50 or 100, which is not limited in this application.
  • the target set can be obtained, so that the retrieval unit 112 can retrieve the reference combination as needed.
  • the establishing unit 115 extracting the access sequence of the at least one user to the functional nodes from the second log data includes:
  • the establishing unit 115 obtains the target access time of the at least one user to each functional node from the second log data, and further sorts the functional nodes according to the target access time to obtain the access sequence of the at least one user to the functional nodes.
  • the update unit 124 updates the second log data every second preset time, and the update unit 124 updates the reference combination according to the updated second log data.
  • the second preset time may be a time period, which is not limited in this application.
  • the matching unit 117 matches the first combination with the reference combination.
  • the obtaining unit 110 after matching the first combination with the reference combination, obtains a matching result, and the matching result may include any one of the following:
  • for example, if the first combinations are AD, BC, CD, DE and EF and the reference combinations are AB, BC, CD, DE and EF, then the first combination AD fails to match any reference combination.
  • the acquiring unit 110 acquires the first functional node whose first access frequency is greater than the target access frequency;
  • the judging unit 122 judges whether the first functional node belongs to the target functional nodes, wherein the data corresponding to a target functional node contains confidential information, and when the first functional node belongs to the target functional nodes, the determining unit 114 determines that the behavior of the person to be detected is abnormal.
  • the determining unit 114 determines that the behavior of the person to be detected is abnormal.
  • the control unit 123 controls the access permission of the person to be detected to the preset system.
  • the acquiring unit 110 acquires the first face information of the person to be detected from the monitoring device; further, the extraction unit 119 extracts the target account that logged in to the preset system from the first log data, the retrieval unit 112 retrieves the target face information corresponding to the target account from the configuration library, and the judgment unit 122 uses face recognition technology to determine whether the first face information matches the target face information; when the first face information matches the target face information, the control unit 123 controls the access authority of the person to be detected to the terminal device corresponding to the target face information.
  • the monitoring equipment is composed of four parts: a camera part, a transmission part, a control part and a display part.
  • the configuration library includes target face information of the at least one user.
  • when it is determined that the behavior of the person to be detected is abnormal, the generating unit 125 generates alarm information, and further, the sending unit 126 sends the alarm information to the configuration device of the designated contact.
  • the alarm information may include the name and ID of the person to be detected, the time when the abnormal behavior occurs, and the like.
  • the designated contact person may include a user who triggers a behavior detection instruction, and the like.
  • an alarm and reminder can be issued in time, which is beneficial to the designated contact person to take corresponding measures in time, thereby avoiding loss.
  • the present application can detect abnormal behaviors more comprehensively and accurately by combining the access frequency and access sequence of the functional nodes, and then alert relevant personnel to avoid information leakage.
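The two-stage check described above (first-access-frequency comparison against a per-node target, then, only when some node is exceeded, splitting the access sequence into combinations and matching them against the reference combinations built from regular users' logs) as an added, runnable example. This is illustrative code written for this page, not the applicant's implementation; the log records are constructed, the rule for deriving the target access frequency (mean of the regular users' per-user frequencies) is an assumption since the description leaves it open, and a node that no regular user accesses is assumed to have a target of 0.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, NamedTuple, Sequence, Set, Tuple

Combination = Tuple[str, ...]


class Access(NamedTuple):
    user: str       # account that produced the log line
    node: str       # functional node (page or feature) that was accessed
    time: datetime  # access time parsed from the log line


def rec(user: str, node: str, hhmm: str) -> Access:
    """Build a constructed log record; the date is arbitrary."""
    hour, minute = hhmm.split(":")
    return Access(user, node, datetime(2019, 11, 12, int(hour), int(minute)))


# Second log data: constructed records of two regular users over a one-hour window.
REGULAR_LOGS = [
    rec("alice", "A", "07:00"), rec("alice", "B", "07:10"), rec("alice", "C", "07:20"),
    rec("alice", "A", "07:30"), rec("alice", "B", "07:40"), rec("alice", "C", "07:50"),
    rec("bob", "A", "07:05"), rec("bob", "B", "07:15"), rec("bob", "C", "07:25"),
    rec("bob", "D", "07:35"),
]

# First log data: constructed records of the person under test over the same window.
SUBJECT_LOGS = [
    rec("eve", "A", "07:00"), rec("eve", "D", "07:05"), rec("eve", "B", "07:10"),
    rec("eve", "B", "07:12"), rec("eve", "B", "07:14"), rec("eve", "C", "07:20"),
]


def access_frequency(logs: Sequence[Access], window_hours: float) -> Dict[str, float]:
    """Accesses per hour to each functional node within the observation window."""
    counts = Counter(a.node for a in logs)
    return {node: n / window_hours for node, n in counts.items()}


def access_sequence(logs: Sequence[Access]) -> List[str]:
    """Functional nodes ordered by access time: the 'first queue' of the description."""
    return [a.node for a in sorted(logs, key=lambda a: a.time)]


def split_queue(queue: Sequence[str], node_count: int) -> List[Combination]:
    """Sequentially split a queue into overlapping combinations of node_count nodes,
    e.g. A B C D E F with node_count 2 gives AB, BC, CD, DE, EF."""
    return [tuple(queue[i:i + node_count]) for i in range(len(queue) - node_count + 1)]


def by_user(logs: Sequence[Access]) -> Dict[str, List[Access]]:
    groups: Dict[str, List[Access]] = defaultdict(list)
    for a in logs:
        groups[a.user].append(a)
    return groups


def target_access_frequency(regular_logs: Sequence[Access], window_hours: float) -> Dict[str, float]:
    """Target frequency per node. Assumption (the description leaves the rule open):
    the mean of the per-user frequencies of the regular users who accessed the node."""
    per_node: Dict[str, List[float]] = defaultdict(list)
    for recs in by_user(regular_logs).values():
        for node, f in access_frequency(recs, window_hours).items():
            per_node[node].append(f)
    return {node: mean(fs) for node, fs in per_node.items()}


def build_target_set(regular_logs: Sequence[Access], node_count: int, position: int) -> Set[Combination]:
    """Reference combinations: count every combination in each regular user's access
    sequence, rank by frequency from high to low (the 'second queue') and keep the
    combinations ranked before the configuration position."""
    counter: Counter = Counter()
    for recs in by_user(regular_logs).values():
        counter.update(split_queue(access_sequence(recs), node_count))
    return {comb for comb, _ in counter.most_common(position)}


class Verdict(NamedTuple):
    abnormal: bool
    reason: str
    evidence: list


def detect(subject_logs, regular_logs, window_hours=1.0, node_count=2, position=4,
           confidential_nodes=frozenset()) -> Verdict:
    """Frequency check first; the access-sequence check runs only if some node is exceeded."""
    first = access_frequency(subject_logs, window_hours)
    target = target_access_frequency(regular_logs, window_hours)
    # Assumption: a node no regular user touches has target 0, so any access exceeds it.
    exceeded = sorted(n for n, f in first.items() if f > target.get(n, 0.0))
    if not exceeded:
        return Verdict(False, "no functional node exceeds its target access frequency", [])
    hit = sorted(set(exceeded) & set(confidential_nodes))
    if hit:  # exceeded node holds confidential data: abnormal without the sequence check
        return Verdict(True, "first access frequency exceeded on confidential node(s)", hit)
    reference = build_target_set(regular_logs, node_count, position)
    unmatched = [c for c in split_queue(access_sequence(subject_logs), node_count)
                 if c not in reference]
    if unmatched:
        return Verdict(True, "first combination(s) absent from the reference combinations", unmatched)
    return Verdict(False, "frequency exceeded but access sequence matches regular users", exceeded)


if __name__ == "__main__":
    print(detect(SUBJECT_LOGS, REGULAR_LOGS))
```

With the constructed data, eve's accesses to B (3 times/hour) exceed the target of 1.5, so the sequence A, D, B, B, B, C is split into pairs and AD, DB, BB, BB are reported because they never occur in the regular users' logs; a user who only walks A, B, C never triggers the sequence check at all. The `position` cut-off is what turns the ranked second queue into the target set, so it should be chosen large enough to cover every combination that legitimate work produces, or normal users will be flagged.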
  • FIG. 3 is a schematic structural diagram of an electronic device according to a preferred embodiment of the application for realizing the behavior detection method based on log data analysis.
  • the electronic device includes a processor 13 and a memory 12.
  • the processor 13 executes the operating system of the electronic device 1 and various installed applications.
  • the processor 13 executes the application program to implement the steps in the above embodiments of the behavior detection method based on log data analysis, such as steps S10, S11, S12, S13, S14, S15, S16, S17, S18 and S19 shown in FIG. . Alternatively, when the processor 13 executes the computer-readable instructions, the functions of the modules/units in the foregoing device embodiments are implemented.
  • the computer-readable instructions may be divided into one or more modules/units, and the one or more modules/units are stored in the memory 12 and executed by the processor 13 to complete this application.
  • the one or more modules/units may be a series of computer-readable instruction segments capable of completing specific functions, and the instruction segments are used to describe the execution process of the computer-readable instructions in the electronic device 1.
  • the computer-readable instructions may be divided into units in FIG. 2.
  • the memory 12 may be used to store the computer-readable instructions and/or modules.
  • the processor 13 runs or executes the computer-readable instructions and/or modules stored in the memory 12 and calls the data stored in the memory 12 to realize the various functions of the electronic device 1.
  • the memory 12 may mainly include a storage program area and a storage data area.
  • the storage program area may store an operating system and the application programs required by at least one function (such as a sound playback function, an image playback function, etc.); the storage data area may store data created through the use of the electronic device.
  • the memory 12 may include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a smart memory card (Smart Media Card, SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), At least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device.
  • the memory 12 may be an external memory and/or an internal memory of the electronic device 1. Further, the memory 12 may be a circuit with a storage function that does not have a physical form in an integrated circuit, such as FIFO (First In First Out) and so on. Alternatively, the memory 12 may also be a memory in a physical form, such as a memory stick, a TF card (Trans-flash Card), and so on.
  • if the integrated module/unit of the electronic device 1 is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a non-volatile computer-readable storage medium.
  • this application implements all or part of the processes in the above-mentioned embodiments and methods, and can also be completed by instructing relevant hardware through computer-readable instructions.
  • the computer-readable instructions may be stored in a non-volatile computer-readable storage medium, and when the computer-readable instructions are executed by the processor, the steps of the foregoing method embodiments can be implemented.
  • the computer-readable instruction code may be in the form of source code, object code, executable file, or some intermediate form, etc.
  • the computer-readable medium may include: any entity or device capable of carrying the computer-readable instruction code, recording medium, U disk, mobile hard disk, magnetic disk, optical disk, computer memory, read-only memory (ROM, Read-Only Memory).

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a method, apparatus, device and medium for behavior detection based on log data analysis. The method comprises: obtaining first log data of a person to be detected for each functional node in a preset system; calculating a first access frequency of the person to be detected for each functional node, retrieving the target access frequency of each functional node, and comparing the two; if the first access frequency of a functional node is greater than the target access frequency, determining, from the first log data, the sequence in which the person to be detected accesses the functional nodes, establishing a first queue of the functional nodes, and splitting the first queue to obtain first combinations; retrieving a preset reference combination and matching the first combinations against the reference combination; if any first combination fails to match, performing security protection and determining that the behavior of the person to be detected is abnormal. This detects abnormal behavior more comprehensively and accurately and alerts the relevant personnel.
PCT/CN2019/117530 2019-09-23 2019-11-12 Method, apparatus, device and medium for behavior detection based on log data analysis WO2021056731A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910900782.7A CN111221722B (zh) 2019-09-23 2019-09-23 Behavior detection method, apparatus, electronic device and storage medium
CN201910900782.7 2019-09-23

Publications (1)

Publication Number Publication Date
WO2021056731A1 true WO2021056731A1 (fr) 2021-04-01

Family

ID=70828939

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/117530 WO2021056731A1 (fr) 2019-09-23 2019-11-12 Method, apparatus, device and medium for behavior detection based on log data analysis

Country Status (2)

Country Link
CN (1) CN111221722B (fr)
WO (1) WO2021056731A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113419890A (zh) * 2021-06-30 2021-09-21 中国银行股份有限公司 Anomaly type detection method, apparatus, server and medium
CN113568967A (zh) * 2021-07-29 2021-10-29 掌阅科技股份有限公司 Method for dynamically extracting time-series indicator data, electronic device and storage medium

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640507B (zh) * 2022-02-28 2024-03-12 天翼安全科技有限公司 WebShell detection method, apparatus and storage medium
CN114650187B (zh) * 2022-04-29 2024-02-23 深信服科技股份有限公司 Abnormal access detection method, apparatus, electronic device and storage medium
CN115659377B (zh) * 2022-12-13 2023-03-31 闪捷信息科技有限公司 Interface abnormal access identification method, apparatus, electronic device and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050216561A1 (en) * 2000-05-02 2005-09-29 International Business Machines Corporation System and method for a computer based cooperative work system
CN106027577A (zh) * 2016-08-04 2016-10-12 四川无声信息技术有限公司 Abnormal access behavior detection method and apparatus
CN107370628A (zh) * 2017-08-17 2017-11-21 阿里巴巴集团控股有限公司 Log processing method and system based on instrumentation points
CN108055281A (zh) * 2017-12-27 2018-05-18 百度在线网络技术(北京)有限公司 Account anomaly detection method, apparatus, server and storage medium
CN109241711A (zh) * 2018-08-22 2019-01-18 平安科技(深圳)有限公司 User behavior recognition method and apparatus based on a prediction model
CN109522190A (zh) * 2018-10-12 2019-03-26 中国平安人寿保险股份有限公司 Abnormal user behavior recognition method and apparatus, electronic device, storage medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000148276A (ja) * 1998-11-05 2000-05-26 Fujitsu Ltd Security monitoring device, security monitoring method and security monitoring program recording medium
CN106650433B (zh) * 2016-12-15 2018-09-04 咪咕数字传媒有限公司 Abnormal behavior detection method and system
CN107341095B (zh) * 2017-06-27 2020-07-28 北京优特捷信息技术有限公司 Method and apparatus for intelligent analysis of log data
CN110019318A (zh) * 2017-09-11 2019-07-16 阿里巴巴集团控股有限公司 Log matching processing method, apparatus and electronic device
CN109976930A (zh) * 2017-12-28 2019-07-05 腾讯科技(深圳)有限公司 Abnormal data detection method, system and storage medium
CN108304723A (zh) * 2018-01-17 2018-07-20 链家网(北京)科技有限公司 Abnormal behavior detection method and apparatus
CN109688097B (zh) * 2018-09-07 2023-03-24 平安科技(深圳)有限公司 Website protection method, website protection apparatus, website protection device and storage medium
CN109450879A (zh) * 2018-10-25 2019-03-08 中国移动通信集团海南有限公司 User access behavior monitoring method, electronic apparatus and computer-readable storage medium


Also Published As

Publication number Publication date
CN111221722A (zh) 2020-06-02
CN111221722B (zh) 2024-01-30

Similar Documents

Publication Publication Date Title
WO2021056731A1 (fr) Method, apparatus, device and medium for behavior detection based on log data analysis
US11916920B2 (en) Account access security using a distributed ledger and/or a distributed file system
CN110099059B (zh) Domain name identification method, apparatus and storage medium
CN111370139B (zh) Infectious disease tracing method, apparatus, electronic device and storage medium
AU2014237406B2 (en) Method and apparatus for substitution scheme for anonymizing personally identifiable information
CN101751535B (zh) Data loss protection through application data access classification
CN109842628A (zh) Abnormal behavior detection method and apparatus
CN111694840A (zh) Data synchronization method, apparatus, server and storage medium
US20190121969A1 (en) Graph Model for Alert Interpretation in Enterprise Security System
US10097569B2 (en) System and method for tracking malware route and behavior for defending against cyberattacks
CN111638908A (zh) Interface document generation method, apparatus, electronic device and medium
CN113050900B (zh) Screen sharing method, apparatus, device and storage medium
CN113259197A (zh) Asset detection method, apparatus and electronic device
US20200342095A1 (en) Rule generaton apparatus and computer readable medium
JP2019053381A (ja) Image processing device, information processing device, method and program
US20240095289A1 (en) Data enrichment systems and methods for abbreviated domain name classification
WO2016095716A1 (fr) Fault information processing method and corresponding device
KR102367546B1 (ko) Heterogeneous hybrid correlation analysis method using streaming analysis and batch analysis, and apparatus supporting the same
US11763014B2 (en) Production protection correlation engine
US11853173B1 (en) Log file manipulation detection
US11797707B2 (en) Non-transitory computer-readable recording medium having stored therein information processing program, information processing method, and information processing apparatus
US10296990B2 (en) Verifying compliance of a land parcel to an approved usage
CN113973014B (zh) Monitoring method, apparatus and device for weak password vulnerabilities of network devices
US20210224423A1 (en) Non-transitory computer-readable recording medium having stored therein information processing program, information processing method, and information processing apparatus
CN114710354B (zh) Abnormal event detection method and apparatus, storage medium and electronic device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19946561

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19946561

Country of ref document: EP

Kind code of ref document: A1