CN107222472A - A user behavior anomaly detection method for Hadoop clusters - Google Patents
- Publication number
- CN107222472A
- Authority
- CN
- China
- Prior art keywords
- user
- data
- user behavior
- matrix
- hadoop clusters
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/18—File system types
- G06F16/182—Distributed file systems
Abstract
The invention discloses a user behavior anomaly detection method for Hadoop clusters. The method collects and analyzes user behavior data and records it in logs, forms feature vectors from the user's behavioral features, and processes the feature vector set with a parallel principal component analysis (PCA) algorithm to obtain the user's behavior pattern efficiently. By comparing against the historical pattern, it discovers abnormal behavior produced when a user accesses HDFS and at the same time uncovers security threats hidden in the Hadoop cluster, thereby safeguarding HDFS. The invention not only establishes effective monitoring of users' data access behavior, discovers abnormal behavior in time and safeguards the data security of the Hadoop cluster, but also improves model training efficiency through the parallelized PCA algorithm, solving the problem of low training efficiency in conventional models.
Description
Technical field
The present invention relates to a user behavior anomaly detection method, and in particular to a user behavior anomaly detection method for Hadoop-based clusters.
Background art
In recent years the Hadoop platform, as an outstanding distributed computing system, has played an increasingly important role in large-scale enterprise data processing. However, Hadoop did not take security into account when it was first developed. Although some security mechanisms were added later, Hadoop's security audit, access control and identity authentication mechanisms are all passive, static security techniques that cannot monitor user behavior activity, which leaves the cluster exposed to hidden security attacks. For example, an illegitimate user may steal the account and password of a legitimate user and use the associated permissions to access data without authorization; data leakage easily occurs during malicious intrusion, maintenance and loss of media, and the data security of the cluster is hard to guarantee. Data is the carrier of information, and a data disaster may cause immeasurable loss to users. It is therefore necessary to establish effective monitoring of users' data access behavior, discover abnormal behavior in time and safeguard the data security of the Hadoop cluster.
Research in China on monitoring based on user behavior activity is relatively scarce. Ashish Kamra et al. proposed an anomaly detection method for access patterns of relational databases, based on users' SQL query logs; however, this method targets only relational databases and is not suitable for user behavior monitoring on big data platforms. Mohiuddin Solaimani et al. proposed a Spark-based framework for detecting virtual machine performance anomalies, whose purpose is to find, through performance anomaly detection on virtual machines, which users occupy large amounts of resources and cause unbalanced resource sharing that affects cluster operating efficiency; however, Spark computes in memory and cannot cope when the data volume is very large or intermediate results exceed memory capacity. Liu Peng proposed an abstract architecture and a general anomaly detection solution for databases, but gave no specific algorithm. Fredrik Valeur et al. proposed a machine-learning-based method for detecting SQL attacks, but only for web back-end databases.
Traditional user behavior anomaly detection methods mainly address databases and cluster performance anomalies. The database methods generally target relational databases and the like and cannot be applied in the distributed environment of a Hadoop cluster, while cluster performance anomalies are not pronounced under mechanisms such as the Hadoop platform's own load balancing, so the correctness of the detection results is not high. In addition, data volumes on Hadoop clusters are usually very large, and model training algorithms based on traditional principal component analysis are relatively inefficient.
The optimized method of the present invention therefore establishes effective monitoring of users' data access behavior, discovers abnormal behavior in time and safeguards the data security of the Hadoop cluster; it also improves model training efficiency through a parallelized PCA algorithm, solving the problem of low training efficiency in conventional models.
Summary of the invention
The object of the present invention is to overcome the deficiencies of the prior art by providing a user behavior anomaly detection method for Hadoop clusters. It not only solves the problem of monitoring abnormal behavior when users access HDFS data on a Hadoop cluster, but also parallelizes the traditional principal component analysis algorithm, solving the problem of inefficient model training.
The object of the invention is achieved through the following technical solution: a user behavior anomaly detection method for Hadoop clusters, comprising the following steps:
S1: User behavior data collection: obtain the HDFS audit log from the cluster's NameNode node through the Hadoop log management service (Log4j) and store it in a database;
S2: Data preprocessing;
S3: Model training: extract part of the feature vector set of one user as training data and construct a sample data matrix; reduce the dimensionality of the sample data with the parallel PCA algorithm proposed by the invention to obtain the sample mean and the transformation matrix, and store them in that user's model library. The models of other users are trained in the same way. The transformation matrix mainly serves to map samples from the original space to the principal component subspace;
S4: User behavior anomaly detection: for a given user, match the user's current behavior pattern (feature vector) against the historical behavior pattern obtained by training that user's model; if they do not match, the behavior is abnormal.
The user behavior data collection uses the Hadoop log management service: Hadoop integrates the Apache open-source project Log4j by default, and the Log4j log management service obtains the HDFS audit log from the cluster's NameNode node and stores it in a database;
The user behavior data are the audit records produced when a user accesses HDFS; each record includes the access date and time, the user identifier, the file operation command and the client IP address;
The data preprocessing comprises the following steps:
S21: Extraction and counting: read the audit records from the database and, for each user's audit records, count the number of times each file operation command occurs within a time window;
S22: Construct the feature vector.
The feature vector is constructed from frequency attributes and is written $x = (x_1, x_2, \dots, x_{13})$. There are 13 kinds of file operation commands in total, and the value in each dimension is the number of times one kind of file operation command occurs within the time window; applying this in turn yields a feature vector set. The 13 dimensions correspond to the number of kinds of HDFS file operation commands. The feature vector set can serve both as model training data and as test data;
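The preprocessing in S21 and S22, sketched as an added example that is not part of the patent text. It assumes the usual tab-separated `key=value` layout of the NameNode audit log, a 10-minute window, and a hypothetical list of 13 `cmd` values (the page states only that there are 13); the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed list of 13 audit "cmd" values; the page gives the count, not the names.
COMMANDS = ["open", "create", "append", "delete", "rename", "mkdirs", "listStatus",
            "getfileinfo", "setPermission", "setOwner", "setReplication", "setTimes",
            "contentSummary"]
LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
                  r".*?FSNamesystem\.audit: (?P<kv>.*)$")
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (timestamp, user, cmd, client_ip) for one audit line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split("\t") if "=" in item)
    if "ugi" not in fields or "cmd" not in fields:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    user = fields["ugi"].split()[0]          # drop the "(auth:...)" suffix
    return ts, user, fields["cmd"], fields.get("ip", "").lstrip("/")


def feature_vectors(lines, window_seconds=600):
    """S21/S22: per (user, window start), count each command and build the 13-dim vector."""
    counts = defaultdict(Counter)
    skipped = 0                              # unparsable lines and commands outside the list
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] not in COMMANDS:
            skipped += 1
            continue
        ts, user, cmd, _ip = rec
        secs = int((ts - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=secs - secs % window_seconds)
        counts[(user, start.strftime("%Y-%m-%d %H:%M"))][cmd] += 1
    vectors = {key: [c[cmd] for cmd in COMMANDS] for key, c in sorted(counts.items())}
    return vectors, skipped


def _audit(ts, user, ip, cmd, src):
    """Build one constructed line in the audit-log layout."""
    return (f"{ts},000 INFO FSNamesystem.audit: allowed=true\tugi={user} (auth:SIMPLE)\t"
            f"ip=/{ip}\tcmd={cmd}\tsrc={src}\tdst=null\tperm=null")


SAMPLE = [  # constructed records, not taken from a real cluster
    _audit("2017-05-26 10:01:12", "alice", "10.0.0.5", "open", "/data/a.csv"),
    _audit("2017-05-26 10:03:40", "alice", "10.0.0.5", "open", "/data/b.csv"),
    _audit("2017-05-26 10:04:02", "alice", "10.0.0.5", "listStatus", "/data"),
    _audit("2017-05-26 10:12:30", "alice", "10.0.0.5", "delete", "/data/a.csv"),
    _audit("2017-05-26 10:02:00", "bob", "10.0.0.9", "getfileinfo", "/tmp"),
    _audit("2017-05-26 10:05:00", "bob", "10.0.0.9", "createSnapshot", "/tmp"),
    "truncated line without audit fields",
]

if __name__ == "__main__":
    vecs, skipped = feature_vectors(SAMPLE)
    for key, vec in vecs.items():
        print(key, vec)
    print("skipped:", skipped)
```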
The model training comprises the following sub-steps:
S31: Construct the sample data matrix from the extracted model training data;
S32: Based on parallelized PCA, compute the covariance matrix and the sample mean: split the sample matrix horizontally into N blocks and obtain the sample mean and covariance matrix with the MapReduce computing component;
S33: Compute the eigenvalues and corresponding eigenvectors of the covariance matrix, and determine the number of principal components k according to the variance contribution rate;
S34: Determine the principal components and construct the transformation matrix according to the variance contribution rate: build the transformation matrix from the eigenvectors corresponding to the k largest eigenvalues; the product of the sample matrix and the transformation matrix is the principal component matrix;
S35: Store the resulting sample mean and transformation matrix in the model database for use in anomaly detection.
The user behavior anomaly detection comprises the following sub-steps:
S41: For a given user, extract a feature vector from the test data and apply mean adjustment;
S42: Compute the Euclidean distance between the mean-adjusted vector and that vector's principal component reconstruction; if the distance exceeds a preset threshold, the behavior is abnormal; otherwise it is normal;
The principal component reconstruction of the mean-adjusted vector is the vector obtained by first mapping the mean-adjusted vector to the principal component subspace with the transformation matrix obtained in training, and then using the transpose of the transformation matrix to reconstruct the mapped vector back into the original space;
The method tests user behavior anomaly detection in two situations:
(1) To test the false detection rate of the method, part of one user's feature vector data is extracted as training data and the remainder is used as test data;
(2) To test the detection rate of the method, part of one user's feature vector data is extracted as training data and part of other users' data is extracted as test data.
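Steps S31 to S35, S41 to S42 and the two test situations above, sketched as an added example that is not the patent's own code. The map/reduce split into per-block sums and outer-product sums is one standard way to obtain the mean and covariance block by block (the page does not give its map and reduce functions); a pure-Python Jacobi eigen-solver stands in for a library routine; the two usage profiles, the 0.9 contribution rate and the mean + 3σ threshold rule are assumptions.

```python
import math
import random

def map_block(block):
    """Map: row count, column sums and sum of outer products x x^T for one row block."""
    d = len(block[0])
    s = [0.0] * d
    outer = [[0.0] * d for _ in range(d)]
    for x in block:
        for i in range(d):
            s[i] += x[i]
            for j in range(d):
                outer[i][j] += x[i] * x[j]
    return len(block), s, outer

def mean_cov(samples, n_blocks):
    """S32: split the sample matrix row-wise into blocks, reduce to mean and covariance."""
    size = math.ceil(len(samples) / n_blocks)
    parts = [map_block(samples[i:i + size]) for i in range(0, len(samples), size)]
    d, n = len(samples[0]), sum(p[0] for p in parts)
    mu = [sum(p[1][i] for p in parts) / n for i in range(d)]
    cov = [[(sum(p[2][i][j] for p in parts) - n * mu[i] * mu[j]) / (n - 1)
            for j in range(d)] for i in range(d)]
    return mu, cov

def jacobi_eigh(a, sweeps=60):
    """S33: eigenpairs of a symmetric matrix (cyclic Jacobi), largest eigenvalue first."""
    d = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(d)] for i in range(d)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(d) for j in range(i + 1, d)) < 1e-18:
            break
        for p in range(d - 1):
            for q in range(p + 1, d):
                if a[p][q] == 0.0:
                    continue
                diff = a[q][q] - a[p][p]
                sgn = -1.0 if diff < 0 else 1.0
                t = 0.5 * math.atan2(sgn * 2 * a[p][q], abs(diff))   # |t| <= pi/4
                c, s = math.cos(t), math.sin(t)
                for k in range(d):   # rotate columns p, q of A and V
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                    v[k][p], v[k][q] = c * v[k][p] - s * v[k][q], s * v[k][p] + c * v[k][q]
                for k in range(d):   # rotate rows p, q of A
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
    return sorted(((a[i][i], [v[k][i] for k in range(d)]) for i in range(d)),
                  key=lambda pair: -pair[0])

def train(samples, n_blocks=4, contribution=0.9):
    """S31-S35: return the sample mean and the transformation matrix (k eigenvectors)."""
    mu, cov = mean_cov(samples, n_blocks)
    pairs = jacobi_eigh(cov)
    total = sum(val for val, _ in pairs)
    w, acc = [], 0.0
    for val, vec in pairs:           # smallest k reaching the variance contribution rate
        w.append(vec)
        acc += val
        if acc / total >= contribution:
            break
    return mu, w

def reconstruction_distance(x, mu, w):
    """S41-S42: distance between the mean-adjusted vector and its PCA reconstruction."""
    z = [xi - mi for xi, mi in zip(x, mu)]
    y = [sum(wi * zi for wi, zi in zip(vec, z)) for vec in w]         # to the subspace
    z_hat = [sum(y[k] * w[k][i] for k in range(len(w))) for i in range(len(z))]
    return math.sqrt(sum((zi - hi) ** 2 for zi, hi in zip(z, z_hat)))

def windows(profile, n, seed):
    """Constructed data: n 13-dim count vectors scattered around one usage profile."""
    rng = random.Random(seed)
    return [[max(0, p * a + round(rng.uniform(-1, 1))) for p in profile]
            for a in (rng.randint(1, 10) for _ in range(n))]

PROFILE_A = [6, 5, 4, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0]   # constructed: read-mostly user
PROFILE_B = [0, 0, 0, 0, 0, 8, 6, 0, 0, 0, 0, 0, 0]   # constructed: different command mix

def evaluate(seed=1):
    """Return (k, threshold, false detection rate, detection rate) on constructed data."""
    a = windows(PROFILE_A, 300, seed)
    train_a, held_out = a[:200], a[200:]      # situation (1): same user, held-out part
    other = windows(PROFILE_B, 100, seed + 1) # situation (2): another user's vectors
    mu, w = train(train_a)
    dists = [reconstruction_distance(x, mu, w) for x in train_a]
    mean = sum(dists) / len(dists)
    std = math.sqrt(sum((v - mean) ** 2 for v in dists) / len(dists))
    threshold = mean + 3 * std                # assumed rule; the page says "preset threshold"
    def flagged(x):
        return reconstruction_distance(x, mu, w) > threshold
    false_rate = sum(map(flagged, held_out)) / len(held_out)
    detect_rate = sum(map(flagged, other)) / len(other)
    return len(w), threshold, false_rate, detect_rate

if __name__ == "__main__":
    print(evaluate())
```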
The beneficial effects of the invention are as follows: it provides an effective and correct anomaly detection method for HDFS file data access behavior on Hadoop clusters, overcoming the inapplicability of traditional anomaly detection methods in the Hadoop cluster environment; and the principal component analysis algorithm used by the method has been parallelized, improving model training efficiency.
Brief description of the drawings
Fig. 1 is a flow chart of the invention;
Fig. 2 is a flow chart of model training in the invention;
Fig. 3 is a flow chart of user behavior anomaly detection in the invention;
Fig. 4 is a diagram of the parallelized principal component analysis process of the invention.
Detailed description of the embodiments
The technical solution of the invention is described in further detail below with reference to the accompanying drawings, but the scope of protection of the invention is not limited to the following.
As shown in Fig. 1, a user behavior anomaly detection method for Hadoop clusters comprises the following steps:
S1: User behavior data collection: Hadoop integrates the Apache open-source project Log4j by default; the Log4j log management service obtains the HDFS audit log from the cluster's NameNode node and stores it in a database;
S2: Data preprocessing: read the audit records from the database; for each user's audit records, count the number of times each file operation command occurs within a time window and combine the counts into a feature vector, written $x = (x_1, x_2, \dots, x_{13})$. There are 13 kinds of file operation commands in total, and the value in each dimension is the number of times one kind of file operation command occurs within the time window. Applying this in turn yields a feature vector set, that is, the patterns to be detected. The feature vector set can serve as model training data and as test data;
S3: Model training: extract part of the feature vector set of one user as training data and construct a sample data matrix; reduce the dimensionality of the sample data with the parallel PCA algorithm proposed by the invention to obtain the sample mean and the transformation matrix, and store them in that user's model library. The models of other users are trained in the same way. The transformation matrix mainly serves to map samples from the original space to the principal component subspace;
S4: User behavior anomaly detection: for a given user, match the user's current behavior pattern (feature vector) against the historical behavior pattern obtained by training that user's model; if they do not match, the behavior is abnormal.
As shown in Fig. 2, the steps of model training are:
S31: Construct the sample data matrix from the extracted model training data (the feature vector set);
S32: As shown in Fig. 4, based on parallelized PCA, compute the covariance matrix and the sample mean: split the sample matrix horizontally into N blocks and obtain the sample mean and covariance matrix with the MapReduce computing component. Extract part of the feature vector set of one user as training data and construct a sample data matrix; reduce the dimensionality of the sample data with the parallel PCA algorithm proposed by the invention to obtain the sample mean and the transformation matrix, and store them in that user's model library. The models of other users are trained in the same way. The transformation matrix mainly serves to map samples from the original space to the principal component subspace;
Specifically, the parallelized PCA formulas are as follows: obtain the feature vector matrix $X_i$, $X_i = [X_1, X_2, \dots, X_{13}]^T$; the mean matrix and covariance matrix of $X$ are denoted $\mu = E(X)$ and $\Sigma = D(X)$ respectively.
S33: Compute the eigenvalues and corresponding eigenvectors of the covariance matrix, and determine the number of principal components k according to the variance contribution rate;
S34: Determine the principal components and construct the transformation matrix according to the variance contribution rate: build the transformation matrix from the eigenvectors corresponding to the k largest eigenvalues; the product of the sample matrix and the transformation matrix is the principal component matrix;
S35: Obtain the principal component matrix from the transformation matrix, and store the resulting sample mean and transformation matrix in the model database for use in anomaly detection.
As shown in Fig. 3, in user behavior anomaly detection the current behavior pattern (feature vector) of a given user is matched against the historical behavior pattern obtained by training that user's model; if they do not match, the behavior is abnormal. The specific steps are as follows:
S41: Take the behavior feature vectors of the current user as test data;
S42: Under the MapReduce framework, take the current user's behavior feature vectors as the data to be tested and apply mean adjustment;
S43: Compute the distance between the feature vector to be tested and the feature vector after principal component reconstruction;
S44: Threshold judgment: if the distance exceeds the threshold, classify the current user behavior as abnormal and record it; if it does not exceed the threshold, classify the current user behavior as normal;
S45: Check whether test data remains: if test data remains, perform mean adjustment again; when no test data remains, end the test.
The above is only the preferred embodiment of the invention. It should be understood that the invention is not limited to the form disclosed herein, which should not be regarded as excluding other embodiments; it can be used in various other combinations, modifications and environments, and can be modified within the scope contemplated herein through the above teachings or the skill or knowledge of the relevant field. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the invention shall all fall within the scope of protection of the appended claims.
Claims (10)
1. A user behavior anomaly detection method for Hadoop clusters, characterized in that it comprises the following steps:
S1: User behavior data collection, the user behavior data including the audit records of users accessing the HDFS of the Hadoop cluster;
S2: Data preprocessing: for each user's audit records, count the user behavior features within a time window to form a feature vector, then apply this in turn to different users and different time windows, obtaining a feature vector set that covers multiple users and their behavior features in different periods;
S3: Model training: for each user, extract part of the feature vector set as training data and construct a sample data matrix; reduce the dimensionality of the sample data to obtain the sample mean and the transformation matrix, the transformation matrix mapping the original sample space to the principal component subspace;
S4: User behavior anomaly detection.
2. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterized in that the audit records include the access date and time, the user identifier, the file operation command and the client IP address; the audit records are obtained from the cluster's NameNode node through the Hadoop log management service.
3. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterized in that the user behavior features include, over the user's log records within the time window, the number of times each kind of file operation command occurs.
4. The user behavior anomaly detection method for Hadoop clusters according to claim 4, characterized in that the feature vector formed from the user behavior features is expressed as $x = (x_1, x_2, \dots, x_n)$, where n is the total number of file operation commands and the value in each dimension of the feature vector is the number of times one kind of file operation command occurs within the time window.
5. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterized in that the dimensionality reduction of the sample data comprises the following sub-steps:
S21: Extraction and counting: read the audit records from the database and, for each user's audit records, count the number of times each file operation command occurs within a time window;
S22: Construct the feature vector.
6. The user behavior anomaly detection method for Hadoop clusters according to claim 5, characterized in that the feature vector is constructed from frequency attributes; there are 13 kinds of file operation commands in total, and the value in each dimension is the number of times one kind of file operation command occurs within the time window, where the 13 dimensions correspond to the number of kinds of HDFS file operation commands; the feature vector set can serve both as model training data and as test data.
7. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterized in that the model training comprises the following sub-steps:
S31: Construct the sample data matrix from the extracted model training data;
S32: Compute the covariance matrix and the sample mean based on parallelized PCA: split the sample matrix horizontally into N blocks and obtain the sample mean and covariance matrix with the MapReduce computing component;
S33: Compute the eigenvalues and corresponding eigenvectors of the covariance matrix, and determine the number of principal components k according to the variance contribution rate;
S34: Build the transformation matrix from the eigenvectors corresponding to the k largest eigenvalues; the product of the sample matrix and the transformation matrix is the principal component matrix;
S35: Store the resulting sample mean and transformation matrix in the model database for use in anomaly detection.
8. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterized in that the user behavior anomaly detection comprises the following sub-steps:
S41: For a given user, extract a feature vector from the test data and apply mean adjustment;
S42: Compute the Euclidean distance between the mean-adjusted vector and that vector's principal component reconstruction; if the distance exceeds a preset threshold, the behavior is abnormal; otherwise it is normal.
9. The user behavior anomaly detection method for Hadoop clusters according to claim 6, characterized in that the principal component reconstruction of the mean-adjusted vector is the vector obtained by first mapping the mean-adjusted vector to the principal component subspace with the transformation matrix obtained in training, and then using the transpose of the transformation matrix to reconstruct the mapped vector back into the original space.
10. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterized in that user behavior anomaly detection is tested in two situations:
(1) To test the false detection rate of the method, part of a user's feature vector data is extracted as training data and the remainder is used as test data;
(2) To test the detection rate of the method, part of a user's feature vector data is extracted as training data and part of other users' data is extracted as test data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710384599.7A CN107222472A (en) | 2017-05-26 | 2017-05-26 | A kind of user behavior method for detecting abnormality under Hadoop clusters |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107222472A true CN107222472A (en) | 2017-09-29 |
Family
ID=59945516
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710384599.7A Pending CN107222472A (en) | 2017-05-26 | 2017-05-26 | A kind of user behavior method for detecting abnormality under Hadoop clusters |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107222472A (en) |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108040052A (en) * | 2017-12-13 | 2018-05-15 | 北京明朝万达科技股份有限公司 | A kind of network security threats analysis method and system based on Netflow daily record datas |
CN108173818A (en) * | 2017-12-13 | 2018-06-15 | 北京明朝万达科技股份有限公司 | A kind of network security threats analysis method and system based on Proxy daily record datas |
CN108399700A (en) * | 2018-01-31 | 2018-08-14 | 上海乐愚智能科技有限公司 | Theft preventing method and smart machine |
CN108596738A (en) * | 2018-05-08 | 2018-09-28 | 新华三信息安全技术有限公司 | A kind of user behavior detection method and device |
CN108881194A (en) * | 2018-06-07 | 2018-11-23 | 郑州信大先进技术研究院 | Enterprises user anomaly detection method and device |
CN109033889A (en) * | 2018-08-13 | 2018-12-18 | 杭州安恒信息技术股份有限公司 | A kind of invasive biology method, apparatus and intelligent terminal based on space-time collision |
CN109657803A (en) * | 2018-03-23 | 2019-04-19 | 新华三大数据技术有限公司 | The building of machine learning model |
CN109688166A (en) * | 2019-02-28 | 2019-04-26 | 新华三信息安全技术有限公司 | A kind of exception outgoing behavioral value method and device |
CN110427971A (en) * | 2019-07-05 | 2019-11-08 | 五八有限公司 | Recognition methods, device, server and the storage medium of user and IP |
CN110830450A (en) * | 2019-10-18 | 2020-02-21 | 平安科技(深圳)有限公司 | Abnormal flow monitoring method, device and equipment based on statistics and storage medium |
CN111163097A (en) * | 2019-12-31 | 2020-05-15 | 新浪网技术(中国)有限公司 | Web application firewall implementation system and method |
CN112306835A (en) * | 2020-11-02 | 2021-02-02 | 平安科技(深圳)有限公司 | User data monitoring and analyzing method, device, equipment and medium |
CN112579728A (en) * | 2020-12-18 | 2021-03-30 | 成都民航西南凯亚有限责任公司 | Behavior abnormity identification method and device based on mass data full-text retrieval |
CN113011476A (en) * | 2021-03-05 | 2021-06-22 | 桂林电子科技大学 | User behavior safety detection method based on self-adaptive sliding window GAN |
CN113821794A (en) * | 2021-09-14 | 2021-12-21 | 北京八分量信息科技有限公司 | Distributed trusted computing system and method |
CN117834299A (en) * | 2024-03-04 | 2024-04-05 | 福建银数信息技术有限公司 | Network security intelligent supervision and management method and system |
EP3918500B1 (en) * | 2019-03-05 | 2024-04-24 | Siemens Industry Software Inc. | Machine learning-based anomaly detections for embedded software applications |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150227809A1 (en) * | 2014-02-12 | 2015-08-13 | International Business Machines Corporation | Anomaly detection in medical imagery |
CN105024877A (en) * | 2015-06-01 | 2015-11-04 | 北京理工大学 | Hadoop malicious node detection system based on network behavior analysis |
CN106101116A (en) * | 2016-06-29 | 2016-11-09 | 东北大学 | A kind of user behavior abnormality detection system based on principal component analysis and method |
-
2017
- 2017-05-26 CN CN201710384599.7A patent/CN107222472A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150227809A1 (en) * | 2014-02-12 | 2015-08-13 | International Business Machines Corporation | Anomaly detection in medical imagery |
CN105024877A (en) * | 2015-06-01 | 2015-11-04 | 北京理工大学 | Hadoop malicious node detection system based on network behavior analysis |
CN106101116A (en) * | 2016-06-29 | 2016-11-09 | 东北大学 | A kind of user behavior abnormality detection system based on principal component analysis and method |
Non-Patent Citations (2)
Title |
---|
侯咏佳等: "主成分分析算法的FPGA实现", 《机电工程》 * |
贺婷: "面向Hadoop的云计算平台安全监测技术研究", 《中国优秀硕士学位论文全文数据库(电子期刊) 信息科技辑》 * |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108173818A (en) * | 2017-12-13 | 2018-06-15 | 北京明朝万达科技股份有限公司 | A kind of network security threats analysis method and system based on Proxy daily record datas |
CN108040052A (en) * | 2017-12-13 | 2018-05-15 | 北京明朝万达科技股份有限公司 | A kind of network security threats analysis method and system based on Netflow daily record datas |
CN108399700A (en) * | 2018-01-31 | 2018-08-14 | 上海乐愚智能科技有限公司 | Theft preventing method and smart machine |
CN109657803A (en) * | 2018-03-23 | 2019-04-19 | 新华三大数据技术有限公司 | The building of machine learning model |
CN109657803B (en) * | 2018-03-23 | 2020-04-03 | 新华三大数据技术有限公司 | Construction of machine learning models |
CN108596738A (en) * | 2018-05-08 | 2018-09-28 | 新华三信息安全技术有限公司 | A kind of user behavior detection method and device |
CN108881194B (en) * | 2018-06-07 | 2020-12-11 | 中国人民解放军战略支援部队信息工程大学 | Method and device for detecting abnormal behaviors of users in enterprise |
CN108881194A (en) * | 2018-06-07 | 2018-11-23 | 郑州信大先进技术研究院 | Enterprises user anomaly detection method and device |
CN109033889A (en) * | 2018-08-13 | 2018-12-18 | 杭州安恒信息技术股份有限公司 | A kind of invasive biology method, apparatus and intelligent terminal based on space-time collision |
CN109033889B (en) * | 2018-08-13 | 2020-12-18 | 杭州安恒信息技术股份有限公司 | Intrusion identification method and device based on space-time collision and intelligent terminal |
CN109688166B (en) * | 2019-02-28 | 2021-06-04 | 新华三信息安全技术有限公司 | Abnormal outgoing behavior detection method and device |
CN109688166A (en) * | 2019-02-28 | 2019-04-26 | 新华三信息安全技术有限公司 | A kind of exception outgoing behavioral value method and device |
EP3918500B1 (en) * | 2019-03-05 | 2024-04-24 | Siemens Industry Software Inc. | Machine learning-based anomaly detections for embedded software applications |
CN110427971A (en) * | 2019-07-05 | 2019-11-08 | 五八有限公司 | Recognition methods, device, server and the storage medium of user and IP |
CN110830450A (en) * | 2019-10-18 | 2020-02-21 | 平安科技(深圳)有限公司 | Abnormal flow monitoring method, device and equipment based on statistics and storage medium |
CN111163097A (en) * | 2019-12-31 | 2020-05-15 | 新浪网技术(中国)有限公司 | Web application firewall implementation system and method |
WO2022088632A1 (en) * | 2020-11-02 | 2022-05-05 | 平安科技(深圳)有限公司 | User data monitoring and analysis method, apparatus, device, and medium |
CN112306835A (en) * | 2020-11-02 | 2021-02-02 | 平安科技(深圳)有限公司 | User data monitoring and analyzing method, device, equipment and medium |
CN112306835B (en) * | 2020-11-02 | 2024-05-28 | 平安科技(深圳)有限公司 | User data monitoring and analyzing method, device, equipment and medium |
CN112579728A (en) * | 2020-12-18 | 2021-03-30 | 成都民航西南凯亚有限责任公司 | Behavior abnormity identification method and device based on mass data full-text retrieval |
CN113011476A (en) * | 2021-03-05 | 2021-06-22 | 桂林电子科技大学 | User behavior safety detection method based on self-adaptive sliding window GAN |
CN113011476B (en) * | 2021-03-05 | 2022-11-11 | 桂林电子科技大学 | User behavior safety detection method based on self-adaptive sliding window GAN |
CN113821794A (en) * | 2021-09-14 | 2021-12-21 | 北京八分量信息科技有限公司 | Distributed trusted computing system and method |
CN113821794B (en) * | 2021-09-14 | 2023-08-18 | 北京八分量信息科技有限公司 | Distributed trusted computing system and method |
CN117834299A (en) * | 2024-03-04 | 2024-04-05 | 福建银数信息技术有限公司 | Network security intelligent supervision and management method and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107222472A (en) | | A kind of user behavior method for detecting abnormality under Hadoop clusters |
US9479518B1 (en) | | Low false positive behavioral fraud detection |
US20200012933A1 (en) | | Systems and methods for synthetic data generation |
CN105827594B (en) | | A kind of dubiety detection method based on domain name readability and domain name mapping behavior |
CN110958136A (en) | | Deep learning-based log analysis early warning method |
CN107493277B (en) | | Large data platform online anomaly detection method based on maximum information coefficient |
CN106778253A (en) | | Threat context aware information security Initiative Defense model based on big data |
CN105637519A (en) | | Cognitive information security using a behavior recognition system |
Roschke et al. | | A flexible and efficient alert correlation platform for distributed ids |
US11595416B2 (en) | | Method, product, and system for maintaining an ensemble of hierarchical machine learning models for detection of security risks and breaches in a network |
CN110378124A (en) | | A kind of network security threats analysis method and system based on LDA machine learning |
CN111046022A (en) | | Database auditing method based on big data technology |
CN107402957A (en) | | The structure and user behavior method for detecting abnormality, system in user behavior pattern storehouse |
CN107733902A (en) | | A kind of monitoring method and device of target data diffusion process |
CN116957049B (en) | | Unsupervised internal threat detection method based on countermeasure self-encoder |
CN106951776A (en) | | A kind of Host Anomaly Detection method and system |
CN115883213B (en) | | APT detection method and system based on continuous time dynamic heterogeneous graph neural network |
CN110188015A (en) | | A kind of host access relation abnormal behaviour self-adapting detecting device and its monitoring method |
CN115021997A (en) | | Network intrusion detection system based on machine learning |
CN106657065A (en) | | Network abnormality detection method based on data mining |
CN104579782A (en) | | Hotspot security event identification method and system |
CN107659560A (en) | | A kind of abnormal auditing method for mass network data flow log processing |
Sönmez et al. | | Anomaly detection using data mining methods in it systems: a decision support application |
Sun et al. | | LogPal: A generic anomaly detection scheme of heterogeneous logs for network systems |
WO2024027487A1 (en) | | Health degree evaluation method and apparatus based on intelligent operations and maintenance scene |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170929 |