CN107222472A - A user behavior anomaly detection method for Hadoop clusters - Google Patents

Publication number
CN107222472A
Authority
CN
China
Prior art keywords
user
data
user behavior
matrix
hadoop clusters
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710384599.7A
Other languages
Chinese (zh)
Inventor
郝玉洁
钟德建
王芷若
崔建鹏
陆文斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Application filed by University of Electronic Science and Technology of China
Priority to CN201710384599.7A
Publication of CN107222472A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10: File systems; File servers
    • G06F16/18: File system types
    • G06F16/182: Distributed file systems

Abstract

The invention discloses a user behavior anomaly detection method for Hadoop clusters. The method collects and analyzes user behavior data and records it in logs, forms feature vectors from the user's behavioral features, and processes the feature vector set with a parallel principal component analysis algorithm to obtain the user's behavior pattern efficiently. By comparison with the historical pattern, it finds abnormal behavior produced when the user accesses HDFS and at the same time uncovers security threats hidden in the Hadoop cluster, thereby safeguarding HDFS. The invention not only establishes effective monitoring of users' data access behavior, discovering abnormal behavior promptly and safeguarding the data security of the Hadoop cluster, but also improves model training efficiency by parallelizing the principal component analysis algorithm, solving the low training efficiency of conventional models.

Description

A user behavior anomaly detection method for Hadoop clusters
Technical field
The present invention relates to a user behavior anomaly detection method, and in particular to a user behavior anomaly detection method for Hadoop-based clusters.
Background
In recent years the Hadoop platform, as an outstanding distributed computing system, has played an increasingly important role in large-scale enterprise data processing. However, Hadoop was not designed with security in mind. Although some security mechanisms were added later, Hadoop's security audit, access control and identity authentication mechanisms are all passive, static security techniques that cannot monitor user activity, which leaves the cluster exposed to hidden attacks. For example, an unauthorized user may steal the account and password of a legitimate user and use the associated permissions to access data without authorization; data leaks also arise easily from malicious intrusion, during maintenance and when storage media are lost, so the data security of the cluster is hard to guarantee. Data is the carrier of information, and a data disaster may cause immeasurable loss to users. It is therefore necessary to establish effective monitoring of users' data access behavior, discover abnormal behavior promptly, and safeguard the data security of the Hadoop cluster.
Research in China on monitoring based on user activity is relatively scarce. Ashish Kamra et al. proposed an anomaly detection method for relational database access patterns based on users' SQL query logs, but the method targets relational databases only and is not suited to user behavior monitoring on big data platforms. Mohiuddin Solaimani et al. proposed a Spark-based framework for detecting virtual machine performance anomalies, whose purpose is to find which users occupy large amounts of resources and so cause unbalanced resource sharing that affects cluster efficiency; but Spark computes in memory and cannot cope when the data scale is very large or intermediate results exceed memory capacity. Liu Peng proposed an abstract architecture and a general abnormal-behavior detection solution for databases, but gave no specific algorithm. Fredrik Valeur et al. proposed a machine-learning-based SQL attack detection method, but only for web back-end databases.
Traditional user behavior anomaly detection methods focus mainly on databases and on cluster performance anomalies. The database methods generally target relational databases and do not apply to the distributed environment of a Hadoop cluster; cluster performance anomalies are not pronounced under mechanisms such as the Hadoop platform's own load balancing, so the accuracy of the detection results is low. In addition, the data scale in a Hadoop cluster is usually very large, and model training algorithms based on traditional principal component analysis are relatively inefficient.
The optimized method of the present invention therefore establishes effective monitoring of users' data access behavior, discovers abnormal behavior promptly and safeguards the data security of the Hadoop cluster; it also improves model training efficiency by parallelizing the principal component analysis algorithm, solving the low training efficiency of conventional models.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing a user behavior anomaly detection method for Hadoop clusters that not only solves the problem of monitoring abnormal behavior when users access HDFS data in a Hadoop cluster, but also parallelizes the traditional principal component analysis algorithm, solving the low efficiency of model training.
The object of the invention is achieved through the following technical solution: a user behavior anomaly detection method for Hadoop clusters, comprising the following steps:
S1: User behavior data collection: HDFS audit logs are obtained from the cluster's NameNode through the Hadoop log management service (Log4j) and stored in a database;
S2: Data preprocessing;
S3: Model training: for one user, part of that user's feature vector set is extracted as training data and arranged into a sample data matrix; the dimensionality of the sample data is reduced with the parallel principal component analysis algorithm proposed by the invention, yielding the sample mean and the transformation matrix, which are stored in that user's model library. Models for other users are trained in the same way. The transformation matrix maps samples from the original space to the principal component subspace;
S4: User behavior anomaly detection: for a given user, the user's current behavior pattern (feature vector) is matched against the historical behavior pattern obtained by training that user's model; if they do not match, the behavior is abnormal.
In the user behavior data collection, the Hadoop log management service is used: Hadoop integrates the Apache open-source project Log4j by default, and HDFS audit logs are obtained from the cluster's NameNode through the Log4j log management service and stored in a database;
The user behavior data are the audit records produced when a user accesses HDFS; each record includes the access date and time, the user identifier, the file operation command and the client IP address;
The data preprocessing comprises the following steps:
S21: Extraction and counting: audit records are read from the database and, for each user's audit records, the number of times each file operation command occurs within a time window is counted;
S22: Construction of the feature vector.
The feature vector is constructed from frequency attributes and is written $x = (x_1, x_2, \ldots, x_{13})$. There are 13 file operation commands in total, and the value of each dimension is the number of times one file operation command occurs within the time window; applying this to successive windows yields a feature vector set. The 13 dimensions correspond to the number of kinds of HDFS file operation commands. The feature vector set can serve both as model training data and as test data;
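The preprocessing in S21 and S22, as an added Python example that is not part of the patent: it parses NameNode audit lines and counts each command per user and time window. The 13 command names, the 10-minute window, reading lines directly rather than from a database, and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption: the page says there are 13 HDFS file operation commands but does
# not list them; these 13 audit "cmd" values are chosen for illustration.
COMMANDS = ["open", "create", "append", "delete", "rename", "mkdirs",
            "listStatus", "getfileinfo", "setPermission", "setOwner",
            "setReplication", "setTimes", "contentSummary"]
EPOCH = datetime(1970, 1, 1)

# NameNode audit layout: timestamp, then tab-separated key=value fields.
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"ugi=(?P<user>\S+).*?ip=/(?P<ip>\S+)\s+cmd=(?P<cmd>\S+)")


def parse_audit_line(line):
    """Return (timestamp, user, client_ip, cmd), or None for a non-audit line."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("user"), m.group("ip"), m.group("cmd")


def feature_vectors(lines, window_seconds=600):
    """S21/S22: per user, one 13-dimensional count vector per time window."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_audit_line(line)
        # Commands outside the assumed 13 are dropped, so they never reach
        # the model; widen COMMANDS if that blind spot matters.
        if rec is None or rec[3] not in COMMANDS:
            continue
        ts, user, _ip, cmd = rec
        secs = int((ts - EPOCH).total_seconds())
        counts[(user, secs - secs % window_seconds)][cmd] += 1
    vectors = defaultdict(list)
    for (user, start), c in sorted(counts.items()):
        label = (EPOCH + timedelta(seconds=start)).strftime("%Y-%m-%d %H:%M:%S")
        vectors[user].append((label, [c[cmd] for cmd in COMMANDS]))
    return dict(vectors)


def _audit(ts, user, ip, cmd, src):
    """Build one constructed audit line (sample data, not a real log)."""
    return (f"{ts} INFO FSNamesystem.audit: allowed=true\tugi={user} "
            f"(auth:SIMPLE)\tip=/{ip}\tcmd={cmd}\tsrc={src}\tdst=null\tperm=null")


SAMPLE_LINES = [  # constructed sample input
    _audit("2017-05-26 10:01:05,120", "alice", "10.0.0.5", "open", "/data/a.csv"),
    _audit("2017-05-26 10:02:11,004", "alice", "10.0.0.5", "open", "/data/b.csv"),
    _audit("2017-05-26 10:03:40,500", "alice", "10.0.0.5", "listStatus", "/data"),
    _audit("2017-05-26 10:04:09,900", "bob", "10.0.0.9", "create", "/tmp/x"),
    "2017-05-26 10:05:00,000 INFO BlockStateChange: BLOCK* addStoredBlock",
    _audit("2017-05-26 10:12:00,000", "alice", "10.0.0.5", "delete", "/data/a.csv"),
]

if __name__ == "__main__":
    for user, rows in feature_vectors(SAMPLE_LINES).items():
        for window_start, vector in rows:
            print(user, window_start, vector)
```
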
The model training comprises the following sub-steps:
S31: Construct the sample data matrix from the extracted model training data;
S32: Based on parallelized principal component analysis, compute the covariance matrix and the sample mean: the sample matrix is split horizontally into N blocks, and the sample mean and covariance matrix are computed with MapReduce;
S33: Compute the eigenvalues and corresponding eigenvectors of the covariance matrix, and determine the number of principal components k from the variance contribution ratio;
S34: Determine the principal components from the variance contribution ratio and construct the transformation matrix from the eigenvectors corresponding to the k largest eigenvalues; the product of the sample matrix and the transformation matrix is the principal component matrix;
S35: Store the resulting sample mean and transformation matrix in the model database for use in anomaly detection.
The user behavior anomaly detection comprises the following sub-steps:
S41: For a given user, extract one feature vector from the test data and apply mean adjustment;
S42: Compute the Euclidean distance between the mean-adjusted vector and its principal component reconstruction; if the distance exceeds a preset threshold, the behavior is abnormal; otherwise it is normal;
The principal component reconstruction of the mean-adjusted vector is the vector obtained by mapping the mean-adjusted vector into the principal component subspace with the transformation matrix obtained in training, and then mapping the result back to the original space with the transpose of the transformation matrix;
The anomaly detection of user behavior is tested in two cases:
(1) To test the false detection rate of the method, part of one user's feature vector data is extracted as training data and the remainder is used as test data;
(2) To test the detection rate of the method, part of one user's feature vector data is extracted as training data and part of other users' data is used as test data.
The beneficial effects of the invention are as follows: it provides an effective and correct abnormal-behavior detection method for HDFS file data access in Hadoop clusters, overcomes the inapplicability of traditional anomaly detection methods to the Hadoop cluster environment, and parallelizes the principal component analysis algorithm the method uses, improving the efficiency of model training.
Brief description of the drawings
Fig. 1 is the flow chart of the invention;
Fig. 2 is the model training flow chart of the invention;
Fig. 3 is the user behavior anomaly detection flow chart of the invention;
Fig. 4 is the diagram of the parallelized principal component analysis procedure of the invention.
Detailed description of embodiments
The technical solution of the invention is described in further detail below with reference to the drawings, but the scope of protection of the invention is not limited to what follows.
As shown in Fig. 1, a user behavior anomaly detection method for Hadoop clusters comprises the following steps:
S1: User behavior data collection: Hadoop integrates the Apache open-source project Log4j by default; HDFS audit logs are obtained from the cluster's NameNode through the Log4j log management service and stored in a database;
S2: Data preprocessing. Audit records are read from the database; for each user's audit records, the number of times each file operation command occurs within a time window is counted, and the counts are combined into a feature vector $x = (x_1, x_2, \ldots, x_{13})$. There are 13 file operation commands in total, and the value of each dimension is the number of times one file operation command occurs within the time window. Applying this to successive windows yields a feature vector set, that is, the patterns to be detected. The feature vector set can be used as model training data and as test data;
S3: Model training: for one user, part of that user's feature vector set is extracted as training data and arranged into a sample data matrix; the dimensionality of the sample data is reduced with the parallel principal component analysis algorithm proposed by the invention, yielding the sample mean and the transformation matrix, which are stored in that user's model library. Models for other users are trained in the same way. The transformation matrix maps samples from the original space to the principal component subspace;
S4: User behavior anomaly detection: for a given user, the user's current behavior pattern (feature vector) is matched against the historical behavior pattern obtained by training that user's model; if they do not match, the behavior is abnormal.
As shown in Fig. 2, the steps of model training are:
S31: Construct the sample data matrix from the extracted model training data (the feature vector set);
S32: As shown in Fig. 4, based on parallelized principal component analysis, compute the covariance matrix and the sample mean: the sample matrix is split horizontally into N blocks, and the sample mean and covariance matrix are computed with MapReduce. For one user, part of that user's feature vector set is extracted as training data and arranged into a sample data matrix; the dimensionality of the sample data is reduced with the parallel principal component analysis algorithm proposed by the invention, yielding the sample mean and the transformation matrix, which are stored in that user's model library. Models for other users are trained in the same way. The transformation matrix maps samples from the original space to the principal component subspace;
Specifically, the parallelized principal component analysis is formulated as follows: obtain the feature vector matrix $X_i$, $X_i = [X_1, X_2, \ldots, X_{13}]^T$; the mean matrix and covariance matrix of $X$ are denoted $\mu = E(X)$ and $\Sigma = D(X)$ respectively.
S33: Compute the eigenvalues and corresponding eigenvectors of the covariance matrix, and determine the number of principal components k from the variance contribution ratio;
S34: Determine the principal components from the variance contribution ratio and construct the transformation matrix from the eigenvectors corresponding to the k largest eigenvalues; the product of the sample matrix and the transformation matrix is the principal component matrix;
S35: Obtain the principal component matrix from the transformation matrix, and store the resulting sample mean and transformation matrix in the model database for use in anomaly detection.
As shown in Fig. 3, in user behavior anomaly detection, for a given user, the user's current behavior pattern (feature vector) is matched against the historical behavior pattern obtained by training that user's model; if they do not match, the behavior is abnormal. The specific steps are as follows:
S41: Take the behavior feature vector of the current user as test data;
S42: Under the MapReduce framework, take the current user's behavior feature vector as the data to be tested and apply mean adjustment;
S43: Compute the distance between the feature vector to be tested and the feature vector after principal component reconstruction;
S44: Compare against the threshold: if the distance exceeds the threshold, the current user's behavior is classified as abnormal and recorded; if it does not exceed the threshold, the current user's behavior is classified as normal;
S45: Check whether test data remain: if so, return to the mean adjustment step; when no test data remain, end the test.
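The training steps S31 to S35 and the detection steps S41 to S44, as an added Python example that is not the patent's own code. Per-block partial sums stand in for the MapReduce map and reduce steps, and a Jacobi eigen-solver is swapped in because the page names no eigen-decomposition routine; the vector slot order, the 0.9 variance contribution ratio, the threshold of 3.0 and the training data are constructed assumptions.

```python
import math


def block_stats(block):
    """Map step: row count, sum vector and sum of outer products of one block."""
    d = len(block[0])
    s, ss = [0.0] * d, [[0.0] * d for _ in range(d)]
    for x in block:
        for i in range(d):
            s[i] += x[i]
            for j in range(d):
                ss[i][j] += x[i] * x[j]
    return len(block), s, ss


def merge_stats(parts):
    """Reduce step: combine the partial sums into sample mean and covariance."""
    n, d = sum(p[0] for p in parts), len(parts[0][1])
    mean = [sum(p[1][i] for p in parts) / n for i in range(d)]
    cov = [[(sum(p[2][i][j] for p in parts) - n * mean[i] * mean[j]) / (n - 1)
            for j in range(d)] for i in range(d)]
    return mean, cov


def jacobi_eigh(a, sweeps=50):
    """Eigenpairs of a symmetric matrix (cyclic Jacobi), largest eigenvalue first."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-18:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                diff = a[q][q] - a[p][p]
                sign = 1.0 if diff >= 0 else -1.0      # keeps |theta| <= pi/4
                theta = 0.5 * math.atan2(sign * 2 * a[p][q], sign * diff)
                c, s = math.cos(theta), math.sin(theta)
                for m in (a, v):                       # rotate columns p, q
                    for k in range(n):
                        mp, mq = m[k][p], m[k][q]
                        m[k][p], m[k][q] = c * mp - s * mq, s * mp + c * mq
                for k in range(n):                     # rotate rows p, q of A
                    ap, aq = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * ap - s * aq, s * ap + c * aq
    return sorted(((a[i][i], [v[k][i] for k in range(n)]) for i in range(n)),
                  key=lambda t: -t[0])


def train(samples, n_blocks=4, ratio=0.9):
    """S31-S35: return the sample mean and the k eigenvectors of the transform."""
    size = math.ceil(len(samples) / n_blocks)          # horizontal split
    parts = [block_stats(samples[i:i + size]) for i in range(0, len(samples), size)]
    mean, cov = merge_stats(parts)
    pairs = jacobi_eigh(cov)
    total, acc, basis = sum(max(lam, 0.0) for lam, _ in pairs), 0.0, []
    for lam, vec in pairs:                             # cumulative contribution
        basis.append(vec)
        acc += max(lam, 0.0)
        if total == 0 or acc / total >= ratio:
            break
    return mean, basis


def reconstruction_distance(x, mean, basis):
    """S41-S43: mean-adjust, project, reconstruct, return the Euclidean distance."""
    z = [xi - mi for xi, mi in zip(x, mean)]
    coords = [sum(w * zi for w, zi in zip(vec, z)) for vec in basis]
    recon = [sum(c * vec[i] for c, vec in zip(coords, basis)) for i in range(len(z))]
    return math.sqrt(sum((zi - ri) ** 2 for zi, ri in zip(z, recon)))


def vec13(open_=0, getfileinfo=0, list_status=0, delete=0, set_permission=0):
    """Constructed 13-dimensional count vector; the slot order is an assumption."""
    return [open_, getfileinfo, list_status, delete, set_permission] + [0] * 8


# Constructed training windows for one user: getfileinfo tracks open 2:1.
TRAIN = [vec13(10 + t % 7, 2 * (10 + t % 7), 3 + t % 3) for t in range(40)]
THRESHOLD = 3.0  # assumed value; the page only says the threshold is preset
MEAN, BASIS = train(TRAIN)

if __name__ == "__main__":
    for x in (vec13(12, 24, 4), vec13(12, 24, 4, 40, 25), vec13(12, 0, 4)):
        dist = reconstruction_distance(x, MEAN, BASIS)  # S44: threshold test
        print(x[:5], round(dist, 3), "abnormal" if dist > THRESHOLD else "normal")
```

The third test vector has no unusual command at all; it is flagged only because it breaks the learned 2:1 relation between two counts, which is what the reconstruction distance measures.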
The above is only the preferred embodiment of the invention. It should be understood that the invention is not limited to the form disclosed herein, which is not to be regarded as excluding other embodiments; the invention can be used in various other combinations, modifications and environments, and can be modified within the scope contemplated herein through the above teachings or through the skill or knowledge of the related art. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the invention shall all fall within the scope of protection of the appended claims.

Claims (10)

1. A user behavior anomaly detection method for Hadoop clusters, characterised in that it comprises the following steps:
S1: User behavior data collection, the user behavior data including the audit records of users accessing the HDFS of the Hadoop cluster;
S2: Data preprocessing: for each user's audit records, the user behavior features within a time window are counted to form a feature vector; applying this in turn to different users and different time windows yields a feature vector set covering multiple users and their behavior features in different periods;
S3: Model training: part of each user's feature vector set is extracted as training data and arranged into a sample data matrix, and the dimensionality of the sample data is reduced to obtain the sample mean and the transformation matrix, the transformation matrix mapping the original sample space to the principal component subspace;
S4: User behavior anomaly detection.
2. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterised in that the audit records include the access date and time, the user identifier, the file operation command and the client IP address; the audit records are obtained from the cluster's NameNode through the Hadoop log management service.
3. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterised in that the user behavior features include, over the user's log records within the time window, the number of times each file operation command occurs.
4. The user behavior anomaly detection method for Hadoop clusters according to claim 4, characterised in that the feature vector formed from the user behavior features is expressed as $x = (x_1, x_2, \ldots, x_n)$, where n is the total number of file operation commands and the value of each dimension of the feature vector is the number of times one file operation command occurs within the time window.
5. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterised in that the sample data dimension-reduction processing includes the following sub-steps:
S21: Extraction and counting: audit records are read from the database and, for each user's audit records, the number of times each file operation command occurs within a time window is counted;
S22: Construction of the feature vector.
6. The user behavior anomaly detection method for Hadoop clusters according to claim 5, characterised in that the feature vector is constructed from frequency attributes; there are 13 file operation commands in total, and the value of each dimension is the number of times one file operation command occurs within the time window, the 13 dimensions corresponding to the number of kinds of HDFS file operation commands; the feature vector set can serve both as model training data and as test data.
7. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterised in that the model training includes the following sub-steps:
S31: Construct the sample data matrix from the extracted model training data;
S32: Compute the covariance matrix and the sample mean based on parallelized principal component analysis: the sample matrix is split horizontally into N blocks, and the sample mean and covariance matrix are computed with MapReduce;
S33: Compute the eigenvalues and corresponding eigenvectors of the covariance matrix, and determine the number of principal components k from the variance contribution ratio;
S34: Construct the transformation matrix from the eigenvectors corresponding to the k largest eigenvalues; the product of the sample matrix and the transformation matrix is the principal component matrix;
S35: Store the resulting sample mean and transformation matrix in the model database for use in anomaly detection.
8. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterised in that the user behavior anomaly detection includes the following sub-steps:
S41: For a given user, extract one feature vector from the test data and apply mean adjustment;
S42: Compute the Euclidean distance between the mean-adjusted vector and its principal component reconstruction; if the distance exceeds a preset threshold, the behavior is abnormal; otherwise it is normal.
9. The user behavior anomaly detection method for Hadoop clusters according to claim 6, characterised in that the principal component reconstruction of the mean-adjusted vector is the vector obtained by mapping the mean-adjusted vector into the principal component subspace with the transformation matrix obtained in training, and then mapping the result back to the original space with the transpose of the transformation matrix.
10. The user behavior anomaly detection method for Hadoop clusters according to claim 1, characterised in that the anomaly detection of user behavior is tested in two cases:
(1) To test the false detection rate of the method, part of a user's feature vector data is extracted as training data and the remainder is used as test data;
(2) To test the detection rate of the method, part of a user's feature vector data is extracted as training data and part of other users' data is used as test data.

Application number: CN201710384599.7A
Publication number: CN107222472A (en)
Title: A user behavior anomaly detection method for Hadoop clusters
Priority date: 2017-05-26
Filing date: 2017-05-26
Publication date: 2017-09-29
Status: Pending
Family ID: 59945516
Country: CN

US9479518B1 (en) Low false positive behavioral fraud detection
US20200012933A1 (en) Systems and methods for synthetic data generation
CN105827594B (en) A kind of dubiety detection method based on domain name readability and domain name mapping behavior
CN110958136A (en) Deep learning-based log analysis early warning method
CN107493277B (en) Large data platform online anomaly detection method based on maximum information coefficient
CN106778253A (en) Threat context aware information security Initiative Defense model based on big data
CN105637519A (en) Cognitive information security using a behavior recognition system
Roschke et al. A flexible and efficient alert correlation platform for distributed ids
US11595416B2 (en) Method, product, and system for maintaining an ensemble of hierarchical machine learning models for detection of security risks and breaches in a network
CN110378124A (en) A kind of network security threats analysis method and system based on LDA machine learning
CN111046022A (en) Database auditing method based on big data technology
CN107402957A (en) The structure and user behavior method for detecting abnormality, system in user behavior pattern storehouse
CN107733902A (en) A kind of monitoring method and device of target data diffusion process
CN116957049B (en) Unsupervised internal threat detection method based on countermeasure self-encoder
CN106951776A (en) A kind of Host Anomaly Detection method and system
CN115883213B (en) APT detection method and system based on continuous time dynamic heterogeneous graph neural network
CN110188015A (en) A kind of host access relation abnormal behaviour self-adapting detecting device and its monitoring method
CN115021997A (en) Network intrusion detection system based on machine learning
CN106657065A (en) Network abnormality detection method based on data mining
CN104579782A (en) Hotspot security event identification method and system
CN107659560A (en) A kind of abnormal auditing method for mass network data flow log processing
Sönmez et al. Anomaly detection using data mining methods in it systems: a decision support application
Sun et al. LogPal: A generic anomaly detection scheme of heterogeneous logs for network systems
WO2024027487A1 (en) Health degree evaluation method and apparatus based on intelligent operations and maintenance scene

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170929