CN107306252B - A kind of data analysing method and system - Google Patents
- Publication number
- CN107306252B CN201610249798.2A
- Authority
- CN
- China
- Prior art keywords
- user behavior
- track
- user
- behavior track
- fitting
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
An embodiment of the present invention provides a data analysis method and system: obtain user behavior data; draw a user behavior track according to the association relationships in the user behavior data; compare the user behavior track with a site map by track fitting to obtain a comparison result; and, if the comparison result is that the user behavior track cannot be fitted onto the network map, determine that the user behavior track is an abnormal behavior track.
Description
Technical field
The present invention relates to the technical field of computer network security, and in particular to a data analysis method and system.
Background technique
With the rapid development of the Internet, systems based on the Browser/Server (B/S) architecture have been widely used in every field of life and work. To address the security problems of such systems, protection methods such as intrusion prevention systems/intrusion detection systems (Intrusion Prevention System/Intrusion Detection System, IPS/IDS) and firewalls have found broad application.
However, existing protection methods such as IPS/IDS and firewalls can only provide protection between the local area network and the Internet. In a B/S architecture system accessed over the Hypertext Transfer Protocol (HTTP), the server trusts all of the data sent by the browser, while the data packets sent by the browser are often maliciously tampered with, exposing the server to Internet attacks such as unauthorized access, cross-site scripting and Structured Query Language (SQL) injection. This poses a great challenge to system security and to the protection of user information.
Based on this, a user behavior analysis system can raise alarms on attacks after the fact by analyzing and auditing user operation logs. But because the volume of user logs is huge, relying entirely on manual analysis and audit is not feasible. Moreover, because there is no fixed classification model, abnormal user operations cannot be accurately identified among normal user operation behavior.
Summary of the invention
In view of this, embodiments of the present invention provide a data analysis method and system to solve the above problems.
To achieve the above objectives, the technical solution of the embodiments of the present invention is realized as follows.
An embodiment of the present invention provides a data analysis method, the method comprising:
obtaining user behavior data;
drawing a user behavior track according to the association relationships in the user behavior data;
comparing the user behavior track with a site map by track fitting to obtain a comparison result;
if the comparison result is that the user behavior track cannot be fitted onto the network map, determining that the user behavior track is an abnormal behavior track.
In the above scheme, after the user behavior track is drawn, the method further includes:
detecting whether the user behavior track meets a first preset condition, the first preset condition indicating that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and a normal operation time threshold is less than a preset threshold;
if the user behavior track meets the first preset condition, determining that the user behavior corresponding to the user behavior track is an attack.
In the above scheme, the method further includes:
if the user behavior track does not meet the first preset condition, continuing to detect whether the user behavior track meets a second preset condition, the second preset condition indicating that the data uploaded on the same URL in the user behavior track is different;
if the user behavior track does not meet the second preset condition, continuing with the operation of comparing the user behavior track with the site map by track fitting;
if the user behavior track meets the second preset condition, determining that the user behavior corresponding to the user behavior track is an attack.
In the above scheme, the method further includes:
if the comparison result is that the user behavior track can be fitted onto the network map, performing a fitting judgement between the user behavior track and a user permission map;
if the fitting judgement result shows that the user behavior track goes beyond the user's permission boundary, determining that the user behavior corresponding to the user behavior track is a permission-exceeding attack.
In the above scheme, the method further includes:
if the fitting judgement result shows that the user behavior track does not go beyond the user's permission boundary, performing a cluster judgement on the user behavior track to obtain a cluster judgement result;
if the cluster judgement result shows that the user behavior track is the behavior of most users, determining that the user behavior track is a normal user track, and recording the user behavior track and adding it to the user permission map;
if the cluster judgement result shows that the user behavior track is the behavior of a few users, determining that the user behavior track is an abnormal behavior track.
In the above scheme, after determining that the user behavior track is an abnormal behavior track, the method further includes:
performing manual audit analysis on the user behavior track to further judge whether the user behavior track is an attack;
if the user behavior track is determined to be an attack, recording the user behavior track and adding it to the user permission map.
An embodiment of the present invention also provides a data analysis system, the system comprising an obtaining module, a drawing module, a fitting comparison module and a determining module.
The obtaining module is configured to obtain user behavior data.
The drawing module is configured to draw a user behavior track according to the association relationships in the user behavior data.
The fitting comparison module is configured to compare the user behavior track with a site map by track fitting to obtain a comparison result.
The determining module is configured to determine that the user behavior track is an abnormal behavior track if the comparison result is that the user behavior track cannot be fitted onto the network map.
In the above scheme, the system further includes a detection module.
The detection module is configured to detect whether the user behavior track meets a first preset condition, the first preset condition indicating that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and a normal operation time threshold is less than a preset threshold.
The determining module is further configured to determine that the user behavior corresponding to the user behavior track is an attack if the user behavior track meets the first preset condition.
In the above scheme, the detection module is further configured to continue detecting whether the user behavior track meets a second preset condition if the user behavior track does not meet the first preset condition, the second preset condition indicating that the data uploaded on the same URL in the user behavior track is different.
Correspondingly, the fitting comparison module is further configured to continue with the operation of comparing the user behavior track with the site map by track fitting if the user behavior track does not meet the second preset condition.
The determining module is further configured to determine that the user behavior corresponding to the user behavior track is an attack if the user behavior track meets the second preset condition.
In the above scheme, the system further includes a fitting judgement module.
The fitting judgement module is configured to perform a fitting judgement between the user behavior track and a user permission map if the comparison result is that the user behavior track can be fitted onto the network map.
The determining module is further configured to determine that the user behavior corresponding to the user behavior track is a permission-exceeding attack if the fitting judgement result shows that the user behavior track goes beyond the user's permission boundary.
In the above scheme, the system further includes a cluster judgement module.
The cluster judgement module is configured to perform a cluster judgement on the user behavior track to obtain a cluster judgement result if the fitting judgement result shows that the user behavior track does not go beyond the user's permission boundary.
The determining module is further configured to determine that the user behavior track is a normal user track, and to record the user behavior track and add it to the user permission map, if the cluster judgement result shows that the user behavior track is the behavior of most users; and to determine that the user behavior track is an abnormal behavior track if the cluster judgement result shows that the user behavior track is the behavior of a few users.
In the above scheme, the system further includes a manual audit analysis module.
The manual audit analysis module is configured to perform manual audit analysis on the user behavior track to further judge whether the user behavior track is an attack, and, if the user behavior track is determined to be an attack, to record the user behavior track and add it to the user permission map.
In the embodiments of the present invention, user behavior data is obtained; a user behavior track is drawn according to the association relationships in the user behavior data; the user behavior track is compared with a site map by track fitting to obtain a comparison result; and, if the comparison result is that the user behavior track cannot be fitted onto the network map, the user behavior track is determined to be an abnormal behavior track. In this way, by fitting user behavior tracks to the site map, abnormal attack behavior is discovered to the greatest extent, which avoids the problem that abnormal behavior analysis cannot rely entirely on manual analysis and audit when the volume of user logs is large.
Brief description of the drawings
Fig. 1 is a first schematic flowchart of the data analysis method of an embodiment of the present invention;
Fig. 2 is an architecture diagram of the user behavior analysis system of an embodiment of the present invention;
Fig. 3 is a second schematic flowchart of the data analysis method of an embodiment of the present invention;
Fig. 4 is a third schematic flowchart of the data analysis method of an embodiment of the present invention;
Fig. 5 is a fourth schematic flowchart of the data analysis method of an embodiment of the present invention;
Fig. 6 is a schematic flowchart of a specific implementation of the data analysis method of an embodiment of the present invention;
Fig. 7 is a schematic diagram of the composition of the data analysis system of an embodiment of the present invention.
Detailed description of the embodiments
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Embodiment one
Fig. 1 is a first schematic flowchart of the data analysis method of an embodiment of the present invention. As shown in Fig. 1, the data analysis method of this embodiment includes:
Step 101: obtain user behavior data.
The user behavior data includes information such as the login time, the unique user identifier, the uniform resource locator (Uniform Resource Locator, URL), the residence time and the uploaded data.
Specifically, with reference to the user behavior analysis system shown in Fig. 2, the user log recorder in the user behavior analysis system is an important source of user behavior data; the user behavior data can therefore be obtained directly from the user log recorder.
Step 102: draw a user behavior track according to the association relationships in the user behavior data.
Here, the login time, unique user identifier, URL, residence time, uploaded data and other information contained in the user behavior data are related to one another. Accordingly, as shown in Fig. 2, the user behavior track plotter in the user behavior analysis system works from the association relationships in the user data, for example distinguishing users by their unique identifier and associating the context between user log entries by login time, so as to depict the user behavior track of the complete process from the user logging in to the website to leaving the website.
Step 103: compare the user behavior track with the site map by track fitting to obtain a comparison result.
The site map is a context map of the entire website, formed by the site map renderer shown in Fig. 2, which uses web crawler technology to draw the website structure tree and the association relationships between the links. Here, a user's normal operation behavior should move sequentially between adjacent links on the map. If a jump appears in the user's operation behavior, or the user appears at some place on the website outside the assigned permissions, the behavior can be identified as an attack. Therefore, as shown in Fig. 2, the site map renderer is connected to the track fitting determiner, the normal behavior classifier and the abnormal behavior classifier. The site map renderer provides the basic map service for the latter three and is the basis on which they perform behavior identification and judgement.
Step 104: if the comparison result is that the user behavior track cannot be fitted onto the network map, determine that the user behavior track is an abnormal behavior track.
With reference to steps 103 to 104 of this embodiment, as shown in Fig. 2, the user behavior track plotter in the user data analysis system is connected to the track fitting determiner and provides it with user behavior tracks. Specifically, the track fitter compares the user's behavior track with the site map generated by the site map renderer. If the track can be properly fitted onto the site map, it is passed to the normal behavior classifier for analysis; a user track that cannot be fitted onto the site map is defined as abnormal user behavior and passed to the abnormal behavior classifier.
In the data analysis method of this embodiment, user behavior data is obtained; a user behavior track is drawn according to the association relationships in the user behavior data; the user behavior track is compared with the site map by track fitting to obtain a comparison result; and, if the comparison result is that the user behavior track cannot be fitted onto the network map, the user behavior track is determined to be an abnormal behavior track. In this way, by fitting user behavior tracks to the site map, abnormal attack behavior is discovered to the greatest extent, which avoids the problem that abnormal behavior analysis cannot rely entirely on manual analysis and audit when the volume of user logs is large.
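Steps 101 to 104 as a runnable sketch, added here as an illustration and not taken from the patent: log records are grouped into tracks and each hop is checked against a crawled link graph. The `seq` field, the sample site map and log records, and the rule that a reload counts as fitting are assumptions.

```python
from collections import defaultdict

# Constructed site map: page -> pages it links to, as a crawler would record them.
SITE_MAP = {
    "/login": {"/home"},
    "/home": {"/orders", "/profile"},
    "/orders": {"/orders/detail", "/home"},
    "/orders/detail": {"/orders"},
    "/profile": {"/home"},
}

# Constructed log records. "seq" (request order within one login session) is an
# assumed field; the text lists only login time, user identifier, URL,
# residence time and uploaded data.
LOG = [
    {"user": "u1", "login": "2016-04-20T09:00", "seq": 2, "url": "/home"},
    {"user": "u1", "login": "2016-04-20T09:00", "seq": 1, "url": "/login"},
    {"user": "u1", "login": "2016-04-20T09:00", "seq": 3, "url": "/orders"},
    {"user": "u1", "login": "2016-04-20T09:00", "seq": 4, "url": "/orders/detail"},
    {"user": "u2", "login": "2016-04-20T09:05", "seq": 1, "url": "/login"},
    {"user": "u2", "login": "2016-04-20T09:05", "seq": 2, "url": "/orders/detail"},
    {"user": "u3", "login": "2016-04-20T09:07", "seq": 1, "url": "/login"},
    {"user": "u3", "login": "2016-04-20T09:07", "seq": 2, "url": "/home"},
    {"user": "u3", "login": "2016-04-20T09:07", "seq": 3, "url": "/admin/export"},
]


def draw_tracks(records):
    """Step 102: group records by (user identifier, login time), then order them."""
    sessions = defaultdict(list)
    for rec in records:
        sessions[(rec["user"], rec["login"])].append(rec)
    return {
        key: [r["url"] for r in sorted(recs, key=lambda r: r["seq"])]
        for key, recs in sessions.items()
    }


def fit_to_site_map(track, site_map):
    """Step 103: return the hops of a track that cannot be laid onto the site map.

    A hop fits when it follows a link between adjacent pages. Staying on the
    same known page (a reload) is treated as fitting, which is an assumption.
    """
    misfits = []
    if not track:
        return misfits
    if track[0] not in site_map:
        misfits.append((None, track[0]))      # entry point is not on the map
    for src, dst in zip(track, track[1:]):
        if src == dst and src in site_map:
            continue
        if dst not in site_map.get(src, set()):
            misfits.append((src, dst))        # jump, or page missing from the map
    return misfits


def classify(records, site_map):
    """Step 104: any misfit hop makes the whole track an abnormal behavior track."""
    verdicts = {}
    for session, track in draw_tracks(records).items():
        misfits = fit_to_site_map(track, site_map)
        verdicts[session] = ("abnormal", misfits) if misfits else ("fits", [])
    return verdicts


if __name__ == "__main__":
    for session, verdict in classify(LOG, SITE_MAP).items():
        print(session, verdict)
```

The misfit list is what an analyst would want in the alert: it names the exact hop that left the map, which separates a jump between two real pages (u2) from a request for a page the crawler never saw (u3).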
Embodiment two
Fig. 3 is a second schematic flowchart of the data analysis method of an embodiment of the present invention. As shown in Fig. 3, the data analysis method of this embodiment includes:
Step 301: obtain user behavior data.
The user behavior data includes information such as the login time, the unique user identifier, the URL, the residence time and the uploaded data.
Specifically, with reference to the user behavior analysis system shown in Fig. 2, the user log recorder in the user behavior analysis system is an important source of user behavior data; the user behavior data can therefore be obtained directly from the user log recorder.
Step 302: draw a user behavior track according to the association relationships in the user behavior data.
Here, the login time, unique user identifier, URL, residence time, uploaded data and other information contained in the user behavior data are related to one another. Accordingly, as shown in Fig. 2, the user behavior track plotter in the user behavior analysis system works from the association relationships in the user data, for example distinguishing users by their unique identifier and associating the context between user log entries by login time, so as to depict the user behavior track of the complete process from the user logging in to the website to leaving the website.
Step 303: detect whether the user behavior track meets the first preset condition.
The first preset condition indicates that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and the normal operation time threshold is less than a preset threshold.
Step 304: if the user behavior track meets the first preset condition, determine that the user behavior corresponding to the user behavior track is an attack.
Step 305: if the user behavior track does not meet the first preset condition, continue to detect whether the user behavior track meets the second preset condition.
The second preset condition indicates that the data uploaded on the same URL in the user behavior track is different.
Step 306: if the user behavior track meets the second preset condition, determine that the user behavior corresponding to the user behavior track is an attack.
Here, with reference to steps 302 to 306 of this embodiment, a preliminary analysis of the user behavior is made while the user behavior track is being drawn. By comparing the residence time on the same URL with the normal operation time threshold, it can be distinguished whether an operation comes from a human or from an automation tool; using this as the criterion, attacks generated by automated attack tools are preliminarily identified. In addition, possible attacks can be further mined and identified from the different data uploaded to the same URL and from the differences in uploaded data between the preceding and following tracks.
Step 307: if the user behavior track does not meet the second preset condition, continue by comparing the user behavior track with the site map by track fitting to obtain a comparison result.
The site map is a context map of the entire website, formed by the site map renderer shown in Fig. 2, which uses web crawler technology to draw the website structure tree and the association relationships between the links. Here, a user's normal operation behavior should move sequentially between adjacent links on the map. If a jump appears in the user's operation behavior, or the user appears at some place on the website outside the assigned permissions, the behavior can be identified as an attack. Therefore, as shown in Fig. 2, the site map renderer is connected to the track fitting determiner, the normal behavior classifier and the abnormal behavior classifier. The site map renderer provides the basic map service for the latter three and is the basis on which they perform behavior identification and judgement.
Step 308: if the comparison result is that the user behavior track cannot be fitted onto the network map, determine that the user behavior track is an abnormal behavior track.
With reference to steps 307 to 308 of this embodiment, as shown in Fig. 2, the user behavior track plotter in the user data analysis system is connected to the track fitting determiner and provides it with user behavior tracks. Specifically, the track fitter compares the user's behavior track with the site map generated by the site map renderer. If the track can be properly fitted onto the site map, it is passed to the normal behavior classifier for analysis; a user track that cannot be fitted onto the site map is defined as abnormal user behavior and passed to the abnormal behavior classifier.
With the data analysis method of this embodiment, by fitting user behavior tracks to the site map, abnormal attack behavior is discovered to the greatest extent, which avoids the problem that abnormal behavior analysis cannot rely entirely on manual analysis and audit when the volume of user logs is large.
Embodiment three
Fig. 4 is a third schematic flowchart of the data analysis method of an embodiment of the present invention. As shown in Fig. 4, the data analysis method of this embodiment includes:
Step 401: obtain user behavior data.
The user behavior data includes information such as the login time, the unique user identifier, the URL, the residence time and the uploaded data.
Specifically, with reference to the user behavior analysis system shown in Fig. 2, the user log recorder in the user behavior analysis system is an important source of user behavior data; the user behavior data can therefore be obtained directly from the user log recorder.
Step 402: draw a user behavior track according to the association relationships in the user behavior data.
Here, the login time, unique user identifier, URL, residence time, uploaded data and other information contained in the user behavior data are related to one another. Accordingly, as shown in Fig. 2, the user behavior track plotter in the user behavior analysis system works from the association relationships in the user data, for example distinguishing users by their unique identifier and associating the context between user log entries by login time, so as to depict the user behavior track of the complete process from the user logging in to the website to leaving the website.
Step 403: compare the user behavior track with the site map by track fitting to obtain a comparison result.
The site map is a context map of the entire website, formed by the site map renderer shown in Fig. 2, which uses web crawler technology to draw the website structure tree and the association relationships between the links. Here, a user's normal operation behavior should move sequentially between adjacent links on the map. If a jump appears in the user's operation behavior, or the user appears at some place on the website outside the assigned permissions, the behavior can be identified as an attack. Therefore, as shown in Fig. 2, the site map renderer is connected to the track fitting determiner, the normal behavior classifier and the abnormal behavior classifier. The site map renderer provides the basic map service for the latter three and is the basis on which they perform behavior identification and judgement.
With reference to steps 402 to 403 of this embodiment, as shown in Fig. 2, the user behavior track plotter in the user data analysis system is connected to the track fitting determiner and provides it with user behavior tracks. Specifically, the track fitter compares the user's behavior track with the site map generated by the site map renderer. If the track can be properly fitted onto the site map, it is passed to the normal behavior classifier for analysis.
Step 404: if the comparison result is that the user behavior track can be fitted onto the network map, perform a fitting judgement between the user behavior track and the user permission map.
Step 405: if the fitting judgement result shows that the user behavior track goes beyond the user's permission boundary, determine that the user behavior corresponding to the user behavior track is a permission-exceeding attack.
Step 406: if the fitting judgement result shows that the user behavior track does not go beyond the user's permission boundary, perform a cluster judgement on the user behavior track to obtain a cluster judgement result.
Step 407: if the cluster judgement result shows that the user behavior track is the behavior of most users, determine that the user behavior track is a normal user track, and record the user behavior track and add it to the user permission map.
Step 408: if the cluster judgement result shows that the user behavior track is the behavior of a few users, determine that the user behavior track is an abnormal behavior track.
Here, as shown in Fig. 2, with reference to steps 404 to 408 of this embodiment, for user behavior tracks that can be fitted to the site map, the normal behavior classifier classifies the tracks using a pattern-recognition clustering method. On the basis that most user behavior on a website is normal operation and abnormal attack behavior is only a minority of operations, the operation tracks of normal user behavior are identified. These operation tracks are fed back to the track fitter in order to identify normal behavior. Tracks that cannot be classified as normal behavior are passed to the abnormal behavior classifier.
With the data analysis method of this embodiment, by fitting user behavior tracks to the site map, abnormal attack behavior is discovered to the greatest extent, which avoids the problem that abnormal behavior analysis cannot rely entirely on manual analysis and audit when the volume of user logs is large. Further, the normal behavior classifier can automatically recognize users' normal operation behavior, which significantly reduces the workload of manual audit analysis.
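Steps 404 to 408 as a runnable sketch, added here and not part of the patent. The permission-map layout, the sample users and tracks and the 0.5 majority share are assumptions, and counting identical page sequences stands in for the pattern-recognition clustering the text names.

```python
from collections import Counter

STAFF = {"/home", "/orders", "/orders/detail"}
ADMIN = STAFF | {"/admin/users"}


def new_permission_map():
    """Constructed user permission map (layout assumed): the URLs each user may
    reach, plus the normal tracks recorded for that user so far."""
    users = {"alice": STAFF, "bob": STAFF, "carol": STAFF, "dave": STAFF,
             "erin": STAFF, "frank": STAFF, "grace": ADMIN}
    return {u: {"allowed": set(urls), "normal": set()} for u, urls in users.items()}


# Constructed tracks that already fit the site map: (user, page sequence).
COMMON = ("/home", "/orders", "/orders/detail")
TRACKS = [
    ("alice", COMMON), ("bob", COMMON), ("carol", COMMON), ("dave", COMMON),
    ("erin", ("/home", "/orders", "/home", "/orders", "/home", "/orders")),
    ("frank", ("/home", "/admin/users")),   # on the map, outside frank's permissions
    ("grace", ("/home", "/admin/users")),   # permitted for grace, but rarely seen
]


def judge(tracks, permission_map, min_share=0.5):
    """Return (user, track, verdict) for every track.

    Steps 404-405: a track touching a URL outside the user's permission
    boundary is a permission-exceeding attack; so is a track from a user with
    no entry in the map.
    Steps 406-408: the remaining tracks are grouped by exact page sequence.
    A group holding at least `min_share` of them is majority behavior, so its
    tracks are normal and are recorded in the permission map; the rest are
    abnormal behavior tracks.
    """
    results, in_bounds = [], []
    for user, track in tracks:
        entry = permission_map.get(user)
        if entry is None or any(url not in entry["allowed"] for url in track):
            results.append((user, track, "exceeds-permission attack"))
        else:
            in_bounds.append((user, track))

    counts = Counter(track for _, track in in_bounds)
    for user, track in in_bounds:
        if counts[track] / len(in_bounds) >= min_share:
            permission_map[user]["normal"].add(track)   # step 407: record it
            results.append((user, track, "normal"))
        else:
            results.append((user, track, "abnormal"))   # step 408
    return results


if __name__ == "__main__":
    pm = new_permission_map()
    for user, track, verdict in judge(TRACKS, pm):
        print(f"{user:6} {verdict:26} {' > '.join(track)}")
```

Note that grace's track is within her permissions yet still lands in the abnormal set because it is rare, so legitimate but infrequent administrative work depends on a later review to be recorded as normal.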
Embodiment four
Fig. 5 is a fourth schematic flowchart of the data analysis method of an embodiment of the present invention. As shown in Fig. 5, the data analysis method of this embodiment includes:
Step 501: obtain user behavior data.
The user behavior data includes information such as the login time, the unique user identifier, the URL, the residence time and the uploaded data.
Specifically, with reference to the user behavior analysis system shown in Fig. 2, the user log recorder in the user behavior analysis system is an important source of user behavior data; the user behavior data can therefore be obtained directly from the user log recorder.
Step 502: draw a user behavior track according to the association relationships in the user behavior data.
Here, the login time, unique user identifier, URL, residence time, uploaded data and other information contained in the user behavior data are related to one another. Accordingly, as shown in Fig. 2, the user behavior track plotter in the user behavior analysis system works from the association relationships in the user data, for example distinguishing users by their unique identifier and associating the context between user log entries by login time, so as to depict the user behavior track of the complete process from the user logging in to the website to leaving the website.
Step 503: compare the user behavior track with the site map by track fitting to obtain a comparison result.
The site map is a context map of the entire website, formed by the site map renderer shown in Fig. 2, which uses web crawler technology to draw the website structure tree and the association relationships between the links. Here, a user's normal operation behavior should move sequentially between adjacent links on the map. If a jump appears in the user's operation behavior, or the user appears at some place on the website outside the assigned permissions, the behavior can be identified as an attack. Therefore, as shown in Fig. 2, the site map renderer is connected to the track fitting determiner, the normal behavior classifier and the abnormal behavior classifier. The site map renderer provides the basic map service for the latter three and is the basis on which they perform behavior identification and judgement.
With reference to steps 502 to 503 of this embodiment, as shown in Fig. 2, the user behavior track plotter in the user data analysis system is connected to the track fitting determiner and provides it with user behavior tracks. Specifically, the track fitter compares the user's behavior track with the site map generated by the site map renderer. If the track can be properly fitted onto the site map, it is passed to the normal behavior classifier for analysis.
Step 504: if the comparison result is that the user behavior track can be fitted onto the network map, perform a fitting judgement between the user behavior track and the user permission map.
Step 505: if the fitting judgement result shows that the user behavior track goes beyond the user's permission boundary, determine that the user behavior corresponding to the user behavior track is a permission-exceeding attack.
Step 506: if the fitting judgement result shows that the user behavior track does not go beyond the user's permission boundary, perform a cluster judgement on the user behavior track to obtain a cluster judgement result.
Step 507: if the cluster judgement result shows that the user behavior track is the behavior of most users, determine that the user behavior track is a normal user track, and record the user behavior track and add it to the user permission map.
Step 508: if the cluster judgement result shows that the user behavior track is the behavior of a few users, determine that the user behavior track is an abnormal behavior track.
Here, as shown in Fig. 2, with reference to steps 504 to 508 of the embodiment of the present invention, for user behavior tracks that can be fitted onto the site map, the normal behaviour ranker sorts the tracks using a pattern-recognition clustering method. Taking as its distinguishing basis that most user behavior on a website is normal operation, while abnormal attack behavior accounts for only a minority of operations, it identifies the operation tracks of normal user behavior and feeds these tracks back to the track fitting device for use in identifying normal behavior. Tracks that cannot be classed as normal behavior are passed to the abnormal behaviour ranker.
Step 509: perform manual audit analysis on the user behavior track, to further judge whether the user behavior track is attack behavior;
Step 510: if the user behavior track is determined to be attack behavior, record and add the user behavior track to the user right map.
Here, as shown in Fig. 2, with reference to steps 509 to 510, the abnormal behaviour ranker in the user behavior analysis system submits the behavior tracks that cannot be fitted, and the tracks that cannot be classed as normal behavior, for manual audit analysis. The results are recorded and fed back to the track fitting determining device, which increases the samples available for automatic identification and makes user behavior analysis a closed-loop process. By analyzing behavior and iteratively optimizing the work, the efficiency of user behavior analysis is improved.
With the data analysing method of the embodiment of the present invention, fitting user behavior tracks to the site map discovers abnormal attack behavior to the greatest extent, which avoids the problem that, when the volume of user logs is large, abnormal behavior analysis cannot rely entirely on manual analysis and audit. Further, the normal behaviour ranker automatically recognizes users' normal operating behavior, which greatly reduces the workload of manual audit analysis. Moreover, the track fitting determining device, the normal behaviour ranker and the abnormal behaviour ranker together form a closed loop for user behavior analysis, so that analyzing behavior and iteratively optimizing the work effectively improves the efficiency of user behavior analysis.
Embodiment five
Fig. 6 is a schematic flow diagram of a specific implementation of the data analysing method of the embodiment of the present invention. As shown in Fig. 6, the data analysing method of the embodiment of the present invention includes:
Step 601: the site maps renderer draws the site map using crawler technology;
Step 602: a user accesses the website, and the user journal logger records user behavior data;
Step 603: the user behavior plotter uses the user behavior data generated in step 602 to draw the user behavior track from the association between items of information such as the user's unique identifier (ID), URL, access time and upload data;
Step 604: the user behavior plotter compares the residence time on the same URL with the normal operation time threshold to determine whether the time interval is less than the preset threshold;
Here, if the time interval is less than the preset threshold, go to step 605; otherwise, go to step 606;
Step 605: the access is deemed to come from an automated tool; using this as the criterion, attack behavior produced by automated attack tools is identified and an alarm is raised.
Step 606: determine whether the upload data for the same URL are identical.
Here, if the same URL has different upload data, go to step 607; otherwise go to step 608;
Step 607: the same URL with different upload data means an attack tool is loading different test payloads; the behavior is judged to be attack behavior and an alarm is raised.
Step 608: the track fitting device performs fitting comparison of the user behavior track against the site map. If no continuous, uninterrupted access track can be found on the map, go to step 609; otherwise go to step 610;
Step 609: because the user behavior track contains a jump, it is judged to be abnormal behavior; go to step 613.
Step 610: the user track is fitted against the user right map to see whether it exceeds the user right boundary. If it exceeds the user right boundary, go to step 611; otherwise go to step 612;
Step 611: the user has exceeded the permission boundary; this is an unauthorized-access attack, and an alarm is raised.
Step 612: user tracks that can be fitted onto the site map are submitted to the normal behaviour ranker, which performs cluster judgment on the user behavior tracks.
Here, the normal behaviour ranker assumes that, after filtering by the user behavior plotter and the track fitting device, most of the remaining behavior is normal operation and attack behavior is only a minority. It therefore uses a normal-behavior discrimination threshold to make a classification judgment on the classified user behavior, i.e. cluster judgment. If the user's behavior belongs to the majority, the track is judged to be a normal user track, is recorded, and is made available to the user behavior fitting device for fitting judgment; if it belongs to the minority, go to step 613;
Step 613: the abnormal behaviour ranker submits the user behavior that belongs to the minority to manual audit analysis, to determine whether it is attack behavior. If it is judged to be attack behavior, it is recorded and made available to the user behavior fitting device for fitting judgment, so as to identify abnormal attack behavior.
By fitting user behavior tracks to the site map, the embodiment of the present invention discovers abnormal attack behavior to the greatest extent. The normal behaviour ranker automatically identifies users' normal operating behavior, which greatly reduces the workload of manual audit analysis. Moreover, the track fitting determining device, the normal behaviour ranker and the abnormal behaviour ranker together form a closed loop for user behavior analysis, so that analyzing behavior and iteratively optimizing the work effectively improves the efficiency of user behavior analysis.
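The decision flow of steps 601 to 613 above, run over a small constructed access log, as an added example that is not part of the patent text. The site map, the user right map, both thresholds, the verdict labels and the use of identical URL sequences in place of the clustering step are assumptions made for illustration.

```python
from collections import Counter, defaultdict

MIN_DWELL_SECONDS = 1.0  # assumed normal-operation time threshold (step 604)
MAJORITY_SHARE = 0.5     # assumed share of tracks that counts as "most users"

# Constructed site map (step 601): page -> pages it links to.
SITE_MAP = {
    "/": {"/login"}, "/login": {"/home"},
    "/home": {"/products", "/admin"}, "/products": {"/cart"},
    "/cart": {"/orders"}, "/orders": {"/home"},
    "/admin": {"/admin/users"}, "/admin/users": {"/admin"},
}
# Constructed user right map: URLs inside each user's permission boundary.
USER_PAGES = {"/", "/login", "/home", "/products", "/cart", "/orders"}
USER_RIGHTS = {"heidi": USER_PAGES | {"/admin", "/admin/users"}}

def build_tracks(records):
    """Step 603: group records by user ID and order them by access time."""
    tracks = defaultdict(list)
    for user, url, ts, upload in sorted(records, key=lambda r: (r[0], r[2])):
        tracks[user].append((url, ts, upload))
    return dict(tracks)

def too_fast(track):
    """Step 604: some residence time (gap to the next request) is below threshold."""
    return any(b[1] - a[1] < MIN_DWELL_SECONDS for a, b in zip(track, track[1:]))

def varied_uploads(track):
    """Step 606: the same URL received different upload data."""
    seen = defaultdict(set)
    for url, _, upload in track:
        if upload:
            seen[url].add(upload)
    return any(len(values) > 1 for values in seen.values())

def fits_site_map(track):
    """Step 608: the URLs form one continuous path along site-map links."""
    urls = [url for url, _, _ in track]
    return (all(url in SITE_MAP for url in urls)
            and all(a == b or b in SITE_MAP[a] for a, b in zip(urls, urls[1:])))

def within_rights(user, track):
    """Step 610: every URL lies inside the user's permission boundary."""
    allowed = USER_RIGHTS.get(user, USER_PAGES)
    return all(url in allowed for url, _, _ in track)

def analyze(records):
    """Run steps 603 to 612 and return {user: verdict}."""
    verdicts, candidates = {}, {}
    for user, track in build_tracks(records).items():
        if too_fast(track):
            verdicts[user] = "automated-tool"     # step 605, alarm
        elif varied_uploads(track):
            verdicts[user] = "varied-uploads"     # step 607, alarm
        elif not fits_site_map(track):
            verdicts[user] = "jump-review"        # step 609, then manual audit
        elif not within_rights(user, track):
            verdicts[user] = "unauthorized"       # step 611, alarm
        else:
            candidates[user] = tuple(url for url, _, _ in track)
    # Step 612: identical URL sequences stand in for clusters (assumption).
    counts = Counter(candidates.values())
    for user, path in candidates.items():
        share = counts[path] / len(candidates)
        verdicts[user] = "normal" if share >= MAJORITY_SHARE else "minority-review"
    return verdicts

def visit(user, start, step, urls, uploads=None):
    """Constructed log records: one request every `step` seconds."""
    uploads = uploads or {}
    return [(user, url, start + i * step, uploads.get(i, "")) for i, url in enumerate(urls)]

SHOP = ["/", "/login", "/home", "/products", "/cart", "/orders"]
ADMIN = ["/", "/login", "/home", "/admin", "/admin/users"]
SAMPLE_LOG = (
    visit("alice", 0, 8, SHOP, {1: "user=alice"})
    + visit("bob", 3, 12, SHOP, {1: "user=bob"})
    + visit("carol", 5, 6, SHOP, {1: "user=carol"})
    + visit("dave", 10, 0.2, SHOP)                     # sub-second requests
    + visit("erin", 20, 5, ["/", "/login", "/login", "/login"],
            {1: "field=a", 2: "field=b", 3: "field=c"})  # same URL, changing data
    + visit("frank", 30, 7, ["/", "/login", "/home", "/admin/users"])  # skips a link
    + visit("grace", 40, 9, ADMIN)                     # linked pages outside her rights
    + visit("heidi", 50, 9, ADMIN)                     # permitted but rare path
)

if __name__ == "__main__":
    for user, verdict in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{user:6} {verdict}")
```

frank's track goes to manual audit because `/home` has no direct link to `/admin/users`, while grace's track follows real links and is caught only by the user right check. heidi's permitted but rare path lands in the minority and is also sent for review, which is the manual workload the feedback loop of step 613 is meant to shrink.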
Embodiment six
Fig. 7 is a schematic diagram of the composition of the data analysis system of the embodiment of the present invention. As shown in Fig. 7, the data analysis system 70 includes an acquisition module 701, a drafting module 702, a fitting comparison module 703 and a determining module 704;
The acquisition module 701 is configured to obtain user behavior data;
The drafting module 702 is configured to draw a user behavior track according to the association relations in the user behavior data;
The fitting comparison module 703 is configured to perform a track fitting comparison between the user behavior track and the site map to obtain a comparison result;
The determining module 704 is configured to determine that the user behavior track is an abnormal behaviour track if the comparison result is that the user behavior track does not fit onto the network map.
In one embodiment, as shown in Fig. 7, the system further includes a detection module 705;
The detection module 705 is configured to detect whether the user behavior track meets a first preset condition, the first preset condition indicating that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and the normal operation time threshold is less than a preset threshold;
The determining module 704 is further configured to determine that the user behavior corresponding to the user behavior track is attack behavior if the user behavior track meets the first preset condition.
In one embodiment, as shown in Fig. 7, the detection module 705 is further configured to, if the user behavior track does not meet the first preset condition, go on to detect whether the user behavior track meets a second preset condition, the second preset condition indicating that the upload data on the same URL in the user behavior track differ;
Correspondingly, the fitting comparison module 703 is further configured to, if the user behavior track does not meet the second preset condition, go on to perform the track fitting comparison between the user behavior track and the site map;
The determining module 704 is further configured to determine that the user behavior corresponding to the user behavior track is attack behavior if the user behavior track meets the second preset condition.
In one embodiment, as shown in Fig. 7, the system further includes a fitting judgment module 706;
The fitting judgment module 706 is configured to perform fitting judgment processing on the user behavior track against the user right map if the comparison result is that the user behavior track can be fitted onto the network map;
The determining module 704 is further configured to determine that the user behavior corresponding to the user behavior track is an unauthorized-access attack if the fitting judgment result shows that the user behavior track exceeds the user right boundary.
In one embodiment, as shown in Fig. 7, the system further includes a cluster judgment module 707;
The cluster judgment module 707 is configured to perform cluster judgment on the user behavior track, obtaining a cluster judgment result, if the fitting judgment result shows that the user behavior track does not exceed the user right boundary;
The determining module 704 is further configured to, if the cluster judgment result shows that the user behavior track is the behavior of most users, determine that the user behavior track is a normal user track, and record and add the user behavior track to the user right map; and is further configured to, if the cluster judgment result shows that the user behavior track is the behavior of a minority of users, determine that the user behavior track is an abnormal behaviour track.
In one embodiment, as shown in Fig. 7, the system further includes a manual audit analysis module 708;
The manual audit analysis module 708 is configured to perform manual audit analysis on the user behavior track, to further judge whether the user behavior track is attack behavior; and, if the user behavior track is determined to be attack behavior, to record and add the user behavior track to the user right map.
In practical applications, each module of the data analysis system described in the embodiment of the present invention may be implemented by a processor in the data analysis system, or by specific logic circuits; for example, by a central processing unit (CPU), a microprocessor (MPU), a digital signal processor (DSP) or a field programmable gate array (FPGA) located in the data processing equipment. In addition, in terms of the architecture of the user behavior analysis system of the embodiment of the present invention, the acquisition module 701 of the data analysis system may be implemented by the user journal logger; the drafting module 702 and the detection module 705 may be implemented by the user behavior track plotter; the fitting comparison module 703 and the determining module 704 may be implemented by the site maps renderer together with the track fitting determining device; the fitting judgment module 706 and the cluster judgment module 707 may be implemented by the normal behaviour ranker; and the manual audit analysis module 708 may be implemented by the abnormal behaviour ranker.
The data analysis system described in embodiment six provides concrete hardware for implementing the methods described in embodiments one to five, and can be used to implement any of the technical solutions described in those embodiments. Likewise, fitting user behavior tracks to the site map discovers abnormal attack behavior to the greatest extent; the normal behaviour ranker automatically identifies users' normal operating behavior, which greatly reduces the workload of manual audit analysis; and the track fitting determining device, the normal behaviour ranker and the abnormal behaviour ranker together form a closed loop for user behavior analysis, so that analyzing behavior and iteratively optimizing the work effectively improves the efficiency of user behavior analysis.
In the several embodiments provided herein, it should be understood that the disclosed system and method may be implemented in other ways. The system embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated in one processing unit, each unit may stand alone as a unit, or two or more units may be integrated in one unit; the integrated unit may be implemented in hardware, or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes removable storage devices, read-only memory (ROM), random access memory (RAM), magnetic disks, optical discs and other media that can store program code.
Alternatively, if the integrated unit of the present invention is implemented as a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied as a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the methods of the embodiments of the present invention. The storage medium includes removable storage devices, ROM, RAM, magnetic disks, optical discs and other media that can store program code.
The above is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.
Claims (12)
1. A data analysing method, characterized in that the method comprises:
obtaining user behavior data;
drawing a user behavior track according to the association relations in the user behavior data;
performing a track fitting comparison between the user behavior track and a site map to obtain a comparison result;
if the comparison result is that the user behavior track does not fit onto the site map, determining that the user behavior track is an abnormal behaviour track;
wherein the user behavior data includes at least two of the following:
user unique identifier, login time, uniform resource locator (URL), residence time, upload data.
2. The method according to claim 1, characterized in that, after the user behavior track is drawn, the method further comprises:
detecting whether the user behavior track meets a first preset condition, the first preset condition indicating that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and the normal working time threshold is less than a preset threshold;
if the user behavior track meets the first preset condition, determining that the user behavior corresponding to the user behavior track is attack behavior.
3. The method according to claim 2, characterized in that the method further comprises:
if the user behavior track does not meet the first preset condition, going on to detect whether the user behavior track meets a second preset condition, the second preset condition indicating that the upload data on the same URL in the user behavior track differ;
if the user behavior track does not meet the second preset condition, going on to perform the track fitting comparison between the user behavior track and the site map;
if the user behavior track meets the second preset condition, determining that the user behavior corresponding to the user behavior track is attack behavior.
4. The method according to claim 1, characterized in that the method further comprises:
if the comparison result is that the user behavior track can be fitted onto the site map, performing fitting judgment processing on the user behavior track against a user right map;
if the fitting judgment result shows that the user behavior track exceeds the user right boundary, determining that the user behavior corresponding to the user behavior track is an unauthorized-access attack.
5. The method according to claim 4, characterized in that the method further comprises:
if the fitting judgment result shows that the user behavior track does not exceed the user right boundary, performing cluster judgment on the user behavior track to obtain a cluster judgment result;
if the cluster judgment result shows that the user behavior track is the behavior of most users, determining that the user behavior track is a normal user track, and recording and adding the user behavior track to the user right map;
if the cluster judgment result shows that the user behavior track is the behavior of a minority of users, determining that the user behavior track is an abnormal behaviour track.
6. The method according to any one of claims 1 to 5, characterized in that, after determining that the user behavior track is an abnormal behaviour track, the method further comprises:
performing manual audit analysis on the user behavior track, to further judge whether the user behavior track is attack behavior;
if the user behavior track is determined to be attack behavior, recording and adding the user behavior track to the user right map.
7. A data analysis system, characterized in that the system comprises an acquisition module, a drafting module, a fitting comparison module and a determining module;
the acquisition module is configured to obtain user behavior data;
the drafting module is configured to draw a user behavior track according to the association relations in the user behavior data;
the fitting comparison module is configured to perform a track fitting comparison between the user behavior track and a site map to obtain a comparison result;
the determining module is configured to determine that the user behavior track is an abnormal behaviour track if the comparison result is that the user behavior track does not fit onto the site map;
wherein the user behavior data includes at least two of the following:
user unique identifier, login time, uniform resource locator (URL), residence time, upload data.
8. The system according to claim 7, characterized in that the system further comprises a detection module;
the detection module is configured to detect whether the user behavior track meets a first preset condition, the first preset condition indicating that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and the normal working time threshold is less than a preset threshold;
the determining module is further configured to determine that the user behavior corresponding to the user behavior track is attack behavior if the user behavior track meets the first preset condition.
9. The system according to claim 8, characterized in that:
the detection module is further configured to, if the user behavior track does not meet the first preset condition, go on to detect whether the user behavior track meets a second preset condition, the second preset condition indicating that the upload data on the same URL in the user behavior track differ;
correspondingly, the fitting comparison module is further configured to, if the user behavior track does not meet the second preset condition, go on to perform the track fitting comparison between the user behavior track and the site map;
the determining module is further configured to determine that the user behavior corresponding to the user behavior track is attack behavior if the user behavior track meets the second preset condition.
10. The system according to claim 7, characterized in that the system further comprises a fitting judgment module;
the fitting judgment module is configured to perform fitting judgment processing on the user behavior track against a user right map if the comparison result is that the user behavior track can be fitted onto the site map;
the determining module is further configured to determine that the user behavior corresponding to the user behavior track is an unauthorized-access attack if the fitting judgment result shows that the user behavior track exceeds the user right boundary.
11. The system according to claim 10, characterized in that the system further comprises a cluster judgment module;
the cluster judgment module is configured to perform cluster judgment on the user behavior track, obtaining a cluster judgment result, if the fitting judgment result shows that the user behavior track does not exceed the user right boundary;
the determining module is further configured to, if the cluster judgment result shows that the user behavior track is the behavior of most users, determine that the user behavior track is a normal user track, and record and add the user behavior track to the user right map; and is further configured to, if the cluster judgment result shows that the user behavior track is the behavior of a minority of users, determine that the user behavior track is an abnormal behaviour track.
12. The system according to any one of claims 7 to 11, characterized in that the system further comprises a manual audit analysis module;
the manual audit analysis module is configured to perform manual audit analysis on the abnormal behaviour track, to further judge whether the user behavior track is attack behavior; and, if the user behavior track is determined to be attack behavior, to record and add the user behavior track to the user right map.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610249798.2A CN107306252B (en) | 2016-04-21 | 2016-04-21 | A kind of data analysing method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107306252A (en) | 2017-10-31 |
CN107306252B (en) | 2019-11-12 |
Family
ID=60152805
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610249798.2A Active CN107306252B (en) | 2016-04-21 | 2016-04-21 | A kind of data analysing method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107306252B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111258874B (en) * | 2018-11-30 | 2023-09-05 | ***通信集团浙江有限公司 | User operation track analysis method and device based on web data |
CN112087452B (en) * | 2020-09-09 | 2022-11-15 | 北京元心科技有限公司 | Abnormal behavior detection method and device, electronic equipment and computer storage medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030115469A1 (en) * | 2001-12-14 | 2003-06-19 | Intel Corporation | Systems and methods for detecting and deterring rollback attacks |
CN101477552A (en) * | 2009-02-03 | 2009-07-08 | 辽宁般若网络科技有限公司 | Website user rank division method |
CN102739683B (en) * | 2012-06-29 | 2015-09-09 | 杭州迪普科技有限公司 | A kind of network attack filter method and device |
CN104883363A (en) * | 2015-05-11 | 2015-09-02 | 北京交通大学 | Method and device for analyzing abnormal access behaviors |
Also Published As
Publication number | Publication date |
---|---|
CN107306252A (en) | 2017-10-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111277578B (en) | Encrypted flow analysis feature extraction method, system, storage medium and security device | |
CN105577679B (en) | A kind of anomalous traffic detection method based on feature selecting and density peaks cluster | |
Mohammad et al. | A novel intrusion detection system by using intelligent data mining in weka environment | |
CN105208037B (en) | A kind of DoS/DDoS attack detectings and filter method based on lightweight intrusion detection | |
CN105577440B (en) | A kind of network downtime localization method and analytical equipment | |
KR101060612B1 (en) | Audit data based web attack event extraction system and method | |
CN105024877A (en) | Hadoop malicious node detection system based on network behavior analysis | |
CN103428196A (en) | URL white list-based WEB application intrusion detecting method and apparatus | |
CN107360152A (en) | A kind of Web based on semantic analysis threatens sensory perceptual system | |
US20170063892A1 (en) | Robust representation of network traffic for detecting malware variations | |
CN109525551A (en) | A method of the CC based on statistical machine learning attacks protection | |
Aung et al. | An analysis of K-means algorithm based network intrusion detection system | |
CN109120592A (en) | A kind of Web abnormality detection system based on user behavior | |
CN108540473A (en) | A kind of data analysing method and data analysis set-up | |
CN105227408A (en) | A kind of intelligent wooden horse recognition device and method | |
CN114785563A (en) | Encrypted malicious flow detection method for soft voting strategy | |
CN107306252B (en) | A kind of data analysing method and system | |
CN113660267B (en) | Botnet detection system, method and storage medium for IoT environment | |
Viegas et al. | A resilient stream learning intrusion detection mechanism for real-time analysis of network traffic | |
RU180789U1 (en) | DEVICE OF INFORMATION SECURITY AUDIT IN AUTOMATED SYSTEMS | |
CN103490944A (en) | Mixed P2P flow monitoring system based on BP neural network | |
CN108566392A (en) | Defence CC attacking systems based on machine learning and method | |
CN117040664A (en) | Computer system detection method based on network operation safety | |
CN112257076A (en) | Vulnerability detection method based on random detection algorithm and information aggregation | |
Tran | Network anomaly detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||