CN107306252B - Data analysis method and system - Google Patents

Publication number
CN107306252B
Authority
CN
China
Legal status
Active
Application number
CN201610249798.2A
Other languages
Chinese (zh)
Other versions
CN107306252A (en)
Inventor
李佩瑞
Current Assignee
China Mobile Group Hebei Co Ltd
Original Assignee
China Mobile Group Hebei Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

Embodiments of the present invention provide a data analysis method and system. User behavior data is obtained; a user behavior track is drawn according to the association relationships in the user behavior data; the user behavior track is compared with a site map by track fitting to obtain a comparison result; and if the comparison result is that the user behavior track does not fit onto the network map, the user behavior track is determined to be an abnormal behavior track.

Description

Data analysis method and system
Technical field
The present invention relates to the field of computer network security technology, and in particular to a data analysis method and system.
Background
With the rapid development of the Internet, systems based on the Browser/Server (B/S) architecture have come into wide use in every field of life and work. To address the security problems of such systems, protection methods such as intrusion prevention systems/intrusion detection systems (Intrusion Prevention System/Intrusion Detection System, IPS/IDS) and firewalls have found broad application.
However, existing protection methods such as IPS/IDS and firewalls can only provide protection between the local area network and the Internet. For a B/S system accessed over the Hypertext Transfer Protocol (HTTP), the server trusts all of the data sent by the browser, and the packets sent by the browser are often maliciously tampered with. This exposes the server to Internet attacks such as unauthorized access, cross-site scripting, and Structured Query Language (SQL) injection, which poses a great challenge to system security and to the protection of user information.
Based on this, a user behavior analysis system can raise alarms on attacks after the fact by analyzing and auditing user operation logs. However, because the volume of user logs is huge, relying entirely on manual analysis and audit is impossible. Moreover, because there is no fixed classification model, abnormal user operations cannot be accurately identified among normal user operations.
Summary of the invention
In view of this, embodiments of the present invention provide a data analysis method and system to solve the above problems.
To achieve the above objective, the technical solutions of the embodiments of the present invention are implemented as follows:
An embodiment of the present invention provides a data analysis method, the method comprising:
obtaining user behavior data;
drawing a user behavior track according to the association relationships in the user behavior data;
comparing the user behavior track with a site map by track fitting to obtain a comparison result;
if the comparison result is that the user behavior track does not fit onto the network map, determining that the user behavior track is an abnormal behavior track.
In the above scheme, after the user behavior track is drawn, the method further comprises:
detecting whether the user behavior track meets a first preset condition, the first preset condition indicating that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and a normal operating time threshold is less than a preset threshold;
if the user behavior track meets the first preset condition, determining that the user behavior corresponding to the user behavior track is an attack.
In the above scheme, the method further comprises:
if the user behavior track does not meet the first preset condition, continuing to detect whether the user behavior track meets a second preset condition, the second preset condition indicating that the data uploaded on the same URL in the user behavior track differ;
if the user behavior track does not meet the second preset condition, continuing with the track-fitting comparison of the user behavior track with the site map;
if the user behavior track meets the second preset condition, determining that the user behavior corresponding to the user behavior track is an attack.
In the above scheme, the method further comprises:
if the comparison result is that the user behavior track can be fitted onto the network map, performing a fitting judgment between the user behavior track and a user permission map;
if the fitting judgment result shows that the user behavior track exceeds the user permission boundary, determining that the user behavior corresponding to the user behavior track is a privilege-overstepping attack.
In the above scheme, the method further comprises:
if the fitting judgment result shows that the user behavior track does not exceed the user permission boundary, performing a cluster judgment on the user behavior track to obtain a cluster judgment result;
if the cluster judgment result shows that the user behavior track is the behavior of most users, determining that the user behavior track is a normal user track, and recording and adding the user behavior track to the user permission map;
if the cluster judgment result shows that the user behavior track is the behavior of a few users, determining that the user behavior track is an abnormal behavior track.
In the above scheme, after the user behavior track is determined to be an abnormal behavior track, the method further comprises:
performing manual audit analysis on the user behavior track to further judge whether the user behavior track is an attack;
if the user behavior track is determined to be an attack, recording and adding the user behavior track to the user permission map.
An embodiment of the present invention also provides a data analysis system, the system comprising an obtaining module, a drawing module, a fitting comparison module and a determining module;
the obtaining module is configured to obtain user behavior data;
the drawing module is configured to draw a user behavior track according to the association relationships in the user behavior data;
the fitting comparison module is configured to compare the user behavior track with a site map by track fitting to obtain a comparison result;
the determining module is configured to determine that the user behavior track is an abnormal behavior track if the comparison result is that the user behavior track does not fit onto the network map.
In the above scheme, the system further comprises a detection module;
the detection module is configured to detect whether the user behavior track meets a first preset condition, the first preset condition indicating that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and a normal operating time threshold is less than a preset threshold;
the determining module is further configured to determine that the user behavior corresponding to the user behavior track is an attack if the user behavior track meets the first preset condition.
In the above scheme, the detection module is further configured to, if the user behavior track does not meet the first preset condition, continue to detect whether the user behavior track meets a second preset condition, the second preset condition indicating that the data uploaded on the same URL in the user behavior track differ;
correspondingly, the fitting comparison module is further configured to, if the user behavior track does not meet the second preset condition, continue with the track-fitting comparison of the user behavior track with the site map;
the determining module is further configured to determine that the user behavior corresponding to the user behavior track is an attack if the user behavior track meets the second preset condition.
In the above scheme, the system further comprises a fitting judgment module;
the fitting judgment module is configured to perform a fitting judgment between the user behavior track and a user permission map if the comparison result is that the user behavior track can be fitted onto the network map;
the determining module is further configured to determine that the user behavior corresponding to the user behavior track is a privilege-overstepping attack if the fitting judgment result shows that the user behavior track exceeds the user permission boundary.
In the above scheme, the system further comprises a cluster judgment module;
the cluster judgment module is configured to perform a cluster judgment on the user behavior track to obtain a cluster judgment result if the fitting judgment result shows that the user behavior track does not exceed the user permission boundary;
the determining module is further configured to, if the cluster judgment result shows that the user behavior track is the behavior of most users, determine that the user behavior track is a normal user track, and record and add the user behavior track to the user permission map; and is further configured to, if the cluster judgment result shows that the user behavior track is the behavior of a few users, determine that the user behavior track is an abnormal behavior track.
In the above scheme, the system further comprises a manual audit analysis module;
the manual audit analysis module is configured to perform manual audit analysis on the user behavior track to further judge whether the user behavior track is an attack, and, if the user behavior track is determined to be an attack, to record and add the user behavior track to the user permission map.
In the embodiments of the present invention, user behavior data is obtained; a user behavior track is drawn according to the association relationships in the user behavior data; the user behavior track is compared with a site map by track fitting to obtain a comparison result; and if the comparison result is that the user behavior track does not fit onto the network map, the user behavior track is determined to be an abnormal behavior track. In this way, by fitting user behavior tracks against the site map, abnormal attack behavior is discovered to the greatest extent possible, which avoids the problem that, when the volume of user logs is large, abnormal behavior analysis cannot rely entirely on manual analysis and audit.
Brief description of the drawings
Fig. 1 is a first schematic flowchart of the data analysis method according to an embodiment of the present invention;
Fig. 2 is an architecture diagram of the user behavior analysis system according to an embodiment of the present invention;
Fig. 3 is a second schematic flowchart of the data analysis method according to an embodiment of the present invention;
Fig. 4 is a third schematic flowchart of the data analysis method according to an embodiment of the present invention;
Fig. 5 is a fourth schematic flowchart of the data analysis method according to an embodiment of the present invention;
Fig. 6 is a schematic flowchart of a specific implementation of the data analysis method according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the composition of the data analysis system according to an embodiment of the present invention.
Detailed description of the embodiments
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Embodiment one
Fig. 1 is a first schematic flowchart of the data analysis method according to an embodiment of the present invention. As shown in Fig. 1, the data analysis method of this embodiment comprises:
Step 101: obtain user behavior data;
The user behavior data includes information such as the login time, the unique user identifier, the uniform resource locator (Uniform Resource Locator, URL), the residence time, and the uploaded data.
Specifically, with reference to the user behavior analysis system shown in Fig. 2, the user log recorder in the user behavior analysis system is an important source of user behavior data; user behavior data can therefore be obtained directly from the user log recorder.
Step 102: draw a user behavior track according to the association relationships in the user behavior data;
Here, the login time, unique user identifier, URL, residence time, uploaded data and other information contained in the user behavior data are related to one another. Accordingly, as shown in Fig. 2, the user behavior track plotter in the user behavior analysis system draws the track according to the association relationships in the user data. For example, it uses the unique user identifier to distinguish users and the login time to associate the context between user log entries, and thereby depicts the user behavior track for the complete process from the user logging in to the website to leaving it.
Step 103: compare the user behavior track with the site map by track fitting to obtain a comparison result;
The site map is drawn by the site map renderer shown in Fig. 2, which uses web crawler technology to draw the website structure tree and the association relationships between the links, forming a map of the entire website. Here, a user's normal operation behavior should move sequentially between adjacent links on the map. If the user's operations jump between links, or the user appears at parts of the website outside the assigned permissions, the behavior can be identified as an attack. Therefore, as shown in Fig. 2, the site map renderer is connected to the track fitting determiner, the normal behavior classifier and the abnormal behavior classifier. The site map renderer provides the basic map service for the latter three and is the basis on which they perform behavior identification and judgment.
Step 104: if the comparison result is that the user behavior track does not fit onto the network map, determine that the user behavior track is an abnormal behavior track.
With reference to steps 103~104 of this embodiment, as shown in Fig. 2, the user behavior track plotter in the user data analysis system is connected to the track fitting determiner and provides it with user behavior tracks. Specifically, the track fitter compares the user's behavior track against the site map generated by the site map renderer. If the track fits properly onto the site map, it is passed to the normal behavior classifier for analysis; a user track that cannot be fitted onto the site map is defined as abnormal user behavior and passed to the abnormal behavior classifier.
In the data analysis method of this embodiment, user behavior data is obtained; a user behavior track is drawn according to the association relationships in the user behavior data; the user behavior track is compared with the site map by track fitting to obtain a comparison result; and if the comparison result is that the user behavior track does not fit onto the network map, the user behavior track is determined to be an abnormal behavior track. In this way, by fitting user behavior tracks against the site map, abnormal attack behavior is discovered to the greatest extent possible, which avoids the problem that, when the volume of user logs is large, abnormal behavior analysis cannot rely entirely on manual analysis and audit.
Embodiment two
Fig. 3 is a second schematic flowchart of the data analysis method according to an embodiment of the present invention. As shown in Fig. 3, the data analysis method of this embodiment comprises:
Step 301: obtain user behavior data;
The user behavior data includes information such as the login time, the unique user identifier, the URL, the residence time, and the uploaded data.
Specifically, with reference to the user behavior analysis system shown in Fig. 2, the user log recorder in the user behavior analysis system is an important source of user behavior data; user behavior data can therefore be obtained directly from the user log recorder.
Step 302: draw a user behavior track according to the association relationships in the user behavior data;
Here, the login time, unique user identifier, URL, residence time, uploaded data and other information contained in the user behavior data are related to one another. Accordingly, as shown in Fig. 2, the user behavior track plotter in the user behavior analysis system draws the track according to the association relationships in the user data. For example, it uses the unique user identifier to distinguish users and the login time to associate the context between user log entries, and thereby depicts the user behavior track for the complete process from the user logging in to the website to leaving it.
Step 303: detect whether the user behavior track meets the first preset condition;
The first preset condition indicates that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and the normal operating time threshold is less than a preset threshold.
Step 304: if the user behavior track meets the first preset condition, determine that the user behavior corresponding to the user behavior track is an attack.
Step 305: if the user behavior track does not meet the first preset condition, continue to detect whether the user behavior track meets the second preset condition;
The second preset condition indicates that the data uploaded on the same URL in the user behavior track differ.
Step 306: if the user behavior track meets the second preset condition, determine that the user behavior corresponding to the user behavior track is an attack.
Here, with reference to steps 302~306 of this embodiment, a preliminary analysis of the user behavior is made while the user behavior track is being drawn. By comparing the residence time on the same URL with the normal operating time threshold for a human, it can be determined whether the operation comes from a person or from an automated tool. Using this as the criterion, attacks generated by automated attack tools are preliminarily identified. In addition, possible attacks can be further uncovered and identified from the different data uploaded to the same URL and from the differences in uploaded data between earlier and later parts of the track.
Step 307: if the user behavior track does not meet the second preset condition, continue by comparing the user behavior track with the site map by track fitting to obtain a comparison result;
The site map is drawn by the site map renderer shown in Fig. 2, which uses web crawler technology to draw the website structure tree and the association relationships between the links, forming a map of the entire website. Here, a user's normal operation behavior should move sequentially between adjacent links on the map. If the user's operations jump between links, or the user appears at parts of the website outside the assigned permissions, the behavior can be identified as an attack. Therefore, as shown in Fig. 2, the site map renderer is connected to the track fitting determiner, the normal behavior classifier and the abnormal behavior classifier. The site map renderer provides the basic map service for the latter three and is the basis on which they perform behavior identification and judgment.
Step 308: if the comparison result is that the user behavior track does not fit onto the network map, determine that the user behavior track is an abnormal behavior track.
With reference to steps 307~308 of this embodiment, as shown in Fig. 2, the user behavior track plotter in the user data analysis system is connected to the track fitting determiner and provides it with user behavior tracks. Specifically, the track fitter compares the user's behavior track against the site map generated by the site map renderer. If the track fits properly onto the site map, it is passed to the normal behavior classifier for analysis; a user track that cannot be fitted onto the site map is defined as abnormal user behavior and passed to the abnormal behavior classifier.
With the data analysis method of this embodiment, by fitting user behavior tracks against the site map, abnormal attack behavior is discovered to the greatest extent possible, which avoids the problem that, when the volume of user logs is large, abnormal behavior analysis cannot rely entirely on manual analysis and audit.
Embodiment three
Fig. 4 is a third schematic flowchart of the data analysis method according to an embodiment of the present invention. As shown in Fig. 4, the data analysis method of this embodiment comprises:
Step 401: obtain user behavior data;
The user behavior data includes information such as the login time, the unique user identifier, the URL, the residence time, and the uploaded data.
Specifically, with reference to the user behavior analysis system shown in Fig. 2, the user log recorder in the user behavior analysis system is an important source of user behavior data; user behavior data can therefore be obtained directly from the user log recorder.
Step 402: draw a user behavior track according to the association relationships in the user behavior data;
Here, the login time, unique user identifier, URL, residence time, uploaded data and other information contained in the user behavior data are related to one another. Accordingly, as shown in Fig. 2, the user behavior track plotter in the user behavior analysis system draws the track according to the association relationships in the user data. For example, it uses the unique user identifier to distinguish users and the login time to associate the context between user log entries, and thereby depicts the user behavior track for the complete process from the user logging in to the website to leaving it.
Step 403: compare the user behavior track with the site map by track fitting to obtain a comparison result;
The site map is drawn by the site map renderer shown in Fig. 2, which uses web crawler technology to draw the website structure tree and the association relationships between the links, forming a map of the entire website. Here, a user's normal operation behavior should move sequentially between adjacent links on the map. If the user's operations jump between links, or the user appears at parts of the website outside the assigned permissions, the behavior can be identified as an attack. Therefore, as shown in Fig. 2, the site map renderer is connected to the track fitting determiner, the normal behavior classifier and the abnormal behavior classifier. The site map renderer provides the basic map service for the latter three and is the basis on which they perform behavior identification and judgment.
With reference to steps 402~403 of this embodiment, as shown in Fig. 2, the user behavior track plotter in the user data analysis system is connected to the track fitting determiner and provides it with user behavior tracks. Specifically, the track fitter compares the user's behavior track against the site map generated by the site map renderer; if the track fits properly onto the site map, it is passed to the normal behavior classifier for analysis.
Step 404: if the comparison result is that the user behavior track can be fitted onto the network map, perform a fitting judgment between the user behavior track and the user permission map;
Step 405: if the fitting judgment result shows that the user behavior track exceeds the user permission boundary, determine that the user behavior corresponding to the user behavior track is a privilege-overstepping attack.
Step 406: if the fitting judgment result shows that the user behavior track does not exceed the user permission boundary, perform a cluster judgment on the user behavior track to obtain a cluster judgment result;
Step 407: if the cluster judgment result shows that the user behavior track is the behavior of most users, determine that the user behavior track is a normal user track, and record and add the user behavior track to the user permission map;
Step 408: if the cluster judgment result shows that the user behavior track is the behavior of a few users, determine that the user behavior track is an abnormal behavior track.
Here, as shown in Fig. 2 and with reference to steps 404~408 of this embodiment, for user behavior tracks that can be fitted onto the site map, the normal behavior classifier sorts the tracks using pattern-recognition clustering. Using as the distinguishing criterion that the behavior of most website users is normal operation and that abnormal attack behavior makes up only a minority of operations, it identifies the operation tracks of normal user behavior. These operation tracks are fed back to the track fitter to identify normal behavior. Tracks that cannot be classified as normal behavior are passed to the abnormal behavior classifier.
With the data analysis method of this embodiment, by fitting user behavior tracks against the site map, abnormal attack behavior is discovered to the greatest extent possible, which avoids the problem that, when the volume of user logs is large, abnormal behavior analysis cannot rely entirely on manual analysis and audit. Further, the normal behavior classifier can automatically recognize users' normal operation behavior, which greatly reduces the workload of manual audit analysis.
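The checks of embodiments two and three, run in order over a constructed log, as an added example that is not code from the patent. Assumptions: the first preset condition is read as every residence time in a session falling below a human minimum, counting identical URL paths stands in for the unspecified pattern-recognition clustering, and the `ts` field, URLs, user names and thresholds are all constructed.

```python
from collections import Counter, defaultdict

# Constructed site map: URL -> URLs directly linked from it (what a crawler would emit).
SITE_MAP = {
    "/login": {"/home"},
    "/home": {"/orders", "/profile", "/admin"},
    "/orders": {"/orders/detail", "/home"},
    "/orders/detail": {"/orders"},
    "/profile": {"/home"},
    "/admin": {"/admin/users", "/home"},
    "/admin/users": {"/admin"},
}
# Constructed permission map: URLs each user may reach; unlisted users get USER_URLS.
USER_URLS = {"/login", "/home", "/orders", "/orders/detail", "/profile"}
PERMISSIONS = {"root": set(SITE_MAP)}


def session(user, login, steps):
    """Expand (url, residence_seconds, upload) steps into log records with a sequence ts."""
    return [(user, login, ts, url, dwell, up) for ts, (url, dwell, up) in enumerate(steps)]


ORDER_PATH = [("/login", 5.0, None), ("/home", 8.0, None),
              ("/orders", 12.0, "id=1001"), ("/orders/detail", 20.0, None)]
# Constructed log: fields follow the patent (login time, user id, URL, residence time, upload).
SAMPLE_LOG = (
    session("alice", "09:00", ORDER_PATH) + session("bob", "09:05", ORDER_PATH)
    + session("carol", "09:10", ORDER_PATH)
    + session("dave", "09:15", [("/login", 6.0, None), ("/home", 9.0, None),
                                ("/profile", 30.0, None)])
    + session("bot", "09:20", [("/login", 0.1, None), ("/home", 0.1, None),
                               ("/orders", 0.2, "id=1001")])
    + session("eve", "09:25", [("/login", 4.0, None), ("/home", 5.0, None),
                               ("/orders", 7.0, "id=1001"), ("/orders", 6.0, "id=1002")])
    + session("mallory", "09:30", [("/login", 5.0, None), ("/admin/users", 9.0, None)])
    + session("trent", "09:35", [("/login", 5.0, None), ("/home", 7.0, None),
                                 ("/admin", 11.0, None), ("/admin/users", 15.0, None)])
)


def build_tracks(records):
    """Draw tracks: group by (user id, login time) and order each session by ts."""
    sessions = defaultdict(list)
    for user, login, ts, url, dwell, upload in records:
        sessions[(user, login)].append((ts, url, dwell, upload))
    return {key: sorted(steps, key=lambda s: s[0]) for key, steps in sessions.items()}


def too_fast(steps, human_min_dwell=1.0):
    """First preset condition (assumed reading): no step is slow enough for a human."""
    return all(dwell < human_min_dwell for _, _, dwell, _ in steps)


def varying_upload(steps):
    """Second preset condition: the same URL received different upload data."""
    seen = defaultdict(set)
    for _, url, _, upload in steps:
        if upload is not None:
            seen[url].add(upload)
    return any(len(values) > 1 for values in seen.values())


def fits_site_map(urls, site_map):
    """Track fitting: every URL is on the map and every hop follows an existing link."""
    if any(url not in site_map for url in urls):
        return False
    return all(nxt in site_map[cur] for cur, nxt in zip(urls, urls[1:]))


def classify(records, site_map=SITE_MAP, permissions=PERMISSIONS,
             default_urls=USER_URLS, min_share=0.3):
    """Return {(user, login): verdict}, applying the checks in the patent's order."""
    verdicts, candidates = {}, {}
    for key, steps in build_tracks(records).items():
        urls = tuple(url for _, url, _, _ in steps)
        if too_fast(steps):
            verdicts[key] = "attack: automated tool"
        elif varying_upload(steps):
            verdicts[key] = "attack: varying upload data"
        elif not fits_site_map(urls, site_map):
            verdicts[key] = "abnormal: off site map"
        elif not set(urls) <= permissions.get(key[0], default_urls):
            verdicts[key] = "attack: exceeds permission"
        else:
            candidates[key] = urls
    # Cluster judgment stand-in: a path shared by enough surviving sessions is "most users".
    counts = Counter(candidates.values())
    total = sum(counts.values())
    for key, urls in candidates.items():
        share = counts[urls] / total
        verdicts[key] = "normal" if share >= min_share else "abnormal: minority track"
    return verdicts


if __name__ == "__main__":
    for key, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(key, verdict)
```

Note that `dave` follows a legitimate but rare path and is still marked abnormal; that is the case the manual audit step in embodiment four exists to resolve.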
Example IV
Fig. 5 is the implementation process schematic diagram four of data analysing method of the embodiment of the present invention, as shown in figure 5, the present invention is implemented Example data analysing method include:
Step 501, user behavior data is obtained;
Wherein, the user behavior data includes landing time, user's unique identification, URL, the residence time, uploads data Etc. information.
Specifically, the user day in conjunction with user behavior analysis system as shown in Figure 2, in the user behavior analysis system Will logger is the important sources for obtaining user behavior data;Therefore user behavior number can be obtained directly from user writer According to.
Step 502, according to the incidence relation in the user behavior data, drafting obtains user behavior track;
Here, landing time included in the user behavior data, user's unique identification, URL, the residence time, on There are relevant between the information such as biography data.Correspondingly, as shown in Fig. 2, user in the user behavior analysis system Action trail plotter is realized the truth the incidence relation in data according to the user, for example, using the unique identification of user as area Not, with the context between landing time association user log, user is obtained from logging in website to describe, it is complete to website is left The user behavior track of process.
Step 503, the user behavior track is carried out track fitting with site maps to compare, obtains comparison result;
Wherein, the site maps are to utilize web crawlers technology to drawing net by site maps renderer as shown in Figure 2 Incidence relation between station structure tree, and each link, thus the train of thought map of the entire website formed.Here, user is being just Normal operation behavior should be on map sequential transformations between adjacent connection.As jump conversion occurs in user's operation behavior or occurs Some websites place outside assigned permission can be identified as aggression.Therefore, as shown in Fig. 2, site maps There is connections between renderer and track fitting determining device, normal behaviour ranker, abnormal behaviour ranker.Site maps are drawn Device processed provides basic map service for latter three, is the basis that latter three does Activity recognition judgement.
The step 502 in conjunction with described in the embodiment of the present invention~503, as shown in Fig. 2, the use in the Users'Data Analysis system Family action trail plotter is connected with track fitting determining device, provides user behavior track for track fitting determining device.Specifically, Track fitting device is to compare comparison for the site maps for generating the action trail of user and site maps renderer;If rail Mark appropriate can be fitted on site maps, then this track is transferred to normal behaviour ranker, for analysis.
Step 504, if the comparison result is that the user behavior track can be fitted onto the network map, fitting judgement processing is performed on the user behavior track and the user right map;
Step 505, if the fitting judgement result shows that the user behavior track exceeds the user right boundary, it is determined that the user behavior corresponding to the user behavior track is a privilege-overstepping attack.
Step 506, if the fitting judgement result shows that the user behavior track does not exceed the user right boundary, cluster judgement is performed on the user behavior track to obtain a cluster judgement result;
Step 507, if the cluster judgement result shows that the user behavior track is majority user behavior, it is determined that the user behavior track is a normal user track, and the user behavior track is recorded and added to the user right map;
Step 508, if the cluster judgement result shows that the user behavior track is minority user behavior, it is determined that the user behavior track is an abnormal behavior track;
Here, as shown in Fig. 2, in conjunction with steps 504~508 of the embodiment of the present invention, for user behavior tracks that can be fitted to the site maps, the normal behaviour ranker classifies the user behavior tracks using a pattern-recognition clustering method. Taking as the distinguishing basis that most user behavior on the website is normal operation and that abnormal attack behavior is only a minority of operations, it identifies the operation tracks of normal user behavior and feeds these operation tracks back to the track fitting device for identifying normal behavior. Tracks that cannot be classified as normal behavior are passed to the abnormal behaviour ranker.
Step 509, manual audit analysis is performed on the user behavior track to further judge whether the user behavior track is attack behavior;
Step 510, if it is determined that the user behavior track is attack behavior, the user behavior track is recorded and added to the user right map.
Here, as shown in Fig. 2, in conjunction with steps 509~510, the abnormal behaviour ranker in the user behavior analysis system submits the behavior tracks that cannot be fitted, and the tracks that cannot be classified as normal behavior, to manual audit analysis. The results are recorded and fed back to the track fitting determining device, which increases the samples available for automatic identification and makes user behavior analysis a closed-loop process. By analysing behavior and iteratively optimising, the efficiency of user behavior analysis is improved.
With the data analysing method of the embodiment of the present invention, fitting user behavior tracks to the site maps discovers abnormal attack behavior to the greatest extent and avoids the problem that, when the volume of user logs is large, abnormal behavior analysis cannot rely entirely on manual analysis and audit; further, the normal behaviour ranker can automatically recognise users' normal operation behavior, which greatly reduces the workload of manual audit analysis; moreover, the track fitting determining device, the normal behaviour ranker and the abnormal behaviour ranker together form a closed loop for user behavior analysis, so that by analysing behavior and iteratively optimising, the efficiency of user behavior analysis is effectively improved.
Embodiment five
Fig. 6 is a schematic flow diagram of a specific implementation of the data analysing method of the embodiment of the present invention. As shown in Fig. 6, the data analysing method of the embodiment of the present invention includes:
Step 601, the site maps renderer draws the site maps using crawler technology;
Step 602, the user accesses the website, and the user journal logger records user behavior data;
Step 603, the user behavior plotter uses the user behavior data generated in step 602 and draws the user behavior track from the association relationships between information such as the user's unique identifier (ID), URL, access time and uploaded data;
Step 604, the user behavior plotter compares the residence time on the same URL with the normal operating time threshold and determines whether the time interval is less than the preset threshold;
Here, if the time interval is less than the preset threshold, go to step 605; otherwise, go to step 606;
Step 605, the access is deemed to come from an automated tool; using this as the criterion, the attack behavior produced by the automated attack tool is identified and an alarm is raised.
Step 606, it is determined whether the data uploaded to the same URL are identical.
Here, if different data are uploaded to the same URL, go to step 607; otherwise go to step 608;
Step 607, the same URL with different uploaded data indicates an attack tool loading different test payloads; it is judged to be attack behavior and an alarm is raised.
Step 608, the track fitting device performs fitting comparison between the user behavior track and the site maps. If a continuous, uninterrupted access track cannot be found on the map, go to step 609; otherwise go to step 610;
Step 609, because the user behavior track contains jumps, it is judged to be abnormal behavior; go to step 613.
Step 610, the user track is fitted against the user right map to see whether it exceeds the user right boundary. If it exceeds the user right boundary, go to step 611; otherwise go to step 612;
Step 611, the user has exceeded the permission boundary; this is a privilege-overstepping attack and an alarm is raised.
Step 612, user tracks that can be fitted to the site maps are submitted to the normal behaviour ranker, which performs cluster judgement on the user behavior tracks.
Here, the normal behaviour ranker assumes that, after filtering by the user behavior plotter and the track fitting device, most of the remaining behavior is normal operation behavior and attack behavior is only a minority. It therefore uses a normal-behavior discrimination threshold to make a classification judgement on the classified user behavior, i.e. cluster judgement. If the user's behavior belongs to the majority behavior, it is judged to be a normal user track, recorded, and made available to the user behavior fitting device for fitting judgement; if it belongs to the minority behavior, go to step 613;
Step 613, the abnormal behaviour ranker submits the user behavior that belongs to the minority to manual audit analysis to determine whether it is attack behavior. If it is determined to be attack behavior, it is recorded and made available to the user behavior fitting device for fitting judgement, so as to identify abnormal attack behavior.
The embodiment of the present invention discovers abnormal attack behavior to the greatest extent by fitting user behavior tracks to the site maps; the normal behaviour ranker automatically recognises users' normal operation behavior, which greatly reduces the workload of manual audit analysis; moreover, the track fitting determining device, the normal behaviour ranker and the abnormal behaviour ranker together form a closed loop for user behavior analysis, so that by analysing behavior and iteratively optimising, the efficiency of user behavior analysis is effectively improved.
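The decision flow of steps 604 to 613, as an added Python example that is not part of the patent text. The site map, the user right map, the sample tracks, both thresholds and every function name are constructed assumptions; step 604 is read here as "consecutive requests to the same URL arrive closer together than a preset interval", and the clustering of step 612 is replaced by a simple share-of-identical-paths count.

```python
from collections import Counter, defaultdict

# Constructed site map (step 601): URL -> URLs reachable through one link.
SITE_MAP = {
    "/": {"/login", "/products"},
    "/login": {"/account", "/"},
    "/products": {"/cart", "/"},
    "/cart": {"/checkout", "/products"},
    "/account": {"/", "/admin"},
    "/checkout": {"/"},
    "/admin": {"/account"},
}
# Constructed user right map: URLs each user is allowed to visit.
CUSTOMER = set(SITE_MAP) - {"/admin"}
RIGHTS = {"admin1": set(SITE_MAP)}   # everyone else gets CUSTOMER

MIN_INTERVAL = 1.0     # seconds; assumed preset threshold for step 604
MAJORITY_SHARE = 0.3   # assumed normal-behaviour threshold for step 612

def too_fast(track):
    """Step 604: consecutive hits on the same URL closer than MIN_INTERVAL."""
    return any(a[0] == b[0] and b[1] - a[1] < MIN_INTERVAL
               for a, b in zip(track, track[1:]))

def varied_uploads(track):
    """Step 606: the same URL received different upload data."""
    seen = defaultdict(set)
    for url, _, upload in track:
        if upload is not None:
            seen[url].add(upload)
    return any(len(values) > 1 for values in seen.values())

def fits_site_map(track):
    """Step 608: every hop must follow a link that exists on the site map."""
    urls = [event[0] for event in track]
    if any(u not in SITE_MAP for u in urls):
        return False
    return all(a == b or b in SITE_MAP[a] for a, b in zip(urls, urls[1:]))

def within_rights(user, track):
    """Step 610: every visited URL must lie inside the user's right map."""
    allowed = RIGHTS.get(user, CUSTOMER)
    return all(event[0] in allowed for event in track)

def path_signature(track):
    """Collapse repeated hits on one URL so retries do not change the path."""
    urls = [event[0] for event in track]
    return tuple(u for i, u in enumerate(urls) if i == 0 or u != urls[i - 1])

def classify(tracks):
    """Run steps 604-613 over {user: [(url, seconds, upload), ...]}."""
    verdicts, pending = {}, {}
    for user, track in tracks.items():
        if too_fast(track):
            verdicts[user] = "alert: automated tool"          # step 605
        elif varied_uploads(track):
            verdicts[user] = "alert: varied uploads"          # step 607
        elif not fits_site_map(track):
            verdicts[user] = "manual review: jump"            # steps 609, 613
        elif not within_rights(user, track):
            verdicts[user] = "alert: privilege overstep"      # step 611
        else:
            pending[user] = path_signature(track)             # step 612
    counts = Counter(pending.values())
    for user, signature in pending.items():
        share = counts[signature] / len(pending)
        verdicts[user] = ("normal" if share >= MAJORITY_SHARE
                          else "manual review: minority path")  # step 613
    return verdicts

# Constructed sample tracks: (url, seconds since session start, upload data).
SHOP = [("/", 0, None), ("/products", 8, None), ("/cart", 20, None),
        ("/checkout", 41, "order=1")]
SAMPLE_TRACKS = {
    "u1": SHOP, "u2": SHOP, "u3": SHOP,
    "u4": [("/", 0, None), ("/login", 7, "name=dave"), ("/account", 15, None)],
    "bot": [("/login", 0.0, "pw=a"), ("/login", 0.2, "pw=b"),
            ("/login", 0.4, "pw=c")],
    "fuzz": [("/", 0, None), ("/login", 4, "name=alice"),
             ("/login", 9, "name=bob")],
    "jumper": [("/", 0, None), ("/checkout", 6, None)],
    "snoop": [("/", 0, None), ("/login", 5, "name=carol"),
              ("/account", 11, None), ("/admin", 19, None)],
}

if __name__ == "__main__":
    for user, verdict in classify(SAMPLE_TRACKS).items():
        print(f"{user:8} {verdict}")
```

Step 606 as stated also flags a user who resubmits a form with corrected input, so in practice that alert needs a tolerance or a route to manual review.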
Embodiment six
Fig. 7 is a schematic diagram of the composition structure of the data analysis system of the embodiment of the present invention. As shown in Fig. 7, the data analysis system 70 includes an acquisition module 701, a drafting module 702, a fitting comparison module 703 and a determining module 704;
The acquisition module 701 is configured to obtain user behavior data;
The drafting module 702 is configured to draw the user behavior track according to the association relationships in the user behavior data;
The fitting comparison module 703 is configured to perform track fitting comparison between the user behavior track and the site maps to obtain a comparison result;
The determining module 704 is configured to determine that the user behavior track is an abnormal behavior track if the comparison result is that the user behavior track does not fit onto the network map.
In one embodiment, as shown in Fig. 7, the system further includes a detection module 705;
The detection module 705 is configured to detect whether the user behavior track meets a first preset condition, the first preset condition indicating that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and the normal working time threshold is less than a preset threshold;
The determining module 704 is further configured to determine that the user behavior corresponding to the user behavior track is attack behavior if the user behavior track meets the first preset condition.
In one embodiment, as shown in Fig. 7, the detection module 705 is further configured to, if the user behavior track does not meet the first preset condition, continue to detect whether the user behavior track meets a second preset condition, the second preset condition indicating that the data uploaded to the same URL in the user behavior track are different;
Correspondingly, the fitting comparison module 703 is further configured to, if the user behavior track does not meet the second preset condition, continue to perform the processing operation of track fitting comparison between the user behavior track and the site maps;
The determining module 704 is further configured to determine that the user behavior corresponding to the user behavior track is attack behavior if the user behavior track meets the second preset condition.
In one embodiment, as shown in Fig. 7, the system further includes a fitting judgment module 706;
The fitting judgment module 706 is configured to perform fitting judgement processing on the user behavior track and the user right map if the comparison result is that the user behavior track can be fitted onto the network map;
The determining module 704 is further configured to determine that the user behavior corresponding to the user behavior track is a privilege-overstepping attack if the fitting judgement result shows that the user behavior track exceeds the user right boundary.
In one embodiment, as shown in Fig. 7, the system further includes a cluster judgment module 707;
The cluster judgment module 707 is configured to perform cluster judgement on the user behavior track and obtain a cluster judgement result if the fitting judgement result shows that the user behavior track does not exceed the user right boundary;
The determining module 704 is further configured to, if the cluster judgement result shows that the user behavior track is majority user behavior, determine that the user behavior track is a normal user track, and record and add the user behavior track to the user right map; and, if the cluster judgement result shows that the user behavior track is minority user behavior, determine that the user behavior track is an abnormal behavior track.
In one embodiment, as shown in Fig. 7, the system further includes a manual audit analysis module 708;
The manual audit analysis module 708 is configured to perform manual audit analysis on the user behavior track to further judge whether the user behavior track is attack behavior; if it is determined that the user behavior track is attack behavior, the user behavior track is recorded and added to the user right map.
In practical applications, each module of the data analysis system described in the embodiment of the present invention can be implemented by a processor in the data analysis system, or by a specific logic circuit; for example, in practical applications, it can be implemented by a central processing unit (CPU), microprocessor (MPU), digital signal processor (DSP) or field programmable gate array (FPGA) located in the data processing equipment. In addition, in conjunction with the architecture of the user behavior analysis system of the embodiment of the present invention, the acquisition module 701 in the data analysis system described in the embodiment of the present invention can be implemented by the user journal logger; the drafting module 702 and the detection module 705 can be implemented by the user behavior track plotter; the fitting comparison module 703 and the determining module 704 can be implemented by the site maps renderer combined with the track fitting determining device; the fitting judgment module 706 and the cluster judgment module 707 can be implemented by the normal behaviour ranker; and the manual audit analysis module 708 can be implemented by the abnormal behaviour ranker.
The data analysis system described in embodiment six of the present invention provides specific hardware for implementing the methods described in embodiments one to five and can be used to realise any of the technical solutions described in embodiments one to five. Likewise, it can discover abnormal attack behavior to the greatest extent by fitting user behavior tracks to the site maps; the normal behaviour ranker automatically recognises users' normal operation behavior, which greatly reduces the workload of manual audit analysis; moreover, the track fitting determining device, the normal behaviour ranker and the abnormal behaviour ranker together form a closed loop for user behavior analysis, so that by analysing behavior and iteratively optimising, the efficiency of user behavior analysis is effectively improved.
In the several embodiments provided in this application, it should be understood that the disclosed system and method may be implemented in other ways. The system embodiment described above is merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated in one processing unit, or each unit may stand alone as one unit, or two or more units may be integrated in one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware under the direction of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media that can store program code, such as a removable storage device, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), a magnetic disk or an optical disc.
Alternatively, if the above integrated unit of the present invention is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the methods of the embodiments of the present invention. The storage medium includes various media that can store program code, such as a removable storage device, ROM, RAM, a magnetic disk or an optical disc.
The above is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily think of within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A data analysing method, characterized in that the method comprises:
Obtaining user behavior data;
Drawing a user behavior track according to the association relationships in the user behavior data;
Performing track fitting comparison between the user behavior track and the site maps to obtain a comparison result;
If the comparison result is that the user behavior track does not fit onto the site maps, determining that the user behavior track is an abnormal behavior track;
Wherein the user behavior data includes at least two of the following:
User unique identifier, login time, uniform resource locator (URL), residence time, uploaded data.
2. The method according to claim 1, characterized in that, after the user behavior track is drawn, the method further comprises:
Detecting whether the user behavior track meets a first preset condition, the first preset condition indicating that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and the normal working time threshold is less than a preset threshold;
If the user behavior track meets the first preset condition, determining that the user behavior corresponding to the user behavior track is attack behavior.
3. The method according to claim 2, characterized in that the method further comprises:
If the user behavior track does not meet the first preset condition, continuing to detect whether the user behavior track meets a second preset condition, the second preset condition indicating that the data uploaded to the same URL in the user behavior track are different;
If the user behavior track does not meet the second preset condition, continuing to perform the processing operation of track fitting comparison between the user behavior track and the site maps;
If the user behavior track meets the second preset condition, determining that the user behavior corresponding to the user behavior track is attack behavior.
4. The method according to claim 1, characterized in that the method further comprises:
If the comparison result is that the user behavior track can be fitted onto the site maps, performing fitting judgement processing on the user behavior track and the user right map;
If the fitting judgement result shows that the user behavior track exceeds the user right boundary, determining that the user behavior corresponding to the user behavior track is a privilege-overstepping attack.
5. The method according to claim 4, characterized in that the method further comprises:
If the fitting judgement result shows that the user behavior track does not exceed the user right boundary, performing cluster judgement on the user behavior track to obtain a cluster judgement result;
If the cluster judgement result shows that the user behavior track is majority user behavior, determining that the user behavior track is a normal user track, and recording and adding the user behavior track to the user right map;
If the cluster judgement result shows that the user behavior track is minority user behavior, determining that the user behavior track is an abnormal behavior track.
6. The method according to any one of claims 1 to 5, characterized in that, after determining that the user behavior track is an abnormal behavior track, the method further comprises:
Performing manual audit analysis on the user behavior track to further judge whether the user behavior track is attack behavior;
If it is determined that the user behavior track is attack behavior, recording and adding the user behavior track to the user right map.
7. A data analysis system, characterized in that the system comprises an acquisition module, a drafting module, a fitting comparison module and a determining module;
The acquisition module is configured to obtain user behavior data;
The drafting module is configured to draw a user behavior track according to the association relationships in the user behavior data;
The fitting comparison module is configured to perform track fitting comparison between the user behavior track and the site maps to obtain a comparison result;
The determining module is configured to determine that the user behavior track is an abnormal behavior track if the comparison result is that the user behavior track does not fit onto the site maps;
Wherein the user behavior data includes at least two of the following:
User unique identifier, login time, uniform resource locator (URL), residence time, uploaded data.
8. The system according to claim 7, characterized in that the system further comprises a detection module;
The detection module is configured to detect whether the user behavior track meets a first preset condition, the first preset condition indicating that, in the user behavior track, the time interval between the residence time on the same uniform resource locator (URL) and the normal working time threshold is less than a preset threshold;
The determining module is further configured to determine that the user behavior corresponding to the user behavior track is attack behavior if the user behavior track meets the first preset condition.
9. The system according to claim 8, characterized in that:
The detection module is further configured to, if the user behavior track does not meet the first preset condition, continue to detect whether the user behavior track meets a second preset condition, the second preset condition indicating that the data uploaded to the same URL in the user behavior track are different;
Correspondingly, the fitting comparison module is further configured to, if the user behavior track does not meet the second preset condition, continue to perform the processing operation of track fitting comparison between the user behavior track and the site maps;
The determining module is further configured to determine that the user behavior corresponding to the user behavior track is attack behavior if the user behavior track meets the second preset condition.
10. The system according to claim 7, characterized in that the system further comprises a fitting judgment module;
The fitting judgment module is configured to perform fitting judgement processing on the user behavior track and the user right map if the comparison result is that the user behavior track can be fitted onto the site maps;
The determining module is further configured to determine that the user behavior corresponding to the user behavior track is a privilege-overstepping attack if the fitting judgement result shows that the user behavior track exceeds the user right boundary.
11. The system according to claim 10, characterized in that the system further comprises a cluster judgment module;
The cluster judgment module is configured to perform cluster judgement on the user behavior track and obtain a cluster judgement result if the fitting judgement result shows that the user behavior track does not exceed the user right boundary;
The determining module is further configured to, if the cluster judgement result shows that the user behavior track is majority user behavior, determine that the user behavior track is a normal user track, and record and add the user behavior track to the user right map; and, if the cluster judgement result shows that the user behavior track is minority user behavior, determine that the user behavior track is an abnormal behavior track.
12. The system according to any one of claims 7 to 11, characterized in that the system further comprises a manual audit analysis module;
The manual audit analysis module is configured to perform manual audit analysis on the abnormal behavior track to further judge whether the user behavior track is attack behavior; if it is determined that the user behavior track is attack behavior, the user behavior track is recorded and added to the user right map.
CN201610249798.2A 2016-04-21 2016-04-21 A kind of data analysing method and system Active CN107306252B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610249798.2A CN107306252B (en) 2016-04-21 2016-04-21 A kind of data analysing method and system

Publications (2)

Publication Number Publication Date
CN107306252A CN107306252A (en) 2017-10-31
CN107306252B true CN107306252B (en) 2019-11-12

Family

ID=60152805

Country Status (1)

Country Link
CN (1) CN107306252B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant