CN107517203B - User behavior baseline establishing method and device - Google Patents


Info

Publication number: CN107517203B
Application number: CN201710671859.9A
Authority: CN (China)
Other versions: CN107517203A (en)
Other languages: Chinese (zh)
Prior art keywords: user, user behavior, time, users, session set
Inventors: 高浩浩, 白敏�
Current assignee: Qianxin Technology Group Co Ltd
Original assignee: Qianxin Technology Group Co Ltd
Legal status: Active
Events: application filed by Qianxin Technology Group Co Ltd; priority to CN201710671859.9A; publication of CN107517203A; application granted; publication of CN107517203B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The embodiment of the invention discloses a method and a device for establishing a user behavior baseline. The method comprises the following steps: acquiring a user behavior log sample set; based on that sample set, establishing a session set user behavior baseline of users and user groups along a time axis, with the session set as the minimum time statistical unit; and, based on those session set baselines of the users and user groups, establishing user behavior baselines of the users and user groups along the time axis with a preset time period as the time unit. With the embodiment of the invention, a session set can subsequently be compared with a session set and a preset time period with a preset time period; compared with the prior art, in which one session or a single log is the minimum time statistical unit, abnormal user behavior is found more easily and reasonably, and the recognition probability of abnormal user behavior is improved.

Description

User behavior baseline establishing method and device
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method and a device for establishing a user behavior baseline.
Background
The rapid development of computer networks and mobile internet applications brings great convenience to work and social life, but the threats and losses caused by various network security problems keep increasing. Moreover, as network application technology develops rapidly, the network behaviors of users become more and more diverse, so identifying the behaviors of network users and finding abnormal behavior events is necessary to ensure the security of the network.
Currently, whether the user behavior is abnormal is generally determined by analyzing a user behavior log.
In view of this, how to analyze the user behavior log to improve the recognition probability of the user abnormal behavior becomes a technical problem to be solved at present.
Disclosure of Invention
To address the problems of the existing method, the embodiment of the invention provides a method and a device for establishing a user behavior baseline.
In a first aspect, an embodiment of the present invention provides a method for establishing a user behavior baseline, including:
acquiring a user behavior log sample set;
establishing a session set user behavior baseline of users and user groups by taking a session set as a minimum time statistical unit according to a time axis based on the user behavior log sample set;
and, based on the session set user behavior baselines of the users and the user groups, establishing user behavior baselines of the users and the user groups along a time axis by taking a preset time period as the time unit.
Optionally, the establishing of the session set user behavior baseline of the users and the user groups by taking the session set as the minimum time statistical unit according to a time axis based on the user behavior log sample set includes:
based on the user behavior log sample set, acquiring the user behavior information of each user and each user group within one session set, and thereby establishing the session set user behavior baseline of the users and the user groups along a time axis with the session set as the minimum time statistical unit.
Optionally, the user behavior information in one session set includes: the number of various actions within a session set, the size of the data volume downloaded or uploaded, the access frequency and the length of time.
Optionally, the preset time period includes: daily, weekly, monthly, and quarterly;
correspondingly, the establishing of the user behavior baselines of the users and the user groups by taking the preset time period as the time unit according to a time axis based on the session set user behavior baselines of the users and the user groups includes:
based on the session set user behavior baselines of the users and the user groups, establishing daily user behavior baselines of the users and the user groups by acquiring the daily user behavior information of each user and each user group along a time axis with the day as the time unit;
based on the session set user behavior baselines of the users and the user groups, establishing weekly user behavior baselines of the users and the user groups by acquiring the weekly user behavior information of each user and each user group along a time axis with the week as the time unit;
based on the session set user behavior baselines of the users and the user groups, establishing monthly user behavior baselines of the users and the user groups by acquiring the monthly user behavior information of each user and each user group along a time axis with the month as the time unit;
and based on the session set user behavior baselines of the users and the user groups, establishing quarterly user behavior baselines of the users and the user groups by acquiring the quarterly user behavior information of each user and each user group along a time axis with the quarter as the time unit.
Optionally, the daily user behavior information includes: the number of session sets per day, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address and the source physical address;
the weekly user behavior information includes: the number of session sets per week, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the week;
the monthly user behavior information includes: the number of session sets per month, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the month;
the quarterly user behavior information includes: the number of session sets per quarter, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the quarter.
Optionally, the dividing of the session set is to determine whether a time interval between two adjacent operations is less than or equal to a timeout time interval of the session set based on the user behavior log sample set; and if so, dividing the two adjacent operations into the same session set, otherwise, dividing the two adjacent operations into different session sets.
Optionally, the timeout interval of the session set is obtained by learning the lengths of the user's operation intervals from the user behavior log sample set and aggregating them;
or, alternatively,
the timeout interval of the session set is preset according to actual conditions.
In a second aspect, an embodiment of the present invention further provides a device for establishing a user behavior baseline, including:
the acquisition module is used for acquiring a user behavior log sample set;
the first establishing module is used for establishing a session set user behavior baseline of users and user groups by taking a session set as a minimum time statistical unit according to a time axis based on the user behavior log sample set;
and the second establishing module is used for establishing the user behavior baselines of the users and the user groups by taking a preset time period as the time unit according to a time axis based on the session set user behavior baselines of the users and the user groups.
Optionally, the first establishing module is specifically configured to:
based on the user behavior log sample set, acquire the user behavior information of each user and each user group within one session set, and thereby establish the session set user behavior baseline of the users and the user groups along a time axis with the session set as the minimum time statistical unit.
Optionally, the user behavior information in one session set includes: the number of various actions within a session set, the size of the data volume downloaded or uploaded, the access frequency and the length of time.
Optionally, the preset time period includes: daily, weekly, monthly, and quarterly;
correspondingly, the second establishing module is specifically configured to:
based on the session set user behavior baselines of the users and the user groups, establish daily user behavior baselines of the users and the user groups by acquiring the daily user behavior information of each user and each user group along a time axis with the day as the time unit;
based on the session set user behavior baselines of the users and the user groups, establish weekly user behavior baselines of the users and the user groups by acquiring the weekly user behavior information of each user and each user group along a time axis with the week as the time unit;
based on the session set user behavior baselines of the users and the user groups, establish monthly user behavior baselines of the users and the user groups by acquiring the monthly user behavior information of each user and each user group along a time axis with the month as the time unit;
and based on the session set user behavior baselines of the users and the user groups, establish quarterly user behavior baselines of the users and the user groups by acquiring the quarterly user behavior information of each user and each user group along a time axis with the quarter as the time unit.
Optionally, the daily user behavior information includes: the number of session sets per day, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address and the source physical address;
the weekly user behavior information includes: the number of session sets per week, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the week;
the monthly user behavior information includes: the number of session sets per month, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the month;
the quarterly user behavior information includes: the number of session sets per quarter, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the quarter.
Optionally, the dividing of the session set is to determine, based on the user behavior log sample set, whether the time interval between two adjacent operations is less than or equal to the timeout interval of the session set; if so, the two adjacent operations are divided into the same session set, otherwise they are divided into different session sets.
Optionally, the timeout interval of the session set is obtained by learning the lengths of the user's operation intervals from the user behavior log sample set and aggregating them;
or, alternatively,
the timeout interval of the session set is preset according to actual conditions.
In a third aspect, an embodiment of the present invention further provides an electronic device, including: a processor, a memory, a bus, and a computer program stored on the memory and executable on the processor;
the processor and the memory complete mutual communication through the bus;
the processor, when executing the computer program, implements the method described above.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the above method.
According to the above technical solution, the embodiment of the invention acquires a user behavior log sample set; based on that sample set, establishes the session set user behavior baseline of the users and the user groups along a time axis with the session set as the minimum time statistical unit; and, based on those session set baselines, establishes the user behavior baselines of the users and the user groups along the time axis with a preset time period as the time unit. A session set can thus be compared with a session set and a preset time period with a preset time period, so that, compared with the prior art in which one session or a single log is the minimum time statistical unit, the abnormal behavior of the users is discovered more reasonably and the recognition probability of abnormal user behavior is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flow chart of a method for establishing a user behavior baseline according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a user behavior baseline establishing apparatus according to an embodiment of the present invention;
Fig. 3 is a logic block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following further describes embodiments of the present invention with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
Fig. 1 is a schematic flowchart illustrating a method for establishing a user behavior baseline according to an embodiment of the present invention, where as shown in fig. 1, the method for establishing a user behavior baseline according to the embodiment includes:
S101, obtaining a user behavior log sample set.
It is to be understood that a plurality of user behavior log samples may be included in the user behavior log sample set.
S102, establishing a session set user behavior baseline of the users and the user groups by taking the session set as the minimum time statistical unit (namely the minimum analysis unit) according to a time axis based on the user behavior log sample set.
In a specific application, the division of the session set may be based on the user behavior log sample set, and determine whether a time interval between two adjacent operations is less than or equal to a timeout time interval of the session set; if the time interval of the two adjacent operations is less than or equal to the time-out interval of the session set, the two adjacent operations are divided into the same session set, and if the time interval of the two adjacent operations is greater than the time-out interval of the session set, the two adjacent operations are divided into different session sets.
It can be understood that, when a user actually accesses the cloud or the intranet, what matters is mainly the period of time over which the user is active: even if the current access exits and the next access follows very closely, for example 5 minutes later (less than the timeout interval of the session set), the two accesses are still regarded as one session set, that is, one analysis unit, rather than being analyzed as two separate sessions.
In a specific application, the timeout interval of the session set may be learned with a machine learning algorithm, that is, the lengths of the user's operation intervals are learned from the user behavior log sample set and aggregated, and the smaller aggregated interval obtained is used as the timeout interval of the session set;
or, alternatively,
the timeout interval of the session set may be preset according to the actual situation; for example, it may be set according to the specific cloud service, such as to 1 hour.
S103, establishing user behavior baselines of the users and the user groups by taking a preset time period as the time unit according to a time axis based on the session set user behavior baselines of the users and the user groups.
Wherein the preset time period may include: daily, weekly, monthly, quarterly, etc., which is not limited in this embodiment, other preset time periods, such as yearly, etc., may be used according to actual situations.
It will be appreciated that, in practice, many of the acquired user behavior logs may lack log-in and log-out records, so establishing a user behavior baseline on an existing single session is not practical. This embodiment therefore analyzes the behavior of a person or entity by looking at the actions concentrated in a certain period of time, rather than splitting them simply by the log-in and log-out of a session. For example, a malicious user logs in to the cloud service at 2:00 a.m. and pulls data, exits the cloud service at 2:30 a.m., logs in again at 2:35 and exits at 3:00; this embodiment analyzes the session set covering the period 2:00 to 3:00 as one unit, instead of two session sets of 2:00 to 2:30 and 2:35 to 3:00. The actions making up one operation by the user are thus reflected as a whole, and the operations before and after an intermediate exit are not cut apart from each other.
The user behavior baseline establishing method of this embodiment can be implemented by a processor: a user behavior log sample set is obtained; based on it, the session set user behavior baseline of the users and the user groups is established along a time axis with the session set as the minimum time statistical unit; and based on those session set baselines, the user behavior baselines of the users and the user groups with a preset time period as the time unit are established along the time axis. A session set can therefore be compared with a session set and a preset time period with a preset time period subsequently; compared with the prior art in which one session or a single log is the minimum time statistical unit, the abnormal behavior of the users is discovered more reasonably, the recognition probability of abnormal user behavior is improved, and the method has greater practical significance.
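As an added example that is not part of the patent, the following Python reproduces the session set division of step S102 on a constructed log built around the 2:00 to 3:00 scenario above: a 5-minute gap between log-out and re-login stays inside one session set, the morning return starts a new one, and per-session-set behavior information is then extracted. The patent does not say how the learned operation intervals are aggregated into the timeout; taking a quantile of the observed gaps is this example's assumption, as are all user names and values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, user, action, bytes moved). It follows the
# scenario in the text: log in at 02:00 and pull data, log out at 02:30, log in
# again at 02:35, leave at 03:00, then return in the morning.
SAMPLE_LOG = [
    ("2017-08-01 02:00:00", "alice", "login", 0),
    ("2017-08-01 02:05:00", "alice", "download", 50_000_000),
    ("2017-08-01 02:20:00", "alice", "download", 80_000_000),
    ("2017-08-01 02:30:00", "alice", "logout", 0),
    ("2017-08-01 02:35:00", "alice", "login", 0),
    ("2017-08-01 02:50:00", "alice", "download", 30_000_000),
    ("2017-08-01 03:00:00", "alice", "logout", 0),
    ("2017-08-01 09:00:00", "alice", "login", 0),
    ("2017-08-01 09:10:00", "alice", "upload", 1_000_000),
]

FMT = "%Y-%m-%d %H:%M:%S"

def parse_log(raw):
    """Parse the raw tuples and order them along the time axis."""
    events = [(datetime.strptime(ts, FMT), user, action, nbytes)
              for ts, user, action, nbytes in raw]
    return sorted(events)

def operation_gaps(events):
    """Gaps in seconds between consecutive operations of the same user."""
    by_user = {}
    for ts, user, _, _ in events:
        by_user.setdefault(user, []).append(ts)
    gaps = []
    for stamps in by_user.values():
        gaps += [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps

def learn_timeout(events, quantile=0.9):
    """Learn the session set timeout from the observed operation gaps.
    Assumption of this example: the 'aggregation' is a quantile of the gap
    distribution; the patent does not name a rule. Falls back to the 1 hour
    preset mentioned in the text when there is nothing to learn from."""
    gaps = sorted(operation_gaps(events))
    if not gaps:
        return timedelta(hours=1)
    idx = min(len(gaps) - 1, int(quantile * (len(gaps) - 1)))
    return timedelta(seconds=gaps[idx])

def split_session_sets(events, timeout):
    """Divide each user's operations into session sets: two adjacent operations
    belong to the same session set iff their gap is <= timeout."""
    sets, current = [], {}
    for ts, user, action, nbytes in events:
        cur = current.get(user)
        if cur is None or ts - cur["end"] > timeout:
            cur = {"user": user, "start": ts, "end": ts, "ops": []}
            current[user] = cur
            sets.append(cur)
        cur["end"] = ts
        cur["ops"].append((ts, action, nbytes))
    return sets

def session_set_features(session_set):
    """Behavior information of one session set as listed in the text: number of
    actions of each type, data volume moved, access frequency and time length."""
    ops = session_set["ops"]
    duration = (session_set["end"] - session_set["start"]).total_seconds()
    return {
        "user": session_set["user"],
        "start": session_set["start"].strftime(FMT),
        "action_counts": dict(Counter(a for _, a, _ in ops)),
        "bytes_down": sum(b for _, a, b in ops if a == "download"),
        "bytes_up": sum(b for _, a, b in ops if a == "upload"),
        "operations": len(ops),            # access frequency within the set
        "duration_minutes": duration / 60,
    }

def login_logout_sessions(events):
    """Prior-art view for comparison: one unit per log-in."""
    return sum(1 for _, _, action, _ in events if action == "login")

def baseline_from_log(raw, timeout=None):
    """S101 + S102: parse the sample set, learn or take a timeout, build the
    session set baseline records."""
    events = parse_log(raw)
    timeout = timeout or learn_timeout(events)
    return [session_set_features(s) for s in split_session_sets(events, timeout)]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("learned timeout:", learn_timeout(events))
    print("login/logout sessions:", login_logout_sessions(events))
    for feat in baseline_from_log(SAMPLE_LOG, timedelta(hours=1)):
        print(feat)
```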
Further, on the basis of the foregoing method embodiment, step S102 in this embodiment may include:
based on the user behavior log sample set, acquiring the user behavior information of each user and each user group within one session set, and thereby establishing the session set user behavior baseline of the users and the user groups along a time axis with the session set as the minimum time statistical unit.
The user behavior information in one session set may include: the number of actions of each type (that is, the number of operations of each kind), the volume of data downloaded or uploaded, the access frequency and the time length within the session set, etc.; this embodiment does not limit them, and other user behavior information of each user and each user group within a session set may also be included according to the actual situation.
Compared with the prior art in which one session or a single log is used as the minimum time statistical unit, the session set is used as the minimum time statistical unit in this embodiment, so that the abnormal behavior of the user is more easily and reasonably discovered subsequently, the recognition probability of abnormal user behavior is improved, and the method has practical significance.
Further, on the basis of the above method embodiment, the preset time period in this embodiment includes: daily, weekly, monthly and quarterly; correspondingly, step S103 may include steps A1-A4, which are not shown in the figure:
A1, based on the session set user behavior baselines of the users and the user groups, establishing daily user behavior baselines of the users and the user groups by acquiring the daily user behavior information of each user and each user group along a time axis with the day as the time unit.
The daily user behavior information may include: the number of session sets per day, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP (Internet Protocol) address and the source physical address, etc.; this embodiment does not limit them, and other daily user behavior information of each user and each user group may also be included according to the actual situation.
A2, based on the session set user behavior baselines of the users and the user groups, establishing weekly user behavior baselines of the users and the user groups by acquiring the weekly user behavior information of each user and each user group along a time axis with the week as the time unit.
The weekly user behavior information may include: the number of session sets per week, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address, the number of days accessed in the week, etc.; this embodiment does not limit them, and other weekly user behavior information of each user and each user group may also be included according to the actual situation.
A3, based on the session set user behavior baselines of the users and the user groups, establishing monthly user behavior baselines of the users and the user groups by acquiring the monthly user behavior information of each user and each user group along a time axis with the month as the time unit.
The monthly user behavior information may include: the number of session sets per month, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address, the number of days accessed in the month, and the like.
A4, based on the session set user behavior baselines of the users and the user groups, establishing quarterly user behavior baselines of the users and the user groups by acquiring the quarterly user behavior information of each user and each user group along a time axis with the quarter as the time unit.
The quarterly user behavior information may include: the number of session sets per quarter, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address, the number of days accessed in the quarter, etc.; this embodiment does not limit them, and other quarterly user behavior information of each user and each user group may also be included according to the actual situation.
In the user behavior baseline establishing method of the embodiment, the session set can be compared with the session set subsequently, the day is compared with the day, the month is compared with the month, the quarter is compared with the quarter, and the like.
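The roll-up from session set records (the output of S102) to the daily and weekly baselines of steps A1 to A4, followed by a day-against-day comparison, as an added Python example that is not the patent's own code. The session set records, the user group, and the comparison rule (mean plus three standard deviations for numeric fields, never-seen values for access hours, source IP and source physical address) are this example's assumptions; the patent only says that a day is compared with a day.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed session set records for two users of one user group:
# (user, start, end, action counts, bytes moved, source IP, source physical address).
BASELINE_SETS = [
    ("alice", "2017-08-01 09:00:00", "2017-08-01 11:30:00", {"download": 4, "upload": 1}, 40_000_000, "10.0.0.5", "aa:bb:cc:00:00:01"),
    ("alice", "2017-08-01 14:00:00", "2017-08-01 15:00:00", {"download": 2}, 10_000_000, "10.0.0.5", "aa:bb:cc:00:00:01"),
    ("alice", "2017-08-02 09:15:00", "2017-08-02 12:00:00", {"download": 5}, 45_000_000, "10.0.0.5", "aa:bb:cc:00:00:01"),
    ("alice", "2017-08-03 08:45:00", "2017-08-03 11:00:00", {"download": 3, "upload": 2}, 30_000_000, "10.0.0.5", "aa:bb:cc:00:00:01"),
    ("bob", "2017-08-01 10:00:00", "2017-08-01 10:30:00", {"download": 1}, 5_000_000, "10.0.0.9", "aa:bb:cc:00:00:02"),
    ("bob", "2017-08-03 10:00:00", "2017-08-03 10:45:00", {"download": 2}, 8_000_000, "10.0.0.9", "aa:bb:cc:00:00:02"),
]
# A later day of alice's, constructed to be compared day against day with her baseline.
NEW_DAY = [
    ("alice", "2017-08-04 02:00:00", "2017-08-04 03:00:00", {"download": 40}, 900_000_000, "203.0.113.7", "aa:bb:cc:00:00:99"),
]
GROUPS = {"alice": "finance", "bob": "finance"}   # assumed user group membership
NUMERIC = ("session_sets", "bytes", "access_minutes")

def parse(records):
    return [{"user": u, "start": datetime.strptime(s, FMT), "end": datetime.strptime(e, FMT),
             "actions": a, "bytes": b, "ip": ip, "mac": mac} for u, s, e, a, b, ip, mac in records]

def period_key(start, unit):
    """Position of a session set on the time axis for the preset time period."""
    if unit == "day":
        return start.date().isoformat()
    if unit == "week":
        year, week, _ = start.isocalendar()
        return f"{year}-W{week:02d}"
    if unit == "month":
        return f"{start.year}-{start.month:02d}"
    if unit == "quarter":
        return f"{start.year}-Q{(start.month - 1) // 3 + 1}"
    raise ValueError(f"unknown period unit {unit!r}")

def empty_period():
    return {"session_sets": 0, "actions": Counter(), "bytes": 0, "hours": set(),
            "access_minutes": 0.0, "source_ips": set(), "source_macs": set(), "days": set()}

def add_session_set(acc, s):
    """Fold one session set into a period's behavior information (the fields of
    A1-A4). Assumes a session set does not cross midnight."""
    acc["session_sets"] += 1
    acc["actions"].update(s["actions"])
    acc["bytes"] += s["bytes"]
    acc["hours"].update(range(s["start"].hour, s["end"].hour + 1))  # accessed time period
    acc["access_minutes"] += (s["end"] - s["start"]).total_seconds() / 60
    acc["source_ips"].add(s["ip"])
    acc["source_macs"].add(s["mac"])
    acc["days"].add(s["start"].date())   # len() is the number of days accessed

def build_baselines(session_sets, unit, groups):
    """Per-user and per-group baselines keyed by (user or group, period)."""
    per_user, per_group = defaultdict(empty_period), defaultdict(empty_period)
    for s in session_sets:
        key = period_key(s["start"], unit)
        add_session_set(per_user[(s["user"], key)], s)
        add_session_set(per_group[(groups[s["user"]], key)], s)
    return dict(per_user), dict(per_group)

def compare_day(per_user_daily, user, observed):
    """Compare one observed day with the user's daily baseline, day against day.
    Rule chosen for this example (not fixed by the patent): a numeric metric is
    reported above mean + 3 * stdev of the baseline days; access hours, source
    IPs and physical addresses never seen in the baseline are reported too."""
    history = [v for (u, _), v in per_user_daily.items() if u == user]
    if not history:
        return []
    findings = []
    for metric in NUMERIC:
        values = [h[metric] for h in history]
        mu, sd = mean(values), pstdev(values)
        if observed[metric] > mu + 3 * sd:
            findings.append((metric, observed[metric], round(mu), round(sd)))
    for field in ("hours", "source_ips", "source_macs"):
        seen = set().union(*(h[field] for h in history))
        novel = observed[field] - seen
        if novel:
            findings.append((field, sorted(novel)))
    return findings

if __name__ == "__main__":
    daily_user, daily_group = build_baselines(parse(BASELINE_SETS), "day", GROUPS)
    observed = build_baselines(parse(NEW_DAY), "day", GROUPS)[0][("alice", "2017-08-04")]
    for finding in compare_day(daily_user, "alice", observed):
        print(finding)
```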
Fig. 2 is a schematic structural diagram of a user behavior baseline establishing apparatus according to an embodiment of the present invention, and as shown in fig. 2, the user behavior baseline establishing apparatus according to the embodiment includes: an acquisition module 21, a first establishing module 22 and a second establishing module 23; wherein:
the obtaining module 21 is configured to obtain a user behavior log sample set;
the first establishing module 22 is configured to establish a session set user behavior baseline of the user and the user group by using the session set as a minimum time statistic unit according to a time axis based on the user behavior log sample set;
the second establishing module 23 is configured to establish a user behavior baseline of the user and the user group in a time unit of a preset time period according to a time axis based on the session set user behavior baseline of the user and the user group.
Specifically, the obtaining module 21 obtains a user behavior log sample set; the first establishing module 22 establishes a session set user behavior baseline of the user and the user group by taking the session set as a minimum time statistical unit according to a time axis based on the user behavior log sample set; the second establishing module 23 establishes the user behavior baselines of the users and the user groups in a time unit of a preset time period according to a time axis based on the session set user behavior baselines of the users and the user groups.
Wherein the preset time period may include: daily, weekly, monthly, quarterly, etc., which is not limited in this embodiment, other preset time periods, such as yearly, etc., may be used according to actual situations.
In a specific application, the division of the session set may be based on the user behavior log sample set, and determine whether a time interval between two adjacent operations is less than or equal to a timeout time interval of the session set; if the time interval of the two adjacent operations is less than or equal to the time-out interval of the session set, the two adjacent operations are divided into the same session set, and if the time interval of the two adjacent operations is greater than the time-out interval of the session set, the two adjacent operations are divided into different session sets.
It can be understood that, when a user actually accesses the cloud or the intranet, what matters is mainly the period of time over which the user is active: even if the current access exits and the next access follows very closely, for example 5 minutes later (less than the timeout interval of the session set), the two accesses are still regarded as one session set, that is, one analysis unit, rather than being analyzed as two separate sessions.
In a specific application, the timeout interval of the session set may be obtained with a machine learning method, that is, the lengths of the user's operation intervals are learned from the user behavior log sample set and aggregated, and the smaller aggregated interval obtained is used as the timeout interval of the session set;
or, alternatively,
the timeout interval of the session set may be preset according to the actual situation; for example, it may be set according to the specific cloud service.
It will be appreciated that, in practice, many of the acquired user behavior logs may lack log-in and log-out records, so establishing a user behavior baseline on an existing single session is not practical. This embodiment therefore analyzes the behavior of a person or entity by looking at the actions concentrated in a certain period of time, rather than splitting them simply by the log-in and log-out of a session. For example, a malicious user logs in to the cloud service at 2:00 a.m. and pulls data, exits the cloud service at 2:30 a.m., logs in again at 2:35 and exits at 3:00; this embodiment analyzes the session set covering the period 2:00 to 3:00 as one unit, instead of two session sets of 2:00 to 2:30 and 2:35 to 3:00. The actions making up one operation by the user are thus reflected as a whole, and the operations before and after an intermediate exit are not cut apart from each other.
The user behavior baseline establishing device of the embodiment can compare the session set with the session set and compare the preset time period with the preset time period, and compared with the prior art that one session or a single log is used as a minimum time statistic unit, the user behavior baseline establishing device is easier to reasonably discover abnormal behaviors of the user, improves the recognition probability of the abnormal behaviors of the user, and has practical significance.
Further, on the basis of the above method embodiments, the first establishing module 22 of this embodiment may be specifically configured to:
based on the user behavior log sample set, acquire the user behavior information of each user and each user group within one session set, and thereby establish the session set user behavior baseline of the users and the user groups along a time axis with the session set as the minimum time statistical unit.
The user behavior information in one session set may include: the number of actions of each type, the volume of data downloaded or uploaded, the access frequency and the time length within the session set, etc.; this embodiment does not limit them, and other user behavior information of each user and each user group within a session set may also be included according to the actual situation.
Compared with the prior art in which one session or a single log is used as the minimum time counting unit, the session set is used as the minimum time counting unit in the embodiment, so that the abnormal behavior of the user is easily and reasonably discovered subsequently, the recognition probability of the abnormal behavior of the user is improved, and the method has practical significance.
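The session set division described above (two adjacent operations at most one timeout interval apart fall into the same set, with the timeout learned from the sample set or preset) together with the per-session-set behavior information listed in the preceding paragraph, as an added Python example that is not part of the patent or of any product of the applicant. The log records, the users "alice" and "bob", the treatment of access frequency as operations per hour, and the statistic used to learn the timeout (three times the median inter-operation gap) are constructed assumptions of this example; the patent does not say how the operation intervals are aggregated. The 02:00 to 03:00 records reproduce the example from the description, with a logout and a second login inside one set, and "bob" has no login or logout records at all:

```python
"""Session set partitioning and per-session-set behaviour features (example code)."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List

# Constructed sample of a user behaviour log (not from the patent). Each record is
# (user, timestamp, action, bytes_down, bytes_up). "bob" has no login/logout events.
SAMPLE_LOG = [
    ("alice", "2017-08-08 02:00", "login",    0,           0),
    ("alice", "2017-08-08 02:05", "download", 50_000_000,  0),
    ("alice", "2017-08-08 02:20", "download", 80_000_000,  0),
    ("alice", "2017-08-08 02:30", "logout",   0,           0),
    ("alice", "2017-08-08 02:35", "login",    0,           0),
    ("alice", "2017-08-08 02:50", "download", 120_000_000, 0),
    ("alice", "2017-08-08 03:00", "logout",   0,           0),
    ("alice", "2017-08-08 09:00", "login",    0,           0),
    ("alice", "2017-08-08 09:10", "list",     0,           0),
    ("alice", "2017-08-08 09:12", "logout",   0,           0),
    ("bob",   "2017-08-08 08:30", "list",     0,           0),
    ("bob",   "2017-08-08 08:40", "upload",   0,           2_000_000),
    ("bob",   "2017-08-08 14:00", "list",     0,           0),
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def inter_operation_gaps_minutes(log) -> List[float]:
    """All gaps between consecutive operations of the same user, in minutes."""
    by_user = defaultdict(list)
    for user, ts, *_ in log:
        by_user[user].append(_ts(ts))
    gaps = []
    for times in by_user.values():
        times.sort()
        gaps += [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return gaps


def learn_timeout_minutes(log, factor: float = 3.0) -> float:
    """Timeout learned from the sample set. The patent only says the intervals are
    aggregated; using a multiple of the median gap is an assumption of this example."""
    return factor * median(inter_operation_gaps_minutes(log))


def split_session_sets(log, timeout_minutes: float) -> List[Dict]:
    """Partition each user's operations: an operation joins the current session set
    when its gap to the previous operation is <= timeout, otherwise a new set starts."""
    by_user = defaultdict(list)
    for user, ts, action, down, up in log:
        by_user[user].append((_ts(ts), action, down, up))
    sets = []
    for user, events in sorted(by_user.items()):
        events.sort()
        current = None
        for ev in events:
            gap_ok = current is not None and \
                (ev[0] - current["events"][-1][0]).total_seconds() / 60 <= timeout_minutes
            if not gap_ok:
                current = {"user": user, "events": []}
                sets.append(current)
            current["events"].append(ev)
    return sets


def session_set_features(ss: Dict) -> Dict:
    """User behaviour information of one session set as listed in the text: action
    counts, downloaded/uploaded volume, access frequency (here: operations per hour,
    an assumption of this example) and duration."""
    times = [e[0] for e in ss["events"]]
    start, end = min(times), max(times)
    duration_min = (end - start).total_seconds() / 60
    hours = max(duration_min, 1) / 60  # one-event sets count as one minute
    return {
        "user": ss["user"],
        "start": start.strftime("%H:%M"),
        "end": end.strftime("%H:%M"),
        "actions": dict(Counter(e[1] for e in ss["events"])),
        "bytes_down": sum(e[2] for e in ss["events"]),
        "bytes_up": sum(e[3] for e in ss["events"]),
        "duration_min": duration_min,
        "ops_per_hour": round(len(ss["events"]) / hours, 2),
    }


def build_session_set_baseline(log, timeout_minutes: float = None) -> List[Dict]:
    """Session-set level records for every user, the basis of the later period baselines."""
    if timeout_minutes is None:
        timeout_minutes = learn_timeout_minutes(log)
    return [session_set_features(ss) for ss in split_session_sets(log, timeout_minutes)]


if __name__ == "__main__":
    print("learned timeout (min):", learn_timeout_minutes(SAMPLE_LOG))
    for rec in build_session_set_baseline(SAMPLE_LOG):
        print(rec)
```

With the learned 30-minute timeout the logout at 02:30 and the new login at 02:35 fall inside one session set running from 02:00 to 03:00, so the three downloads are counted together; passing a timeout of 10 minutes instead splits the same records into six sets, which is the difference the text draws between session-level and session-set-level statistics.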
Further, on the basis of the above method embodiment, this embodiment includes, in the preset time period: daily, weekly, monthly and quarterly, respectively, said second building module 23, may be particularly useful for
Establishing a daily user behavior baseline of the users and the user groups by acquiring daily user behavior information of each user and each user group according to a time axis and taking days as time units on the basis of the conversation set user behavior baselines of the users and the user groups;
based on the conversation set user behavior baselines of the users and the user groups, establishing weekly user behavior baselines of the users and the user groups by acquiring weekly user behavior information of each user and each user group according to a time axis and taking a week as a time unit;
establishing a monthly user behavior baseline of the users and the user groups by acquiring monthly user behavior information of each user and each user group according to a time axis and by taking months as time units on the basis of the conversation set user behavior baselines of the users and the user groups;
and based on the conversation set user behavior baselines of the users and the user groups, establishing the quarterly user behavior baselines of the users and the user groups by acquiring the quarterly user behavior information of each user and each user group according to a time axis.
The daily user behavior information may include the number of session sets per day, the number of actions of each type, the data volume, the time periods of the session sets accessed, the total access time, the source IP address, the source physical (MAC) address, etc. This embodiment does not limit it; it may also include other daily behavior information of each user and each user group.
The weekly user behavior information may include the number of session sets per week, the number of actions of each type, the data volume, the time periods of the session sets accessed, the total access time, the source IP address, the source physical address, the number of days accessed in the week, etc. This embodiment does not limit it; according to the actual situation it may also include other weekly behavior information of each user and each user group.
The monthly user behavior information may include the number of session sets per month, the number of actions of each type, the data volume, the time periods of the session sets accessed, the total access time, the source IP address, the source physical address, the number of days accessed in the month, etc.
The quarterly user behavior information may include the number of session sets per quarter, the number of actions of each type, the data volume, the time periods of the session sets accessed, the total access time, the source IP address, the source physical address, the number of days accessed in the quarter, etc. This embodiment does not limit it; according to the actual situation it may also include other quarterly behavior information of each user and each user group.
The user behavior baseline establishing device of this embodiment can compare session set with session set, day with day, month with month, quarter with quarter, and so on. Compared with the prior art, in which one session or a single log is used as the minimum time statistical unit, abnormal user behavior is discovered more easily and reasonably, the probability of recognizing abnormal user behavior is improved, and the device has greater practical significance.
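The daily and weekly information listed above and the day-with-day comparison this paragraph refers to, as an added Python example that is not part of the patent or of any product of the applicant. It starts from session-set records of the kind the session-set step produces, aggregates them into the daily information (number of session sets, action counts, data volume, active hour window, total access time, source IP and source physical address), derives a weekly baseline over those days including the number of days accessed, and then compares a new day against that baseline. The records, the user "alice", the threshold of mean plus three standard deviations on download volume, and the treatment of unseen addresses and hours as deviations are assumptions of this example; the patent states no such thresholds:

```python
"""Daily and weekly baselines built on session-set records, plus day-with-day comparison."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple


def _session_set(day: str, start_h: int, end_h: int, mb_down: int, ip: str, mac: str,
                 actions: Dict[str, int]) -> Dict:
    """One constructed session-set record (output shape of the session-set step)."""
    return {"user": "alice", "date": day, "start_h": start_h, "end_h": end_h,
            "actions": actions, "bytes_down": mb_down * 1_000_000,
            "duration_min": (end_h - start_h) * 60, "src_ip": ip, "src_mac": mac}


# Constructed sample data (not from the patent): five routine working days used to
# learn the baseline, and one later day with a bulk download at night from an
# address never seen before.
OFFICE = ("10.0.0.5", "aa:bb:cc:00:00:01")
NORMAL_WEEK = [
    _session_set(f"2017-08-0{d}", 9, 12, mb, *OFFICE, {"list": 8, "download": 2})
    for d, mb in zip(range(1, 6), (60, 55, 70, 65, 50))
]
SUSPECT_DAY = [
    _session_set("2017-08-08", 2, 3, 250, "203.0.113.9", "aa:bb:cc:00:00:99", {"download": 3})
]


def daily_features(records: List[Dict]) -> Dict[Tuple[str, str], Dict]:
    """Daily user behaviour information keyed by (user, date), summed over session sets."""
    days = defaultdict(lambda: {"session_sets": 0, "actions": defaultdict(int), "bytes_down": 0,
                                "total_min": 0, "start_h": 24, "end_h": 0,
                                "src_ips": set(), "src_macs": set()})
    for r in records:
        d = days[(r["user"], r["date"])]
        d["session_sets"] += 1
        for action, n in r["actions"].items():
            d["actions"][action] += n
        d["bytes_down"] += r["bytes_down"]
        d["total_min"] += r["duration_min"]
        d["start_h"] = min(d["start_h"], r["start_h"])
        d["end_h"] = max(d["end_h"], r["end_h"])
        d["src_ips"].add(r["src_ip"])
        d["src_macs"].add(r["src_mac"])
    return dict(days)


def weekly_baseline(days: Dict[Tuple[str, str], Dict], user: str) -> Dict:
    """Weekly baseline of one user: statistics of the daily values plus the union of
    observed hours, source IPs and MACs, and the number of days with activity."""
    rows = [v for (u, _), v in days.items() if u == user]
    bytes_per_day = [r["bytes_down"] for r in rows]
    return {
        "days_active": len(rows),
        "session_sets_per_day": mean([r["session_sets"] for r in rows]),
        "bytes_down_mean": mean(bytes_per_day),
        "bytes_down_std": pstdev(bytes_per_day),
        "earliest_h": min(r["start_h"] for r in rows),
        "latest_h": max(r["end_h"] for r in rows),
        "src_ips": set().union(*(r["src_ips"] for r in rows)),
        "src_macs": set().union(*(r["src_macs"] for r in rows)),
    }


def compare_day(day: Dict, baseline: Dict, k: float = 3.0) -> List[str]:
    """Compare one day's information with the weekly baseline and list the deviations.
    The k-sigma limit and the address/hour rules are assumptions of this example."""
    findings = []
    limit = baseline["bytes_down_mean"] + k * baseline["bytes_down_std"]
    if day["bytes_down"] > limit:
        findings.append(f"download volume {day['bytes_down']} exceeds baseline limit {limit:.0f}")
    if day["start_h"] < baseline["earliest_h"] or day["end_h"] > baseline["latest_h"]:
        findings.append(f"activity window {day['start_h']}-{day['end_h']}h outside "
                        f"baseline {baseline['earliest_h']}-{baseline['latest_h']}h")
    for ip in sorted(day["src_ips"] - baseline["src_ips"]):
        findings.append(f"new source IP {ip}")
    for mac in sorted(day["src_macs"] - baseline["src_macs"]):
        findings.append(f"new source MAC {mac}")
    return findings


def review_days(baseline_records: List[Dict], new_records: List[Dict], user: str) -> Dict[str, List[str]]:
    """Findings per new date for one user, day compared with the weekly baseline."""
    baseline = weekly_baseline(daily_features(baseline_records), user)
    return {date: compare_day(feat, baseline)
            for (u, date), feat in daily_features(new_records).items() if u == user}


if __name__ == "__main__":
    for date, findings in review_days(NORMAL_WEEK, SUSPECT_DAY, "alice").items():
        print(date, findings or "no deviation")
```

A routine day from the learning week produces no finding, while the constructed night-time day is reported for its download volume, its hours, and both of its unseen source addresses; the same functions apply unchanged to month and quarter windows by widening the set of days fed to the baseline.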
The user behavior baseline establishing device of this embodiment may be used to implement the technical solutions of the foregoing method embodiments, and the implementation principles and technical effects thereof are similar, and are not described herein again.
Fig. 3 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present invention. As shown in Fig. 3, the electronic device may include a processor 11, a memory 12, a bus 13, and a computer program stored on the memory 12 and executable on the processor 11;
the processor 11 and the memory 12 communicate with each other through the bus 13;
when the processor 11 executes the computer program, the method provided by the foregoing method embodiments is implemented, for example: acquiring a user behavior log sample set; establishing a session set user behavior baseline of users and user groups by taking a session set as the minimum time statistical unit according to a time axis based on the user behavior log sample set; and establishing user behavior baselines of the users and the user groups by taking a preset time period as the time unit according to a time axis based on the session set user behavior baselines of the users and the user groups.
An embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the method provided by the foregoing method embodiments, for example: acquiring a user behavior log sample set; establishing a session set user behavior baseline of users and user groups by taking a session set as the minimum time statistical unit according to a time axis based on the user behavior log sample set; and establishing user behavior baselines of the users and the user groups by taking a preset time period as the time unit according to a time axis based on the session set user behavior baselines of the users and the user groups.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus, and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means/systems for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element. The terms "upper", "lower", and the like, indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience in describing the present invention and simplifying the description, but do not indicate or imply that the referred devices or elements must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Unless expressly stated or limited otherwise, the terms "mounted," "connected," and "connected" are intended to be inclusive and mean, for example, that they may be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
In the description of the present invention, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description. Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present invention is not limited to any single aspect, nor is it limited to any single embodiment, nor is it limited to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the present invention may be utilized alone or in combination with one or more other aspects and/or embodiments thereof.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (8)

1. A user behavior baseline establishing method, characterized by comprising the following steps:
acquiring a user behavior log sample set;
based on the user behavior log sample set, taking a session set as the minimum time statistical unit according to a time axis, and establishing a session set user behavior baseline of users and user groups by acquiring the user behavior information of each user and each user group in one session set;
establishing user behavior baselines of the users and the user groups by taking a preset time period as the time unit according to a time axis based on the session set user behavior baselines of the users and the user groups;
wherein the division of the session set is based on the user behavior log sample set, judging whether the time interval between two adjacent operations is less than or equal to the timeout interval of the session set; if so, the two adjacent operations are divided into the same session set, otherwise they are divided into different session sets; the timeout interval of the session set is obtained by aggregating and learning the operation interval lengths of users based on the user behavior log sample set, or the timeout interval of the session set is preset according to a specific cloud service; and the user behavior information in one session set comprises: the number of actions of each type within the session set, the size of the data volume downloaded or uploaded, the access frequency and the duration.
2. The method of claim 1, wherein the preset time period comprises: daily, weekly, monthly and quarterly;
correspondingly, establishing the user behavior baselines of the users and the user groups by taking the preset time period as the time unit according to a time axis based on the session set user behavior baselines of the users and the user groups comprises:
establishing the daily user behavior baseline of the users and the user groups, on the basis of the session set user behavior baselines of the users and the user groups, by acquiring the daily user behavior information of each user and each user group according to a time axis with the day as the time unit;
establishing the weekly user behavior baseline of the users and the user groups, on the basis of the session set user behavior baselines of the users and the user groups, by acquiring the weekly user behavior information of each user and each user group according to a time axis with the week as the time unit;
establishing the monthly user behavior baseline of the users and the user groups, on the basis of the session set user behavior baselines of the users and the user groups, by acquiring the monthly user behavior information of each user and each user group according to a time axis with the month as the time unit;
and establishing the quarterly user behavior baseline of the users and the user groups, on the basis of the session set user behavior baselines of the users and the user groups, by acquiring the quarterly user behavior information of each user and each user group according to a time axis.
3. The method of claim 2, wherein the daily user behavior information comprises: the number of times of each day of session set, the number of times of various actions, the size of data volume, the time period of the accessed session set, the overall access time, the source IP address and the source physical address;
the weekly user behavior information comprises: the number of times of the session set, the number of times of various actions, the data size, the time period of the accessed session set, the overall access time, the source IP address, the source physical address and the number of days of the access in the week;
the monthly user behavior information includes: the number of sessions, the number of actions, the data size, the time period of the accessed sessions, the overall access time, the source IP address, the source physical address and the number of days of access in the month;
the quarterly user behavior information comprises: number of session sets per quarter, number of actions of various types, data size, session set time period of access, overall access time, source IP address, source physical address, and number of days accessed in the quarter.
4. A user behavior baseline establishing apparatus, characterized by comprising:
an acquisition module, used for acquiring a user behavior log sample set;
a first establishing module, used for, based on the user behavior log sample set, taking a session set as the minimum time statistical unit according to a time axis, and establishing a session set user behavior baseline of users and user groups by acquiring the user behavior information of each user and each user group in one session set;
a second establishing module, used for establishing user behavior baselines of the users and the user groups by taking a preset time period as the time unit according to a time axis based on the session set user behavior baselines of the users and the user groups;
wherein the division of the session set is based on the user behavior log sample set, judging whether the time interval between two adjacent operations is less than or equal to the timeout interval of the session set; if so, the two adjacent operations are divided into the same session set, otherwise they are divided into different session sets; the timeout interval of the session set is obtained by aggregating and learning the operation interval lengths of users based on the user behavior log sample set, or the timeout interval of the session set is preset according to a specific cloud service; and the user behavior information in one session set comprises: the number of actions of each type within the session set, the size of the data volume downloaded or uploaded, the access frequency and the duration.
5. The apparatus of claim 4, wherein the preset time period comprises: daily, weekly, monthly and quarterly;
correspondingly, the second establishing module is specifically used for:
establishing the daily user behavior baseline of the users and the user groups, on the basis of the session set user behavior baselines of the users and the user groups, by acquiring the daily user behavior information of each user and each user group according to a time axis with the day as the time unit;
establishing the weekly user behavior baseline of the users and the user groups, on the basis of the session set user behavior baselines of the users and the user groups, by acquiring the weekly user behavior information of each user and each user group according to a time axis with the week as the time unit;
establishing the monthly user behavior baseline of the users and the user groups, on the basis of the session set user behavior baselines of the users and the user groups, by acquiring the monthly user behavior information of each user and each user group according to a time axis with the month as the time unit;
and establishing the quarterly user behavior baseline of the users and the user groups, on the basis of the session set user behavior baselines of the users and the user groups, by acquiring the quarterly user behavior information of each user and each user group according to a time axis.
6. The apparatus of claim 5, wherein the daily user behavior information comprises: the number of times of each day of session set, the number of times of various actions, the size of data volume, the time period of the accessed session set, the overall access time, the source IP address and the source physical address;
the weekly user behavior information comprises: the number of times of the session set, the number of times of various actions, the data size, the time period of the accessed session set, the overall access time, the source IP address, the source physical address and the number of days of the access in the week;
the monthly user behavior information includes: the number of sessions, the number of actions, the data size, the time period of the accessed sessions, the overall access time, the source IP address, the source physical address and the number of days of access in the month;
the quarterly user behavior information comprises: number of session sets per quarter, number of actions of various types, data size, session set time period of access, overall access time, source IP address, source physical address, and number of days accessed in the quarter.
7. An electronic device, comprising: a processor, a memory, a bus, and a computer program stored on the memory and executable on the processor;
the processor and the memory complete mutual communication through the bus;
the processor, when executing the computer program, implements the method of any of claims 1-3.
8. A non-transitory computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, implements the method of any one of claims 1-3.
Application CN201710671859.9A (priority date 2017-08-08, filing date 2017-08-08): User behavior baseline establishing method and device, status Active, granted as CN107517203B (en)

Publications (2)

Publication Number Publication Date
CN107517203A CN107517203A (en) 2017-12-26
CN107517203B true CN107517203B (en) 2020-07-14

Family

ID=60723012

Country Status (1)

Country Link
CN (1) CN107517203B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant after: QAX Technology Group Inc.

Address before: 100015 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant