CN108632097A - Recognition methods, terminal device and the medium of abnormal behaviour object - Google Patents

Recognition methods, terminal device and the medium of abnormal behaviour object Download PDF

Info

Publication number
CN108632097A
CN108632097A CN201810457008.9A CN201810457008A CN108632097A CN 108632097 A CN108632097 A CN 108632097A CN 201810457008 A CN201810457008 A CN 201810457008A CN 108632097 A CN108632097 A CN 108632097A
Authority
CN
China
Prior art keywords
behavior pattern
user
real
time
period
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810457008.9A
Other languages
Chinese (zh)
Other versions
CN108632097B (en
Inventor
王义文
王健宗
肖京
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd filed Critical Ping An Technology Shenzhen Co Ltd
Priority to CN201810457008.9A priority Critical patent/CN108632097B/en
Priority to PCT/CN2018/097453 priority patent/WO2019218475A1/en
Publication of CN108632097A publication Critical patent/CN108632097A/en
Application granted granted Critical
Publication of CN108632097B publication Critical patent/CN108632097B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/069Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention is suitable for technical field of information processing, provides a kind of recognition methods, terminal device and the medium of abnormal behaviour object, including:Network history behavioral data based on user, the historical behavior pattern for each period that determines user in preset measurement period;Using the period for forming measurement period as sequence, historical behavior mode sequences are built;The real-time behavioral data of network based on user, determines the real-time behavior pattern of user;In historical behavior mode sequences, the historical behavior pattern overlapped on the period with the real-time behavior pattern of network is searched;Judge whether real-time behavior pattern matches with the historical behavior pattern found;If real-time behavior pattern and the historical behavior pattern found mismatch, it is determined that user is abnormal behaviour object.The present invention only needs to depend on network behavior data collected by backstage that the identification to abnormal behaviour object can be completed, and is checked one by one without by artificial, therefore improves the recognition efficiency and recognition accuracy of abnormal behaviour object.

Description

Recognition methods, terminal device and the medium of abnormal behaviour object
Technical field
The invention belongs to technical field of information processing more particularly to a kind of recognition methods of abnormal behaviour object, terminal to set Standby and computer readable storage medium.
Background technology
Behavior that enterprises employee is occurred, may causing to violate disciplines or generate career criminal is employee's exception Behavior.By identifying the employee with abnormal behaviour, standardized administration is carried out to its behavior in time, abnormal behaviour person can be eliminated Work is to the harmful effect caused by enterprises other staff.Also, for enterprise eliminate the incorrect employee of attitude, select it is excellent For the management strategy of elegant managerial talent, equally there is more important reference significance.
In actual scene, enterprise usually can all arrange special administrative personnel come the daily behavior for the employee that periodically patrols, with Determine abnormal behaviour employee.However, the mode of this hand inspection there is a problem of checking that efficiency is more low.Also, work as When employee recognizes administrative personnel at hand, would generally also it be prevented, accordingly, it is difficult to accurately and effectively identify abnormal row For employee.
Invention content
In view of this, an embodiment of the present invention provides a kind of recognition methods, terminal device and the calculating of abnormal behaviour object Machine readable storage medium storing program for executing, it is more low to solve the recognition efficiency of abnormal behaviour object in the prior art and recognition accuracy The problem of.
The first aspect of the embodiment of the present invention provides a kind of recognition methods of abnormal behaviour object, including:
Network history behavioral data based on user determines the user in preset measurement period each period Historical behavior pattern;
Using the period for forming the measurement period as sequence, historical behavior mode sequences are built;
The real-time behavioral data of network based on the user, determines the real-time behavior pattern of the user;
In the historical behavior mode sequences, lookup is overlapped with the real-time behavior pattern of the network on the period Historical behavior pattern;
Judge whether the real-time behavior pattern matches with the historical behavior pattern found;
If the real-time behavior pattern and the historical behavior pattern found mismatch, it is determined that the user is different Normal object of action.
The second aspect of the embodiment of the present invention provides a kind of terminal device, including memory and processor, described to deposit The computer program that can be run on the processor is stored on reservoir, the processor executes real when the computer program Existing following steps:
Network history behavioral data based on user determines the user in preset measurement period each period Historical behavior pattern;
Using the period for forming the measurement period as sequence, historical behavior mode sequences are built;
The real-time behavioral data of network based on the user, determines the real-time behavior pattern of the user;
In the historical behavior mode sequences, lookup is overlapped with the real-time behavior pattern of the network on the period Historical behavior pattern;
Judge whether the real-time behavior pattern matches with the historical behavior pattern found;
If the real-time behavior pattern and the historical behavior pattern found mismatch, it is determined that the user is different Normal object of action.
The third aspect of the embodiment of the present invention provides a kind of computer readable storage medium, the computer-readable storage Media storage has computer program, the computer program to realize following steps when being executed by processor:
Network history behavioral data based on user determines the user in preset measurement period each period Historical behavior pattern;
Using the period for forming the measurement period as sequence, historical behavior mode sequences are built;
The real-time behavioral data of network based on the user, determines the real-time behavior pattern of the user;
In the historical behavior mode sequences, lookup is overlapped with the real-time behavior pattern of the network on the period Historical behavior pattern;
Judge whether the real-time behavior pattern matches with the historical behavior pattern found;
If the real-time behavior pattern and the historical behavior pattern found mismatch, it is determined that the user is different Normal object of action.
It, can be according to enterprise person by directly collecting the network behavior historical data of user on backstage in the embodiment of the present invention The daily behavior of work is accustomed to, and structure obtains the historical behavior mode sequences of enterprise staff.In historical behavior mode sequences, pass through Search the historical behavior pattern overlapped on the period, the real-time behavior pattern associated by the real-time behavioral data of network and history When behavior pattern mismatches, it is known that there is the behavior mould larger with its consistent rule or behavioral difference in enterprise staff Formula, therefore the enterprise staff at current time is determined as abnormal behaviour object, the recognition accuracy of abnormal behaviour object can be improved.By It only needs that identification to abnormal behaviour object can be completed dependent on network behavior data collected by backstage in the embodiment of the present invention, It need not one by one be checked by artificial, this improves the recognition efficiencies to abnormal behaviour object.
Description of the drawings
It to describe the technical solutions in the embodiments of the present invention more clearly, below will be to embodiment or description of the prior art Needed in attached drawing be briefly described, it should be apparent that, the accompanying drawings in the following description be only the present invention some Embodiment for those of ordinary skill in the art without having to pay creative labor, can also be according to these Attached drawing obtains other attached drawings.
Fig. 1 is the implementation flow chart of the recognition methods of abnormal behaviour object provided in an embodiment of the present invention;
Fig. 2 is the specific implementation flow chart of the recognition methods S101 of abnormal behaviour object provided in an embodiment of the present invention;
Fig. 3 is the specific implementation flow of the recognition methods S101 for the abnormal behaviour object that another embodiment of the present invention provides Figure;
Fig. 4 is the implementation flow chart of the recognition methods for the abnormal behaviour object that further embodiment of this invention provides;
Fig. 5 is the implementation flow chart of the recognition methods for the abnormal behaviour object that yet another embodiment of the invention provides;
Fig. 6 is the structure diagram of the identification device of abnormal behaviour object provided in an embodiment of the present invention;
Fig. 7 is the schematic diagram of terminal device provided in an embodiment of the present invention.
Specific implementation mode
In being described below, for illustration and not for limitation, it is proposed that such as tool of particular system structure, technology etc Body details, to understand thoroughly the embodiment of the present invention.However, it will be clear to one skilled in the art that there is no these specific The present invention can also be realized in the other embodiments of details.In other situations, it omits to well-known system, device, electricity The detailed description of road and method, in case unnecessary details interferes description of the invention.
In order to illustrate technical solutions according to the invention, illustrated below by specific embodiment.
Fig. 1 shows the implementation process of the recognition methods of abnormal behaviour object provided in an embodiment of the present invention, and details are as follows:
S101:Network history behavioral data based on user, when determining that the user is each in preset measurement period Between section historical behavior pattern.
In the embodiment of the present invention, network history behavioral data is user's generated history when using enterprises system Daily record data.For example, within past one section of preset duration, generated video when user is by Intranet progress video conference Transmission data, by mailing system receiving and dispatching mail when generated mail protocol transmission data and brushed by access control system Generated attendance data etc., belongs to network history behavioral data when card operation.According to the multiple enterprises connected in advance System collects the history log data that above-mentioned multiple enterprises systems are uploaded.
In the embodiment of the present invention, historical behavior pattern is for characterizing and the matched behavior event of network history behavioral data. Each behavior event is associated with the transport protocol of data, zone bit information and source address.Therefore, pass through the items to receiving Network history behavioral data is analyzed, it may be determined that goes out the historical behavior pattern corresponding to network history behavioral data.It is above-mentioned to go through History behavior pattern includes but not limited to receiving and dispatching mail, web page browsing, video conference, document sharing is transmitted and the moulds such as gate inhibition swipes the card Formula.
For the ease of counting the historical behavior pattern in each period corresponding to user, with preset duration unit for one Measurement period, for example, with measurement period for one day, one week or one month etc..Measurement period is divided into multiple periods.According to The generation time of network history behavioral data is corresponded to after determining a period belonging to the network history behavioral data Historical behavior pattern be determined as the historical behavior pattern of period measurement period Nei.
S102:Using the period for forming the measurement period as sequence, historical behavior mode sequences are built.
In the embodiment of the present invention, the sequencing of each period corresponding to historical behavior pattern is gone through to each History behavior pattern is ranked up, and historical behavior mode sequences are obtained with structure.Wherein, it each historical behavior pattern and its is counting The corresponding period is stored in historical behavior mode sequences in a manner of key assignments and key name respectively in period.
S103:The real-time behavioral data of network based on the user, determines the real-time behavior pattern of the user.
Network history behavioral data referred to above is the behavior thing that is triggered in each historical time section based on user Part and the behavioral data generated in the embodiment of the present invention, when whether judge user is abnormal behaviour object, obtain current time The real-time behavioral data of the behavioral data generated in real time, i.e. network.By analyzing the real-time behavioral data of network, identify The real-time behavior pattern of current time user.
S104:In the historical behavior mode sequences, search with the real-time behavior pattern of the network in the period The historical behavior pattern of upper coincidence.
A period belonging to the real-time behavior pattern of user and current time, in historical behavior mode sequences In, search historical behavior pattern corresponding with the period.Wherein, the historical behavior pattern searched can be one, Can be multiple.
S105:Judge whether the real-time behavior pattern matches with the historical behavior pattern found.
In the embodiment of the present invention, judge whether real-time behavior pattern matches with the historical behavior pattern found, that is, judge Real-time behavior pattern whether there is with the historical behavior pattern found to be associated with.If real-time behavior pattern and the history row found It is identical for pattern, alternatively, behavior pattern and the historical behavior pattern found are associated behavior event in real time, it is determined that the two Matching.Otherwise, it determines behavior pattern and the historical behavior pattern found mismatch in real time.
S106:If the real-time behavior pattern and the historical behavior pattern found mismatch, it is determined that the use Family is abnormal behaviour object.
If real-time behavior pattern and the historical behavior pattern found mismatch, then it represents that the user current slot, Under the situation of presence, occur with the incongruent situation of normal behaviour, accordingly, it is determined that the user be current time abnormal behaviour Object.
For example, if user is current 9:00a.m.-10:The real-time behavior pattern of this period of 00a.m. is transmitting-receiving postal Part, in historical behavior mode sequences, 9:00a.m.-10:The historical behavior pattern that 00a.m. is overlapped on this period is Video tour then can determine that the two mismatches, and active user may do the thing unrelated with work in the work hours, accordingly, it is determined that The user is abnormal behaviour object.
It, can be according to enterprise person by directly collecting the network behavior historical data of user on backstage in the embodiment of the present invention The daily behavior of work is accustomed to, and structure obtains the historical behavior mode sequences of enterprise staff.In historical behavior mode sequences, pass through Search the historical behavior pattern overlapped on the period, the real-time behavior pattern associated by the real-time behavioral data of network and history When behavior pattern mismatches, it is known that there is the behavior mould larger with its consistent rule or behavioral difference in enterprise staff Formula, therefore the enterprise staff at current time is determined as abnormal behaviour object, the recognition accuracy of abnormal behaviour object can be improved.By It only needs that identification to abnormal behaviour object can be completed dependent on network behavior data collected by backstage in the embodiment of the present invention, It need not one by one be checked by artificial, this improves the recognition efficiencies to abnormal behaviour object.
As an embodiment of the present invention, Fig. 2 shows the identifications of abnormal behaviour object provided in an embodiment of the present invention The specific implementation flow of method S101, details are as follows:
S1011:According to the function attribute of the user, the identical N number of object of action of the function attribute is determined.
In the embodiment of the present invention, function attribute be used for indicate user enterprises job category, such as can be use Work position, academic title or the department at family etc..
Have an object of action information bank of personal information of each object of action in record, to currently wait judging its whether be The user of abnormal behaviour object reads the function attribute of the user, and according to the function attribute, subordinate act object information is looked into library Find out a object of action of N (N is more than two integer) identical with its function attribute.
S1012:In the measurement period, the period belonging to current time obtains each behavior respectively Reference behavior pattern of the object in the period.
Object of action is determined according to the network history behavioral data of behavior object to each object of action determined The historical behavior pattern of each period in preset measurement period, for the ease of the historical behavior pattern of partitive behavior object And it is above-mentioned it is to be confirmed its whether be abnormal behaviour object user historical behavior pattern, the multiple object of action that will be determined Historical behavior pattern be known as refer to behavior pattern.In measurement period, in the reference behavior for each object of action determined In mode sequences, read respectively each object of action the affiliated period at current time reference behavior pattern.It is found that when determining When the object of action gone out has N number of, the reference behavior pattern read is at least N.
S1013:If the real-time behavior pattern of the user and M object of action are in the reference line of the period It is all different for pattern, then the user is identified as abnormal behaviour potential object, and the network history behavior number based on user According to the historical behavior pattern for each period that determines the user in preset measurement period;Wherein, the N is more than 2 Integer, the M is the integer more than zero, and M is less than or equal to N.
In the embodiment of the present invention, respectively by the real-time behavior pattern of user and each object of action determined in the time Reference behavior pattern in section is compared, to obtain the statistics for wherein referring to behavior pattern different from above-mentioned real-time behavior pattern Value.If the statistical value is greater than or equal to M (M is the integer more than zero, and M is less than or equal to N), then it represents that active user belongs to function Property identical other object of action there are the difference in behavior, therefore possible its is not known the user in processing one's work Not Wei current time abnormal behaviour potential object, at this point, the network history behavioral data based on user again, determines user pre- If measurement period in each period historical behavior pattern and execute subsequent step S102 to S106, with further to this The abnormal behaviour of user is detected.
Preferably, if above-mentioned statistical value is less than M, then it represents that active user's other object of action identical with function attribute Behavior is same or similar, therefore, user is directly determined as normal behaviour object, and stops executing step S102 to S106.
It is inclined in the behavior pattern of same period based on the identical each object of action of function attribute in the embodiment of the present invention From smaller judgement principle, by determining the identical multiple object of action of function attribute, and in the real-time behavior of active user User, in the reference behavior pattern difference of current slot, it is potential right to be identified as abnormal behaviour by pattern with multiple object of action As hereafter just the historical behavior pattern based on user judges whether the user is abnormal behaviour object, realizes with dual inspection Survey means, the mode of various dimensions identify abnormal behaviour employee, and this improves the recognition accuracies to abnormal behaviour object.
As an alternative embodiment of the invention, Fig. 3 shows the abnormal behaviour object that another embodiment of the present invention provides Recognition methods S101 specific implementation flow.As shown in figure 3, before above-mentioned S1013, further include:
S1014:In dot matrix relational graph, the first mapping point and correspondence of the corresponding real-time behavior pattern are generated respectively Each second mapping point with reference to behavior pattern.
In preset dot matrix relational graph, a behavior pattern of each object of action is indicated with a mapping point.Its In, the mapping point of the real-time behavior pattern of corresponding user is known as the first mapping point, by the identical behavior pair of corresponding function attribute The mapping point of the reference behavior pattern of elephant is known as the second mapping point.
S1015:Determine each center of mass point in the dot matrix relational graph.
In the initial state, the center of mass point that multiple mapping points are used as dot matrix relational graph is randomly selected.In non-initial state Under, calculate each mapping point to wherein one specified mapping point manhatton distance value and absolute error value.Detect dot matrix of sening as an envoy to This is specified mapping point to be determined as the barycenter at current time by the specified mapping point when absolute error total value minimum of relational graph Point.
S1016:By following formula, the distance value D of each mapping point and each center of mass point is calculated separately, it is described to reflect Exit point includes first mapping point and second mapping point:
Wherein, the SkFor the cluster set belonging to mapping point described in current time, the xjTo be reflected described in the cluster set The coordinate value of exit point, the mkFor the coordinate value of k-th of center of mass point in the cluster set.
Under original state, the cluster set belonging to mapping point is the sample set for including all mapping points.To the first mapping point with And each second mapping point, the distance value of itself and each center of mass point is calculated separately out by above formula.
S1017:To each mapping point, a minimum barycenter of the mapping point and its described distance value is clicked through Row clustering processing obtains the updated cluster set.
In the embodiment of the present invention, each center of mass point is contained within a cluster set.It is calculated corresponding to each mapping point In obtained each distance value, the center of mass point with the mapping point distance value minimum is selected, and mapping point is clustered to the barycenter In an existing cluster set of point, so that dynamic change occurs for the mapping point that each cluster set is included.
S1018:The statistical value for clustering iterations is added one, and returns and executes in the determination dot matrix relational graph The operation of each center of mass point, until the cluster iterations reach predetermined threshold value.
In the embodiment of the present invention, after updating the mapping point that each cluster set is included every time, iterations will be clustered Statistical value add one, and judge whether the statistical value reaches preset iterations threshold value.If the determination result is YES, then step is executed Rapid S1019;If judging result is no, returns and execute above-mentioned steps S1015.
Preferably, it after updating the mapping point that each cluster set is included every time, calculates separately each in dot matrix relational graph The absolute error of a cluster set, and count the summation of each absolute error.If detecting, the summation of each absolute error is small In preset error threshold, S1019 is thened follow the steps.
S1019:It is corresponding with reference to behavior pattern if there are described in the final affiliated cluster set of first mapping point Second mapping point, and the number of second mapping point is less than N-M, it is determined that the real-time behavior pattern of the user is a with M The object of action is all different in the described of the period with reference to behavior pattern.
After stopping clustering iteration, the cluster set belonging to the first mapping point is determined.That detects that the cluster set included is each The number of a second mapping point, judges whether the number is less than N-M.If the number for the second mapping point that the cluster set is included More than or equal to N-M, then it represents that the real-time behavior of user is matched with the historical behavior of multiple object of action.If the cluster set is wrapped The number of the second mapping point contained is less than N-M, then it represents that the behavior mould of active user's object of action identical with its function attribute Formula is not inconsistent more, thus think the real-time behavior pattern of user and M object of action the period reference behavior pattern not It is identical.
In the embodiment of the present invention, mapped by generating corresponding each mapping point in dot matrix relational graph, and by calculating Distance value of the point with center of mass point has reached the real-time behavior pattern that user is judged in a manner of quantification to execute clustering processing The whether identical effect with the reference form pattern of other object of action, therefore improve the accuracy and automation of judging result Degree.
As another embodiment of the present invention, as shown in figure 4, after above-mentioned S105, further include:
S107:If the real-time behavior pattern and the historical behavior pattern match found, it is determined that the user For the normal behaviour object at current time.
S108:Predict the user subsequent time potential behavior pattern.
S109:If the historical behavior pattern overlapped on the subsequent time affiliated period with the potential behavior pattern It is mismatched with the potential behavior pattern, then sends out the alarm prompt handled about behavior restraint to the user.
In the embodiment of the present invention, if detecting the real-time behavior pattern of user and the historical behavior pattern match found, Then determine that user belongs to normal behaviour object at current time.Also, in the subsequent time period of measurement period, prediction user exists The potential behavior pattern of the period.
Specifically, above-mentioned prediction user for example can be in the potential behavior pattern of subsequent time:Collect multiple abnormal rows Real-time behavior pattern for object and multiple normal behaviour objects in each period, entrained by abnormal behaviour object Front label entrained by negative label and normal behaviour object, structure and training neural network model;By user current The real-time behavior pattern of period and in measurement period front adjacent multiple periods real-time behavior pattern input god Through network model;According to the output valve of neural network model, determine user subsequent time period potential behavior pattern.
If the historical behavior pattern overlapped on the subsequent time affiliated period with potential behavior pattern and potential behavior mould Formula mismatches, then issues the user with the alarm prompt handled about behavior restraint.
Illustratively, when it is the abnormal behaviour object at current time to determine user, in preset information bank, to user Real-time behavior pattern be marked, become marking behavior pattern, and return to the execution network history based on user Behavioral data, the operation for the historical behavior pattern of each period that determines the user in preset measurement period;Any Moment, however, it is determined that user is the normal behaviour object at current time, and the user generated prediction in the following preset duration Behavior pattern is identical as any marking behavior pattern in information bank, then issues the user with the alarm handled about behavior restraint and carry Show.
In the embodiment of the present invention, when it is normal behaviour object to identify active user, by predicting user next The potential behavior pattern at moment, and in the historical behavior pattern overlapped on the subsequent time affiliated period with potential behavior pattern When being mismatched with potential behavior pattern, the alarm prompt handled about behavior restraint is issued the user with, warning is played the role of, So that user is after receiving alarm prompt, can specification factum in time, this improves to enterprises employee's The efficiency of management.
As one more embodiment of the present invention, as shown in figure 5, after above-mentioned S106, further include:
S501:The real-time behavior pattern is marked.
In the embodiment of the present invention, determine that user is record after abnormal behaviour object according to the real-time behavior pattern of user And mark the real-time behavior pattern of this.
S502:In nearest preset duration, according to the label number of the real-time behavior pattern, pass through preset calculating mould Type obtains the pattern weight of the real-time behavior pattern.
Wherein, above-mentioned preset computation model is specially:
The Wt_mode is the pattern weight of the real-time behavior pattern, and the Sum_tag is the real-time behavior pattern Label number, the Weight be preset weight coefficient, the TiIt is the real-time behavior pattern when ith is labeled The label moment, the T0For the generation moment corresponding to the historical behavior pattern, the D (Tagi-Tag0) indicate the reality When behavior pattern when ith is labeled, the real-time behavior pattern with the history row overlapped is engraved in the label with it For the similarity of pattern.
In the embodiment of the present invention, determine that the real-time behavior pattern of above-mentioned label is counting again in nearest preset duration The number that same time period in period is labeled calculates the real-time row of this after the label number is substituted into above-mentioned formula For the pattern weight of pattern.Wherein, above-mentioned nearest preset duration indicates, at the time of label for the first time with above-mentioned real-time behavior pattern For starting point, and when a length of preset value a period.If for example, 11 days 10 October:00-11:00 this period, in real time Behavior pattern A is labeled, and in follow-up 3 days, real-time behavior pattern is only 12 days 10 October:00-11:00 this period was marked Note, then above-mentioned Sum_tag is 2.
S503:If the pattern weight is more than predetermined threshold value, it is based on the real-time behavior pattern, to the historical behavior Mode sequences are updated processing.
In the embodiment of the present invention, to the real-time behavior pattern that certain time period is marked, if the mould of the real-time behavior pattern Formula weight is more than predetermined threshold value, it is determined that consistent rule of the user in the period of measurement period has been changed, therefore, right The above-mentioned historical behavior mode sequences for having built completion are updated processing, and the time will be corresponded in historical behavior mode sequences The historical behavior pattern of section replaces the real-time behavior pattern.
In the embodiment of the present invention, after determining that user is abnormal behaviour object, by marking current real-time behavior pattern, When the pattern weight for detecting the real-time behavior pattern is more than predetermined threshold value, place just is updated to historical behavior mode sequences Reason, ensure that subsequently when whether judge the user again is abnormal behaviour object, can be based on updated historical behavior mould Formula sequence is compared, and improves the recognition accuracy of abnormal behaviour object, avoid because the function attribute of user or its His factor and when the behavioural habits of user being caused to generate change, generate the effect of misrecognition.
It should be understood that the size of the serial number of each step is not meant that the order of the execution order in above-described embodiment, each process Execution sequence should be determined by its function and internal logic, the implementation process without coping with the embodiment of the present invention constitutes any limit It is fixed.
Corresponding to the recognition methods for the abnormal behaviour object that the embodiment of the present invention is provided, Fig. 5 shows implementation of the present invention The structure diagram of the identification device for the abnormal behaviour object that example provides.For convenience of description, it illustrates only related to the present embodiment Part.
With reference to Fig. 6, which includes:
First determination unit 61 is used for the network history behavioral data based on user, determines the user in preset system Count the historical behavior pattern of each period in the period.
Construction unit 62 builds historical behavior pattern sequence for the period to form the measurement period as sequence Row.
Second determination unit 63 is used for the real-time behavioral data of network based on the user, determines that the user's is real-time Behavior pattern.
Searching unit 64, in the historical behavior mode sequences, searching and existing with the real-time behavior pattern of the network The historical behavior pattern overlapped on the period.
Judging unit 65, for judge the real-time behavior pattern and the historical behavior pattern that finds whether Match.
Third determination unit 66, if not for the real-time behavior pattern and the historical behavior pattern that finds Match, it is determined that the user is abnormal behaviour object.
Optionally, first determination unit 61 includes:
First determination subelement determines that the function attribute is identical N number of for the function attribute according to the user Object of action.
Subelement is obtained, in the measurement period, the period belonging to current time to obtain each respectively Reference behavior pattern of the object of action in the period.
Subelement is identified, if real-time behavior pattern and the M object of action for the user are in the period It is described to be all different with reference to behavior pattern, then the user is identified as abnormal behaviour potential object, and the network based on user Historical behavior data, the historical behavior pattern for each period that determines the user in preset measurement period.
Wherein, the N is the integer more than 2, and the M is the integer more than zero, and M is less than or equal to N.
Optionally, first determination unit 61 further includes:
Subelement is generated, the first mapping in dot matrix relational graph, generating the corresponding real-time behavior pattern respectively Point and corresponding each second mapping point with reference to behavior pattern.
Second determination subelement, for determining each center of mass point in the dot matrix relational graph.
Computation subunit, for by following formula, calculating separately each mapping point at a distance from each center of mass point Value D, the mapping point include first mapping point and second mapping point:
Wherein, the SkFor the cluster set belonging to mapping point described in current time, the xjTo be reflected described in the cluster set The coordinate value of exit point, the mkFor the coordinate value of k-th of center of mass point in the cluster set.
Subelement is clustered, is used for each mapping point, by an institute of the mapping point and its distance value minimum It states center of mass point and carries out clustering processing, obtain the updated cluster set.
Subelement is returned, for the statistical value for clustering iterations to be added one, and returns and executes the determination dot matrix The operation of each center of mass point in relational graph, until the cluster iterations reach predetermined threshold value.
Third determination subelement is used in the final affiliated cluster set of first mapping point, if there are the references Corresponding second mapping point of behavior pattern, and the number of second mapping point is less than N-M, it is determined that the user's is real-time Behavior pattern is all different in the described of the period with reference to behavior pattern with the M object of action.
Optionally, the identification device of above-mentioned abnormal behaviour object further includes:
4th determination unit, if for the real-time behavior pattern and the historical behavior pattern match found, Determine that the user is the normal behaviour object at current time.
Predicting unit, for predict the user subsequent time potential behavior pattern.
Alarm Unit, if the history for being overlapped on the subsequent time affiliated period with the potential behavior pattern Behavior pattern is mismatched with the potential behavior pattern, then the alarm prompt handled about behavior restraint is sent out to the user.
Optionally, the identification device of above-mentioned abnormal behaviour object further includes:
Marking unit, for the real-time behavior pattern to be marked.
Pattern weight computing unit, in nearest preset duration, according to the label number of the real-time behavior pattern, By preset computation model, the pattern weight of the real-time behavior pattern is obtained;
Above-mentioned preset computation model is specially:
Updating unit is based on the real-time behavior pattern, to described if being more than predetermined threshold value for the pattern weight Historical behavior mode sequences are updated processing.
Wherein, the Wt_mode is the pattern weight of the real-time behavior pattern, and the Sum_tag is the real-time row For the label number of pattern, the Weight is preset weight coefficient, the TiIt is the real-time behavior pattern in ith quilt Label moment when label, the T0For the generation moment corresponding to the historical behavior pattern, the D (Tagi-Tag0) indicate When ith is labeled, the real-time behavior pattern is overlapped with being engraved in the label with it the real-time behavior pattern The similarity of historical behavior pattern.
Fig. 7 is the schematic diagram for the terminal device that one embodiment of the invention provides.As shown in fig. 7, the terminal of the embodiment is set Standby 7 include:Processor 70 and memory 71 are stored with the calculating that can be run on the processor 70 in the memory 71 Machine program 72, for example, abnormal behaviour object recognizer.The processor 70 is realized when executing the computer program 72 State the step in the recognition methods embodiment of each abnormal behaviour object, such as step 101 shown in FIG. 1 is to 106.Alternatively, institute The function that each module/unit in above-mentioned each device embodiment is realized when processor 70 executes the computer program 72 is stated, such as The function of unit 61 to 66 shown in Fig. 5.
Illustratively, the computer program 72 can be divided into one or more module/units, it is one or Multiple module/units are stored in the memory 71, and are executed by the processor 70, to complete the present invention.Described one A or multiple module/units can be the series of computation machine program instruction section that can complete specific function, which is used for Implementation procedure of the computer program 72 in the terminal device 7 is described.
The terminal device 7 can be that the calculating such as desktop PC, notebook, palm PC and cloud server are set It is standby.The terminal device may include, but be not limited only to, processor 70, memory 71.It will be understood by those skilled in the art that Fig. 7 The only example of terminal device 7 does not constitute the restriction to terminal device 7, may include than illustrating more or fewer portions Part either combines certain components or different components, such as the terminal device can also include input-output equipment, net Network access device, bus etc..
Alleged processor 70 can be central processing unit (Central Processing Unit, CPU), can also be Other general processors, digital signal processor (Digital Signal Processor, DSP), application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), ready-made programmable gate array (Field- Programmable Gate Array, FPGA) either other programmable logic device, discrete gate or transistor logic, Discrete hardware components etc..General processor can be microprocessor or the processor can also be any conventional processor Deng.
The memory 71 can be the internal storage unit of the terminal device 7, such as the hard disk of terminal device 7 or interior It deposits.The memory 71 can also be to be equipped on the External memory equipment of the terminal device 7, such as the terminal device 7 Plug-in type hard disk, intelligent memory card (Smart Media Card, SMC), secure digital (Secure Digital, SD) card dodge Deposit card (Flash Card) etc..Further, the memory 71 can also both include the storage inside list of the terminal device 7 Member also includes External memory equipment.The memory 71 is for storing needed for the computer program and the terminal device Other programs and data.The memory 71 can be also used for temporarily storing the data that has exported or will export.
In addition, each functional unit in each embodiment of the application can be integrated in a processing unit, it can also It is that each unit physically exists alone, it can also be during two or more units be integrated in one unit.Above-mentioned integrated list The form that hardware had both may be used in member is realized, can also be realized in the form of SFU software functional unit.
If the integrated unit is realized in the form of SFU software functional unit and sells or use as independent product When, it can be stored in a computer read/write memory medium.Based on this understanding, the technical solution of the application is substantially The all or part of the part that contributes to existing technology or the technical solution can be in the form of software products in other words It embodies, which is stored in a storage medium, including some instructions are used so that a computer Equipment (can be personal computer, server or the network equipment etc.) executes the complete of each embodiment the method for the application Portion or part steps.And storage medium above-mentioned includes:USB flash disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disc or CD etc. are various can store program The medium of code.
The above, above example are only to illustrate the technical solution of the application, rather than its limitations;Although with reference to before Embodiment is stated the application is described in detail, it will be understood by those of ordinary skill in the art that:It still can be to preceding The technical solution recorded in each embodiment is stated to modify or equivalent replacement of some of the technical features;And these Modification or replacement, the spirit and scope of each embodiment technical solution of the application that it does not separate the essence of the corresponding technical solution.

Claims (10)

1. a kind of recognition methods of abnormal behaviour object, which is characterized in that including:
Network history behavioral data based on user, the history for each period that determines the user in preset measurement period Behavior pattern;
Using the period for forming the measurement period as sequence, historical behavior mode sequences are built;
The real-time behavioral data of network based on the user, determines the real-time behavior pattern of the user;
In the historical behavior mode sequences, lookup is gone through with what the real-time behavior pattern of the network overlapped on the period History behavior pattern;
Judge whether the real-time behavior pattern matches with the historical behavior pattern found;
If the real-time behavior pattern and the historical behavior pattern found mismatch, it is determined that the user is abnormal row For object.
2. the recognition methods of abnormal behaviour object as described in claim 1, which is characterized in that the network based on user is gone through History behavioral data, the historical behavior pattern for each period that determines the user in preset measurement period, including:
According to the function attribute of the user, the identical N number of object of action of the function attribute is determined;
In the measurement period, the period belonging to current time obtains each object of action at this respectively Between section reference behavior pattern;
If the real-time behavior pattern of the user refers to behavior pattern not with the M object of action in the described of the period It is identical, then the user is identified as abnormal behaviour potential object, and the network history behavioral data based on user, determine described in The historical behavior pattern of user's each period in preset measurement period;
Wherein, the N is the integer more than 2, and the M is the integer more than zero, and M is less than or equal to N.
3. the recognition methods of abnormal behaviour object as claimed in claim 2, which is characterized in that if in the reality of the user When the behavior pattern and M object of action be all different with reference to behavior pattern in the described of the period, then by the user It is identified as abnormal behaviour potential object, and the network history behavioral data based on user, determines the user in preset statistics In period before the historical behavior pattern of each period, further include:
In dot matrix relational graph, the first mapping point of the corresponding real-time behavior pattern and corresponding each ginseng are generated respectively Examine the second mapping point of behavior pattern;
Determine each center of mass point in the dot matrix relational graph;
By following formula, the distance value D of each mapping point and each center of mass point is calculated separately, the mapping point includes institute State the first mapping point and second mapping point:
Wherein, the SkFor the cluster set belonging to mapping point described in current time, the xjFor mapping point described in the cluster set Coordinate value, the mkFor the coordinate value of k-th of center of mass point in the cluster set;
To each mapping point, a center of mass point of the mapping point and its distance value minimum is carried out at cluster Reason, obtains the updated cluster set;
The statistical value for clustering iterations is added one, and returns to each center of mass point executed in the determination dot matrix relational graph Operation, until the cluster iterations reach predetermined threshold value;
In the final affiliated cluster set of first mapping point, if there are described with reference to corresponding second mapping of behavior pattern Point, and the number of second mapping point is less than N-M, it is determined that the real-time behavior pattern of the user and the M behaviors Object is all different in the described of the period with reference to behavior pattern.
4. the recognition methods of abnormal behaviour object as described in claim 1, which is characterized in that further include:
If the real-time behavior pattern and the historical behavior pattern match found, it is determined that the user is current time Normal behaviour object;
Predict the user subsequent time potential behavior pattern:
If diving with described with the historical behavior pattern that the potential behavior pattern overlaps on the subsequent time affiliated period It is mismatched in behavior pattern, then sends out the alarm prompt handled about behavior restraint to the user.
5. the recognition methods of abnormal behaviour object as described in claim 1, which is characterized in that further include:
The real-time behavior pattern is marked;
In nearest preset duration, institute is obtained by preset computation model according to the label number of the real-time behavior pattern State the pattern weight of real-time behavior pattern;
Above-mentioned preset computation model is specially:
If the pattern weight is more than predetermined threshold value, it is based on the real-time behavior pattern, to the historical behavior mode sequences It is updated processing;
Wherein, the Wt_mode is the pattern weight of the real-time behavior pattern, and the Sum_tag is the real-time behavior mould The label number of formula, the Weight are preset weight coefficient, the TiIt is labeled in ith for the real-time behavior pattern When the label moment, the T0For the generation moment corresponding to the historical behavior pattern, the D (Tagi-Tag0) described in expression For real-time behavior pattern when ith is labeled, the real-time behavior pattern engraves the history overlapped in the label with it The similarity of behavior pattern.
6. a kind of terminal device, including memory and processor, it is stored with and can transports on the processor on the memory Capable computer program, which is characterized in that the processor realizes following steps when executing the computer program:
Network history behavioral data based on user, the history for each period that determines the user in preset measurement period Behavior pattern;
Using the period for forming the measurement period as sequence, historical behavior mode sequences are built;
The real-time behavioral data of network based on the user, determines the real-time behavior pattern of the user;
In the historical behavior mode sequences, lookup is gone through with what the real-time behavior pattern of the network overlapped on the period History behavior pattern;
Judge whether the real-time behavior pattern matches with the historical behavior pattern found;
If the real-time behavior pattern and the historical behavior pattern found mismatch, it is determined that the user is abnormal row For object.
7. terminal device as claimed in claim 6, which is characterized in that described to obtain what user generated respectively at each moment Network history behavioral data, including:
According to the function attribute of the user, the identical N number of object of action of the function attribute is determined;
In the measurement period, the period belonging to current time obtains each object of action at this respectively Between section reference behavior pattern;
If the real-time behavior pattern of the user refers to behavior pattern not with the M object of action in the described of the period It is identical, then the user is identified as abnormal behaviour potential object, and the network history behavioral data based on user, determine described in The historical behavior pattern of user's each period in preset measurement period;
Wherein, the N is the integer more than 2, and the M is the integer more than zero, and M is less than or equal to N.
8. terminal device as claimed in claim 7, which is characterized in that when the processor executes the computer program, also Realize following steps:
In dot matrix relational graph, the first mapping point of the corresponding real-time behavior pattern and corresponding each ginseng are generated respectively Examine the second mapping point of behavior pattern;
Determine each center of mass point in the dot matrix relational graph;
By following formula, the distance value D of each mapping point and each center of mass point is calculated separately, the mapping point includes institute State the first mapping point and second mapping point:
Wherein, the SkFor the cluster set belonging to mapping point described in current time, the xjFor mapping point described in the cluster set Coordinate value, the mkFor the coordinate value of k-th of center of mass point in the cluster set;
To each mapping point, a center of mass point of the mapping point and its distance value minimum is carried out at cluster Reason, obtains the updated cluster set;
The statistical value for clustering iterations is added one, and returns to each center of mass point executed in the determination dot matrix relational graph Operation, until the cluster iterations reach predetermined threshold value;
In the final affiliated cluster set of first mapping point, if there are described with reference to corresponding second mapping of behavior pattern Point, and the number of second mapping point is less than N-M, it is determined that the real-time behavior pattern of the user and the M behaviors Object is all different in the described of the period with reference to behavior pattern.
9. terminal device as claimed in claim 6, which is characterized in that when the processor executes the computer program, also Realize following steps:
If the real-time behavior pattern and the historical behavior pattern match found, it is determined that the user is current time Normal behaviour object;
Predict the user subsequent time potential behavior pattern:
If diving with described with the historical behavior pattern that the potential behavior pattern overlaps on the subsequent time affiliated period It is mismatched in behavior pattern, then sends out the alarm prompt handled about behavior restraint to the user.
10. a kind of computer readable storage medium, the computer-readable recording medium storage has computer program, feature to exist In when the computer program is executed by processor the step of any one of such as claim 1 to 5 of realization the method.
CN201810457008.9A 2018-05-14 2018-05-14 Abnormal behavior object identification method, terminal device and medium Active CN108632097B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810457008.9A CN108632097B (en) 2018-05-14 2018-05-14 Abnormal behavior object identification method, terminal device and medium
PCT/CN2018/097453 WO2019218475A1 (en) 2018-05-14 2018-07-27 Method and device for identifying abnormally-behaving subject, terminal device, and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810457008.9A CN108632097B (en) 2018-05-14 2018-05-14 Abnormal behavior object identification method, terminal device and medium

Publications (2)

Publication Number Publication Date
CN108632097A true CN108632097A (en) 2018-10-09
CN108632097B CN108632097B (en) 2019-12-13

Family

ID=63693187

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810457008.9A Active CN108632097B (en) 2018-05-14 2018-05-14 Abnormal behavior object identification method, terminal device and medium

Country Status (2)

Country Link
CN (1) CN108632097B (en)
WO (1) WO2019218475A1 (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109495479A (en) * 2018-11-20 2019-03-19 华青融天(北京)软件股份有限公司 A kind of user's abnormal behaviour recognition methods and device
CN110020687A (en) * 2019-04-10 2019-07-16 北京神州泰岳软件股份有限公司 Abnormal behaviour analysis method and device based on operator's Situation Awareness portrait
CN110245816A (en) * 2019-01-07 2019-09-17 西南科技大学 User job efficiency visualized evaluation method based on browser history record
CN110334517A (en) * 2019-07-05 2019-10-15 北京可信华泰信息技术有限公司 The update method and device of credible strategy, credible and secure management platform
CN110427971A (en) * 2019-07-05 2019-11-08 五八有限公司 Recognition methods, device, server and the storage medium of user and IP
CN110493264A (en) * 2019-09-18 2019-11-22 北京工业大学 It is a kind of that method is found based on the inside threat of Intranet entity relationship and behavioral chain
CN110505196A (en) * 2019-07-02 2019-11-26 中国联合网络通信集团有限公司 Internet of Things network interface card method for detecting abnormality and device
CN111105106A (en) * 2018-10-25 2020-05-05 玳能本股份有限公司 Operation evaluation device, operation evaluation method, and operation evaluation system
CN111131322A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Network behavior detection method and device, computer equipment and storage medium
CN111367906A (en) * 2019-07-23 2020-07-03 杭州海康威视***技术有限公司 Abnormal vehicle identification method, device, equipment and computer readable storage medium
CN111476510A (en) * 2020-06-23 2020-07-31 武汉斗鱼鱼乐网络科技有限公司 Method and system for identifying risk user, storage medium and equipment
CN111652325A (en) * 2020-06-28 2020-09-11 广东诺信安科技有限公司 Enterprise power consumption mode identification method and device based on clustering and storage medium
CN111858285A (en) * 2020-07-30 2020-10-30 北京达佳互联信息技术有限公司 Video operation behavior abnormity identification method and device, server and storage medium
CN112436958A (en) * 2020-11-05 2021-03-02 苏州浪潮智能科技有限公司 Method, system, device and medium for predicting failure of data center network device
CN112654047A (en) * 2019-09-25 2021-04-13 中兴通讯股份有限公司 Method, device, base station and storage medium for identifying abnormal terminal
CN113296990A (en) * 2020-09-30 2021-08-24 阿里云计算有限公司 Method and device for recognizing abnormity of time sequence data
CN113449558A (en) * 2020-03-26 2021-09-28 上海依图网络科技有限公司 Method and device for monitoring abnormal behaviors of personnel
CN113452707A (en) * 2021-06-28 2021-09-28 华中科技大学 Scanner network scanning attack behavior detection method, medium and terminal

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101902366A (en) * 2009-05-27 2010-12-01 北京启明星辰信息技术股份有限公司 Method and system for detecting abnormal service behaviors
CN102957570A (en) * 2011-08-19 2013-03-06 句容今太科技园有限公司 Abnormal detection based association pattern mining system
CN105678457A (en) * 2016-01-06 2016-06-15 成都小步创想畅联科技有限公司 Method for evaluating user behavior on the basis of position mining

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104268378B (en) * 2014-09-12 2017-02-15 北京邮电大学 Visual abnormal behavior monitoring method based on mobile user mass data

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101902366A (en) * 2009-05-27 2010-12-01 北京启明星辰信息技术股份有限公司 Method and system for detecting abnormal service behaviors
CN102957570A (en) * 2011-08-19 2013-03-06 句容今太科技园有限公司 Abnormal detection based association pattern mining system
CN105678457A (en) * 2016-01-06 2016-06-15 成都小步创想畅联科技有限公司 Method for evaluating user behavior on the basis of position mining

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
潘蕾 等: ""网络访问行为分析模型的研究与设计"", 《计算机与现代化》 *

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111105106A (en) * 2018-10-25 2020-05-05 玳能本股份有限公司 Operation evaluation device, operation evaluation method, and operation evaluation system
CN109495479A (en) * 2018-11-20 2019-03-19 华青融天(北京)软件股份有限公司 A kind of user's abnormal behaviour recognition methods and device
CN110245816A (en) * 2019-01-07 2019-09-17 西南科技大学 User job efficiency visualized evaluation method based on browser history record
CN110245816B (en) * 2019-01-07 2024-04-30 西南科技大学 Visual evaluation method for user work efficiency based on browser history record
CN110020687A (en) * 2019-04-10 2019-07-16 北京神州泰岳软件股份有限公司 Abnormal behaviour analysis method and device based on operator's Situation Awareness portrait
CN110020687B (en) * 2019-04-10 2021-11-05 北京神州泰岳软件股份有限公司 Abnormal behavior analysis method and device based on operator situation perception portrait
CN110505196A (en) * 2019-07-02 2019-11-26 中国联合网络通信集团有限公司 Internet of Things network interface card method for detecting abnormality and device
CN110427971A (en) * 2019-07-05 2019-11-08 五八有限公司 Recognition methods, device, server and the storage medium of user and IP
CN110334517A (en) * 2019-07-05 2019-10-15 北京可信华泰信息技术有限公司 The update method and device of credible strategy, credible and secure management platform
CN111367906A (en) * 2019-07-23 2020-07-03 杭州海康威视***技术有限公司 Abnormal vehicle identification method, device, equipment and computer readable storage medium
CN111367906B (en) * 2019-07-23 2023-09-05 杭州海康威视***技术有限公司 Abnormal vehicle identification method, device, equipment and computer readable storage medium
CN110493264A (en) * 2019-09-18 2019-11-22 北京工业大学 It is a kind of that method is found based on the inside threat of Intranet entity relationship and behavioral chain
CN110493264B (en) * 2019-09-18 2021-12-24 北京工业大学 Internal threat discovery method based on internal network entity relationship and behavior chain
CN112654047A (en) * 2019-09-25 2021-04-13 中兴通讯股份有限公司 Method, device, base station and storage medium for identifying abnormal terminal
CN111131322A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Network behavior detection method and device, computer equipment and storage medium
CN111131322B (en) * 2019-12-31 2022-04-15 奇安信科技集团股份有限公司 Network behavior detection method and device, computer equipment and storage medium
CN113449558A (en) * 2020-03-26 2021-09-28 上海依图网络科技有限公司 Method and device for monitoring abnormal behaviors of personnel
CN111476510A (en) * 2020-06-23 2020-07-31 武汉斗鱼鱼乐网络科技有限公司 Method and system for identifying risk user, storage medium and equipment
CN111652325A (en) * 2020-06-28 2020-09-11 广东诺信安科技有限公司 Enterprise power consumption mode identification method and device based on clustering and storage medium
CN111858285B (en) * 2020-07-30 2024-03-12 北京达佳互联信息技术有限公司 Video operation behavior abnormality identification method, device, server and storage medium
CN111858285A (en) * 2020-07-30 2020-10-30 北京达佳互联信息技术有限公司 Video operation behavior abnormity identification method and device, server and storage medium
CN113296990A (en) * 2020-09-30 2021-08-24 阿里云计算有限公司 Method and device for recognizing abnormity of time sequence data
CN113296990B (en) * 2020-09-30 2022-06-24 阿里云计算有限公司 Method and device for recognizing abnormity of time sequence data
CN112436958B (en) * 2020-11-05 2022-05-24 苏州浪潮智能科技有限公司 Method, system, device and medium for predicting failure of data center network device
CN112436958A (en) * 2020-11-05 2021-03-02 苏州浪潮智能科技有限公司 Method, system, device and medium for predicting failure of data center network device
CN113452707A (en) * 2021-06-28 2021-09-28 华中科技大学 Scanner network scanning attack behavior detection method, medium and terminal

Also Published As

Publication number Publication date
WO2019218475A1 (en) 2019-11-21
CN108632097B (en) 2019-12-13

Similar Documents

Publication Publication Date Title
CN108632097A (en) Recognition methods, terminal device and the medium of abnormal behaviour object
Altuntas et al. Analysis of patent documents with weighted association rules
Liu et al. Computational and statistical methods for analysing big data with applications
CN107704512A (en) Financial product based on social data recommends method, electronic installation and medium
CN109829065B (en) Image retrieval method, device, equipment and computer readable storage medium
CN113435202A (en) Product recommendation method and device based on user portrait, electronic equipment and medium
Chang et al. A hybrid system by evolving case-based reasoning with genetic algorithm in wholesaler's returning book forecasting
CN109636212B (en) Method for predicting actual running time of job
CN109753498A (en) data cleaning method and terminal device based on machine learning
Yan et al. A clustering algorithm for multi-modal heterogeneous big data with abnormal data
CN103226748A (en) Associative memory-based project management system
Obweger et al. Similarity searching in sequences of complex events
CN114220536A (en) Disease analysis method, device, equipment and storage medium based on machine learning
CN112215655B (en) Label management method and system for customer portrait
Malburg et al. Modeling and Using Complex IoT Time Series Data in Case-Based Reasoning: From Application Scenarios to Implementations.
CN113435900A (en) Transaction risk determination method and device and server
CN112949778A (en) Intelligent contract classification method and system based on locality sensitive hashing and electronic equipment
Haroon et al. Application of machine learning in forensic science
CN114708073B (en) Intelligent detection method and device for surrounding mark and serial mark, electronic equipment and storage medium
CN115034812B (en) Steel industry sales volume prediction method and device based on big data
CN109739840A (en) Data processing empty value method, apparatus and terminal device
CN113420847B (en) Target object matching method based on artificial intelligence and related equipment
Chang Software risk modeling by clustering project metrics
CN114518993A (en) System performance monitoring method, device, equipment and medium based on business characteristics
CN113505117A (en) Data quality evaluation method, device, equipment and medium based on data indexes

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant