CN109918279A - Electronic device, method and storage medium for identifying abnormal user operations based on log data - Google Patents
- Publication number: CN109918279A (application CN201910065654.5A)
- Authority: CN (China)
- Prior art keywords: user, operating characteristics, abnormal, data, characteristics data
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Information Retrieval, Db Structures And Fs Structures Therefor (AREA); Testing And Monitoring For Control Systems (AREA)
Abstract
The invention discloses an electronic device, method and storage medium for identifying abnormal user operations based on log data. First, the log data of a predetermined plurality of users is collected and statistically analyzed to obtain the operation feature data of each of the predetermined users. Then the obtained operation feature data is analyzed with a pre-established classification model for abnormal user identification to determine the abnormal users among the predetermined users. Finally, the identification information of the determined abnormal users is sent to a predetermined abnormal user monitoring center, so that the abnormal users can be monitored or verification processing can be carried out. The abnormal operations of users can be identified quickly and accurately, which improves the accuracy of abnormal user identification.
Description
Technical field
The present invention relates to the field of abnormal operation identification, and in particular to an electronic device, method and storage medium for identifying abnormal user operations based on log data.
Background art
Currently, there are many ways to identify user behavior patterns. At the operation level of application systems, most of them use configured rules to monitor a user's access to a particular object or the total number of operations, so the dimensions considered are single and one-sided. On the other hand, application system operation logs are generally used to monitor system health, and a complete, systematic method of applying them at the user operation level is lacking.
Summary of the invention
In view of this, to solve the above technical problem, the present invention first provides an electronic device. The electronic device includes a memory and a processor connected to the memory. The processor is configured to execute a program, stored on the memory, for identifying abnormal user operations based on log data. When executed by the processor, the program implements the following steps:
A1. Collect the log data of a predetermined plurality of users and statistically analyze the collected log data to obtain the operation feature data of each of the predetermined users;
A2. Analyze the obtained operation feature data with a pre-established classification model for abnormal user identification to determine abnormal users among the predetermined users;
A3. Send the identification information of the determined abnormal users to a predetermined abnormal user monitoring center, so that the abnormal users can be monitored or verification processing can be carried out.
Preferably, in step A2, the process of establishing the pre-established classification model for abnormal user identification includes the following steps:
Analyze the obtained operation feature data with an unsupervised machine learning algorithm to determine abnormal users among the predetermined users;
Based on the operation feature data of the determined abnormal users, select, by supervised learning, the key feature parameters for building the classification model from the multiple feature parameters of the abnormal users, and generate key feature data containing the key feature parameters;
Build a decision tree model from the key feature data; the decision tree model is the classification model for abnormal user identification.
Preferably, the step of analyzing the obtained operation feature data with an unsupervised machine learning algorithm to determine abnormal users among the predetermined users includes:
Cluster the operation feature data of the multiple users, aggregating the operation feature data of users with a high degree of association, to obtain multiple clusters;
Judge the distribution of the operation feature data in each cluster separately. If the number of operation feature data items contained in a cluster is less than a first preset quantity, the users in that cluster are considered abnormal users;
If the number of operation feature data items contained in a cluster is greater than or equal to the first preset quantity, and the number of operation feature data items whose distance from the predefined center data is greater than a predefined distance threshold is greater than or equal to a second preset quantity, the users in that cluster are considered abnormal users;
Alternatively, if the number of operation feature data items contained in a cluster is greater than or equal to the first preset quantity, and the number of operation feature data items whose distance from the predefined center data is greater than the predefined distance threshold is less than the second preset quantity, the users corresponding to the operation feature data in that cluster whose distance from the center data is greater than the predefined distance threshold are considered abnormal users.
Preferably, the supervised learning method is a decision tree algorithm or a naive Bayes algorithm.
Preferably, the operation feature data includes data such as the user name of the operating user, the login IP, the time, the operation event and the parameters.
In addition, to solve the above technical problem, the present invention also proposes a method for identifying abnormal user operations based on log data, characterized in that the method includes the following steps:
S1. Collect the log data of a predetermined plurality of users and statistically analyze the collected log data to obtain the operation feature data of each of the predetermined users;
S2. Analyze the obtained operation feature data with a pre-established classification model for abnormal user identification to determine abnormal users among the predetermined users;
S3. Send the identification information of the determined abnormal users to a predetermined abnormal user monitoring center, so that the abnormal users can be monitored or verification processing can be carried out.
Preferably, in step S2, the process of establishing the pre-established classification model for abnormal user identification includes the following steps:
Analyze the obtained operation feature data with an unsupervised machine learning algorithm to determine abnormal users among the predetermined users;
Based on the operation feature data of the determined abnormal users, select, by supervised learning, the key feature parameters for building the classification model from the multiple feature parameters of the abnormal users, and generate key feature data containing the key feature parameters;
Build a decision tree model from the key feature data; the decision tree model is the classification model for abnormal user identification.
Preferably, the step of analyzing the obtained operation feature data with an unsupervised machine learning algorithm to determine abnormal users among the predetermined users includes:
Cluster the operation feature data of the multiple users, aggregating the operation feature data of users with a high degree of association, to obtain multiple clusters;
Judge the distribution of the operation feature data in each cluster separately. If the number of operation feature data items contained in a cluster is less than a first preset quantity, the users in that cluster are considered abnormal users;
If the number of operation feature data items contained in a cluster is greater than or equal to the first preset quantity, and the number of operation feature data items whose distance from the predefined center data is greater than a predefined distance threshold is greater than or equal to a second preset quantity, the users in that cluster are considered abnormal users;
Alternatively, if the number of operation feature data items contained in a cluster is greater than or equal to the first preset quantity, and the number of operation feature data items whose distance from the predefined center data is greater than the predefined distance threshold is less than the second preset quantity, the users corresponding to the operation feature data in that cluster whose distance from the center data is greater than the predefined distance threshold are considered abnormal users.
Preferably, the supervised learning method is a decision tree algorithm or a naive Bayes algorithm.
In addition, to solve the above technical problem, the present invention also proposes a computer readable storage medium. The computer readable storage medium stores a monitoring and survey program based on virtual numbers; the program for identifying abnormal user operations based on log data can be executed by at least one processor, so that the at least one processor performs the steps of the method for identifying abnormal user operations based on log data as described in any of the above.
The electronic device, method and storage medium for identifying abnormal user operations based on log data proposed by the present invention first collect the log data of a predetermined plurality of users and statistically analyze the collected log data to obtain the operation feature data of each of the predetermined users; then analyze the obtained operation feature data with a pre-established classification model for abnormal user identification to determine abnormal users among the predetermined users; and finally send the identification information of the determined abnormal users to a predetermined abnormal user monitoring center, so that the abnormal users can be monitored or verification processing can be carried out. The abnormal operations of users can be identified quickly and accurately, which improves the accuracy of abnormal user identification.
Brief description of the drawings
Fig. 1 is a schematic diagram of an optional hardware architecture of the electronic device proposed by the present invention;
Fig. 2 is a schematic diagram of the program modules of the program for identifying abnormal user operations based on log data in an embodiment of the electronic device of the present invention;
Fig. 3 is an implementation flow chart of a preferred embodiment of the method of the present invention for identifying abnormal user operations based on log data.
The realization of the object, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative work fall within the protection scope of the present invention.
It should be noted that descriptions involving "first", "second" and the like in the present invention are for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. A feature defined with "first" or "second" may therefore explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments can be combined with each other, but only on the basis that the combination can be realized by those of ordinary skill in the art; when a combination of technical solutions is contradictory or cannot be realized, that combination should be considered not to exist and is not within the protection scope claimed by the present invention.
Refer to Fig. 1, which is a schematic diagram of an optional hardware architecture of the electronic device proposed by the present invention. In this embodiment, the electronic device 10 may include, but is not limited to, a memory 11, a processor 12 and a network interface 13 that can communicate with each other through a communication bus 14. It should be pointed out that Fig. 1 only shows the electronic device 10 with components 11-14; it should be understood that not all of the components shown are required, and more or fewer components may be implemented instead.
The memory 11 includes at least one type of computer readable storage medium. Computer readable storage media include flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disc and the like. In some embodiments, the memory 11 may be an internal storage unit of the electronic device 10, such as the hard disk or internal memory of the electronic device 10. In other embodiments, the memory 11 may also be an external storage device of the electronic device 10, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a Flash Card fitted to the electronic device 10. Of course, the memory 11 may also include both the internal storage unit of the electronic device 10 and its external storage device. In this embodiment, the memory 11 is generally used to store the operating system and the various application software installed on the electronic device 10, such as the program for identifying abnormal user operations based on log data. In addition, the memory 11 can also be used to temporarily store various types of data that have been output or are to be output.
In some embodiments, the processor 12 may be a central processing unit (CPU), controller, microcontroller, microprocessor or other data processing chip. The processor 12 is generally used to control the overall operation of the electronic device 10. In this embodiment, the processor 12 is used to run the program code or process the data stored in the memory 11, for example to run the program for identifying abnormal user operations based on log data.
The network interface 13 may include a wireless network interface or a wired network interface, and is generally used to establish a communication connection between the electronic device 10 and other electronic equipment.
The communication bus 14 is used to realize the communication connection between components 11-13.
Fig. 1 only shows the electronic device 10 with components 11-14 and the program for identifying abnormal user operations based on log data; it should be understood that not all of the components shown are required, and more or fewer components may be implemented instead.
Optionally, the electronic device 10 may also include a user interface (not shown in Fig. 1). The user interface may include a display and an input unit such as a keyboard, and may also include a standard wired interface, a wireless interface and the like.
Optionally, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-control liquid crystal display, an OLED touch device or the like. Further, the display may also be called a display screen or display unit, and is used to display the information processed in the electronic device 10 and to display a visual user interface.
Optionally, in some embodiments, the electronic device 10 may also include an audio unit (not shown in Fig. 1). When the electronic device 10 is in a mode such as call signal reception mode, call mode, recording mode, speech recognition mode or broadcast reception mode, the audio unit can convert received or stored audio data into an audio signal. Further, the electronic device 10 may also include an audio output unit, which outputs the audio signal converted by the audio unit and can also provide audio output related to a specific function executed by the electronic device 10 (for example, a call signal reception sound or a message reception sound). The audio output unit may include a loudspeaker, a buzzer and the like.
Optionally, in some embodiments, the electronic device 10 may also include an alarm unit (not shown), which can provide output to notify the electronic device 10 of the occurrence of an event. Typical events may include call reception, message reception, key signal input, touch input and the like. In addition to audio or video output, the alarm unit can provide output in other ways to notify of the occurrence of an event. For example, the alarm unit can provide output in the form of vibration: when a call, a message or some other event that can put the electronic device 10 into communication mode is received, the alarm unit can provide tactile output (that is, vibration) to notify the user.
In one embodiment, when the program for identifying abnormal user operations based on log data stored in the memory 11 is executed by the processor 12, the following operations are implemented:
A. Collect the log data of a predetermined plurality of users and statistically analyze the collected log data to obtain the operation feature data of the users;
Specifically, the collected log data of a user includes data such as the user name of the operating user, the login IP, the time, the operation event and the parameters. Because the analysis of a user's abnormal operations is based on the user's operation features in the log data, the user's log data must be collected and the user's operation feature data obtained from the collected log data. Specifically, a user's operation feature data consists of multiple feature parameters that identify or record the user's operation behavior. A feature parameter may be one obtained by counting, from the user's operation feature data, along the dimension of the number of operations a given user executes within a predefined time period (for example, each hour of a given working day or each hour of a non-working day); or one obtained by counting, from the user's operation feature data, along the dimension of the number of times a given operation is executed within a predefined time period (for example, each hour of a given working day or each hour of a non-working day); or the number of IPs used within a predefined time period, and so on.
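One way to carry out the statistical analysis of step A, given here as an added example and not as code from the patent: it assumes a constructed space-separated log format (time, user name, login IP, operation event, parameter), treats Monday to Friday as working days, and uses the hypothetical names `parse_record`, `extract_features` and `to_vector`.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one record per line:
# time, user name, login IP, operation event, parameter
SAMPLE_LOG = """\
2019-01-21T09:15:02 alice 10.0.0.5 query_account id=1001
2019-01-21T09:40:11 alice 10.0.0.5 query_account id=1002
2019-01-21T14:03:37 alice 10.0.0.5 export_report month=2018-12
2019-01-21T10:05:00 bob 10.0.0.9 query_account id=2001
this line is truncated and must be skipped
2019-01-26T02:11:45 bob 192.0.2.44 export_report month=2018-12
2019-01-26T02:12:03 bob 198.51.100.7 export_report month=2018-11
2019-01-26T02:12:30 bob 198.51.100.7 delete_record id=2001
"""


def parse_record(line):
    """Split one log line into (time, user, ip, event, param); None if malformed."""
    fields = line.split(maxsplit=4)
    if len(fields) != 5:
        return None
    try:
        when = datetime.fromisoformat(fields[0])
    except ValueError:
        return None
    return (when, *fields[1:])


def extract_features(log_text):
    """Aggregate per-user feature parameters; returns (features, skipped_line_count)."""
    features = defaultdict(lambda: {
        "workday_hourly": [0] * 24,     # operations per hour on working days
        "nonworkday_hourly": [0] * 24,  # operations per hour on non-working days
        "events": Counter(),            # how often each operation was executed
        "ips": set(),                   # distinct login IPs in the period
    })
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if record is None:
            skipped += 1  # keep count so silent data loss is visible
            continue
        when, user, ip, event, _param = record
        entry = features[user]
        # Assumption: Monday-Friday are working days (public holidays ignored).
        bucket = "workday_hourly" if when.weekday() < 5 else "nonworkday_hourly"
        entry[bucket][when.hour] += 1
        entry["events"][event] += 1
        entry["ips"].add(ip)
    return dict(features), skipped


def to_vector(entry):
    """Flatten one user's features: 24 workday counts, 24 non-workday counts, IP count."""
    return entry["workday_hourly"] + entry["nonworkday_hourly"] + [len(entry["ips"])]


if __name__ == "__main__":
    feats, skipped = extract_features(SAMPLE_LOG)
    for user, entry in sorted(feats.items()):
        print(user, to_vector(entry), dict(entry["events"]))
    print("skipped lines:", skipped)
```
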
B. Analyze the obtained operation feature data with a pre-established classification model for abnormal user identification to determine abnormal users among the predetermined users;
C. Send the identification information of the determined abnormal users to a predetermined abnormal user monitoring center, so that the abnormal users can be monitored or verification processing can be carried out.
Specifically, in some optional implementations of this embodiment, the process of establishing the pre-established classification model for abnormal user identification includes the following steps:
E1. Analyze the obtained operation feature data with an unsupervised machine learning algorithm to determine abnormal users among the predetermined users;
Specifically, a clustering algorithm is used to cluster the feature data of the multiple users to obtain multiple clusters. When a cluster contains feature data that is far from the overall data center or that forms discrete scatter points, the users corresponding to the feature data that is far from the data center or forms discrete scatter points are determined to be abnormal users.
In this embodiment, the unsupervised learning method may be a clustering algorithm, for example a distance-based clustering algorithm.
A clustering algorithm can be used to cluster the operation feature data of the multiple users, aggregating the operation feature data of users with a high degree of association to obtain multiple clusters. Each cluster may contain the operation feature data of multiple users with a high degree of association.
In this embodiment, the distribution of the operation feature data in each cluster can be judged separately. If a cluster contains only fewer operation feature data items than the first preset quantity, for example 2 scatter points, the operation feature data in that cluster are considered scatter points, and the users corresponding to those scatter points are abnormal users. If a cluster contains more operation feature data items than the first preset quantity and most of the data are far from the center data, for example the number of operation feature data items in the cluster whose distance from the predefined center data is greater than the predefined distance threshold is greater than or equal to the second preset quantity, the entire cluster is considered a cluster of abnormal users. Alternatively, if a cluster contains a number of operation feature data items greater than or equal to the first preset quantity, and the number of operation feature data items in the cluster whose distance from the predefined center data is greater than the predefined distance threshold is less than the second preset quantity, the users corresponding to the operation feature data in that cluster whose distance from the center data is greater than the predefined distance threshold are considered abnormal users.
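The three cluster rules of step E1 (also stated in the preferred steps of the summary) can be applied to already-clustered feature vectors as follows. This is an added example, not code from the patent: it assumes the cluster assignment is given, uses each cluster's centroid as the "predefined center data" and Euclidean distance as the distance measure, and the function names, user names and threshold values are constructed for illustration.

```python
from math import dist
from statistics import fmean


def centroid(vectors):
    """Coordinate-wise mean; stands in for the 'predefined center data' (assumption)."""
    return [fmean(column) for column in zip(*vectors)]


def flag_abnormal_users(clusters, first_preset, second_preset, distance_threshold):
    """Apply the three rules to {cluster_id: {user: feature_vector}}.

    Returns {user: reason} for every user judged abnormal.
    """
    flagged = {}
    for members in clusters.values():
        # Rule 1: fewer items than the first preset quantity means the cluster
        # is a set of scatter points, so every user in it is abnormal.
        if len(members) < first_preset:
            for user in members:
                flagged[user] = "small_cluster"
            continue
        centre = centroid(list(members.values()))
        far = [u for u, vec in members.items() if dist(vec, centre) > distance_threshold]
        if len(far) >= second_preset:
            # Rule 2: enough items lie far from the centre, so the whole
            # cluster is treated as a cluster of abnormal users.
            for user in members:
                flagged[user] = "dispersed_cluster"
        else:
            # Rule 3: only the users whose data lies beyond the distance
            # threshold are abnormal; the rest of the cluster is normal.
            for user in far:
                flagged[user] = "far_from_centre"
    return flagged


# Constructed feature vectors: [workday ops/hour, non-workday ops/hour, distinct IPs]
SAMPLE_CLUSTERS = {
    0: {  # tight group with one outlier (rule 3)
        "alice": [40, 2, 1], "bob": [42, 3, 1], "carol": [38, 2, 1],
        "dave": [41, 1, 1], "erin": [39, 2, 2], "frank": [45, 50, 5],
    },
    1: {  # only two points (rule 1)
        "grace": [3, 70, 9], "heidi": [5, 65, 8],
    },
    2: {  # every point far from the centre (rule 2)
        "ivan": [10, 0, 1], "judy": [90, 0, 1], "ken": [10, 80, 1], "leo": [90, 80, 1],
    },
}


def run_sample():
    """Evaluate the constructed clusters with constructed thresholds."""
    return flag_abnormal_users(SAMPLE_CLUSTERS, first_preset=3,
                               second_preset=3, distance_threshold=15.0)


if __name__ == "__main__":
    for user, reason in sorted(run_sample().items()):
        print(f"{user}: {reason}")
```

Because an outlier pulls the centroid toward itself, the distance threshold has to be chosen with that shift in mind; in cluster 0 the normal users sit roughly 7 to 9 units from the centroid only because of frank's vector.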
F1. Based on the operation feature data of the determined abnormal users, select, by supervised learning, the key feature parameters for building the classification model from the multiple feature parameters of the abnormal users, and generate key feature data containing the key feature parameters;
Specifically, in this embodiment, to build the classification model for abnormal user identification, supervised learning can first be used to analyze the feature data of the abnormal users determined among the multiple users, and the key feature parameters for building the classification model, i.e. the parameters that are more important for identifying abnormal users, are selected from the feature parameters.
In this embodiment, the supervised learning method may be a decision tree. Before the decision tree is used to select the key feature parameters for building the classification model, a decision tree is first built from the feature data of the determined abnormal users. By training the decision tree with the feature data of multiple abnormal users as training samples, the decision tree can learn the importance of each feature parameter in the abnormal users' feature data for identifying abnormal users. The decision tree built from the feature data of the determined abnormal users contains multiple nodes, each node corresponding to one feature parameter; the closer a node is to the root node of the decision tree, the more important its corresponding feature parameter is for identifying abnormal users. The feature parameters corresponding to nodes whose depth in the decision tree is greater than a depth threshold may be selected, as the more important feature parameters, to serve as the key feature parameters for building the classification model. For example, in this embodiment, taking the case where a user's feature data includes the number of operations the user executes in different preset time periods, the decision tree built from the abnormal users' feature data contains nodes corresponding to the number of operations the user executes at each preset time point. Because the number of operations executed at each preset time point differs in its importance for identifying abnormal users, the nodes corresponding to the operation counts of different time periods also lie at different depths in the decision tree. In this embodiment, after the key feature parameters for building the classification model, i.e. the operation counts of the key time periods, have been selected by the decision tree, the feature data of abnormal users that satisfies the following condition can be selected from the feature data of the determined abnormal users: the result of the decision tree classifying the abnormal user's feature data is an abnormal user. The decision tree is used to classify the feature data of the identified abnormal users again to obtain classification results. When the decision tree's classification result for an abnormal user's feature data is an abnormal user, the key feature parameters (i.e. the execution counts at the key time points) in that abnormal user's feature data can be combined to obtain key feature data, which is then used to build the classification model.
In this embodiment, the supervised learning method may also be a naive Bayes algorithm. Using the naive Bayes algorithm, the abnormal probability corresponding to each feature parameter can be calculated from the feature data of the determined abnormal users. The abnormal probability corresponding to a feature parameter is the probability that a user is an abnormal user when the value of that feature parameter is abnormal. The abnormal probability can indicate the importance of the feature parameter for identifying abnormal users: the larger the abnormal probability corresponding to a feature parameter, the more important that parameter is for identifying anomalies. After the abnormal probability corresponding to each feature parameter has been calculated by the naive Bayes algorithm, the feature parameters whose abnormal probability is greater than a probability threshold can be taken as the key feature parameters for building the classification model. In this embodiment, after the key feature parameters for building the classification model have been selected by the naive Bayes algorithm, the feature data of abnormal users that satisfies the following condition can be selected from the feature data of the determined abnormal users: the result of classifying the abnormal user's feature data with the naive Bayes algorithm is an abnormal user. The naive Bayes algorithm is used to classify the feature data of the identified abnormal users again to obtain classification results. When the naive Bayes algorithm's classification result for an abnormal user's feature data is an abnormal user, the key feature parameters in that abnormal user's feature data can be combined to obtain key feature data, which is then used to build the classification model.
It should be noted that in this embodiment the key feature data is the execution count of the key time periods; in some other embodiments it may also be the number of IPs used in the key time periods or the number of system logins; it may also be the user's basic information, such as age, education and occupation. This embodiment places no restriction on this.
G1. Build a decision tree model from the key feature data; the decision tree model is the classification model for abnormal user identification.
Specifically, in this embodiment, the classification model may be a decision tree model. A decision tree model can be created and trained with the generated key feature data containing the key feature parameters as training samples, yielding a trained classification model for abnormal user identification.
From the above embodiment it can be seen that the electronic device proposed by the present invention first receives vehicle insurance case information and analyzes the vehicle insurance case information according to predefined scheduling rules to determine the surveyor corresponding to the case's survey task; then, based on a virtual-number client, sends a request to obtain a virtual number to the virtual number service platform of a predetermined operator, the request including the real telephone number information of the user involved in the accident; then sends the obtained virtual number to the surveyor's first terminal device and monitors the first terminal device, in order to monitor the voice call information between the first terminal device, based on the virtual number, and the second terminal device of the corresponding user involved in the accident; and finally determines the surveyor's service quality from the monitored voice call information between the first terminal device and the second terminal device. The surveyor's service quality can thus be grasped in a timely, accurate and comprehensive manner, and the risk of user information leakage can be reduced. First, the log data of a predetermined plurality of users is collected and statistically analyzed to obtain the operation feature data of each of the predetermined users; then the obtained operation feature data is analyzed with a pre-established classification model for abnormal user identification to determine abnormal users among the predetermined users; finally, the identification information of the determined abnormal users is sent to a predetermined abnormal user monitoring center, so that the abnormal users can be monitored or verification processing can be carried out. The abnormal operations of users can be identified quickly and accurately, which improves the accuracy of abnormal user identification.
In addition, the program of the present invention for identifying abnormal user operations based on log data can be described in terms of program modules, grouped by the functions its parts implement. Refer to Fig. 2, which is a schematic diagram of the program modules of this program in an embodiment of the electronic device of the present invention. In this embodiment, the program can be divided, according to the functions its parts implement, into an acquisition module 201, an analysis module 202 and a sending module 203. As described above, a program module in the sense of the present invention is a series of computer program instruction segments that performs a specific function, and it is better suited than the program as a whole to describing how the program for identifying abnormal user operations based on log data executes in the electronic device 10. The functions or operation steps implemented by modules 201-203 are similar to those described above and are not detailed again here; by way of example:
The acquisition module 201 collects the log data of predetermined multiple users and performs statistical analysis on the collected log data to obtain the operation feature data of each of the predetermined multiple users;
The analysis module 202 analyzes the obtained operation feature data with the pre-established classification model for abnormal user identification to determine abnormal users from the predetermined multiple users;
The sending module 203 sends the identification information of the determined abnormal users to a predetermined abnormal-user monitoring center for monitoring or verification of the abnormal users.
In addition, the present invention also proposes a method for identifying abnormal user operations based on log data. Referring to Fig. 3, the method includes the following steps:
S100, collecting the log data of predetermined multiple users and performing statistical analysis on the collected log data to obtain the operation feature data of the users;
Specifically, the collected user log data includes the operating user's user name, login IP, time, operation event, parameters and similar information. Because the analysis of a user's abnormal operations is based on the user's operation features in the log data, the users' log data must be collected and the users' operation feature data obtained from it. The operation feature data of a user is a set of feature parameters that identify or record the user's operation behavior. A feature parameter may be obtained by counting, from the user's operation feature data, the number of operations a given user performs in a predefined time period (for example, each hour of a working day or each hour of a non-working day); or by counting the number of times a given operation is performed in a predefined time period (for example, each hour of a working day or each hour of a non-working day); or it may be the number of IPs used in a predefined time period, and so on.
S200, analyzing the obtained operation feature data with the pre-established classification model for abnormal user identification to determine abnormal users from the predetermined multiple users;
S300, sending the identification information of the determined abnormal users to a predetermined abnormal-user monitoring center for monitoring or verification of the abnormal users.
Specifically, in some optional implementations of this embodiment, the pre-established classification model for abnormal user identification is built by the following steps:
E2, analyzing the obtained operation feature data with an unsupervised machine learning algorithm to determine abnormal users from the predetermined multiple users;
Specifically, a clustering algorithm is used to cluster the feature data of the multiple users into multiple clusters; when a cluster contains feature data that lies far from the center of the whole data set or forms discrete scatter points, the users corresponding to that feature data are determined to be abnormal users.
In this embodiment, the unsupervised learning method may be a clustering algorithm, for example a distance-based clustering algorithm. The operation feature data of the multiple users can be clustered so that the operation feature data of highly correlated users is grouped together, yielding multiple clusters. Each cluster may contain the operation feature data of several highly correlated users. In this embodiment, the distribution of the operation feature data in each cluster is judged separately. If a cluster contains fewer operation feature data points than a first preset quantity, for example 2 scatter points, the operation feature data in that cluster is regarded as scatter points, and the users corresponding to those scatter points are abnormal users. If a cluster contains more operation feature data points than the first preset quantity and most of them lie far from the center data, for example the number of operation feature data points in the cluster whose distance from the predefined center data exceeds a predefined distance threshold is greater than or equal to a second preset quantity, the entire cluster is regarded as a cluster of abnormal users. Alternatively, if a cluster contains at least the first preset quantity of operation feature data points, and the number of points in the cluster whose distance from the predefined center data exceeds the predefined distance threshold is less than the second preset quantity, the users corresponding to the points in that cluster whose distance from the center data exceeds the predefined distance threshold are abnormal users.
F2, based on the operation feature data of the determined abnormal users, selecting, by supervised learning, key feature parameters for constructing the classification model from the multiple feature parameters of the abnormal users, and generating key feature data containing the key feature parameters;
Specifically, in this embodiment, to construct the classification model for abnormal user identification, the feature data of the abnormal users determined among the multiple users can first be analyzed by supervised learning, and the key feature parameters for constructing the classification model, that is, the parameters that matter more in identifying abnormal users, are selected from the feature parameters.
In this embodiment, the supervised learning method may be a decision tree. Before the decision tree is used to select the key feature parameters for constructing the classification model, a decision tree is first built from the feature data of the determined abnormal users. By training the decision tree with the feature data of multiple abnormal users as training samples, the decision tree learns how important each feature parameter in the abnormal users' feature data is for identifying abnormal users. The decision tree built from the determined abnormal users' feature data contains multiple nodes, each node corresponding to one feature parameter; the closer a node is to the root of the decision tree, the more important its feature parameter is for identifying abnormal users. The feature parameters corresponding to nodes whose depth in the decision tree is greater than a depth threshold can be chosen as the more important feature parameters and used as the key feature parameters for constructing the classification model. For example, in this embodiment, take the case where a user's feature data includes the number of operations the user performs in different preset time periods. The decision tree built from the abnormal users' feature data then contains nodes corresponding to the number of operations the user performs at each preset time point; because the number of operations at each preset time point differs in importance for identifying abnormal users, the nodes corresponding to the operation counts of different time periods sit at different depths in the decision tree. In this embodiment, after the key feature parameters for constructing the classification model, that is, the operation counts of the key time periods, have been selected through the decision tree, the feature data of abnormal users that meets the following condition can be selected from the feature data of the determined abnormal users: the decision tree classifies the abnormal user's feature data as an abnormal user. The decision tree is used to classify the feature data of the identified abnormal users again, yielding classification results. When the decision tree classifies an abnormal user's feature data as an abnormal user, the key feature parameters in that user's feature data (that is, the operation counts at the key time points) can be combined to obtain key feature data, which is then used to construct the classification model.
In this embodiment, the supervised learning method may also be the naive Bayes algorithm. The naive Bayes algorithm can be used to calculate, from the feature data of the determined abnormal users, the abnormal probability corresponding to each feature parameter; the abnormal probability of a feature parameter is the probability that the user is an abnormal user when the value of that feature parameter is abnormal. The abnormal probability can indicate how important the feature parameter is for identifying abnormal users. The larger a feature parameter's corresponding abnormal probability, the less important it is for identifying anomalies. After the abnormal probability of each feature parameter has been calculated with the naive Bayes algorithm, the feature parameters whose abnormal probability is greater than a probability threshold can be used as the key feature parameters for constructing the classification model. In this embodiment, after the key feature parameters for constructing the classification model have been selected with the naive Bayes algorithm, the feature data of abnormal users that meets the following condition can be selected from the feature data of the determined abnormal users: the naive Bayes algorithm classifies the abnormal user's feature data as an abnormal user. The naive Bayes algorithm is used to classify the feature data of the identified abnormal users again, yielding classification results. When the naive Bayes algorithm classifies an abnormal user's feature data as an abnormal user, the key feature parameters in that user's feature data can be combined to obtain key feature data, which is then used to construct the classification model.
Note that in this embodiment the key feature data is the operation count of the key time periods; in some other embodiments it may also be the number of IPs used in the key time periods or the number of logins to the system; it may also be the user's basic information, such as age, education and occupation. This embodiment imposes no restriction.
G2, constructing a decision-tree model from the key feature data, the decision-tree model being the classification model for abnormal user identification.
Specifically, in this embodiment, the classification model may be a decision-tree model. A decision-tree model can be created and trained with the generated key feature data containing the key feature parameters as training samples; the trained decision-tree model is the classification model for abnormal user identification.
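The following Python code is an added example, not code from the patent: it derives per-user features from constructed log records (step S100), applies the three-case cluster rule of step E2, and ranks the features by the information gain a decision tree would use to pick its root, as one way to choose the key feature parameters of step F2. The leader-clustering method, the two time periods, every threshold, the predefined center and the information-gain criterion are assumptions chosen for illustration; the page specifies none of them.

```python
import math
from collections import defaultdict

FEATURES = ("work_hours_ops", "off_hours_ops", "distinct_ips")
# Constructed sample profiles (not real data): user -> values for FEATURES.
PROFILE = {
    "alice": (40, 0, 1), "bob": (42, 1, 1), "carol": (38, 0, 1),
    "dave": (41, 2, 1), "erin": (39, 1, 1), "frank": (52, 3, 2),
    "gina": (5, 40, 1), "hank": (6, 38, 1), "ivan": (4, 42, 1),
    "judy": (5, 41, 1), "mallory": (10, 300, 9),
}

def constructed_logs():
    """Expand PROFILE into log records carrying the fields the page lists."""
    logs = []
    for user, (work, off, n_ips) in PROFILE.items():
        for i in range(work + off):
            logs.append({"user": user, "ip": f"192.0.2.{i % n_ips + 1}",
                         "hour": 10 if i < work else 2, "event": "query"})
    return logs

def extract_features(logs, work_hours=range(9, 18)):
    """Step S100: per-user operation counts per time period and IP count."""
    ops, ips = defaultdict(lambda: [0, 0]), defaultdict(set)
    for rec in logs:
        ops[rec["user"]][0 if rec["hour"] in work_hours else 1] += 1
        ips[rec["user"]].add(rec["ip"])
    return {u: (ops[u][0], ops[u][1], len(ips[u])) for u in sorted(ops)}

def leader_cluster(features, radius):
    """Distance-based clustering: join the first cluster whose leader is near."""
    clusters = []
    for user, vec in features.items():
        for leader, members in clusters:
            if math.dist(leader, vec) <= radius:
                members.append(user)
                break
        else:
            clusters.append((vec, [user]))
    return [members for _, members in clusters]

def label_abnormal(features, clusters, center, first_n, second_n, max_dist):
    """Step E2: apply the three-case cluster rule; returns user -> reason."""
    abnormal = {}
    for members in clusters:
        far = [u for u in members if math.dist(features[u], center) > max_dist]
        if len(members) < first_n:        # sparse cluster: scatter points
            flagged, reason = members, "scatter"
        elif len(far) >= second_n:        # enough members are far away
            flagged, reason = members, "whole_cluster"
        else:                             # only the distant members
            flagged, reason = far, "far_member"
        abnormal.update({u: reason for u in flagged})
    return abnormal

def entropy(labels):
    """Shannon entropy (bits) of a list of boolean labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n)
                for c in (labels.count(True), labels.count(False)) if c)

def rank_features(features, abnormal):
    """Step F2 (assumed criterion): best single-threshold information gain."""
    users = list(features)
    labels = [u in abnormal for u in users]
    gains = {}
    for idx, name in enumerate(FEATURES):
        best = 0.0
        for t in sorted({features[u][idx] for u in users}):
            left = [lab for u, lab in zip(users, labels) if features[u][idx] <= t]
            right = [lab for u, lab in zip(users, labels) if features[u][idx] > t]
            if left and right:
                weighted = len(left) * entropy(left) + len(right) * entropy(right)
                best = max(best, entropy(labels) - weighted / len(users))
        gains[name] = best
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)

def run_demo():
    feats = extract_features(constructed_logs())
    clusters = leader_cluster(feats, radius=15)            # assumed radius
    abnormal = label_abnormal(feats, clusters, center=(40, 1, 1),
                              first_n=2, second_n=3, max_dist=10)  # assumed values
    return feats, clusters, abnormal, rank_features(feats, abnormal)

if __name__ == "__main__":
    feats, clusters, abnormal, ranking = run_demo()
    for user, reason in sorted(abnormal.items()):
        print(f"{user:8s} {feats[user]} flagged: {reason}")
    print("feature ranking:", ranking)
```

With these constructed values the whole-cluster case flags gina, hank, ivan and judy, a coherent off-hours group, so the second preset quantity and the distance threshold decide whether a legitimate night shift is reported to the monitoring center as abnormal.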
As the above embodiment shows, the method proposed by the present invention for identifying abnormal user operations based on log data first collects the log data of predetermined multiple users and performs statistical analysis on the collected log data to obtain the operation feature data of each of the predetermined multiple users; it then analyzes the obtained operation feature data with the pre-established classification model for abnormal user identification to determine abnormal users from the predetermined multiple users; finally, it sends the identification information of the determined abnormal users to a predetermined abnormal-user monitoring center for monitoring or verification of the abnormal users. The abnormal operations of users can thus be identified quickly and accurately, improving the accuracy of abnormal user identification.
In addition, the present invention also proposes a computer-readable storage medium on which a program for identifying abnormal user operations based on log data is stored; when executed by a processor, the program implements the following operations:
Collecting the log data of predetermined multiple users and performing statistical analysis on the collected log data to obtain the operation feature data of each of the predetermined multiple users;
Analyzing the obtained operation feature data with the pre-established classification model for abnormal user identification to determine abnormal users from the predetermined multiple users;
Sending the identification information of the determined abnormal users to a predetermined abnormal-user monitoring center for monitoring or verification of the abnormal users.
The specific embodiments of the computer-readable storage medium of the present invention are essentially the same as the embodiments of the electronic device and of the method for identifying abnormal user operations based on log data described above, and are not repeated here.
The serial numbers of the above embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.
From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and do not limit its scope. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of protection of the present invention.
Claims (10)
1. An electronic device, characterized in that the electronic device comprises a memory and a processor connected to the memory, the processor being configured to execute a program for identifying abnormal user operations based on log data stored in the memory, the program, when executed by the processor, implementing the following steps:
A1, collecting the log data of predetermined multiple users and performing statistical analysis on the collected log data to obtain the operation feature data of each of the predetermined multiple users;
A2, analyzing the obtained operation feature data with a pre-established classification model for abnormal user identification to determine abnormal users from the predetermined multiple users;
A3, sending the identification information of the determined abnormal users to a predetermined abnormal-user monitoring center for monitoring or verification of the abnormal users.
2. The electronic device according to claim 1, characterized in that, in step A2, the pre-established classification model for abnormal user identification is built by the following steps:
Analyzing the obtained operation feature data with an unsupervised machine learning algorithm to determine abnormal users from the predetermined multiple users;
Based on the operation feature data of the determined abnormal users, selecting, by supervised learning, key feature parameters for constructing the classification model from the multiple feature parameters of the abnormal users, and generating key feature data containing the key feature parameters;
Constructing a decision-tree model from the key feature data, the decision-tree model being the classification model for abnormal user identification.
3. The electronic device according to claim 2, characterized in that the step of analyzing the obtained operation feature data with an unsupervised machine learning algorithm to determine abnormal users from the predetermined multiple users comprises:
Clustering the operation feature data of the multiple users so that the operation feature data of highly correlated users is grouped together, yielding multiple clusters;
Judging the distribution of the operation feature data in each cluster separately, and, if a cluster contains fewer operation feature data points than a first preset quantity, regarding the users in that cluster as abnormal users;
If a cluster contains at least the first preset quantity of operation feature data points, and the number of operation feature data points whose distance from the predefined center data exceeds a predefined distance threshold is greater than or equal to a second preset quantity, regarding the users in that cluster as abnormal users;
Alternatively, if a cluster contains at least the first preset quantity of operation feature data points, and the number of operation feature data points whose distance from the predefined center data exceeds the predefined distance threshold is less than the second preset quantity, regarding the users corresponding to the operation feature data points in that cluster whose distance from the center data exceeds the predefined distance threshold as abnormal users.
4. The electronic device according to claim 2, characterized in that the supervised learning method is a decision tree algorithm or the naive Bayes algorithm.
5. The electronic device according to any one of claims 1-4, characterized in that the operation feature data includes the operating user's user name, login IP, time, operation event, parameters and similar data.
6. A method for identifying abnormal user operations based on log data, characterized in that the method comprises the following steps:
S1, collecting the log data of predetermined multiple users and performing statistical analysis on the collected log data to obtain the operation feature data of each of the predetermined multiple users;
S2, analyzing the obtained operation feature data with a pre-established classification model for abnormal user identification to determine abnormal users from the predetermined multiple users;
S3, sending the identification information of the determined abnormal users to a predetermined abnormal-user monitoring center for monitoring or verification of the abnormal users.
7. The method for identifying abnormal user operations based on log data according to claim 6, characterized in that, in step S2, the pre-established classification model for abnormal user identification is built by the following steps:
Analyzing the obtained operation feature data with an unsupervised machine learning algorithm to determine abnormal users from the predetermined multiple users;
Based on the operation feature data of the determined abnormal users, selecting, by supervised learning, key feature parameters for constructing the classification model from the multiple feature parameters of the abnormal users, and generating key feature data containing the key feature parameters;
Constructing a decision-tree model from the key feature data, the decision-tree model being the classification model for abnormal user identification.
8. The method for identifying abnormal user operations based on log data according to claim 6, characterized in that the step of analyzing the obtained operation feature data with an unsupervised machine learning algorithm to determine abnormal users from the predetermined multiple users comprises:
Clustering the operation feature data of the multiple users so that the operation feature data of highly correlated users is grouped together, yielding multiple clusters;
Judging the distribution of the operation feature data in each cluster separately, and, if a cluster contains fewer operation feature data points than a first preset quantity, regarding the users in that cluster as abnormal users;
If a cluster contains at least the first preset quantity of operation feature data points, and the number of operation feature data points whose distance from the predefined center data exceeds a predefined distance threshold is greater than or equal to a second preset quantity, regarding the users in that cluster as abnormal users;
Alternatively, if a cluster contains at least the first preset quantity of operation feature data points, and the number of operation feature data points whose distance from the predefined center data exceeds the predefined distance threshold is less than the second preset quantity, regarding the users corresponding to the operation feature data points in that cluster whose distance from the center data exceeds the predefined distance threshold as abnormal users.
9. The method for identifying abnormal user operations based on log data according to claim 6, characterized in that the supervised learning method is a decision tree algorithm or the naive Bayes algorithm.
10. A computer-readable storage medium, the computer-readable storage medium storing a virtual-number-based survey monitoring program, wherein the program for identifying abnormal user operations based on log data is executable by at least one processor to cause the at least one processor to perform the steps of the method for identifying abnormal user operations based on log data according to any one of claims 6-9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910065654.5A CN109918279B (en) | 2019-01-24 | 2019-01-24 | Electronic device, method for identifying abnormal operation of user based on log data and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109918279A true CN109918279A (en) | 2019-06-21 |
CN109918279B CN109918279B (en) | 2022-09-27 |
Family
ID=66960644
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910065654.5A Active CN109918279B (en) | 2019-01-24 | 2019-01-24 | Electronic device, method for identifying abnormal operation of user based on log data and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109918279B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN109918279B (en) | 2022-09-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109918279A (en) | Electronic device, method and storage medium based on daily record data identification user's abnormal operation | |
CN109377333A (en) | Electronic device determines method and storage medium based on the collection person of disaggregated model | |
CN109598434A (en) | Abnormity early warning method, apparatus, computer installation and storage medium | |
CN109739730A (en) | Monitoring method, device, equipment and the readable storage medium storing program for executing of multisystem daily record data | |
CN110766271A (en) | Customer service agent configuration method and device based on deep learning and computer equipment | |
CN108108743A (en) | Abnormal user recognition methods and the device for identifying abnormal user | |
WO2019062405A1 (en) | Application program processing method and apparatus, storage medium, and electronic device | |
CN109669837A (en) | Equipment state early warning method, system, computer installation and readable storage medium | |
US10498897B1 (en) | Systems and methods for simulating multiple call center balancing | |
WO2019174184A1 (en) | Outbound phone call analysis and control method, electronic apparatus and readable storage medium | |
CN109669835A (en) | MySQL database monitoring method, device, equipment and readable storage medium | |
CN109166624A (en) | A kind of behavior analysis method, device, server, system and storage medium | |
CN109840183B (en) | Data center grading early warning method and device and storage medium | |
CN110020191A (en) | Electronic device, the target object invited outside investment determine method and storage medium | |
CN109447674A (en) | Electronic device, insurance agent target service area determine method and storage medium | |
CN110084619A (en) | Support recognition methods, device and the computer readable storage medium of card behavior | |
CN111582341A (en) | User abnormal operation prediction method and device | |
CN109522919A (en) | A kind of data assessment method and device | |
CN109377406A (en) | Electronic device promotes the building Methods of electric load forecasting and storage medium returned based on gradient | |
CN116915710A (en) | Traffic early warning method, device, equipment and readable storage medium | |
CN112887371B (en) | Edge calculation method and device, computer equipment and storage medium | |
CN105162931B (en) | The sorting technique and device of a kind of communicating number | |
WO2019062404A1 (en) | Application program processing method and apparatus, storage medium, and electronic device | |
CN104937613A (en) | Heuristics to quantify data quality | |
CN109561134A (en) | Electronic device, distributed type assemblies service distribution method and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||