CN110365634B - Abnormal data monitoring method, device, medium and electronic equipment - Google Patents

Publication number: CN110365634B
Authority: CN (China)
Prior art keywords: data; abnormal data; identified; monitoring model; monitoring
Legal status: Active
Application number: CN201910435057.7A
Other languages: Chinese (zh)
Other versions: CN110365634A (en)
Inventor: 孙家棣
Current Assignee: Ping An Life Insurance Company of China Ltd
Original Assignee: Ping An Life Insurance Company of China Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure relates to the field of network monitoring and discloses an abnormal data monitoring method, device, medium and electronic equipment. The method comprises: acquiring data to be identified; inputting the data to be identified into each of an established first monitoring model, second monitoring model and third monitoring model to determine whether each monitoring model identifies the data as abnormal data, wherein the monitoring models differ in abnormal data identification accuracy and each corresponds to a different data generation object processing strategy; for each piece of abnormal data, determining, according to the model that identified it, the data generation object processing strategy to be executed on the corresponding data generation object; and executing the determined processing strategy on the data generation object corresponding to each piece of abnormal data. With this method, abnormal data is accurately monitored and network security is improved.

Description

Abnormal data monitoring method, device, medium and electronic equipment
Technical Field
The present disclosure relates to the field of network monitoring technologies, and in particular, to a method, an apparatus, a medium, and an electronic device for monitoring abnormal data.
Background
With the advent of the mobile internet and the internet of things, networks cover more and more people and terminals, and the network security situation is increasingly complex. For example, network attacks typified by traffic attacks occur frequently: an attacker often manipulates a large number of attack source devices to overwhelm a normally operating network service with heavy traffic, and such actions generate a large amount of abnormal data. How to accurately monitor abnormal data and promptly prevent similar abnormal data from being generated is therefore a problem that urgently needs to be solved in the prior art.
Disclosure of Invention
In the field of network monitoring, an object of the present disclosure is to provide a method, an apparatus, a medium, and an electronic device for monitoring abnormal data, so as to accurately monitor the abnormal data and prevent the generation of the abnormal data.
According to an aspect of the present application, there is provided an abnormal data monitoring method, the method including:
acquiring at least one piece of data to be identified, wherein each piece of data to be identified corresponds to a data generation object;
simultaneously inputting each piece of data to be identified into each of an established first monitoring model, second monitoring model and third monitoring model, so as to determine whether each monitoring model identifies the data to be identified as abnormal data, wherein the first, second and third monitoring models differ in their accuracy of identifying abnormal data and each corresponds to a different data generation object processing strategy;
for each piece of abnormal data, determining the data generation object processing strategy to be executed on the data generation object corresponding to that abnormal data, according to which of the first, second and third monitoring models identified it;
and executing, on the data generation object corresponding to each piece of abnormal data, the data generation object processing strategy determined for it.
According to another aspect of the present application, there is provided an abnormal data monitoring apparatus, the apparatus including:
an acquisition module configured to acquire at least one piece of data to be identified, wherein each piece of data to be identified corresponds to a data generation object;
an input module configured to simultaneously input each piece of data to be identified into each of the established first monitoring model, second monitoring model and third monitoring model, so as to determine whether each monitoring model identifies the data to be identified as abnormal data, wherein the first, second and third monitoring models differ in their accuracy of identifying abnormal data and each corresponds to a different data generation object processing strategy;
a determining module configured to determine, for each piece of abnormal data, the data generation object processing strategy to be executed on the data generation object corresponding to that abnormal data, according to which of the first, second and third monitoring models identified it;
and an execution module configured to execute, on the data generation object corresponding to each piece of abnormal data, the data generation object processing strategy determined for it.
According to another aspect of the present application, there is provided a computer readable program medium storing computer program instructions which, when executed by a computer, cause the computer to perform the method as previously described.
According to another aspect of the present application, there is provided an electronic device including:
a processor;
a memory having computer readable instructions stored thereon which, when executed by the processor, implement the method as previously described.
The technical scheme provided by the embodiment of the invention can have the following beneficial effects:
The abnormal data monitoring method provided by the invention comprises: acquiring at least one piece of data to be identified, wherein each piece of data to be identified corresponds to a data generation object; simultaneously inputting each piece of data to be identified into each of an established first monitoring model, second monitoring model and third monitoring model to determine whether each monitoring model identifies the data to be identified as abnormal data, wherein the first, second and third monitoring models differ in their accuracy of identifying abnormal data and each corresponds to a different data generation object processing strategy; for each piece of abnormal data, determining the data generation object processing strategy to be executed on the corresponding data generation object according to which of the three monitoring models identified it; and executing, on the data generation object corresponding to each piece of abnormal data, the processing strategy determined for it.
In this method, the data to be identified is input into three monitoring models whose accuracy in identifying abnormal data differs, so that abnormal data can be monitored accurately under this threefold safeguard. A specific processing strategy is then executed on the data generation object corresponding to the abnormal data, according to the model that identified it. This reduces abnormal data to a certain extent and limits the behavior of the data generation object in time, thereby improving network security.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
FIG. 1 is a system architecture diagram illustrating a method for abnormal data monitoring in a traffic attack scenario, according to an example embodiment;
FIG. 2 is a system architecture diagram illustrating an abnormal data monitoring method in a counterfeit account abnormal account opening scenario, according to an exemplary embodiment;
FIG. 3 is a flow diagram illustrating a method of anomaly data monitoring in accordance with an exemplary embodiment;
FIG. 4 is a flow diagram of a method of establishing a first monitoring model and identifying abnormal data using the first monitoring model, according to one embodiment corresponding to the embodiment shown in FIG. 3;
FIG. 5 is a flow diagram of a method of establishing a second monitoring model and identifying abnormal data using the second monitoring model, according to one embodiment corresponding to the embodiment shown in FIG. 3;
FIG. 6 is a flow diagram of a method of establishing a third monitoring model and identifying abnormal data using the third monitoring model, according to one embodiment corresponding to the embodiment shown in FIG. 3;
FIG. 7 is a block diagram illustrating an anomaly data monitoring apparatus in accordance with an exemplary embodiment;
FIG. 8 is a block diagram illustrating an example of an electronic device implementing the above-described anomaly data monitoring method according to one example embodiment;
FIG. 9 illustrates a computer readable storage medium for implementing the above-described abnormal data monitoring method according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities.
The present disclosure first provides an abnormal data monitoring method. The abnormal data may belong to various fields, such as production process data, external device access data, business process data, application login data, and the like. Abnormal data is data that does not meet the requirements of normal processes such as business, production, and service, and may be, for example, illegal traffic data, abnormal login data, abnormal object operation data, and the like. Monitoring abnormal data means identifying possible abnormal data so that the entities corresponding to the abnormal data can be limited or processed. The implementation terminal of the present disclosure may be any device having computing, processing, and communication functions that can be connected to an external device to receive or send information. It may be a portable mobile device, such as a smartphone, a tablet computer, a notebook computer, or a PDA (Personal Digital Assistant); a fixed device, such as a computer device, a field terminal, a desktop computer, a server, or a workstation; or a set of multiple devices, such as a server cluster or the physical infrastructure of cloud computing.
Fig. 1 is a system architecture diagram illustrating an abnormal data monitoring method in a traffic attack scenario according to an exemplary embodiment. As shown in fig. 1, the system includes a server 110 and a plurality of terminal devices 120, and the server 110 and the terminal devices 120 are connected by communication links. In a traffic attack scenario, a malicious actor may operate a large number of terminal devices 120 simultaneously to issue access requests to the server 110; if the server 110 lacks the processing capacity to bear these requests, its performance may degrade or it may even be paralyzed. However, these terminal devices 120 generate traffic data during access, and monitoring that traffic data can reduce the risk of traffic attacks to some extent.
Fig. 2 is a system architecture diagram illustrating an abnormal data monitoring method in a counterfeit account abnormal account opening scenario according to an exemplary embodiment. Abnormal account opening of a counterfeit account refers to an account being opened by an illegitimate user, for example using stolen personal information, or using information such as a mobile phone number or mailbox obtained illegally. As shown in fig. 2, the system includes a server 210, a router 220, a smartphone 230, and a base station 240. In the embodiment shown in fig. 2, the executing entity of the technical solution of the present disclosure, i.e. the implementation terminal, may be the server 210. In general, the router 220 is a bridge for exchanging information between a Wide Area Network (WAN) and a Local Area Network (LAN), and enables communication between different networks. In fig. 2, the server 210 is located in a wide area network with respect to the router 220, the smartphone 230 is located in a local area network with respect to the router 220, and the smartphone 230 may communicate with the server 210 through the WI-FI local area network generated by the router 220 or through the base station 240. When a smartphone 230 has one or more Apps (application programs) managed by the server 210, the smartphone 230 may use an App to communicate with the server 210 through the router 220 or the base station 240 to complete App registration, after which the user of the smartphone 230 may operate the App to use further services provided by the App operator.
However, the App registration process is often exploited by criminals. For example, a user needs a loan from a loan platform but the available amount is not enough; criminals trick the user who wants the loan by telling them that the loan platform will raise their loan limit as long as the transaction volume on their bank card is large, and then deceive the user into providing the bank card account to inflate that transaction volume, which ultimately causes the user to lose funds. Therefore, when a smartphone 230 is used to open a counterfeit account, the abnormal data monitoring method provided by the present disclosure can be used to monitor such behavior, so that financial risk can be reduced to a certain extent.
FIG. 3 is a flowchart illustrating an anomaly data monitoring method in accordance with an exemplary embodiment. As shown in fig. 3, the method comprises the following steps:
Step 310, acquiring at least one piece of data to be identified;
Step 320, inputting each piece of data to be identified into the established first monitoring model, second monitoring model and third monitoring model at the same time respectively, so as to determine whether each monitoring model identifies the data to be identified as abnormal data;
Step 330, for each abnormal data, determining a data generation object processing strategy to be executed on a data generation object corresponding to the abnormal data according to a model for identifying the abnormal data in the first monitoring model, the second monitoring model and the third monitoring model;
Step 340, executing the determined data generation object processing strategy corresponding to the data generation object for the data generation object corresponding to each abnormal data.
The steps shown in fig. 3 are described in detail below.
In step 310, at least one piece of data to be identified is acquired.
Each piece of data to be identified corresponds to one data generation object. Data to be identified is data that must be judged as abnormal or not. In the scenario of the embodiment shown in fig. 1, the data to be identified is traffic data, and in the scenario of the embodiment shown in fig. 2, the data to be identified is account opening data. The data generation object is the entity that generates the data to be identified. For example, in the embodiment of fig. 1, the data generation object may be an account, an IP address, a mobile phone number, or the like, and in the embodiment of fig. 2, the data generation object may be an account number, a mobile phone number, or the like.
The traffic data is data related to terminal access behavior generated when the terminal accesses the home terminal or other terminals.
In one embodiment, the traffic data includes access time, IP address of the user terminal, account number accessed under the same IP address, account login record of the same mobile phone number segment, and the like.
The account opening data is data in any form related to account opening behavior that is generated when the account opening terminal interacts with the home terminal during account opening, and each piece of account opening data corresponds to an account number.
In one embodiment, the account opening data includes account opening time, an account opening IP Address (Internet Protocol Address), an account opening bound mobile phone number, and the like.
In one embodiment, the account opening data is acquired as data generated within a predetermined time period.
In step 320, each piece of data to be recognized is simultaneously input into the established first monitoring model, the second monitoring model and the third monitoring model respectively, so as to determine whether each monitoring model recognizes the data to be recognized as abnormal data.
The first monitoring model, the second monitoring model and the third monitoring model are different in abnormal data identification accuracy rate, and the first monitoring model, the second monitoring model and the third monitoring model respectively correspond to different data generation object processing strategies.
A data generation object handling policy refers to the manner in which a data generation object is handled, such as detecting whether the data generation object is legitimate, whether certain behaviors of the data generation object should be restricted, and the like. For example, in the context of the embodiment of fig. 1, the data generation object handling policy may be to disable IP, disable IP within a given time frame, etc.; in the scenario of the embodiment in fig. 2, the data generation object processing policy may be to freeze the account opening number, limit login of the account opening number, or the like.
The monitoring model is a mathematical model for identifying abnormal data, and may contain elements such as algorithms, judgment rules, and the like. At least one part of the first monitoring model, the second monitoring model and the third monitoring model is inconsistent, so that the accuracy of the first monitoring model, the second monitoring model and the third monitoring model for identifying abnormal data is different.
The following three embodiments illustrate possible ways of establishing and using the first monitoring model, the second monitoring model and the third monitoring model, respectively.
In one embodiment, as shown in FIG. 4, the first monitoring model is established and abnormal data is identified using the first monitoring model by:
Step 410, obtaining a plurality of pieces of data to be identified and a joint feature group composed of a plurality of joint features.
Each piece of data to be identified comprises a joint feature value corresponding to each of the joint features in the joint feature group. A joint feature is the name of a feature and may be represented as a field in the data; it summarizes the meaning of its joint feature values. The relationship between a joint feature and its joint feature value is similar to that between a parameter and its value. Joint features are preset empirically. For example, if the joint feature is the WI-FI name, the joint feature value may be the name of any particular WI-FI network, such as CMCC.
The "plurality" of pieces of data to be identified and the "plurality" of joint features may be the same number or different numbers; the present disclosure does not limit this.
Step 420, according to the joint features in the joint feature group, determining, for each piece of data to be identified, the joint feature values corresponding to those joint features, so as to obtain a joint feature value group for each piece of data to be identified.
In one embodiment, each joint feature in the joint feature group has a joint feature identifier, each joint feature value in the data to be identified is stored in correspondence with the identifier of its joint feature, and the joint feature values of each piece of data to be identified are determined according to the joint feature identifiers.
Step 430, for each obtained joint feature value group, determining the number of occurrences of that group among all obtained joint feature value groups.
Each piece of data to be identified corresponds to one joint feature value group, and the groups of different pieces of data may be the same or different, so the same joint feature value group may occur more than once among all the obtained groups. In one embodiment, a counter is provided in the implementation terminal of the present disclosure to obtain the number of occurrences of each joint feature value group among all the acquired groups.
Step 440, acquiring, as first abnormal data, the data to be identified corresponding to joint feature value groups whose number of occurrences is larger than a predetermined threshold.
For a traffic attack scenario, the data to be identified is traffic data. In one embodiment, the joint feature group includes: the IP address of the access device, the WI-FI name of the access device and the access time of the access device. For example, the joint feature value group of one piece of traffic data may be 192.168.1.156, NET-001, and 18:20.
For the counterfeit account abnormal account opening scenario, the data to be identified is account opening data. In one embodiment, the account opening device is a smartphone, and the joint feature group includes: the IP address of the account opening device, the name of the WI-FI to which the account opening device is connected, the mobile phone model of the account opening device and the host name (net). The account opening data includes joint feature values corresponding one to one to these joint features; for example, the joint feature value group of one piece of account opening data may be 171.168.131.27.6, HUAWEI-E7753, Redmi5A, Redmi5A-hongmishouji.
In one embodiment, the predetermined threshold is 5. If the joint feature value group 171.168.131.27.6, HUAWEI-E7753, Redmi5A, Redmi5A-hongmishouji appears in more than 5 pieces of account opening data, there have been more than 5 account openings under the same WI-FI name and the same IP address on the same Redmi handset. This may indicate counterfeit account abnormal account opening carried out by an organized group: such a group obtains a large number of mobile phone numbers illegally and, because handsets and mobile data are costly, generally connects the same handset to WI-FI to open accounts in bulk. The behavior is therefore treated as counterfeit account abnormal account opening.
Step 450, receiving data to be identified, and judging whether the joint feature value group contained in the data to be identified is consistent with the joint feature value group of the first abnormal data.
In one embodiment, each joint feature value in the data to be identified is stored in correspondence with the identifier of its joint feature. To judge whether the joint feature value group contained in the data to be identified is consistent with the joint feature value group of the first abnormal data, the identifiers of the joint features stored with the joint feature value group of the first abnormal data are acquired first; the joint feature values stored under those identifiers are then acquired from the data to be identified; finally, the joint feature values stored under the same joint feature identifier in the two groups are compared one by one, which determines whether the joint feature value group contained in the data to be identified is consistent with the joint feature value group of the first abnormal data.
Step 460, if yes, using the data to be identified as abnormal data identified by the first monitoring model.
In summary, the embodiment shown in fig. 3 has the advantage that the joint feature value group used to determine abnormal data is summarized from the joint feature group and a plurality of pieces of account opening data, so that when similar abnormal data occurs again it can be detected in time, effectively reducing network risk.
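Steps 410 to 460 can be sketched as follows. This is an added example, not code from the patent: the field names, the `account` key for the data generation object and all records other than the page's own example value group are constructed assumptions.

```python
from collections import Counter

# Joint feature identifiers (field names). The four features follow the
# account-opening embodiment; the key names themselves are assumptions.
JOINT_FEATURES = ("ip", "wifi_name", "phone_model", "host_name")


def joint_value_group(record, features=JOINT_FEATURES):
    """Steps 410-420: look up each joint feature value by its identifier.

    Returns None when a record lacks one of the fields, so incomplete
    records are never counted toward, or matched against, a group.
    """
    try:
        return tuple(record[name] for name in features)
    except KeyError:
        return None


def build_first_model(records, threshold=5, features=JOINT_FEATURES):
    """Steps 430-440: count every value group and keep those seen more than
    `threshold` times. The returned set plays the role of the first model."""
    counts = Counter()
    for record in records:
        group = joint_value_group(record, features)
        if group is not None:
            counts[group] += 1
    return {group for group, n in counts.items() if n > threshold}


def identify(model, record, features=JOINT_FEATURES):
    """Steps 450-460: a record is abnormal when its value group is identical
    to the value group of previously collected first abnormal data."""
    group = joint_value_group(record, features)
    return group is not None and group in model


def flagged_objects(model, records, object_key="account"):
    """Data generation objects (here account numbers) behind abnormal records."""
    return sorted({r[object_key] for r in records if identify(model, r)})


def make_history():
    """Constructed sample data. Values are treated as opaque strings; the
    first group reuses the example value group given in the text."""
    suspicious = {"ip": "171.168.131.27.6", "wifi_name": "HUAWEI-E7753",
                  "phone_model": "Redmi5A", "host_name": "Redmi5A-hongmishouji"}
    benign = {"ip": "192.0.2.10", "wifi_name": "HOME-AP",
              "phone_model": "PhoneX", "host_name": "phonex-host"}
    history = [dict(suspicious, account=f"S{i:03d}") for i in range(6)]
    history += [dict(benign, account=f"B{i:03d}") for i in range(5)]
    history.append({"ip": "192.0.2.11", "account": "M000"})  # missing fields
    return history


if __name__ == "__main__":
    history = make_history()
    model = build_first_model(history)
    print(flagged_objects(model, history))
```

The benign group appears exactly 5 times and is not flagged, because step 440 requires the count to be larger than the threshold.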
In one embodiment, as shown in FIG. 5, the second monitoring model is established and abnormal data is identified using the second monitoring model by:
Step 510, acquiring abnormal data generated in a first predetermined time period from the abnormal data identified by the first monitoring model.
Each piece of abnormal data corresponds to identity information, and the abnormal data meets a first predetermined rule.
The first predetermined time period may be any period before the current time in which abnormal data was generated, for example the three months before the current time.
In one embodiment, the time at which the anomaly data is generated is the time at which the first monitoring model identifies the anomaly data.
Step 520, determining a second predetermined judgment rule according to the acquired abnormal data and the second predetermined rule.
The second predetermined judgment rule is a rule having an association with the second predetermined rule.
In one embodiment, for the false account abnormal account opening scenario, the second predetermined judgment rule is used for filtering the fraudulent group account opening data.
In one embodiment, for traffic attack scenarios, the second predetermined decision rule is used to filter aggregated traffic attack sources.
In one embodiment, the second predetermined rule is first determined based on the acquired anomaly data, and then the second predetermined judgment rule is determined based on the second predetermined rule.
In one embodiment, the data to be identified includes characteristic values corresponding to the characteristics in addition to the joint characteristic values, and the second predetermined rule is determined according to the characteristics in the acquired abnormal data. For example, in the case of an abnormal account opening scene of a counterfeit account, the abnormal data is account opening data which is characterized by longitude and latitude of an account opening IP address, the corresponding second predetermined rule may be in a longitude and latitude aggregation range of the IP address, and the second predetermined judgment rule may be a country or a grade city to which the longitude and latitude range of the IP address belongs.
In one embodiment, the IP address longitude and latitude aggregation range is a range that accommodates the number of IP addresses corresponding to the account opening data exceeding a predetermined number threshold, wherein the absolute value of the difference between longitudes in the IP addresses corresponding to the account opening data in the range is smaller than a predetermined longitude difference threshold and the absolute value of the difference between latitudes in the range is smaller than a predetermined latitude difference threshold. For example, if the difference threshold of the predetermined longitudes is 5 degrees, the difference threshold of the predetermined latitudes is 3 degrees, and the predetermined number threshold is 3, then if the longitude and latitude are the longitude and latitude of the IP address corresponding to the three account opening data of (20.5 degrees north latitude, 116.7 degrees east longitude), (20.2 degrees north latitude, 116.0 degrees east longitude), and (21 degrees north latitude, 117 degrees east longitude), and these longitude and latitude of the IP address belong to city a, the second predetermined determination rule may be that the longitude and latitude of the IP address corresponding to the account opening data belong to the administrative region of city a.
In one embodiment, the feature, the second predetermined rule and the second predetermined judgment rule are stored in a correspondence table empirically established in advance, and the second predetermined rule and the second predetermined judgment rule are determined by table lookup, respectively.
Step 530, determining abnormal data meeting a second predetermined judgment rule from the acquired abnormal data as second abnormal data.
In an embodiment, for a scenario of an abnormal account opening of a counterfeit account, as described in the foregoing embodiment, the second predetermined determination rule may be that the longitude and latitude of the IP corresponding to the account opening data belong to the administrative area of city a; when the second abnormal data is determined, the longitude and latitude of the IP address corresponding to each suspected account opening data can be obtained first, then the city or the country to which the longitude and latitude of each IP address belongs is obtained according to the longitude and latitude of the IP address, and if the longitude and latitude corresponding to the account opening data is judged to belong to city a, the account opening data is used as the fraudulent group account opening data, namely the second abnormal data.
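Steps 520 and 530 for the account opening scenario can be sketched as follows. This is an added example, not code from the patent: the record layout, the function names and the `CITY_BOUNDS` table (a stand-in for a real geolocation lookup) are assumptions, and the count comparison is taken as "at least" so that the three records of the example above qualify.

```python
from itertools import product

# Constructed sample: (record id, IP latitude in degrees N, IP longitude in degrees E).
# The first three rows are the coordinates used in the description's example.
RECORDS = [
    ("acct-1", 20.5, 116.7),
    ("acct-2", 20.2, 116.0),
    ("acct-3", 21.0, 117.0),
    ("acct-4", 39.9, 116.4),
    ("acct-5", 31.2, 121.5),
]

# Constructed stand-in for a geolocation service:
# city -> (lat_min, lat_max, lon_min, lon_max).
CITY_BOUNDS = {
    "city A": (20.0, 22.0, 115.0, 118.0),
    "city B": (39.0, 41.0, 115.0, 118.0),
}


def city_of(lat, lon):
    """Return the city whose bounding box contains the point, or None."""
    for city, (lat_min, lat_max, lon_min, lon_max) in CITY_BOUNDS.items():
        if lat_min <= lat <= lat_max and lon_min <= lon <= lon_max:
            return city
    return None


def find_aggregation(records, max_dlat, max_dlon, min_count):
    """Largest group whose pairwise latitude and longitude differences are
    strictly below the thresholds; [] if it has fewer than min_count members.

    Such a group always fits in a box whose south-west corner takes its
    latitude from one record and its longitude from one record, so trying
    every such corner is enough to find the largest group.
    """
    lats = sorted({lat for _, lat, _ in records})
    lons = sorted({lon for _, _, lon in records})
    best = []
    for lat0, lon0 in product(lats, lons):
        group = [r for r in records
                 if 0 <= r[1] - lat0 < max_dlat and 0 <= r[2] - lon0 < max_dlon]
        if len(group) > len(best):
            best = group
    return best if len(best) >= min_count else []


def derive_judgment_rule(group):
    """Step 520: the judgment rule is the single city all members fall in."""
    cities = {city_of(lat, lon) for _, lat, lon in group}
    if len(cities) == 1 and None not in cities:
        return cities.pop()
    return None  # assumption: no rule when the group spans several areas


def second_abnormal_data(records, city):
    """Step 530: keep the abnormal data whose IP location belongs to the city."""
    return [r for r in records if city_of(r[1], r[2]) == city]


if __name__ == "__main__":
    group = find_aggregation(RECORDS, max_dlat=3.0, max_dlon=5.0, min_count=3)
    rule = derive_judgment_rule(group)
    print(rule, [r[0] for r in second_abnormal_data(RECORDS, rule)])
```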
Step 540, verifying the identity information in the second abnormal data to obtain a verification result.
In one embodiment, for a traffic attack scenario, if the identity information is an IP address, the identity information is verified by verifying the IP address. A specific way of authentication may be to monitor the access frequency of the IP over a specified time.
In an embodiment, for a scenario of an abnormal account opening of a counterfeit account, if the identity information is a mobile phone number, the identity information may be verified by performing dynamic password authentication on the mobile phone number. Dynamic password authentication refers to authentication by using a dynamic password or a dynamic authentication code.
In one embodiment, the mobile phone number is verified by means of a voice verification code. For example, the account opening can be verified by dialing the mobile phone number in the fraudulent group account opening data and then broadcasting the verification code to the mobile phone number user in a voice broadcasting mode.
Step 550, determining an additional rule of the first predetermined rule according to the second abnormal data which is successfully verified and the second abnormal data which is failed to be verified, so as to obtain a third rule composed of the first predetermined rule and the additional rule.
As described above, each piece of data to be recognized includes the joint feature value, and may further include the feature value corresponding to the feature, and the additional rule of the first predetermined rule may be determined by the feature value of each piece of data to be recognized.
In one embodiment, the additional rules of the first predetermined rule are determined by: normalizing the characteristic values of all the characteristics to be between [0,1], and acquiring the average value of the normalized characteristic values of the characteristics in the second abnormal data which is successfully verified as a first average value for each characteristic; then, aiming at the feature, acquiring the average value of the normalized feature values of the feature in all the second abnormal data which fail to be verified as a second average value; then, aiming at each feature, obtaining the absolute value of the difference between the second average value and the first average value of the feature; additional rules of the first predetermined rule are then determined from the absolute value.
Since the scale of the feature values may differ from feature to feature, averaging the raw feature values and then determining the additional rule could yield averages that differ greatly between features, making the determined additional rule unreasonable. In the present embodiment, normalizing the feature values improves the applicability of the determined additional rule.
In one embodiment, the feature with the largest absolute value is obtained first, together with its second average value and first average value; if the first average value is larger than the second average value, the additional rule of the first predetermined rule is determined to be that the normalized feature value of the feature is larger than an intermediate value, wherein the intermediate value is the average of the first average value and the second average value. The larger the absolute value of the difference between the second average value and the first average value, the more clearly the feature value of that feature separates the second abnormal data that was successfully verified from the second abnormal data that failed verification, so using the feature value of that feature as the additional rule can improve the accuracy of identifying abnormal data.
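The derivation of the additional rule in step 550 can be written out as follows. This is an added example, not code from the patent: the feature names and sample values are constructed, min-max scaling is assumed as the normalization method (the description only requires values in [0,1]), and the mirrored "<" rule for the case where the first average is the smaller one is also an assumption.

```python
from statistics import mean

# Constructed sample: second abnormal data split by verification outcome.
# Feature names are hypothetical.
VERIFIED_OK = [
    {"opens_per_hour": 9, "form_fill_seconds": 20},
    {"opens_per_hour": 8, "form_fill_seconds": 30},
]
VERIFIED_FAILED = [
    {"opens_per_hour": 1, "form_fill_seconds": 25},
    {"opens_per_hour": 2, "form_fill_seconds": 35},
]


def normalize(bounds, value):
    """Min-max scale into [0, 1]; values outside the seen range are clamped."""
    lo, hi = bounds
    if hi == lo:
        return 0.0
    return min(1.0, max(0.0, (value - lo) / (hi - lo)))


def derive_additional_rule(verified_ok, verified_failed):
    """Pick the feature whose normalized group averages differ most and
    return a threshold rule at the midpoint of the two averages."""
    if not verified_ok or not verified_failed:
        raise ValueError("both verification outcomes need at least one record")
    records = verified_ok + verified_failed
    bounds = {f: (min(r[f] for r in records), max(r[f] for r in records))
              for f in records[0]}
    best = None
    for feature in bounds:
        # First average: verified successfully. Second average: failed.
        first_avg = mean(normalize(bounds[feature], r[feature]) for r in verified_ok)
        second_avg = mean(normalize(bounds[feature], r[feature]) for r in verified_failed)
        gap = abs(second_avg - first_avg)
        if best is None or gap > best[0]:
            best = (gap, feature, first_avg, second_avg)
    gap, feature, first_avg, second_avg = best
    if gap == 0:
        return None  # no feature separates the two groups
    return {
        "feature": feature,
        # ">" is the case given in the description; "<" is the assumed mirror.
        "op": ">" if first_avg > second_avg else "<",
        "threshold": (first_avg + second_avg) / 2,  # the intermediate value
        "bounds": bounds[feature],
    }


def satisfies(rule, record):
    """Apply the additional rule to one piece of data to be identified."""
    value = normalize(rule["bounds"], record[rule["feature"]])
    if rule["op"] == ">":
        return value > rule["threshold"]
    return value < rule["threshold"]


if __name__ == "__main__":
    rule = derive_additional_rule(VERIFIED_OK, VERIFIED_FAILED)
    print(rule)
    print(satisfies(rule, {"opens_per_hour": 7, "form_fill_seconds": 28}))
```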
Step 560, receiving the data to be identified, and determining whether the data to be identified satisfies a second predetermined determination rule and a third rule at the same time.
Step 570, if yes, using the data to be identified as abnormal data identified by the second monitoring model.
The second predetermined judgment rule screens the data to be identified from one side, and the third rule screens it from the other side. Each rule indicates, to a certain extent, that data to be identified meeting the rule may be abnormal data, so if a piece of data to be identified satisfies both rules at the same time, the possibility that it is abnormal data is greatly increased. This has the advantage of increasing the accuracy of identifying abnormal data.
In one embodiment, as shown in FIG. 6, the third monitoring model is established and abnormal data is identified using the third monitoring model by:
Step 610, obtaining abnormal data generated in a second preset time period and output by the first monitoring model. Wherein the abnormal data satisfies a first predetermined rule.
The second time period may be any period before the current time in which abnormal data was generated, and may be the same as the first time period or different from it.
Step 620, determining a third predetermined judgment rule according to the acquired abnormal data and the third predetermined rule.
Wherein the third predetermined rule belongs to the second predetermined rule. Specifically, this means that the range defined by the third predetermined rule is smaller than that of the second predetermined rule; that is, the second predetermined rule is a combination of a plurality of rules including the third predetermined rule, and defining the rule through more combined rules makes the abnormal data screened out by the combined rule more accurate.
In an embodiment, for a false account abnormal account opening scenario, the third predetermined rule refers to the number of opening data with the same IP address longitude and latitude aggregation, the same WI-FI name, and the same mobile phone model, specifically, the absolute value of the difference between the IP address longitudes is smaller than the predetermined longitude difference threshold, the absolute value of the latitude difference is smaller than the predetermined latitude difference threshold, and the number of suspect opening data with the same WI-FI name and mobile phone model is larger than the predetermined number threshold.
In one embodiment, the third predetermined judgment rule refers to a combination of rules corresponding to the third predetermined rule. For example, the longitude and latitude of the IP addresses of a plurality of suspected account opening data are concentrated at 25.19 degrees of north latitude, the east longitude is near 101 degrees, the WI-FI names used in account opening are both HUAWEI-E5573, the mobile phone models are Redmi5A, and the number of the suspected account opening data is greater than a predetermined number threshold, the third predetermined judgment rule is that the longitude and latitude of the IP address corresponding to the account opening data and the distance between the longitude and latitude of the IP address are within a predetermined range, the WI-FI name is HUAWEI-E5573, and the mobile phone model is Redmi 5A; if the IP address longitude and latitude of the suspected account opening data are concentrated at 15.9 degrees of north latitude and near 107 degrees of east longitude, the WI-FI names are HUAWEI E-E5573, the mobile phone models are Redmi5A, and the number of the suspected account opening data is greater than the predetermined number threshold, the third predetermined judgment rule further includes the IP address longitude and latitude corresponding to the account opening data and 15.9 degrees of north latitude, the distance of 107 degrees of east longitude is within the predetermined range, the WI-FI name is HUAWEI E-E5573, and the mobile phone model is Redmi 5A.
In one embodiment, the third predetermined judgment rule may be determined according to the third predetermined rule through a preset correspondence table.
Step 630, receiving the data to be identified, and determining whether the data to be identified satisfies a third predetermined determination rule and a third rule at the same time.
Step 640, if yes, using the data to be identified as abnormal data identified by the third monitoring model.
In summary, in the embodiment shown in fig. 5, the third predetermined judgment rule is determined according to the acquired abnormal data and the third predetermined rule, and because the third predetermined rule belongs to the second predetermined rule, the accuracy of identifying the abnormal data by the third predetermined judgment rule determined according to the third predetermined rule is higher, and finally, the abnormal data is judged by combining the third predetermined judgment rule and the third rule, so that the accuracy of identifying the abnormal data is greatly improved.
Returning to step 330 in fig. 3, for each of the abnormal data, a data generation object processing policy to be executed on the data generation object corresponding to the abnormal data is determined according to the model for identifying the abnormal data in the first monitoring model, the second monitoring model and the third monitoring model.
In one embodiment, among the data generation object processing strategies corresponding to the models that identified the abnormal data, the strategy corresponding to the model with the highest accuracy is taken as the data generation object processing strategy to be executed on the data generation object corresponding to the abnormal data.
In an embodiment, for a traffic attack scenario, the data to be identified is traffic data and the data generation object corresponding to the data to be identified is an IP address. The data generation object processing policy corresponding to the first monitoring model is to prohibit the IP address corresponding to abnormal data identified by the first monitoring model from accessing the home terminal within a first time period of each day; the policy corresponding to the second monitoring model is to prohibit the IP address corresponding to abnormal data identified by the second monitoring model from accessing the home terminal within a second time period of each day; and the policy corresponding to the third monitoring model is to prohibit the IP address corresponding to abnormal data identified by the third monitoring model from accessing the home terminal entirely.
In an embodiment, for a false account abnormal account opening scene, data to be identified is account opening data, data generating objects corresponding to the data to be identified are a mobile phone number and an account number, a data generating object processing policy corresponding to a first monitoring model refers to performing dynamic password verification on the mobile phone number corresponding to the abnormal data identified by the first monitoring model, a data generating object processing policy corresponding to a second monitoring model refers to performing face recognition verification on the account number corresponding to the abnormal data identified by the second monitoring model during account opening, and a data generating object processing policy corresponding to a third monitoring model refers to rejecting an account opening request of the account number corresponding to the abnormal data identified by the third monitoring model.
In step 340, for the data generation object corresponding to each abnormal data, the determined data generation object processing policy corresponding to the data generation object is executed.
By executing the corresponding data generation object processing strategy on the data generation object, the generation of abnormal data can be reduced to a certain extent, so that the safety of the network is improved.
In one embodiment, after step 340, further comprising: determining first abnormal data meeting a fourth preset rule as target abnormal data; and generating monitoring reminding information containing target abnormal data in a first preset time period every other first preset time period.
In an embodiment, for a scenario of abnormal account opening of a counterfeit account, the first abnormal data further includes a feature value, each piece of data to be identified corresponds to a mobile phone number, and the mobile phone number may or may not be bound to a salesman. The feature values include: the number of mobile phone numbers not bound to a salesman among the mobile phone numbers corresponding to all first abnormal data having the same combined characteristic value group as the first abnormal data. The fourth predetermined rule means that the number of mobile phone numbers not bound to a salesman among the mobile phone numbers corresponding to the first abnormal data with the same combined characteristic value group is greater than a predetermined threshold for the number of mobile phone numbers.
The reminding information is information for reminding a user of the monitoring situation. It can be presented to the user by short message, mail, notification, display on a screen connected with the execution main body of the disclosure, sending to a specific terminal, projection display and the like.
In this embodiment, the first abnormal data is filtered by using a further defined fourth rule, so that target abnormal data is obtained, and the accuracy of identifying the target abnormal data is further ensured; meanwhile, monitoring reminding information is generated every other preset time period, and the method is beneficial to improving the perception of the user on the development situation of abnormal data.
In one embodiment, the data to be identified further includes a plurality of scoring feature data, and before generating monitoring reminding information containing target abnormal data in a first preset time period every other first preset time period, the method further comprises: for each combined feature value group for which the number is greater than a predetermined threshold, determining a score for the combined feature value group from the plurality of scoring feature data;
the generating of monitoring reminding information containing target abnormal data in a first preset time period every other first preset time period then comprises: generating monitoring reminding information containing the target abnormal data in the first preset time period every other first preset time period, wherein in the monitoring reminding information the target abnormal data are sorted in descending order of the scores of their corresponding combined feature value groups.
The combined feature value set corresponds to the account opening data, which in turn corresponds to the scoring feature data, so that the scoring feature data can be utilized to determine a score for the combined feature value set.
In one embodiment, each scoring feature data is defined manually, and each scoring feature data has a corresponding scoring rule and a corresponding score; aiming at each grading feature data, obtaining grading feature extraction data according to the grading feature data in all data to be identified under each combined feature value group, wherein the grading obtaining of each combined feature value group is to judge the grading feature extraction data by using a corresponding grading rule, and if the grading rule is judged to be met, setting a grade corresponding to the grading rule for the combined feature value group; for each combined feature value group, the sum of the scores set for the combined feature value group for all the scoring rules is obtained as the score of the combined feature value group.
In one embodiment, for a false account abnormal account opening scene, the account opening device is a Mobile phone, each account opening corresponds to one Mobile phone number, the data to be identified is account opening data, and the scoring feature data included in the account opening data is an International Mobile Equipment Identity (IMEI) of the Mobile phone corresponding to the Mobile phone number; then, for each combined feature value set, the corresponding scored feature extraction data may be the number of mobile phone numbers of the same IMEI code of the account opening data under the combined feature value set. For example, a scoring rule may be that the number of mobile phone numbers of the same IMEI code of the account opening data in the combined feature value group is greater than 5, and the corresponding score may be 0.1, so that if the number of mobile phone numbers of the same IMEI code of the account opening data in one combined feature value group is 6, a score of 0.1 may be set for the combined feature value group.
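The fourth predetermined rule, the per-group scoring and the sorted reminder can be combined as below. This is an added example, not code from the patent: the record fields, group keys and sample values are constructed, and the second scoring rule (more than 3 distinct phone numbers, score 0.05) is hypothetical, included only to show scores being summed; the first scoring rule is the IMEI rule from the description.

```python
from collections import defaultdict


def max_phones_per_imei(members):
    """Scoring feature extraction: most phone numbers sharing one IMEI."""
    phones = defaultdict(set)
    for r in members:
        phones[r["imei"]].add(r["phone"])
    return max(len(p) for p in phones.values())


def distinct_phones(members):
    """Hypothetical second extraction: distinct phone numbers in the group."""
    return len({r["phone"] for r in members})


# (extraction function, scoring rule, score awarded when the rule is met)
SCORING_RULES = [
    (max_phones_per_imei, lambda n: n > 5, 0.1),   # rule from the description
    (distinct_phones, lambda n: n > 3, 0.05),      # hypothetical rule
]


def build_reminder(records, unbound_threshold):
    """Return [(group key, score, phones)] for groups meeting the fourth
    predetermined rule, sorted from the largest score to the smallest."""
    groups = defaultdict(list)
    for r in records:
        groups[r["group"]].append(r)

    reminder = []
    for key, members in groups.items():
        # Fourth predetermined rule: phones not bound to a salesman.
        unbound = {r["phone"] for r in members if r["salesman"] is None}
        if len(unbound) <= unbound_threshold:
            continue
        score = round(sum(points for extract, rule, points in SCORING_RULES
                          if rule(extract(members))), 6)
        reminder.append((key, score, sorted(r["phone"] for r in members)))
    reminder.sort(key=lambda item: item[1], reverse=True)
    return reminder


# Constructed sample of first abnormal data. "group" is the combined
# feature value group, here a (Wi-Fi name, phone model) pair.
G1, G2, G3 = ("wifi-1", "model-X"), ("wifi-2", "model-Y"), ("wifi-3", "model-Z")
SAMPLE = (
    # G2: four unbound phones on four devices.
    [{"group": G2, "phone": f"phone-2{i}", "imei": f"imei-2{i}", "salesman": None}
     for i in range(4)]
    # G1: six unbound phones all registered from one device.
    + [{"group": G1, "phone": f"phone-1{i}", "imei": "imei-10", "salesman": None}
       for i in range(6)]
    # G3: five phones, only one of them unbound.
    + [{"group": G3, "phone": f"phone-3{i}", "imei": f"imei-3{i}",
        "salesman": None if i == 0 else f"agent-{i}"}
       for i in range(5)]
)

if __name__ == "__main__":
    for key, score, phones in build_reminder(SAMPLE, unbound_threshold=3):
        print(key, score, len(phones))
```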
The larger the score of the combined feature value group is, the larger the security risk that may be caused in a short time is, so the advantage of this embodiment is that the abnormal data with the larger score of the corresponding combined feature value group is preferentially displayed, which is beneficial to improving the monitoring and precaution capability of the data generation object corresponding to the abnormal data.
In one embodiment, the data to be identified further includes condition data, and after generating monitoring reminding information including target abnormal data in a first predetermined time period every other first predetermined time period, the method further includes: judging whether the condition data in each data to be identified meet a preset condition or not; acquiring to-be-identified data, which comprises condition data meeting the preset condition or comprises a combined characteristic value group consistent with the combined characteristic value group of the first abnormal data, from to-be-identified data generated in a second preset time period; and generating the acquired monitoring reminding information of the data to be identified every a third preset time period.
The method has the advantages that the possible abnormal data are obtained from another angle and monitoring reminding information is generated, and more comprehensive monitoring can be realized on the abnormal data.
In one embodiment, for a scenario of abnormal account opening of a counterfeit account, the condition data includes an attribution of a mobile phone number for registration and an attribution of an IP address, and the predetermined condition includes: the attribution of the mobile phone number for registration is inconsistent with the attribution of the IP address.
In summary, according to the abnormal data monitoring method provided in fig. 2, the data to be identified is input into three monitoring models with different identification accuracy rates for three times of identification, so that the accuracy of monitoring the abnormal data is improved; in addition, the data generation object processing strategy is determined according to the model for identifying the abnormal data, and is executed for the corresponding data generation object, so that the behavior of the data generation object can be limited in time, and the safety of the network is improved.
The disclosure also provides an abnormal data monitoring device, and the following is an embodiment of the device disclosed herein.
FIG. 7 is a block diagram illustrating an abnormal data monitoring apparatus according to an exemplary embodiment. As shown in fig. 7, the apparatus 700 includes:
an obtaining module 710 configured to obtain at least one piece of data to be identified, where each piece of data to be identified corresponds to a data generation object;
an input module 720, configured to simultaneously input each of the data to be identified into the established first monitoring model, the second monitoring model and the third monitoring model respectively, so as to determine whether each monitoring model identifies the data to be identified as abnormal data, where the first monitoring model, the second monitoring model and the third monitoring model have different accuracies for identifying the abnormal data, and the first monitoring model, the second monitoring model and the third monitoring model respectively correspond to different data generation object processing strategies;
a determining module 730, configured to determine, for each of the abnormal data, a data generation object processing policy to be executed on a data generation object corresponding to the abnormal data according to a model in which the abnormal data is identified among the first monitoring model, the second monitoring model, and the third monitoring model;
the executing module 740 is configured to execute the determined data generation object processing policy corresponding to the data generation object for the data generation object corresponding to each abnormal data.
According to a third aspect of the present disclosure, there is also provided an electronic device capable of implementing the above method.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
An electronic device 800 according to this embodiment of the invention is described below with reference to fig. 8. The electronic device 800 shown in fig. 8 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present invention.
As shown in fig. 8, electronic device 800 is in the form of a general purpose computing device. Components of electronic device 900 may include, but are not limited to: the at least one processing unit 810, the at least one memory unit 820, and a bus 830 that couples the various system components including the memory unit 820 and the processing unit 810.
Wherein the storage unit stores program code that can be executed by the processing unit 810, such that the processing unit 810 performs the steps according to various exemplary embodiments of the present invention described in the "example methods" section above in this specification.
The storage unit 820 may include readable media in the form of volatile storage units, such as a random access storage unit (RAM)821 and/or a cache storage unit 822, and may further include a read only storage unit (ROM) 823.
Storage unit 820 may also include a program/utility 824 having a set (at least one) of program modules 825, such program modules 825 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 830 may be any one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 800 may also communicate with one or more external devices 1000 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 800, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 800 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 850. Also, the electronic device 800 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 860. As shown, the network adapter 860 communicates with the other modules of the electronic device 800 via the bus 830. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, and may also be implemented by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
According to a fourth aspect of the present disclosure, there is also provided a computer readable storage medium having stored thereon a program product capable of implementing the above-mentioned method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
Referring to fig. 9, a program product 900 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described drawings are only schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (9)

1. An abnormal data monitoring method, characterized in that the method comprises:
acquiring at least one piece of data to be identified, wherein each piece of data to be identified corresponds to a data generation object;
respectively and simultaneously inputting the data to be identified into a first monitoring model, a second monitoring model and a third monitoring model which are established so as to determine whether each monitoring model identifies the data to be identified as abnormal data or not, wherein the first monitoring model, the second monitoring model and the third monitoring model have different accuracy rates of identifying the abnormal data, and the first monitoring model, the second monitoring model and the third monitoring model respectively correspond to different data generation object processing strategies;
for each abnormal data, determining a data generation object processing strategy to be executed on a data generation object corresponding to the abnormal data according to a model for identifying the abnormal data in the first monitoring model, the second monitoring model and the third monitoring model;
executing the determined data generation object processing strategy corresponding to the data generation object for the data generation object corresponding to each abnormal data;
the second monitoring model is established and abnormal data are identified by the second monitoring model in the following mode: acquiring abnormal data generated in a first preset time period from the abnormal data identified by the first monitoring model, wherein each abnormal data corresponds to identity information and meets a first preset rule; determining a second preset judgment rule according to the acquired abnormal data and the second preset rule; determining abnormal data meeting a second preset judgment rule from the acquired abnormal data as second abnormal data; verifying the identity information in the second abnormal data to obtain a verification result, wherein the verification result comprises verification success and verification failure; determining an additional rule of a first preset rule according to the second abnormal data which are successfully verified and the second abnormal data which are failed to be verified so as to obtain a third rule consisting of the first preset rule and the additional rule; receiving data to be identified, and judging whether the data to be identified simultaneously meets a second preset judgment rule and a third rule; if so, taking the data to be identified as abnormal data identified by the second monitoring model.
2. The method of claim 1, wherein the first monitoring model is established and abnormal data is identified using the first monitoring model by:
acquiring a plurality of data to be identified and a joint feature group consisting of a plurality of joint features, wherein each data to be identified comprises a joint feature value corresponding to each joint feature in the plurality of joint features of the joint feature group;
determining a plurality of combined feature values corresponding to each data to be identified and the plurality of combined features in the plurality of data to be identified according to the plurality of combined features in the combined feature group to obtain a combined feature value group of each data to be identified;
determining, for each obtained combined feature value set, a number of the combined feature value set in all obtained combined feature value sets;
acquiring data to be identified corresponding to the combined characteristic value groups with the number larger than a preset threshold value as first abnormal data;
receiving data to be identified, and judging whether a combined characteristic value group contained in the data to be identified is consistent with a combined characteristic value group of the first abnormal data;
if so, taking the data to be identified as abnormal data identified by the first monitoring model.
3. The method according to claim 1 or 2, characterized in that the third monitoring model is established and utilized for identifying abnormal data by:
acquiring abnormal data which is output by the first monitoring model and generated in a second preset time period, wherein the abnormal data meets a first preset rule;
determining a third predetermined judgment rule according to the acquired abnormal data and a third predetermined rule, wherein the third predetermined rule belongs to the second predetermined rule;
receiving data to be identified, and judging whether the data to be identified simultaneously meets a third preset judgment rule and a third rule;
and if so, taking the data to be identified as abnormal data identified by the third monitoring model.
4. The method according to claim 2, wherein after the acquiring the data to be identified corresponding to the combined feature value groups of which the number is greater than the predetermined threshold value as the first abnormal data, the method further comprises:
determining first abnormal data meeting a fourth preset rule as target abnormal data;
and generating monitoring reminding information containing target abnormal data in a first preset time period every other first preset time period.
5. The method of claim 4, wherein the data to be identified further comprises: before generating monitoring reminding information containing target abnormal data in a first preset time period at intervals of the first preset time period, the method further comprises the following steps:
for each combined feature value set for which the number is greater than a predetermined threshold, determining a score for the combined feature value set from the plurality of scored feature data;
the generating of the monitoring reminding information containing the target abnormal data in the first predetermined time period every other first predetermined time period comprises:
and generating monitoring reminding information containing the target abnormal data in the first preset time period every other first preset time period, wherein in the monitoring reminding information, the target abnormal data are sorted from large to small according to the scores of the corresponding combined characteristic value groups.
6. The method according to claim 4 or 5, wherein the data to be identified further comprises condition data, and after generating monitoring reminding information containing target abnormal data in a first predetermined time period every other first predetermined time period, the method further comprises:
judging whether the condition data in each data to be identified meet a preset condition or not;
acquiring to-be-identified data, which comprises condition data meeting the preset condition or comprises a combined characteristic value group consistent with the combined characteristic value group of the first abnormal data, from to-be-identified data generated in a second preset time period;
and generating the acquired monitoring reminding information of the data to be identified every a third preset time period.
7. An abnormal data monitoring apparatus, characterized in that the apparatus comprises:
an acquisition module configured to acquire at least one piece of data to be identified, wherein each piece of data to be identified corresponds to a data generation object;
the input module is configured to simultaneously input each piece of data to be identified into the established first monitoring model, the second monitoring model and the third monitoring model respectively so as to determine whether each monitoring model identifies the data to be identified as abnormal data, wherein the first monitoring model, the second monitoring model and the third monitoring model have different accuracy rates of identifying the abnormal data, and the first monitoring model, the second monitoring model and the third monitoring model respectively correspond to different data generation object processing strategies;
a determining module configured to determine, for each of the abnormal data, a data generation object processing policy to be executed on a data generation object corresponding to the abnormal data, according to a model in which the abnormal data is identified among the first monitoring model, the second monitoring model, and the third monitoring model;
the execution module is configured to execute the determined data generation object processing strategy corresponding to the data generation object for the data generation object corresponding to each abnormal data;
the second monitoring model is established and abnormal data are identified by the second monitoring model in the following mode: acquiring abnormal data generated in a first preset time period from the abnormal data identified by the first monitoring model, wherein each abnormal data corresponds to identity information and meets a first preset rule; determining a second preset judgment rule according to the acquired abnormal data and the second preset rule; determining abnormal data meeting a second preset judgment rule from the acquired abnormal data as second abnormal data; verifying the identity information in the second abnormal data to obtain a verification result, wherein the verification result comprises verification success and verification failure; determining an additional rule of a first preset rule according to the second abnormal data which are successfully verified and the second abnormal data which are failed to be verified so as to obtain a third rule consisting of the first preset rule and the additional rule; receiving data to be identified, and judging whether the data to be identified simultaneously meets a second preset judgment rule and a third rule; if so, taking the data to be identified as abnormal data identified by the second monitoring model.
8. A computer-readable program medium, characterized in that it stores computer program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 6.
9. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory having stored thereon computer readable instructions which, when executed by the processor, implement the method of any of claims 1 to 6.
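
The first monitoring model of claim 2 and the per-model strategy selection of claim 1, as an added example that is not part of the patent text. The feature names, strategy names, the most-accurate-first ordering of the models and the stand-in predicates for the second and third models are assumptions.

```python
from collections import Counter

# Assumed joint feature group; the field names are illustrative only.
JOINT_FEATURES = ("device_id", "ip", "phone_prefix")

def value_group(record, features=JOINT_FEATURES):
    """Joint feature value group of a record, or None if a value is missing
    (missing values would otherwise cluster unrelated records together)."""
    values = tuple(record.get(f) for f in features)
    return None if any(v is None for v in values) else values

def fit_first_model(history, threshold, features=JOINT_FEATURES):
    """Claim 2: value groups occurring more than `threshold` times in the
    history are the groups of the 'first abnormal data'."""
    counts = Counter(g for r in history if (g := value_group(r, features)))
    flagged = {g for g, n in counts.items() if n > threshold}
    return lambda record: value_group(record, features) in flagged

def monitor(records, models, strategies):
    """Claim 1: feed every record to every model, then choose the strategy
    for its data generation object from the models that flagged it.
    `models` is ordered most-accurate first (assumption); the first hit wins."""
    decisions = {}
    for record in records:
        for name, is_abnormal in models.items():
            if is_abnormal(record):
                decisions.setdefault(record["object"], strategies[name])
                break
    return decisions

# Constructed sample data: five sign-ups sharing one device/IP/prefix.
SHARED = {"device_id": "d1", "ip": "10.0.0.5", "phone_prefix": "138"}
HISTORY = [{**SHARED, "object": f"acct{i}"} for i in range(5)]
HISTORY.append({"object": "acct9", "ip": "10.0.0.5"})  # incomplete record

first = fit_first_model(HISTORY, threshold=3)
# Stand-ins for the second and third models: the claims derive them from
# preset rules the page does not spell out, so these predicates are invented.
second = lambda r: first(r) and r.get("id_verified") is False
third = lambda r: first(r) and r.get("hour", 12) < 6

MODELS = {"second": second, "third": third, "first": first}
STRATEGIES = {"second": "block", "third": "challenge", "first": "review"}

INCOMING = [
    {**SHARED, "object": "acct11", "id_verified": False},
    {**SHARED, "object": "acct12", "hour": 3},
    {**SHARED, "object": "acct13"},
    {"object": "acct14", "device_id": "d3", "ip": "10.0.0.9",
     "phone_prefix": "137"},
]
DECISIONS = monitor(INCOMING, MODELS, STRATEGIES)
```

Because the first model flags on group frequency alone, any shared infrastructure (a corporate NAT address, a kiosk device) will exceed the threshold, which is why the example routes first-model-only hits to the mildest strategy.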

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910435057.7A CN110365634B (en) 2019-05-23 2019-05-23 Abnormal data monitoring method, device, medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910435057.7A CN110365634B (en) 2019-05-23 2019-05-23 Abnormal data monitoring method, device, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN110365634A CN110365634A (en) 2019-10-22
CN110365634B true CN110365634B (en) 2022-07-08

Family

ID=68215296

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910435057.7A Active CN110365634B (en) 2019-05-23 2019-05-23 Abnormal data monitoring method, device, medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN110365634B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839008B (en) * 2019-11-22 2024-02-06 北京沃东天骏信息技术有限公司 Access monitoring method, device and system
CN111049838B (en) * 2019-12-16 2022-05-13 铭迅(北京)信息技术有限公司 Black product equipment identification method and device, server and storage medium
CN112988728A (en) * 2021-03-26 2021-06-18 云南电网有限责任公司电力科学研究院 Power distribution network data cleaning method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471819B (en) * 2014-08-19 2019-08-30 腾讯科技(深圳)有限公司 Account method for detecting abnormality and device
CN105791255B (en) * 2014-12-23 2020-03-13 阿里巴巴集团控股有限公司 Computer risk identification method and system based on account clustering
CN105554007B (en) * 2015-12-25 2019-01-04 北京奇虎科技有限公司 A kind of web method for detecting abnormality and device
CN107256257A (en) * 2017-06-12 2017-10-17 上海携程商务有限公司 Abnormal user generation content identification method and system based on business datum
CN108875388A (en) * 2018-05-31 2018-11-23 康键信息技术(深圳)有限公司 Real-time risk control method, device and computer readable storage medium

Also Published As

Publication number Publication date
CN110365634A (en) 2019-10-22

Similar Documents

Publication Publication Date Title
US11288677B1 (en) Adjustment of knowledge-based authentication
US8666894B1 (en) Systems and methods for remotely authenticating credit card transactions
CN106575327B (en) Analyzing facial recognition data and social network data for user authentication
CN110365634B (en) Abnormal data monitoring method, device, medium and electronic equipment
US20130239173A1 (en) Computer program and method for administering secure transactions using secondary authentication
CN102405474B (en) User challenge using information based on geography or user identity
US10803154B2 (en) Multicomputer system for user data authentication and processing
CN111247511A (en) System and method for aggregating authenticated determined customer data and network data
US11381972B2 (en) Optimizing authentication and management of wireless devices in zero trust computing environments
CN107046516B (en) Wind control method and device for identifying mobile terminal identity
US11790638B2 (en) Monitoring devices at enterprise locations using machine-learning models to protect enterprise-managed information and resources
CN114339767B (en) Signaling detection method and device, electronic equipment and storage medium
CN109426961B (en) Card binding risk control method and device
CN111754237B (en) Verification method and device for transfer transaction
CN113518075A (en) Phishing early warning method and device, electronic equipment and storage medium
US9973508B2 (en) Dynamic record identification and analysis computer system with event monitoring components
US20230188564A1 (en) Detecting and Protecting Against Employee Targeted Phishing Attacks
CN114418586A (en) Reserved mobile phone number verification method, reserved mobile phone number verification device, reserved mobile phone number verification electronic equipment, reserved mobile phone number verification medium and program product
CN110690973B (en) Identity verification method, identity verification device, identity verification medium and electronic equipment
US20240129309A1 (en) Distributed device trust determination
CN110351116B (en) Abnormal object monitoring method, device, medium and electronic equipment
US11544714B2 (en) Apparatus, computer program and method of tracing events in a communications network
CN113286035B (en) Abnormal call detection method, device, equipment and medium
WO2024102385A1 (en) Systems and methods for use in securing open service connections
CN115022004A (en) Data processing method and device and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant