CN112487210A - Abnormal device identification method, electronic device, and medium - Google Patents

Info

Publication number: CN112487210A
Authority: CN (China)
Prior art keywords: equipment, weight, identified, setting, preset
Legal status: Pending
Application number: CN202011471778.2A
Other languages: Chinese (zh)
Inventors: 方宏源, 袁凯, 陈津来, 叶新江, 方毅
Current Assignee: Merit Interactive Co Ltd
Original Assignee: Merit Interactive Co Ltd
Application filed by Merit Interactive Co Ltd
Priority to CN202011471778.2A
Publication of CN112487210A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367 Ontology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2205 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/35 Clustering; Classification

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Animal Behavior & Ethology (AREA)
  • Computational Linguistics (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

The invention relates to an abnormal device identification method, an electronic device and a medium, wherein the method comprises the following steps: acquiring data information of multiple dimensions of equipment to be identified at preset intervals; constructing a knowledge graph according to the data information of the equipment to be identified in multiple dimensions; and identifying abnormal equipment from the equipment to be identified based on the knowledge graph. According to the method, the knowledge graph is constructed at intervals based on the data information of multiple dimensions of the equipment to be identified, the abnormal equipment can be actively and comprehensively identified, and the accuracy and the identification rate of identifying the abnormal equipment are improved.

Description

Abnormal device identification method, electronic device, and medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to an abnormal device identification method, an electronic device, and a medium.
Background
A device farm is a set-up in which a plurality of mobile terminals are kept in the same geographical area with only a single type of app installed to implement a single function; these devices are referred to as abnormal devices. Existing abnormal device identification techniques mainly establish an identification condition from existing data about abnormal devices and then identify abnormal devices against that condition. However, the existing abnormal device data is limited, and identifying abnormal devices from a single identification condition has at least the following defects: devices are misidentified, devices go unidentified, or the rule is bypassed, particularly where the identification condition does not cover a case or is too strict, so both identification accuracy and identification rate are low. In addition, the existing techniques are inflexible: the rules must be updated continuously, which means a large workload and high cost.
Disclosure of Invention
The invention aims to provide an abnormal equipment identification method, electronic equipment and a medium, which improve the accuracy and identification rate of identifying abnormal equipment.
According to a first aspect of the present invention, there is provided an abnormal device identification method, including:
acquiring data information of multiple dimensions of equipment to be identified at preset intervals;
constructing a knowledge graph according to the data information of the equipment to be identified in multiple dimensions;
and identifying abnormal equipment from the equipment to be identified based on the knowledge graph.
According to a second aspect of the present invention, there is provided an electronic apparatus comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of the first aspect of the invention.
According to a third aspect of the invention, there is provided a computer-readable storage medium storing computer instructions for performing the method of the first aspect of the invention.
Compared with the prior art, the invention has obvious advantages and beneficial effects. With the above technical scheme, the abnormal device identification method, electronic device and medium provided by the invention achieve considerable technical progress and practicability, have wide industrial utilization value, and have at least the following advantage:
The invention constructs the knowledge graph at intervals from the data information of multiple dimensions of the devices to be identified, so abnormal devices can be identified actively and comprehensively, and the accuracy and identification rate of identifying abnormal devices are improved.
The foregoing is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented in accordance with the description, and so that the above and other objects, features and advantages of the invention are easier to follow, preferred embodiments are described in detail below with reference to the accompanying drawings.
Drawings
Fig. 1 is a flowchart of abnormal device identification according to an embodiment of the present invention.
Detailed Description
To further illustrate the technical means and effects of the present invention adopted to achieve the predetermined objects, the following detailed description will be given to specific embodiments and effects of an abnormal device identification method, an electronic device and a medium according to the present invention, with reference to the accompanying drawings and preferred embodiments.
The embodiment of the invention provides an abnormal device identification method, as shown in fig. 1, comprising the following steps:
Step S1, acquiring data information of multiple dimensions of the devices to be identified at preset time intervals;
The data corresponding to each device may differ from one time to another, so the data information of multiple dimensions of the devices to be identified is acquired at preset time intervals in order to construct the knowledge graph. The preset time can be set according to the identification requirements and the performance of the equipment. Because data of a single dimension may fail to identify abnormal devices, or fail to identify them accurately and comprehensively, abnormal devices are identified from data information of multiple dimensions so as to improve identification accuracy. The abnormal devices include terminals such as mobile phones and tablet computers.
Step S2, constructing a knowledge graph according to the data information of the devices to be identified in multiple dimensions;
Step S3, identifying abnormal devices from the devices to be identified based on the knowledge graph.
According to the method, the knowledge graph is constructed at intervals based on the data information of multiple dimensions of the equipment to be identified, the abnormal equipment can be actively and comprehensively identified, and the accuracy of identifying the abnormal equipment is improved.
As an example, in step S1, the data information of the multiple dimensions includes at least two of device information, device network information, device location information, and application (app) behavior data corresponding to the device. The device information includes a device id. The device network information includes ip information and wifi address (wifi) information: when the device is connected to the network through mobile traffic, the corresponding device network information is the ip information; when the device is connected to the network through wifi, the corresponding device network information is the wifi information. The device location information includes coordinate information and/or grid information; preferably, the grid information is a geohash. The app behavior data includes app installation data and app activity data.
As an example, step S2 specifically includes constructing a central node for each device to be identified, taking each piece of data of each dimension as a node, and taking the correspondence between each node and the central node as an edge, thereby constructing the knowledge graph.
After the knowledge graph is constructed, abnormal devices can be identified through various implementation modes, and the following description is further provided through a plurality of specific embodiments:
Embodiment I
In some application scenarios, identification accuracy may be very low when the determination relies on a single identification condition set on a single type of data information. By constructing a knowledge graph, data of multiple dimensions can be obtained and abnormal devices can be identified from data under multiple identification conditions. Step S3 may include:
Step S31, traversing the knowledge graph;
Step S32, acquiring a first parameter corresponding to the central node of the device to be identified from the knowledge graph, and judging, based on the first parameter, whether the central node meets a preset first judgment condition; if so, setting a first weight to a1, otherwise setting the first weight to 0;
Step S33, acquiring a second parameter corresponding to the central node of the device to be identified from the knowledge graph, and judging, based on the second parameter, whether the central node meets a preset second judgment condition; if so, setting a second weight to a2, otherwise setting the second weight to 0;
Step S3M, acquiring an Mth parameter corresponding to the central node of the device to be identified from the knowledge graph, and judging, based on the Mth parameter, whether the central node meets a preset Mth judgment condition; if so, setting the Mth weight to a1, otherwise setting the Mth weight to 0;
Step S3(M+1), summing the first weight, the second weight, …, and the Mth weight to obtain an identification result A;
Step S3(M+2), judging whether the identification result A is higher than a preset identification threshold; if so, judging that the device to be identified corresponding to the central node is an abnormal device.
As an example, M is equal to 4.
Step S32 includes:
acquiring the number of account login behaviors associated with the central node of the device to be identified in a first preset time period; if the number exceeds a preset first threshold, setting the first weight to a1, otherwise setting the first weight to 0;
Step S33 includes:
acquiring the number of accounts associated with the ip connected to the central node of the device to be identified in a second preset time period; if the number exceeds a preset second threshold, setting the second weight to a2, otherwise setting the second weight to 0;
Step S34 includes:
acquiring the number of accounts associated with the wifi mac connected to the central node of the device to be identified in a third preset time period; if the number exceeds a preset third threshold, setting the third weight to a3, otherwise setting the third weight to 0;
Step S35 includes:
acquiring the number of accounts associated with the device id connected to the central node in a fourth preset time period; if the number exceeds a preset fourth threshold, setting the fourth weight to a4, otherwise setting the fourth weight to 0. The first, second, third and fourth preset time periods may be all the same, partially the same, or all different.
Based on the knowledge graph, multi-dimensional data information can be acquired, so that a plurality of identification conditions can be set, each with a corresponding weight, which improves the identification rate and identification efficiency for abnormal devices.
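The weighted scoring of this embodiment with M equal to 4, run over a small knowledge graph built as in step S2, as an added example that is not part of the patent text. The `Login` record, the thresholds, the weights 2/3/3/2, the identification threshold 5 and the sample data are all constructed assumptions; the patent gives no concrete values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Login:
    """One constructed observation: an account login seen on a device."""
    device: str               # key of the central node (hypothetical identifier)
    device_id: str            # reported device id
    ip: Optional[str]         # set when the device is on mobile data
    wifi_mac: Optional[str]   # set when the device is on wifi
    account: str
    ts: int                   # seconds


class KnowledgeGraph:
    """Step S2: one central node per device, one node per data value, edges between."""

    def __init__(self):
        self.edges = defaultdict(list)        # central node -> [(data node, ts)]
        self.accounts_at = defaultdict(list)  # data node -> [(account, ts)]
        self.logins = defaultdict(list)       # central node -> [ts of each login]

    def add(self, ev):
        center = ("device", ev.device)
        self.logins[center].append(ev.ts)
        for kind in ("device_id", "ip", "wifi_mac"):
            value = getattr(ev, kind)
            if value is None:
                continue
            node = (kind, value)
            self.edges[center].append((node, ev.ts))
            self.accounts_at[node].append((ev.account, ev.ts))

    def login_count(self, device, since):
        return sum(1 for ts in self.logins[("device", device)] if ts >= since)

    def max_accounts(self, device, kind, since):
        """Most distinct accounts seen on any `kind` node linked to this device."""
        linked = {n for n, ts in self.edges[("device", device)]
                  if n[0] == kind and ts >= since}
        return max((len({a for a, ts in self.accounts_at[n] if ts >= since})
                    for n in linked), default=0)


# (step, parameter, window in seconds, threshold, weight a_i); all values constructed.
RULES = [
    ("S32", "logins",    3600, 5,  2),
    ("S33", "ip",        3600, 10, 3),
    ("S34", "wifi_mac",  3600, 10, 3),
    ("S35", "device_id", 3600, 3,  2),
]
IDENT_THRESHOLD = 5  # constructed identification threshold for result A


def score(graph, device, now):
    """Steps S32 to S3(M+1): return (A, steps whose condition was met)."""
    total, fired = 0, []
    for step, param, window, threshold, weight in RULES:
        since = now - window           # each condition has its own time period
        value = (graph.login_count(device, since) if param == "logins"
                 else graph.max_accounts(device, param, since))
        if value > threshold:          # "exceeds": weight a_i, otherwise 0
            total += weight
            fired.append(step)
    return total, fired


def is_abnormal(graph, device, now):
    """Step S3(M+2): abnormal when A is higher than the identification threshold."""
    return score(graph, device, now)[0] > IDENT_THRESHOLD


def sample_graph():
    """Constructed data: a 5-device farm, a busy cafe wifi, one home user."""
    g = KnowledgeGraph()
    for d in range(5):                 # each farm device cycles 6 accounts
        for a in range(6):
            g.add(Login(f"farm-{d}", f"did-farm-{d}", None, "02:00:00:00:00:01",
                        f"acct-f{d}-{a}", 1000 + 60 * a))
    for d in range(12):                # 12 unrelated users on one public wifi
        g.add(Login(f"cafe-{d}", f"did-cafe-{d}", None, "02:00:00:00:00:02",
                    f"acct-c{d}", 1200))
    for ts in (900, 1500, 2100):       # one user, one account, mobile data
        g.add(Login("home-0", "did-home-0", "198.51.100.7", None, "acct-h0", ts))
    return g


if __name__ == "__main__":
    g = sample_graph()
    for dev in ("farm-0", "cafe-0", "home-0"):
        print(dev, score(g, dev, now=3600), is_abnormal(g, dev, now=3600))
```

The cafe device trips only the shared-wifi condition and stays below the identification threshold, which is the single-condition misidentification the weighted sum is meant to avoid.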
Embodiment II
After the knowledge graph is established, a large number of parameters for identifying abnormal devices can be acquired from it, so abnormal devices can be identified by combining the knowledge graph with machine learning.
In step S3, identifying abnormal devices from the devices to be identified based on the knowledge graph may include:
Step S311, traversing the associated knowledge graph and extracting preset model input parameters from it, where the model input parameters include: the number of accounts associated with the device in a preset time period, the number of devices within a preset position range around the device's position, the number of users associated with the same ip as the device, the number of devices associated with the same device id connected to the device, and the like;
Step S312, setting labels for the extracted model input parameters and performing supervised training, where the labels comprise abnormal device and non-abnormal device, and performing classification-regression training based on the labelled model input parameters to obtain an abnormal device identification model;
Step S313, inputting the model input parameters corresponding to the device to be identified into the abnormal device identification model to identify abnormal devices.
Through the steps S311 to S313, model input parameters can be obtained based on data of multiple dimensions, a model is trained, and the accuracy and the recognition efficiency of abnormal equipment recognition are improved.
Embodiment III
As a variation of the second embodiment, in step S3, the training to obtain the abnormal device identification model based on the extracted model input parameters may include:
Step S321, traversing the associated knowledge graph and extracting preset model input parameters from it, where the model input parameters include: the number of accounts associated with the device in a preset time period, the number of devices within a preset position range around the device's position, the number of users associated with the same ip as the device, the number of devices associated with the same device id connected to the device, and the like;
Step S322, performing unsupervised clustering training on the extracted model input parameters to obtain the abnormal device identification model;
Step S323, inputting the model input parameters corresponding to the device to be identified into the abnormal device identification model to identify abnormal devices.
Through the steps S321 to S323, model input parameters can be obtained based on data of multiple dimensions, a model is trained, and the accuracy and the recognition efficiency of abnormal equipment recognition are improved.
An embodiment of the present invention further provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions configured to perform the abnormal device identification method of an embodiment of the present invention.
An embodiment of the invention also provides a computer-readable storage medium storing computer instructions for executing the abnormal device identification method of the embodiment of the invention.
Although the present invention has been described with reference to a preferred embodiment, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. An abnormal device identification method, comprising:
step S1, acquiring data information of multiple dimensions of the equipment to be identified at preset time intervals;
step S2, constructing a knowledge graph according to the data information of the equipment to be identified in multiple dimensions;
and step S3, identifying abnormal equipment from the equipment to be identified based on the knowledge graph.
2. The method of claim 1,
the data information of the multiple dimensions comprises at least two of device information, device network information, device position information and app behavior data corresponding to the devices, wherein the device information comprises device id, the device network information comprises ip information and wifi information, the device position information comprises coordinate information and/or grid information, and the app behavior data comprises app installation data and app active data.
3. The method of claim 2,
the step S2 includes:
and constructing a central node for each device to be tested, taking each data of each dimension as a node, taking the corresponding relation between each node and the central node as an edge, and constructing the knowledge graph.
4. The method of claim 3,
the step S3 includes:
step S31, traversing the knowledge graph;
step S32, acquiring a first parameter corresponding to a central node of the equipment to be identified from the knowledge graph, judging whether the parameter corresponding to the central node meets a preset first judgment condition or not based on the first parameter, if so, setting a first weight to be a1, otherwise, setting the first weight to be 0;
step S33, acquiring a second parameter corresponding to a central node of the equipment to be identified from the knowledge graph, judging whether the parameter corresponding to the central node meets a preset second judgment condition or not based on the second parameter, if so, setting a second weight to be a2, otherwise, setting the second weight to be 0;
step S3M, acquiring an Mth parameter corresponding to a central node of the equipment to be identified from the knowledge graph, judging whether the parameter corresponding to the central node meets a preset Mth judgment condition or not based on the Mth parameter, if so, setting the Mth weight to be a1, otherwise, setting the Mth weight to be 0;
step S3(M+1), summing the first weight, the second weight, …, and the Mth weight to obtain an identification result A;
and step S3(M+2), judging whether the identification result A is higher than a preset identification threshold value, if so, judging that the equipment to be identified corresponding to the central node is abnormal equipment.
5. The method of claim 4,
M is equal to 4,
the step S32 includes:
acquiring the account login behavior quantity associated with the central node of the device to be identified in a first preset time period, if the account login behavior quantity exceeds a preset first threshold value, setting a first weight to be a1, otherwise, setting the first weight to be 0;
the step S33 includes:
acquiring the number of accounts related to the ip connected with the central node of the device to be identified in a second preset time period, if the number of the accounts exceeds a preset second threshold value, setting a second weight to be a2, otherwise, setting the second weight to be 0;
the step S34 includes:
acquiring the number of accounts associated with the wifi mac connected to the central node of the device to be identified in a third preset time period, if the number exceeds a preset third threshold value, setting the third weight to be a3, otherwise, setting the third weight to be 0;
the step S35 includes:
acquiring the number of accounts associated with the device id connected with the central node in a fourth preset time period, if the number exceeds a preset fourth threshold, setting a fourth weight as a4, otherwise, setting the fourth weight as 0;
the first preset time period, the second preset time period, the third preset time period and the fourth preset time period are all the same, partially the same or all different.
6. The method of claim 3,
the step S3 includes:
step S311, traversing the associated knowledge graph, and extracting preset model input parameters from the associated knowledge graph, where the model input parameters include: the number of accounts associated with the device in a preset time period, the number of devices within a preset position range around the device's position, the number of users associated with the same ip as the device, and the number of devices associated with the same device id connected to the device;
step S312, training based on the extracted model input parameters to obtain an abnormal equipment identification model;
and step S313, inputting the model input parameters corresponding to the equipment to be identified into the abnormal equipment identification model to identify abnormal equipment.
7. The method of claim 6,
the step S312 further includes:
setting labels for the extracted model input parameters, wherein the labels comprise abnormal equipment and non-abnormal equipment, and carrying out classification-regression training based on the model input parameters with the labels to obtain the abnormal equipment identification model.
8. The method of claim 6,
the step S312 further includes:
and performing clustering training on the extracted model input parameters to obtain the abnormal equipment identification model.
9. An electronic device, comprising:
at least one processor;
and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the preceding claims 1-8.
10. A computer-readable storage medium having stored thereon computer-executable instructions for performing the method of any of the preceding claims 1-8.
CN202011471778.2A 2020-12-14 2020-12-14 Abnormal device identification method, electronic device, and medium Pending CN112487210A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011471778.2A CN112487210A (en) 2020-12-14 2020-12-14 Abnormal device identification method, electronic device, and medium

Publications (1)

Publication Number Publication Date
CN112487210A (en) 2021-03-12

Family

ID=74916266

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011471778.2A Pending CN112487210A (en) 2020-12-14 2020-12-14 Abnormal device identification method, electronic device, and medium

Country Status (1)

Country Link
CN (1) CN112487210A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210312
