CN112685272B - Interpretable user behavior abnormity detection method - Google Patents

Publication number
CN112685272B
Authority
CN
China
Prior art keywords
user
graph
node
classification model
users
Prior art date
Legal status
Active
Application number
CN202011590113.3A
Other languages
Chinese (zh)
Other versions
CN112685272A (en)
Inventor
彭佳
计畅
李敏
高能
屠晨阳
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses an interpretable method for detecting user behavior anomalies, comprising the following steps: 1) collecting the feature information of the users in the target network with a feature extraction module; 2) constructing an adjacency matrix from the feature information of each user with a graph matrix module, where the graph matrix module determines from the user feature information whether direct contact exists between users and determines the relation between users from the similarity between them; 3) training a graph neural network using the adjacency matrix to obtain a classification model; 4) training on the classification model with a graph interpretation module, using a set optimization objective function, to obtain a graph mask M and a feature selector F; 5) inputting the features of a user to be detected into the trained classification model to obtain a classification result and, if the user is an abnormal node, using M to obtain the nodes associated with the abnormal node from the classification model and using F to obtain, among the features of each node of the classification model, the features most relevant to the abnormal node.

Description

Interpretable user behavior abnormity detection method
Technical Field
The invention belongs to the field of machine learning, and particularly relates to an interpretable user behavior anomaly detection method using a graph convolutional network.
Background
As security incidents in recent years show, insider threats have become a major source of risk to enterprises and organizations. An insider threat is an act in which an insider uses the trust they have been granted to harm the interests of the organization that trusts them. These interests include the enterprise's economic interests, business operations, external services, and the reputation of the trusting organization, among others. Insider threats include not only behavior in which legitimate members of an organization intentionally or unintentionally compromise its interests, but also attacks in which outsiders masquerade as insiders. With the spread of informatization, people routinely use electronic devices at work, and more and more behavior data is generated and accumulated. By mining this behavior data and performing anomaly detection on it, insider threats can be detected and enterprises or organizations can be given early warning.
Earlier methods of detecting user behavior anomalies were mainly classification-based. Methods such as Support Vector Machines and the Multi-Layer Perceptron convert anomaly detection into a binary classification problem. In the testing phase, such algorithms are usually fast once trained. However, they require large-scale labeling of data. In particular, user behavior anomaly data is usually highly imbalanced, and because anomalous samples are far fewer than normal ones, these methods cannot achieve the desired effect in training.
Compared with traditional methods, the recently popular deep-learning-based methods have several advantages: the deep learning model can automatically discover features for anomaly detection during learning; deep learning models represented by the Recurrent Neural Network perform very well at modeling sequence data; and deep learning models can fuse heterogeneous data, bringing in more information to improve the final anomaly detection result.
Of the mainstream algorithms described above, traditional classification-based algorithms have difficulty obtaining suitable training data for the user behavior anomaly detection task, and deep-learning-based methods are commonly called a "black box". Although deep learning models achieve exciting results in some fields, their lack of interpretability creates uncertainty about using deep learning in others. In particular, on the user behavior anomaly detection task, even a well-performing deep learning model cannot reach 100% accuracy, and if the model raises a false alarm and cannot explain what caused the anomaly verdict, some employees are likely to be harmed unnecessarily.
Disclosure of Invention
In view of the state of the art described above, an object of the present invention is to provide an interpretable user behavior anomaly detection method using a graph convolutional network. The invention constructs a topological graph from information such as user attributes and relationships, so that the nodes of the graph carry not only their own attribute information, such as IP addresses and ports, but also structural information, such as the patterns of communication between nodes. It then performs anomaly detection on user behavior using Graph Convolutional Networks, and analyzes the graph convolutional network with a graph interpretation network to enhance interpretability.
To achieve this purpose, the invention adopts the following scheme:
An interpretable user behavior anomaly detection method comprises the following steps:
1) Collecting the feature information of the users in the target network with a feature extraction module;
2) The graph matrix module constructs an adjacency matrix from the feature information of each user; the graph matrix module determines from the user feature information whether there is direct contact between users, then uses the weight equation $A(i,j) = w \cdot \cos(F_i, F_j) + (1-w) \cdot C_{ij}$ to calculate the similarity $A(i,j)$ between user i and user j, and determines the relation between the users from this similarity; $F_i$ is the feature information of user i, $F_j$ is the feature information of user j, w is a weight coefficient, and $C_{ij}$ represents whether there is direct contact between user i and user j: if so, $C_{ij} = 1$, otherwise $C_{ij} = 0$;
3) Training a graph neural network using the adjacency matrix to obtain a classification model for anomaly detection;
4) Inputting the feature information of the user into the obtained classification model to obtain a classification result (namely abnormal or non-abnormal);
5) Training on the classification model with a graph interpretation module, using a set optimization objective function, to obtain a graph mask M and a feature selector F; the optimization objective function of the graph interpretation module is
Figure BDA0002868380790000021
6) Inputting the features of a user to be detected into the trained classification model to obtain a classification result; if the user is an abnormal node, using the graph mask M to obtain the nodes associated with the abnormal node from the classification model, using the feature selector F to obtain, among the features of each node of the classification model, the features most relevant to the abnormal node, and taking the associated nodes and associated features so obtained as the interpretation information of the abnormal node.
The graph mask M and the feature selector F are obtained by training against the objective function on the GCN classification model obtained after training. The graph mask M yields the nodes that contribute more to the classification result in the trained GCN classification model (edges of the graph mask below a threshold are removed by adjusting the threshold, and the nodes that remain are those that contribute more to the classification result). The feature selector F yields the features that contribute more among the node features. The interpretation model operates on the trained classification model after it has been obtained; it does not affect the detection result but interprets it: the nodes and features with larger contribution values are those most closely related to the abnormal node, and this is what provides the interpretation.
In the interpretable user behavior anomaly detection method of the invention, a feature extraction module first collects the feature information of each user in the network, including user behavior features such as login and logout features, device features, file features, mail features and web browsing features. The graph matrix module then constructs the adjacency matrix to capture the connections between users. Because many users are isolated on the social network in insider threat monitoring applications, weak ties are established for some users through the similarity of their behavior features, using the weight equation, when the adjacency matrix (namely the topological graph of user relationships) is constructed. The invention then trains a GCN classification model for anomaly detection with the adjacency matrix and the user attribute features as input. Finally, a graph interpretation module performs structural and feature interpretation on the trained classification model.
The feature extraction module is a module that covers all users and their behavior features (its final result is a matrix in which each row represents a user and each column represents a feature). The module collects the behavior of each user on the target network and extracts specific behavior features, including device usage features, login features, file usage features, social features, browsing features and the like. These features provide the attribute information of each user as a node of the graph.
Further, the feature matrix F obtained by the feature extraction module is an N × D matrix, where N is the number of users in the network and D is the number of behavior features of each user.
The graph matrix module is the module that constructs the adjacency matrix, which captures the connections between users and provides important information for constructing the social network graph. In a conventional neural network, the adjacency matrix is usually represented by 1 and 0, indicating respectively that there is or is not a connection between nodes. The invention defines users with mail communication as having direct contact, and users without mail communication records as having no contact. Unlike social networks and knowledge graphs, however, insider threat user data contains many isolated users with no mail communication records, and each user corresponds to one node. Because of these users, the invention uses a weight equation to establish connections between the isolated users and other nodes.
Further, the adjacency matrix in the graph matrix module is defined as an N × N matrix A, which represents the relationships between users.
Further, direct contact between user i and user j is represented by $C_{ij} \in \{0, 1\}$.
Further, to solve the problem of isolated users when composing the adjacency matrix, the invention uses the weight equation $A(i,j) = w \cdot \cos(F_i, F_j) + (1-w) \cdot C_{ij}$ to establish contact between users, where a parameter w balances direct contact against similarity between users (the weight coefficient w takes a value from 0 to 1); $C_{ij}$ represents whether there is direct contact between user i and user j: if so, $C_{ij} = 1$, otherwise $C_{ij} = 0$.
Further, when $A(i,j) > 0.5$, the invention establishes contact between user i and user j.
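A worked sketch of the weight equation and the 0.5 threshold, added here as an illustration and not taken from the patent; the five users, their feature rows, the mail matrix and the values of w are constructed, and the function names are hypothetical. It shows that with C_ij = 0 an edge needs w·cos > 0.5, so weak ties for isolated users only appear when w > 0.5, and that at such w a direct mail contact between dissimilar users can fall below the threshold.

```python
import numpy as np

def cosine_matrix(F):
    """Pairwise cosine similarity between the rows of the N x D feature matrix F."""
    F = np.asarray(F, dtype=float)
    norms = np.linalg.norm(F, axis=1, keepdims=True)
    norms[norms == 0] = 1.0          # an all-zero row gets similarity 0, not NaN
    U = F / norms
    return U @ U.T

def build_adjacency(F, C, w, threshold=0.5):
    """Return (A, edges) with A(i,j) = w*cos(F_i,F_j) + (1-w)*C_ij and
    edges[i,j] = A(i,j) > threshold (self-loops excluded)."""
    if not 0.0 <= w <= 1.0:
        raise ValueError("w must lie in [0, 1]")
    F = np.asarray(F, dtype=float)
    C = np.asarray(C, dtype=float)
    n = F.shape[0]
    if C.shape != (n, n) or not np.array_equal(C, C.T):
        raise ValueError("C must be a symmetric N x N 0/1 matrix")
    A = w * cosine_matrix(F) + (1.0 - w) * C
    edges = A > threshold
    np.fill_diagonal(edges, False)
    return A, edges

def isolated_users(edges):
    """Indices of users that end up with no edge at all."""
    return [i for i in range(edges.shape[0]) if not edges[i].any()]

# Constructed sample: 5 users x 4 behavior features (not CERT data).
F_USERS = np.array([
    [2.0, 1.0, 0.0, 0.0],    # user 0
    [2.0, 1.0, 0.0, 1.0],    # user 1
    [0.0, 0.0, 3.0, 1.0],    # user 2
    [2.0, 1.0, 0.0, 0.5],    # user 3: no mail records, behaves like users 0 and 1
    [0.0, 0.0, 1.0, -3.0],   # user 4: no mail records, unlike everyone else
])
# Constructed direct-contact matrix: mail between 0-1 and between 1-2 only.
C_MAIL = np.zeros((5, 5))
for i, j in [(0, 1), (1, 2)]:
    C_MAIL[i, j] = C_MAIL[j, i] = 1.0

if __name__ == "__main__":
    for w in (0.5, 0.7):
        A, edges = build_adjacency(F_USERS, C_MAIL, w)
        pairs = [(i, j) for i in range(5) for j in range(i + 1, 5) if edges[i, j]]
        print(f"w={w}: edges={pairs} isolated={isolated_users(edges)}")
```

With these constructed values, w = 0.5 reproduces the plain mail graph and leaves users 3 and 4 isolated, while w = 0.7 ties user 3 to users 0 and 1 but drops the 1-2 mail edge because their cosine similarity is below (w − 0.5)/w.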
The graph convolution network module serves as the classification model for user behavior anomaly detection. The invention trains the anomaly classification model with a Graph Convolutional Network (GCN). Its inputs are the feature extraction matrix and the adjacency matrix; after these pass through the graph convolutional network, the classification result of each node is output, that is, whether each node is abnormal.
Further, the graph convolution network module uses a two-layer graph convolutional network.
Further, the specific expression of the graph convolutional network is $Z = f(X, A) = \mathrm{softmax}(A\,\mathrm{ReLU}(A X W_0)\,W_1)$, where $W_0$ is the weight matrix from the input layer to the hidden layer and $W_1$ is the weight matrix from the hidden layer to the output layer; X is the matrix of node feature vectors, corresponding to the feature matrix F above.
Further, to calculate the classification result of each node, the invention uses the softmax activation function to calculate the output of each node; the specific equation is
Figure BDA0002868380790000041
where $x_i$ is the i-th row of the matrix $A\,\mathrm{ReLU}(A X W_0)\,W_1$ inside $\mathrm{softmax}(A\,\mathrm{ReLU}(A X W_0)\,W_1)$, namely the output of the graph convolutional network, with a value range of 0 to N.
Further, the matrices $W_0$ and $W_1$ of the graph convolutional network model are trained using the batch gradient descent method.
Further, a cross-entropy loss function is used in training
Figure BDA0002868380790000042
where $Y_{lf}$ is the true probability, $Z_{lf}$ is the predicted probability, $y_L$ represents the number of samples used (i.e., the number of users in the adjacency matrix), and F is the number of class labels.
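An added example, not the patent's own code: the two-layer forward pass written as in the expression above, using A as given with no self-loops or normalization. The 4-node graph, features, weights and labels are constructed, and the cross-entropy is assumed to be the standard sum over labelled nodes and classes of −Y_lf·ln Z_lf, since the patent's formula is not reproduced on this page. It shows why isolated users matter to this model: a node whose row in A is all zero gets an all-zero logit row, so its softmax output is uniform whatever its features are.

```python
import numpy as np

def softmax(X):
    """Row-wise softmax, shifted by the row maximum for numerical stability."""
    X = X - X.max(axis=1, keepdims=True)
    e = np.exp(X)
    return e / e.sum(axis=1, keepdims=True)

def gcn_forward(A, X, W0, W1):
    """Z = softmax(A ReLU(A X W0) W1); row i holds the class probabilities of node i."""
    H = np.maximum(A @ X @ W0, 0.0)      # hidden layer: aggregate neighbors, then ReLU
    return softmax(A @ H @ W1)           # output layer: aggregate again, then softmax

def cross_entropy(Z, Y, labelled):
    """Assumed standard form: -sum over labelled nodes l and classes f of Y_lf * ln(Z_lf)."""
    idx = list(labelled)
    return float(-np.sum(Y[idx] * np.log(Z[idx] + 1e-12)))

def with_tie(A, i, j):
    """Copy of A with an undirected edge i-j added (e.g. a similarity-based weak tie)."""
    B = A.copy()
    B[i, j] = B[j, i] = 1.0
    return B

# Constructed toy graph: mail edges 0-1 and 1-2; node 3 has no mail records.
A_MAIL = np.array([
    [0.0, 1.0, 0.0, 0.0],
    [1.0, 0.0, 1.0, 0.0],
    [0.0, 1.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0],
])
# Constructed node features (4 nodes x 3 features); node 3 has the same features as node 0.
X = np.array([
    [1.0, 0.0, 2.0],
    [0.0, 1.0, 1.0],
    [2.0, 1.0, 0.0],
    [1.0, 0.0, 2.0],
])
# Constructed, fixed weights (in practice W0 and W1 are learned by gradient descent).
W0 = np.array([[0.5, -0.2], [0.1, 0.4], [-0.3, 0.6]])
W1 = np.array([[1.0, -1.0], [-0.5, 0.5]])
# Constructed one-hot labels: column 0 = normal, column 1 = abnormal.
Y = np.array([[1.0, 0.0], [0.0, 1.0], [1.0, 0.0], [0.0, 1.0]])

if __name__ == "__main__":
    Z = gcn_forward(A_MAIL, X, W0, W1)
    print("isolated node 3:", Z[3])                       # uniform output
    Z_tied = gcn_forward(with_tie(A_MAIL, 3, 0), X, W0, W1)
    print("node 3 after a tie to node 0:", Z_tied[3])     # now depends on its neighborhood
    print("loss on labelled nodes 0 and 1:", cross_entropy(Z, Y, [0, 1]))
```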
The graph interpretation module analyzes and interprets the trained graph convolutional network classification model. The invention analyzes the classification model in terms of the structural information and the feature information of the graph. Through training, the module obtains the part of the graph structure information and feature information that contributes most to the classification result, so that the classification model is explained to a certain extent in terms of contribution values.
Further, for a node, if the structure and features most relevant to the model prediction result Y are $G_s$ and $X_s$ respectively, then the importance of the correlation can be measured by Mutual Information:
Figure BDA0002868380790000043
where H(Y) is the result of applying the information entropy function H() to Y. Because the model is interpreted on a GCN that has already been trained, the above equation is equivalent to minimizing $H(Y \mid G = G_s, X = X_s)$.
Further, due to
Figure BDA0002868380790000044
The new optimization objective is
Figure BDA0002868380790000045
Figure BDA0002868380790000046
denotes the expected value, $P_\Phi()$ denotes a probability value, $X_S$ is the feature of node S that contributes most to the abnormal node Y, $G_S$ is the subgraph of node S that contributes most to the abnormal node Y, and H() is the information entropy function.
Further, by using the Jensen inequality and the convexity assumption, an upper bound can be obtained, and the optimization objective becomes
Figure BDA0002868380790000051
Figure BDA0002868380790000052
is the expected value of the random graph variable
Figure BDA0002868380790000053
Further, using the mean-field variational approximation, the random graph variable
Figure BDA0002868380790000054
is decomposed as
Figure BDA0002868380790000055
where $A_s[j,k]$ represents the expected value of the existence of the edge $(v_j, v_k)$, and $G_c$ represents all subgraphs.
Further,
Figure BDA0002868380790000056
can be replaced using $A_c$, where $A_c$ is the adjacency matrix and M is the mask to be learned by this module (the Graph Mask); the product involved is the Hadamard product, i.e., element-wise multiplication.
Further, for the interpretation part of the graph structure of the classification model, the optimization function is
Figure BDA0002868380790000057
Here $P_\Phi$ is a probability value,
Figure BDA00028683807900000517
is the indicator function: when y = c,
Figure BDA0002868380790000058
and when y ≠ c,
Figure BDA0002868380790000059
Further, the interpretation of the feature selection part is similar to the interpretation of the graph structure: the model is interpreted by selecting the part most relevant to the prediction result. The specific formula is
Figure BDA00028683807900000510
for
Figure BDA00028683807900000511
where
Figure BDA00028683807900000512
is the node features of the most contributing subgraph $G_s$,
Figure BDA00028683807900000513
is the node features not covered by the mask, $v_j$ is node j in the graph structure, F is the feature selector, $F \in \{0,1\}^d$, and d is the number of features.
Further, considering the selection of structure and features together, the final optimization objective of the graph interpretation module is
Figure BDA00028683807900000514
Wherein
Figure BDA00028683807900000515
is the feature selector to be learned, d is the number of features, and MI() is the mutual information function.
Further, the graph interpretation module trains on the classification model using a set optimization objective function to obtain a graph mask M and a feature selector F; the optimization objective function of the graph interpretation module is
Figure BDA00028683807900000516
$X_S$ is the feature of node S that contributes most to the abnormal node Y, $G_S$ is the subgraph of node S that contributes most to the abnormal node Y, and H() is the information entropy function. With the trained graph mask M and feature selector F, the invention obtains the nodes that contribute most to the classification result structurally and the features that contribute most to it in terms of features, thereby giving a degree of interpretation of the classification results.
Compared with the prior art, the invention has the following positive effects:
Using a graph neural network to detect abnormal user behavior captures the connections and similarity between users better; at the same time, the weight equation adds connections for isolated users, and the graph interpretation model analyzes the detection results structurally and in terms of features to obtain the most relevant structures and features.
Using the graph neural network, the method captures deep relationships between users from their associations and behavior features and thereby discovers abnormal users. Through the graph interpretation module it gives a better understanding of the other nodes in the graph structure and the features that are most relevant to the classification result, so that the causes of an anomaly are obtained, including related users and clearly abnormal behavior features, and good results are achieved in user behavior anomaly detection.
Drawings
FIG. 1 is a schematic diagram of the overall system;
FIG. 2 is a schematic diagram of a graph convolution network module;
FIG. 3 is a schematic diagram of the results of the graph interpretation module:
(a) nodes that contribute more structurally, (b) feature values that contribute more in terms of features.
Detailed Description
In order to make the objects, solutions and advantages of the present invention more apparent, the present invention will be further described in detail below by taking an experiment performed on a real data set as an example. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Taking the CMU CERT v4.2 dataset as an example, a specific implementation step of the interpretable user behavior anomaly detection scheme is described.
The CMU CERT v4.2 dataset simulates three main types of attack behavior carried out by malicious insiders (system sabotage, information theft and insider fraud) together with a large amount of normal background data. It covers the behavior data of 1000 users in multiple dimensions, such as file access (creation, modification and deletion, with file name, type, etc.), mail sending and receiving, device usage (removable storage devices, printers, etc.), HTTP access and system login, and also includes each user's job position and department. The CMU CERT v4.2 dataset provides comprehensive behavioral observations of the users with which to characterize a user behavior model.
In the embodiment, the task of the method is to detect user behavior anomalies and discover insider threat users. The overall system architecture of the invention is shown in FIG. 1. The example takes 160 normal nodes and 40 abnormal nodes in the CMU CERT v4.2 dataset as the training set, and 170 normal nodes and 30 abnormal nodes as the test set. The evaluation criteria are accuracy, precision and recall.
The feature extraction module is described first. Each user has 30 behavior features. The login and logout features include daily login and logout time, login and logout time in rest periods, and the number of devices logged in to and out of in rest periods. The device features include the daily number of connected devices, the number of devices connected in rest periods, and the number of computers to which devices were connected. The file features include the daily number of modified files, the total number of files, the number of files modified in rest periods, the number of exe files, and the number of computers containing files. The mail features include the daily number of mails sent, the number sent outside the organization, the number sent inside the organization, the average mail size, the number of recipients, the number of topic-related mails, and the number of emotion-related mails. The web browsing features include the daily number of web pages browsed, the number of emotion-related web pages, the number of topic-related web pages and the number of topic-related web pages. The feature extraction matrix F is defined as an N × D matrix, where N is the number of users in the network and D is the number of behavior features of each user.
Then, to construct the input to the graph convolutional network, the invention constructs the N × N adjacency matrix A with the graph matrix module. In the network of 1000 users in this embodiment, the conventional method of direct contact or no direct contact yields a total of 3556 edges. With the weight equation of the invention, $A(i,j) = w \cdot \cos(F_i, F_j) + (1-w) \cdot C_{ij}$, the new adjacency matrix contains over 1,000,000 non-zero edges, building rich associations for isolated users.
The graph convolution network module then takes the matrix F and the matrix A constructed above as inputs, as shown in FIG. 2, and outputs the classification result using a two-layer graph convolutional network. The graph convolutional network expression is $Z = f(X, A) = \mathrm{softmax}(A\,\mathrm{ReLU}(A X W_0)\,W_1)$. To calculate the classification result for each node, the invention uses a softmax activation function
Figure BDA0002868380790000071
When training the graph convolutional network, a batch gradient descent method and a cross-entropy loss function are used
Figure BDA0002868380790000072
The graph interpretation module then analyzes the interpretability of the graph convolutional network, in terms of both its graph structure and its feature information. The invention uses this module to obtain the graph structure and feature information that contribute most to the classification result, as shown in FIG. 3, giving an interpretation of the classification result in terms of contribution values. For the graph-structure interpretation part of the classification model obtained after training, the optimization function is
Figure BDA0002868380790000073
Only a threshold needs to be set to remove the edges in M that fall below it, which yields the graph structure that contributes most to the result from a structural perspective. The interpretation of the feature selection part is similar to the interpretation of the graph structure: the model is interpreted by selecting the part most relevant to the prediction result. The specific formula is
Figure BDA0002868380790000074
for
Figure BDA0002868380790000075
Considering the selection of structure and features together, the final optimization objective of the graph interpretation module is
Figure BDA0002868380790000081
Wherein
Figure BDA0002868380790000082
In the embodiment, compared with traditional methods such as supporting a perceptron, random forest, logistic regression and convolutional neural network, the method achieves the best experimental results in accuracy, precision and recall. It also provides a contribution analysis of graph structure and attribute features for the classification result, which improves the interpretability of the classification result.
The above description is intended to be illustrative of the present invention and is not to be construed as limiting the invention, and any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (5)

1. An interpretable user behavior anomaly detection method, comprising the following steps:
1) Collecting the feature information of the users in the target network with a feature extraction module;
2) The graph matrix module constructs an adjacency matrix from the feature information of each user; the graph matrix module determines from the user feature information whether there is direct contact between users, then uses the weight equation $A(i,j) = w \cdot \cos(F_i, F_j) + (1-w) \cdot C_{ij}$ to calculate the similarity $A(i,j)$ between user i and user j, and determines the relation between the users from this similarity; $F_i$ is the feature information of user i, $F_j$ is the feature information of user j, w is the weight coefficient, and $C_{ij}$ represents whether there is direct contact between user i and user j: if so, $C_{ij} = 1$, otherwise $C_{ij} = 0$; the graph matrix module determines whether users are in direct contact according to whether mail communication exists between them, and determines that direct contact exists between users with mail communication records;
3) Training a graph convolutional network using the adjacency matrix to obtain a classification model for anomaly detection;
4) Training on the classification model with a graph interpretation module, using a set optimization objective function, to obtain a graph mask M and a feature selector F; the optimization objective function of the graph interpretation module is
Figure FDA0003781792860000011
Figure FDA0003781792860000012
$X_S$ is the feature of node S that contributes most to the abnormal node Y, $G_S$ is the subgraph of node S that contributes most to the abnormal node Y, H() is the information entropy function, and MI() is the mutual information function;
5) Inputting the features of a user to be detected into the trained classification model to obtain a classification result; if the user is an abnormal node, using the graph mask M to obtain the nodes associated with the abnormal node from the classification model, using the feature selector F to obtain, among the features of each node of the classification model, the features most relevant to the abnormal node, and taking the associated nodes and associated features so obtained as the interpretation information of the abnormal node.
2. The method of claim 1, wherein the user characteristic information comprises characteristics of device usage, login characteristics, file usage characteristics, social characteristics, and browsing characteristics.
3. The method of claim 1, wherein user i is associated with user j when $A(i,j) > 0.5$.
4. The method of claim 1, wherein, using the mean-field variational approximation, the random graph variable
Figure FDA0003781792860000013
is decomposed as
Figure FDA0003781792860000014
where $A_s[j,k]$ represents the expected value of the existence of the edge $(v_j, v_k)$, $v_j$ is node j in the classification model, $v_k$ is node k in the classification model, $(v_j, v_k)$ is the edge connecting nodes j and k, and $G_C$ is the set of subgraphs.
5. The method of claim 1,
Figure FDA0003781792860000015
where
Figure FDA0003781792860000016
is the node features of $G_s$, and
Figure FDA0003781792860000017
is the node features that are not covered by the graph mask M.
CN202011590113.3A 2020-12-29 2020-12-29 Interpretable user behavior abnormity detection method Active CN112685272B (en)

Publications (2)

Publication Number Publication Date
CN112685272A CN112685272A (en) 2021-04-20
CN112685272B CN112685272B (en) 2022-10-14

Family

ID=75454861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011590113.3A Active CN112685272B (en) 2020-12-29 2020-12-29 Interpretable user behavior abnormity detection method

Country Status (1)

Country Link
CN (1) CN112685272B (en)

Also Published As

Publication number Publication date
CN112685272A (en) 2021-04-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant