CN114218283A - Abnormality detection method, apparatus, device, and medium - Google Patents


Info

Publication number
CN114218283A
Authority
CN
China
Prior art keywords
user
data
abnormal
preset
matching degree
Prior art date
Legal status
Pending
Application number
CN202111558094.0A
Other languages
Chinese (zh)
Inventor
朱孟祺
吴祥
池溢
张耀武
秦添
江超
危奇
刘志杰
Current Assignee
CCB Finetech Co Ltd
Original Assignee
CCB Finetech Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G06F16/24564 Applying rules; Deductive queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment; monitoring of user actions

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The disclosure provides an anomaly detection method, apparatus, device and medium, which can be applied in the field of big data technology and also in the field of finance. The anomaly detection method includes: acquiring log data of a user through a buried point (an instrumentation point embedded in the client), where the log data of the user includes user operation data; creating a streaming computing task that uses a database engine to query the feature data corresponding to a target field in the user operation data, where the target field is a field required to judge whether the user operation data conforms to a preset abnormal rule; when the feature data corresponding to the target field meets a preset condition, calculating the matching degree between the feature data and the preset abnormal rule; and determining the anomaly detection result information of the user according to the matching degree.

Description

Abnormality detection method, apparatus, device, and medium
Technical Field
The present disclosure relates to the field of big data technologies, and in particular, to a method, an apparatus, a device, a medium, and a program product for anomaly detection.
Background
As the financial business field expands, business scenarios become complex and the rules for anomaly detection differ from one scenario to another. Traditional anomaly detection mainly takes one of two forms. The first relies on manual analysis and detection, which not only consumes manpower and material resources but also cannot produce accurate detection results in time for complex and diverse business data. The second uses separate tools to perform acquisition, analysis and detection respectively; when complex events are processed, the response speed is low and the detection results carry a certain delay.
Disclosure of Invention
In view of the above, the present disclosure provides an abnormality detection method, apparatus, device, medium, and program product.
According to a first aspect of the present disclosure, there is provided an abnormality detection method including:
acquiring log data of a user through a buried point, wherein the log data of the user comprises user operation data;
creating a streaming computing task that utilizes a database engine to query the feature data corresponding to a target field in the user operation data, wherein the target field comprises a field required for judging whether the user operation data conforms to a preset abnormal rule;
under the condition that the feature data corresponding to the target field meets the preset condition, calculating the matching degree between the feature data and the preset abnormal rule; and
determining the anomaly detection result information of the user according to the matching degree.
According to the embodiment of the disclosure, determining the abnormal detection result information of the user according to the matching degree comprises the following steps:
determining that the abnormal detection result information of the user is abnormal when the matching degree is greater than or equal to a preset threshold;
and under the condition that the matching degree is smaller than a preset threshold value, determining that the abnormal detection result information of the user is normal.
According to an embodiment of the present disclosure, the above-mentioned abnormality detection method further includes: constructing a user portrait (profile) from the log data of the user under the condition that the anomaly detection result information of the user is abnormal.
According to the embodiment of the disclosure, calculating the matching degree between the feature data and the preset abnormal rule comprises the following steps: inputting the feature data into the abnormal rule matching model, and outputting result information representing the matching degree between the feature data and the preset abnormal rule.
According to an embodiment of the present disclosure, the above-mentioned abnormality detection method further includes:
acquiring a historical operation data set of an abnormal user;
and training a preset model by using the historical operation data set of the abnormal user to obtain an abnormal rule matching model.
According to an embodiment of the present disclosure, the above-mentioned abnormality detection method further includes:
acquiring log data of a plurality of users in a preset area through a buried point;
by creating a streaming computing task, querying feature data corresponding to a target field in user operation data of each user by using a database engine;
and constructing a risk control model of the preset area according to the characteristic data of the plurality of users, wherein the risk control model is used for evaluating the probability of abnormal users in the preset area.
A second aspect of the present disclosure provides an abnormality detection apparatus including: the device comprises a first acquisition module, a first query module, a calculation module and a first determination module. The first obtaining module is used for obtaining log data of a user through a buried point, wherein the log data of the user comprises user operation data. The first query module is used for querying one or more target fields in the user operation data by utilizing the database engine through creating a streaming computing task, wherein the target fields comprise fields required for judging whether the user operation data meet preset abnormal rules or not. And the calculating module is used for calculating the matching degree of the characteristic data and the preset abnormal rule under the condition that the characteristic data corresponding to the target field meets the preset condition. And the first determining module is used for determining the abnormal detection result information of the user according to the matching degree.
According to an embodiment of the present disclosure, the first determination module includes a first determination unit and a second determination unit. The first determining unit is used for determining that the abnormal detection result information of the user is abnormal when the matching degree is larger than or equal to a preset threshold value. And the second determining unit is used for determining that the abnormal detection result information of the user is normal under the condition that the matching degree is smaller than the preset threshold value.
According to the embodiment of the disclosure, the device further comprises a first constructing module, configured to construct the user portrait according to the log data of the user when the anomaly detection result information of the user is abnormal.
According to an embodiment of the present disclosure, a computing module includes a computing unit. And the computing unit is used for inputting the characteristic data into the abnormal rule matching model and outputting result information representing the matching degree of the characteristic data and the preset abnormal rule.
According to an embodiment of the present disclosure, the apparatus further includes a second obtaining module and a training module. And the second acquisition module is used for acquiring the historical operation data set of the abnormal user. And the training module is used for training the preset model by utilizing the historical operation data set of the abnormal user to obtain the abnormal rule matching model.
According to the embodiment of the disclosure, the device further comprises a third obtaining module, a second inquiring module and a second constructing module. The third obtaining module is used for obtaining log data of a plurality of users in a preset area through the buried point. And the second query module is used for querying the characteristic data corresponding to the target field in the user operation data of each user by utilizing the database engine through creating the streaming computing task. And the second building module is used for building a risk control model of the preset area according to the characteristic data of the plurality of users, wherein the risk control model is used for evaluating the probability of abnormal users in the preset area.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described anomaly detection method.
The fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described anomaly detection method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described anomaly detection method.
According to the embodiment of the disclosure, the technical means adopted are: creating a streaming computing task, querying the feature data corresponding to a target field in the user operation data with a database engine, calculating the matching degree between the feature data and a preset abnormal rule under the condition that the feature data corresponding to the target field meets a preset condition, and determining the anomaly detection result information of the user according to the matching degree. Compared with the related art, querying the feature data through streaming computation improves the data response speed, and performing the matching calculation only when the feature data meets the preset condition reduces the amount of data subjected to invalid matching calculation, so the method is suitable for anomaly detection in complex scenarios.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario diagram of an anomaly detection method, apparatus, device, medium and program product according to embodiments of the present disclosure;
FIG. 2 schematically illustrates a flow chart of an anomaly detection method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a logic block diagram of an anomaly detection method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a method of constructing a risk assessment model according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates an application example system framework diagram of an anomaly detection method according to an embodiment of the present disclosure;
fig. 6 schematically shows a block diagram of the structure of an abnormality detection apparatus according to an embodiment of the present disclosure; and
fig. 7 schematically shows a block diagram of an electronic device adapted to implement an anomaly detection method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
It should be noted that the anomaly detection method and apparatus of the present disclosure can be used in the field of big data technology and the financial field, and can also be used in any field other than the financial field.
In the technical scheme of the disclosure, the acquisition, storage, application and so on of the personal information of the users involved all comply with the provisions of the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
In the technical scheme of the disclosure, before the personal information of the user is acquired or collected, the authorization or the consent of the user is acquired.
The embodiment of the disclosure provides an anomaly detection method that adopts the following technical means: creating a streaming computing task, querying the feature data corresponding to a target field in the user operation data with a database engine, calculating the matching degree between the feature data and a preset abnormal rule under the condition that the feature data corresponding to the target field meets a preset condition, and determining the anomaly detection result information of the user according to the matching degree.
Fig. 1 schematically illustrates an application scenario of anomaly detection according to an embodiment of the present disclosure.
As shown in fig. 1, the application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the anomaly detection method provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the abnormality detection apparatus provided by the embodiment of the present disclosure may be generally disposed in the server 105. The anomaly detection method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the abnormality detection apparatus provided in the embodiment of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The abnormality detection method of the disclosed embodiment will be described in detail below with reference to fig. 2 to 5 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flow chart of an anomaly detection method according to an embodiment of the present disclosure.
As shown in fig. 2, the abnormality detection method of this embodiment includes operations S210 to S240.
In operation S210, log data of a user is acquired through a buried point, wherein the log data of the user includes user operation data.
According to the embodiment of the disclosure, log data of a user can be collected through a buried point (instrumentation point) placed in a terminal such as a mobile phone application, a web page or a POS machine. The log data of the user is desensitized to obtain the user operation data. The user operation data may include login operation data, transaction operation data, and the like.
In operation S220, by creating a streaming computation task, a database engine is used to query feature data corresponding to a target field in user operation data, where the target field includes a field required for determining whether the user operation data conforms to a preset exception rule.
According to the embodiment of the disclosure, an SQL (Structured Query Language) database query engine may be used to query the feature data corresponding to the target field in the user operation data. For example, the preset abnormal rule may be that a user frequently logs in from different places within 24 hours: if the number of logins exceeds 10 or the number of login places exceeds 5, the user is determined to be an abnormal user. The feature data corresponding to the target field may then include login operation time data and login operation place data.
In operation S230, in the case where the feature data corresponding to the target field satisfies a preset condition, a matching degree of the feature data with a preset abnormal rule is calculated.
According to an embodiment of the present disclosure, for example: the preset condition may be that the feature data corresponding to the target field is not null, which indicates that the target field has the feature data required for determining whether the user operation data meets the preset abnormal rule. For example: in the user operation data of the user A, the inquired login operation time data of the user A are respectively as follows: 8:00 on 1 st 9 th month, 10:00 on 1 st 9 th month, 12:00 on 1 st 9 th month, and 16:00 on 2 nd 9 th month. The user a logs in 3 times and logs in 2 places within 24 hours. And calculating the matching degree of the characteristic data and the preset abnormal rule to be 0.
In operation S240, abnormality detection result information of the user is determined according to the matching degree.
According to an embodiment of the present disclosure, for example: according to the matching degree of 0, the abnormal detection result information of the user can be determined to be that the user A is a normal user.
According to the embodiment of the disclosure, the technical means adopted are: creating a streaming computing task, querying the feature data corresponding to a target field in the user operation data with a database engine, calculating the matching degree between the feature data and a preset abnormal rule under the condition that the feature data corresponding to the target field meets a preset condition, and determining the anomaly detection result information of the user according to the matching degree. Compared with the related art, querying the feature data through streaming computation improves the data response speed, and performing the matching calculation only when the feature data meets the preset condition reduces the amount of data subjected to invalid matching calculation, so the method is suitable for anomaly detection in complex scenarios.
According to the embodiment of the disclosure, determining the abnormal detection result information of the user according to the matching degree comprises the following steps:
determining that the abnormal detection result information of the user is abnormal when the matching degree is greater than or equal to a preset threshold;
and under the condition that the matching degree is smaller than a preset threshold value, determining that the abnormal detection result information of the user is normal.
According to an embodiment of the present disclosure, for example: the preset threshold value may be set to 1, and according to the feature data of the user a, the matching degree between the feature data of the user a obtained through stream type calculation and the preset abnormal rule is 0.8, and if the matching degree is smaller than the preset threshold value, it may be determined that the abnormal detection result information of the user a is normal for the user. According to the feature data of the user B, the matching degree of the feature data of the user B obtained through stream type calculation and the preset abnormal rule is 1.2, and if the matching degree is larger than a preset threshold value, the abnormal detection result information of the user B can be determined to be abnormal.
According to the embodiment of the disclosure, the abnormal detection result of the user is determined by comparing the matching degree with the preset threshold, and the response speed of the abnormal detection and the output speed of the detection result are improved.
According to an embodiment of the present disclosure, the above-mentioned abnormality detection method further includes: constructing a user portrait from the log data of the user under the condition that the anomaly detection result information of the user is abnormal.
According to an embodiment of the present disclosure, for example, if the anomaly detection result information of user A is abnormal, a user portrait can be constructed from the collected user operation data of user A, so that other users who may be abnormal can be screened against this user portrait.
According to the embodiment of the disclosure, the user portrait is constructed from the log data of abnormal users; users who may be abnormal can then be screened according to the user portrait, anomaly detection is performed in a targeted manner, and the detection speed is increased.
According to the embodiment of the disclosure, calculating the matching degree between the feature data and the preset abnormal rule comprises the following steps: inputting the feature data into the abnormal rule matching model, and outputting result information representing the matching degree between the feature data and the preset abnormal rule.
According to an embodiment of the present disclosure, a CEP (Complex Event Processing) module may be employed as the abnormal rule matching model. For example, the preset abnormal rule may be that the number of transactions per day on a single bank card exceeds the single-day limit. The feature data may be transaction operation time data, user identification data and transaction limit data; these are input into the abnormal rule matching model, which outputs result information representing the matching degree between the feature data and the preset abnormal rule.
According to an embodiment of the present disclosure, for example, the limit for a single bank card is 3 transactions per day, and the operation data of user A is as follows: user A makes one transaction of 100 yuan at 10:00 on 5 October, one transaction of 5000 yuan at 14:15 on 5 October, one transaction of 2000 yuan at 21:00 on 5 October, and one transaction of 400 yuan at 23:00 on 5 October. The feature data that can be queried from this operation data is: transaction operation time data of 10:00, 14:15, 21:00 and 23:00 on 5 October; user identification data, which may be the desensitized bank card identifier of user A; and transaction limit data of 3.
According to the embodiment of the disclosure, when this feature data is input into the abnormal rule matching model, the output matching degree is 1, indicating that the feature data conforms to the preset abnormal rule.
According to the embodiment of the disclosure, the matching degree of the characteristic data and the preset abnormal rule is calculated through the abnormal rule matching model, and the accuracy of the calculation result can be improved.
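The following is an added example, not code from the patent or from CCB Finetech: a small Python simulation of operations S210 to S240 for the 24-hour login rule above and of the daily transaction-count rule of the CEP section. It assumes an in-memory sqlite3 table standing in for the streaming SQL query engine, constructed desensitized sample events, and (since the patent gives sample values but no formula) a matching degree of observed count divided by (limit + 1), so that a degree of 1.0 is the first count that exceeds the limit.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed, desensitized sample events (assumption: already collected through
# the buried point and desensitized; identifiers and dates are made up).
LOGIN_EVENTS = [  # (user_id, login time, login place)
    ("userA", "2021-09-01 08:00", "placeX"),
    ("userA", "2021-09-01 10:00", "placeX"),
    ("userA", "2021-09-01 12:00", "placeY"),
    ("userA", "2021-09-02 16:00", "placeX"),
]
TX_EVENTS = [  # (desensitized card_id, transaction time, amount in yuan)
    ("cardA", "2021-10-05 10:00", 100),
    ("cardA", "2021-10-05 14:15", 5000),
    ("cardA", "2021-10-05 21:00", 2000),
    ("cardA", "2021-10-05 23:00", 400),
]

# Preset abnormal rules taken from the patent's examples.
LOGIN_RULE = {"window_hours": 24, "max_logins": 10, "max_places": 5}
TX_RULE = {"max_tx_per_day": 3}
THRESHOLD = 1.0  # preset threshold from the patent's example


def load_db():
    """Stand-in for the streaming SQL engine: load events into sqlite3."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login(user TEXT, ts TEXT, place TEXT)")
    db.execute("CREATE TABLE tx(card TEXT, ts TEXT, amount INTEGER)")
    db.executemany("INSERT INTO login VALUES (?, ?, ?)", LOGIN_EVENTS)
    db.executemany("INSERT INTO tx VALUES (?, ?, ?)", TX_EVENTS)
    return db


def query_login_features(db, user):
    """S220: query the target fields (login time, login place) for one user."""
    rows = db.execute(
        "SELECT ts, place FROM login WHERE user = ? ORDER BY ts", (user,)
    ).fetchall()
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), place) for ts, place in rows]


def query_tx_features(db, card):
    """Target fields for the CEP rule: transaction times of one card."""
    rows = db.execute("SELECT ts FROM tx WHERE card = ? ORDER BY ts", (card,)).fetchall()
    return [datetime.strptime(ts, "%Y-%m-%d %H:%M") for (ts,) in rows]


def login_matching_degree(features, rule=LOGIN_RULE):
    """S230 for the login rule: slide a 24 h window over the sorted logins and
    take the largest count/(limit+1) ratio over both sub-conditions.
    Returns None when the preset condition (non-null feature data) fails."""
    if not features:
        return None
    window = timedelta(hours=rule["window_hours"])
    degree = 0.0
    for i, (start, _) in enumerate(features):
        in_window = [(t, p) for t, p in features[i:] if t - start <= window]
        logins = len(in_window)
        places = len({p for _, p in in_window})
        degree = max(
            degree,
            logins / (rule["max_logins"] + 1),
            places / (rule["max_places"] + 1),
        )
    return degree


def tx_matching_degree(times, rule=TX_RULE):
    """CEP rule: transactions per calendar day on one card exceed the limit."""
    if not times:
        return None
    per_day = {}
    for t in times:
        per_day[t.date()] = per_day.get(t.date(), 0) + 1
    return max(per_day.values()) / (rule["max_tx_per_day"] + 1)


def detect(degree, threshold=THRESHOLD):
    """S240: compare the matching degree with the preset threshold.
    A None degree means the precondition failed and no matching was computed
    (the S330 -> S370 path: the record is stored, not scored)."""
    if degree is None:
        return "skipped"
    return "abnormal" if degree >= threshold else "normal"


def run_demo():
    """Run both rules on the sample data and return the decisions."""
    db = load_db()
    login_deg = login_matching_degree(query_login_features(db, "userA"))
    tx_deg = tx_matching_degree(query_tx_features(db, "cardA"))
    missing_deg = login_matching_degree(query_login_features(db, "userZ"))
    return {
        "login": (login_deg, detect(login_deg)),        # 3 logins / 2 places: normal
        "tx": (tx_deg, detect(tx_deg)),                 # 4 tx vs limit 3: abnormal
        "missing": (missing_deg, detect(missing_deg)),  # no feature data: skipped
    }


if __name__ == "__main__":
    for name, (degree, verdict) in run_demo().items():
        print(f"{name}: degree={degree} -> {verdict}")
```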
According to an embodiment of the present disclosure, the above-mentioned abnormality detection method further includes: acquiring a historical operation data set of an abnormal user; and training a preset model by using the historical operation data set of the abnormal user to obtain an abnormal rule matching model.
According to an embodiment of the present disclosure, for example: the user a is an abnormal user, and the historical operation data set of the user may be obtained, and may include a login operation data set, a transaction operation data set, and the like of the user a. The preset model can be trained by using the login operation data set and the transaction operation data set of the user A aiming at different preset abnormal rules, so that an abnormal rule matching model is obtained.
According to the embodiment of the disclosure, the preset model is trained through the historical operation data set of the abnormal user to obtain the abnormal rule matching model, the abnormal rule matching model is used for calculating the matching degree of the feature data inquired from the operation data of the user and the preset abnormal rule, and the accuracy of the calculation result can be improved.
FIG. 3 schematically illustrates a logic block diagram of an anomaly detection method according to an embodiment of the present disclosure.
As shown in fig. 3, this embodiment includes operations S310 to S370.
In operation S310, log data of a user is acquired through a buried point, wherein the log data of the user includes user operation data.
In operation S320, the SQL database query engine is used to query the feature data corresponding to the target field in the user operation data by creating a streaming computing task.
In operation S330, it is determined whether the feature data corresponding to the target field meets a preset condition, where the preset condition may be that the feature data corresponding to the target field is not empty, which indicates that the user operation data includes the feature data required to determine whether the user operation data meets a preset abnormal rule. If the preset condition is satisfied, operation S340 is performed; if the preset condition is not satisfied, operation S370 is performed.
in operation S340, a matching degree of the feature data with a preset abnormal rule is calculated.
In operation S350, the anomaly detection result information of the user is determined according to the matching degree. If the anomaly detection result information of the user is determined to be abnormal, operation S360 is performed; if it is determined to be normal, operation S370 is performed.
In operation S360, a user portrait is constructed from the log data of the abnormal user.
In operation S370, the feature data and the abnormality detection result information of the user are stored in a database for construction and query of a risk assessment model.
FIG. 4 schematically shows a flowchart of a method of constructing a risk assessment model according to an embodiment of the present disclosure.
As shown in fig. 4, this embodiment includes: operations S410 to S430.
In operation S410, log data of a plurality of users within a preset area is acquired through a buried point.
According to the embodiment of the disclosure, log data of 100 users in a first area can be collected through buried points arranged on terminal devices such as a mobile phone application, a web page, or a POS machine. The log data of each user is desensitized to obtain user operation data. The user operation data may include login operation data, transaction operation data, and the like.
In operation S420, by creating a streaming calculation task, the database engine is used to query feature data corresponding to the target field in the user operation data of each user.
According to the embodiment of the disclosure, the database engine may be used to query feature data corresponding to the target field in the user operation data of each user, such as login operation frequency data, login operation time data, user identification data, transaction operation frequency data, transaction operation time data, transaction operation amount data, and the like.
In operation S430, a risk control model of a preset area is constructed according to feature data of a plurality of users, where the risk control model is used to evaluate the probability of abnormal users in the preset area.
According to an embodiment of the present disclosure, for example: according to the characteristic data of 100 users in the area A, a risk control model of the area A can be constructed. The method is used for evaluating the probability of abnormal users in the preset area.
Fig. 5 schematically illustrates an application example system framework diagram of an anomaly detection method according to an embodiment of the present disclosure.
As shown in FIG. 5, the application exemplary system 500 of this embodiment includes a data collection subsystem 510, a streaming task platform 520, and a presentation subsystem 530.
According to the embodiment of the present disclosure, the data collection subsystem 510 mainly collects the log data of users through buried points arranged on terminal devices such as a mobile phone application, a web page, or a POS machine.
According to an embodiment of the present disclosure, the streaming task platform 520 may include an SQL database query engine module 521, a streaming task management module 522, a CEP exception rule processing module 523, a visualization interface operation module 524, a data analysis and query module 525, and a metadata management module 526. The anomaly detection method of the disclosed embodiments may be performed on streaming task platform 520.
According to an embodiment of the present disclosure, the SQL database query engine module 521 may be configured to create a source table, create a destination table, query and insert data, and the like. The collected user log data is cleaned and sent to Kafka as standard data, which serves as the source table; feature data of the target field is queried from it through Flink SQL according to the preset exception rule, and the queried feature data is written into the destination table.
According to an embodiment of the present disclosure, the streaming task management module 522 is used to create, start, stop, and modify streaming computing tasks. The streaming computing tasks in the disclosed embodiments run on a Hadoop YARN (Yet Another Resource Negotiator) cluster resource manager.
According to an embodiment of the present disclosure, the CEP exception rule processing module 523 may be configured to calculate a matching degree between the feature data and a preset exception rule.
According to an embodiment of the present disclosure, the visual interface operation module 524 may be used for viewing, starting, and stopping the distributed real-time computing task status.
According to an embodiment of the present disclosure, the data analysis and query module 525 may be configured to load the feature data queried by the SQL database query engine into the StarRocks database, so that the data can be queried and a risk control model can be constructed using the feature data.
According to an embodiment of the present disclosure, the metadata management module 526 may be used to manage metadata in the streaming task platform 520.
According to an embodiment of the present disclosure, presentation subsystem 530 includes a visualization module 531 that may be used to present the feature data of the anomalous user and the user representation that was constructed using the log data of the anomalous user.
According to the embodiment of the present disclosure, the exemplary system 500 based on the streaming task platform implements anomaly detection and analysis on the feature data of the user through the SQL database query engine module 521 and the CEP anomaly rule processing module 523, and has the technical effects of low latency, low code, and the capability of handling complex business scenarios. By feeding the feature data queried by the SQL database query engine module 521 into the data analysis and query module 525, data analysis and query tools are unified, the query speed is improved, and the limitation of wide-table queries in the related technology is overcome.
Based on the anomaly detection method, the disclosure also provides an anomaly detection device. The apparatus will be described in detail below with reference to fig. 6.
Fig. 6 schematically shows a block diagram of the structure of an abnormality detection apparatus according to an embodiment of the present disclosure.
As shown in fig. 6, the abnormality detection apparatus 600 of this embodiment includes a first acquisition module 610, a first query module 620, a calculation module 630, and a first determination module 640.
The first obtaining module 610 is configured to obtain log data of a user through a buried point, where the log data of the user includes user operation data. In an embodiment, the first obtaining module 610 may be configured to perform the operation S210 described above, which is not described herein again.
The first query module 620 is configured to query, by using the database engine, one or more target fields in the user operation data by creating a streaming computation task, where the target fields include fields required for determining whether the user operation data conforms to a preset exception rule. In an embodiment, the first query module 620 may be configured to perform the operation S220 described above, which is not described herein again.
The calculating module 630 is configured to calculate a matching degree between the feature data and a preset abnormal rule when the feature data corresponding to the target field meets a preset condition. In an embodiment, the calculating module 630 may be configured to perform the operation S230 described above, which is not described herein again.
The first determining module 640 is configured to determine the anomaly detection result information of the user according to the matching degree. In an embodiment, the first determining module 640 may be configured to perform the operation S240 described above, which is not described herein again.
According to an embodiment of the present disclosure, the first determining module 640 includes a first determining unit and a second determining unit. The first determining unit is used for determining that the abnormal detection result information of the user is abnormal when the matching degree is larger than or equal to a preset threshold value. And the second determining unit is used for determining that the abnormal detection result information of the user is normal under the condition that the matching degree is smaller than the preset threshold value.
According to an embodiment of the present disclosure, the apparatus 600 further includes a first constructing module, configured to construct the user representation according to log data of the user when the anomaly detection result information of the user is an anomaly of the user.
According to an embodiment of the present disclosure, the calculation module 630 comprises a calculation unit. And the computing unit is used for inputting the characteristic data into the abnormal rule matching model and outputting result information representing the matching degree of the characteristic data and the preset abnormal rule.
According to an embodiment of the present disclosure, the apparatus 600 further includes a second obtaining module and a training module. And the second acquisition module is used for acquiring the historical operation data set of the abnormal user. And the training module is used for training the preset model by utilizing the historical operation data set of the abnormal user to obtain the abnormal rule matching model.
According to an embodiment of the present disclosure, the apparatus 600 further includes a third obtaining module, a second querying module, and a second constructing module. The third obtaining module is used for obtaining log data of a plurality of users in a preset area through the buried point. And the second query module is used for querying the characteristic data corresponding to the target field in the user operation data of each user by utilizing the database engine through creating the streaming computing task. And the second building module is used for building a risk control model of the preset area according to the characteristic data of the plurality of users, wherein the risk control model is used for evaluating the probability of abnormal users in the preset area.
According to an embodiment of the present disclosure, any plurality of the first obtaining module 610, the first querying module 620, the calculating module 630, and the first determining module 640 may be combined and implemented in one module, or any one of the modules may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the first obtaining module 610, the first querying module 620, the calculating module 630 and the first determining module 640 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware and firmware, or implemented by a suitable combination of any of them. Alternatively, at least one of the first obtaining module 610, the first querying module 620, the calculating module 630 and the first determining module 640 may be at least partially implemented as a computer program module, which when executed, may perform a corresponding function.
Fig. 7 schematically shows a block diagram of an electronic device adapted to implement an anomaly detection method according to an embodiment of the present disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. The processor 701 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. It is noted that the programs may also be stored in one or more memories other than the ROM 702 and RAM 703. The processor 701 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Electronic device 700 may also include input/output (I/O) interface 705, which input/output (I/O) interface 705 is also connected to bus 704, according to an embodiment of the present disclosure. The electronic device 700 may also include one or more of the following components connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 702 and/or the RAM 703 and/or one or more memories other than the ROM 702 and the RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the abnormality detection method provided by the embodiment of the present disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 701. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by the processor 701, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. An anomaly detection method comprising:
acquiring log data of a user through a buried point, wherein the log data of the user comprises user operation data;
by creating a streaming computing task, utilizing a database engine to inquire feature data corresponding to a target field in the user operation data, wherein the target field comprises a field required for judging whether the user operation data conforms to a preset abnormal rule;
under the condition that the feature data corresponding to the target field meet a preset condition, calculating the matching degree of the feature data and the preset abnormal rule; and
and determining the abnormal detection result information of the user according to the matching degree.
2. The method of claim 1, wherein the determining the user's anomaly detection result information according to the matching degree comprises:
determining that the abnormality detection result information of the user is a user abnormality under the condition that the matching degree is greater than or equal to a preset threshold value;
and determining that the abnormality detection result information of the user is normal under the condition that the matching degree is smaller than the preset threshold value.
3. The method of claim 2, further comprising:
and constructing a user portrait according to the log data of the user under the condition that the abnormality detection result information of the user is a user abnormality.
4. The method according to claim 1, wherein the calculating the matching degree of the feature data and the preset abnormal rule comprises:
and inputting the characteristic data into an abnormal rule matching model, and outputting result information representing the matching degree of the characteristic data and the preset abnormal rule.
5. The method of claim 4, further comprising:
acquiring a historical operation data set of an abnormal user;
and training a preset model by using the historical operation data set of the abnormal user to obtain the abnormal rule matching model.
6. The method of claim 1, further comprising:
acquiring log data of a plurality of users in a preset area through a buried point;
querying feature data corresponding to the target field in the user operation data of each user by utilizing a database engine through creating the streaming computing task;
and constructing a risk control model of the preset area according to the characteristic data of a plurality of users, wherein the risk control model is used for evaluating the probability of abnormal users in the preset area.
7. An abnormality detection device comprising:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring log data of a user through a buried point, and the log data of the user comprises user operation data;
the first query module is used for querying one or more target fields in the user operation data by utilizing a database engine through creating a streaming computing task, wherein the target fields comprise fields required for judging whether the user operation data meet preset abnormal rules or not;
the calculation module is used for calculating the matching degree of the feature data and the preset abnormal rule under the condition that the feature data corresponding to the target field meets a preset condition; and
and the first determining module is used for determining the abnormal detection result information of the user according to the matching degree.
8. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-6.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 6.
10. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111558094.0A CN114218283A (en) 2021-12-17 2021-12-17 Abnormality detection method, apparatus, device, and medium

Publications (1)

Publication Number Publication Date
CN114218283A true CN114218283A (en) 2022-03-22

Family

ID=80704158

Country Status (1)

Country Link
CN (1) CN114218283A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115374443A (en) * 2022-10-24 2022-11-22 北京智芯微电子科技有限公司 Method and device for detecting file tampering, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination