CN116861976A - Training method, device, equipment and storage medium of anomaly detection model

Training method, device, equipment and storage medium of anomaly detection model

Info

Publication number
CN116861976A
CN116861976A
Authority
CN
China
Prior art keywords: sample, training, anomaly detection, training sample, detection model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310652219.9A
Other languages
Chinese (zh)
Inventor
魏政
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202310652219.9A
Publication of CN116861976A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/08 Learning methods
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/22 Matching criteria, e.g. proximity measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/0464 Convolutional networks [CNN, ConvNet]


Abstract

The application discloses a training method, apparatus, device, and storage medium for an anomaly detection model. A training sample group comprising historical behavior sequences corresponding to a plurality of sample accounts is determined, and the label of the training sample group is determined according to a first correlation between the exception handling policies historically executed on the sample accounts corresponding to the group. Anomaly detection results corresponding to the sample accounts in the group are then obtained through the anomaly detection model to be trained, and the model is trained according to the similarity between those detection results and the label of the group. In this way, the first correlation between the exception handling policies executed on the sample accounts guides the training of the anomaly detection model, so the trained model can accurately identify abnormal accounts and the accuracy of anomaly detection is guaranteed.

Description

Training method, device, equipment and storage medium of anomaly detection model
Technical Field
The present application relates to the field of computer technologies, and in particular, to a training method, apparatus, device, and storage medium for an anomaly detection model.
Background
With the development of computer technology and growing attention to personal privacy, a common service execution mode at present is to perform anomaly detection on the account a user uses to execute a service, and to execute the service according to the detection result.
Generally, detecting an anomaly in a user's account requires determining the historical behavior sequence corresponding to the account and inputting that sequence into an anomaly detection model, to obtain the anomaly detection result output by the model. The anomaly detection result is used to characterize whether the account is abnormal.
Based on the above, the application provides a training method of an abnormality detection model.
Disclosure of Invention
The application provides a training method, device, equipment and storage medium of an anomaly detection model, to at least partially solve the problems existing in the prior art.
The application adopts the following technical scheme:
the application provides a training method of an abnormality detection model, which comprises the following steps:
acquiring historical behavior sequences corresponding to a plurality of sample accounts respectively, and respectively combining the historical behavior sequences to determine each training sample group;
determining, for each training sample group, a label of the training sample group according to a first correlation between exception handling policies historically performed on sample accounts corresponding to the training sample group, where the label is used to characterize a similarity between sample accounts corresponding to the training sample group;
inputting the training sample group into an anomaly detection model to be trained, and obtaining anomaly detection results which are output by the anomaly detection model and correspond to each sample account corresponding to the training sample group;
and training the anomaly detection model according to the similarity between the anomaly detection results of the sample accounts corresponding to the training sample group and the labels of the training sample group.
The application provides a training device of an abnormality detection model, which comprises:
the acquisition module is used for acquiring historical behavior sequences corresponding to the sample accounts respectively, and combining the historical behavior sequences respectively to determine each training sample group;
the first determining module is used for determining labels of each training sample group according to first correlation among anomaly processing strategies executed on each sample account corresponding to the training sample group in history, wherein the labels are used for representing the similarity among the sample accounts corresponding to the training sample group;
the second determining module is used for inputting the training sample group into an anomaly detection model to be trained, to obtain anomaly detection results which are output by the anomaly detection model and respectively correspond to all sample accounts corresponding to the training sample group;
and the training module is used for training the anomaly detection model according to the similarity between the anomaly detection results of the sample accounts corresponding to the training sample group and the labels of the training sample group.
The present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the training method of the anomaly detection model described above.
The application provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the training method of the abnormality detection model when executing the program.
The technical solutions adopted by the present application can achieve at least the following beneficial effects:
determining a training sample group comprising historical behavior sequences corresponding to a plurality of sample accounts respectively; determining the label of the training sample group according to the first correlation between the exception handling policies historically executed on the sample accounts corresponding to the group; obtaining, through the anomaly detection model to be trained, anomaly detection results corresponding to the sample accounts in the group respectively; and training the anomaly detection model according to the similarity between those anomaly detection results and the label of the group.
In this way, the first correlation between the exception handling policies executed on the sample accounts corresponding to the training sample group guides the training of the anomaly detection model. The trained anomaly detection model can accurately identify abnormal accounts, guaranteeing the accuracy of anomaly detection.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of a training method of an anomaly detection model in the present application;
FIG. 2 is a flow chart of a training method of an anomaly detection model according to the present application;
FIG. 3 is a schematic diagram of a training device for an anomaly detection model according to the present application;
fig. 4 is a schematic diagram of an electronic device corresponding to fig. 1 provided in the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In addition, it should be noted that, in the present application, all actions of acquiring signals, information or data are performed under the condition of conforming to the corresponding data protection rule policy of the location and obtaining the authorization given by the owner of the corresponding device.
With the development of computer technology and growing attention to personal privacy, it has become a common service execution mode to perform anomaly detection on the account a user uses during service execution, and to execute the service according to the detection result. In the anomaly detection process, it is generally necessary to determine the historical behavior sequence corresponding to the account and input it into a pre-trained anomaly detection model to obtain the anomaly detection result output by the model, so that the service can be executed according to that result.
At present, when training an anomaly detection model, training samples can be determined and the model trained only based on the anomaly type corresponding to an account. Taking a sample account that is a gray account as an example, if the sample account is used as a training sample, the training sample is labeled as a gray account or an abnormal account. As a result, the trained anomaly detection model can only distinguish the anomaly type corresponding to an account. In general, whether an account is a gray account or a black account, its possible historical behavior sequences are varied, and it often happens that several similar historical behavior sequences correspond to a gray account, a black account, and a normal account respectively, so the accuracy of the anomaly detection model obtained by such training is low.
In this scenario, how to train to obtain a more accurate anomaly detection model has become one of the problems to be solved at present.
Based on this, the present application provides a training method for an anomaly detection model that does not directly use the anomaly type corresponding to a sample account as the label of a training sample, but instead uses the exception handling policy corresponding to the sample account to guide the training of the anomaly detection model. The advantage of this training method is that the trained anomaly detection model can learn both the features corresponding to a sample account and the features corresponding to the exception handling policy executed on it, which guarantees the accuracy of the trained model.
The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
Fig. 1 is a flow chart of a training method of an anomaly detection model provided by the application.
S100: and acquiring historical behavior sequences corresponding to the sample accounts respectively, and respectively combining the historical behavior sequences to determine each training sample group.
The embodiment of the application provides a training method of an abnormality detection model, and the execution process of the training method of the abnormality detection model can be executed by electronic equipment such as a server for executing an abnormality detection service or a server for carrying out model training. For convenience of description, the training method of the anomaly detection model provided by the application is described in detail below with only the server as the execution subject.
In the embodiment of the present application, the training process of the anomaly detection model can be divided into three stages: a sample determination stage, a sample processing stage, and a training stage. As mentioned above, the present application can use the exception handling policy corresponding to a sample account to guide the training of the anomaly detection model. However, an exception handling policy contains rich information, there are thousands of corresponding handling types that are difficult to divide directly into simple categories, and multiple exception handling policies may correspond to similar semantics. It is therefore not appropriate to train the anomaly detection model with the exception handling policy used directly as the label of a training sample.
Based on this, a training sample group comprising the historical behavior sequences of a plurality of sample accounts is determined, and the similarity between the exception handling policies historically executed on the sample accounts in the group is used as the label of the group, so that the anomaly detection model can be trained according to the training sample group and its label.
In the sample determination stage, the server may determine training sample groups, each comprising the historical behavior sequences of a plurality of sample accounts.
Specifically, the server may determine, from the pre-stored historical behavior sequences corresponding to the accounts, combinations of the historical behavior sequences corresponding to a specified number of sample accounts, and take each combination as a training sample group. The sample accounts and the historical behavior sequences are in one-to-one correspondence, that is, each sample account has a corresponding historical behavior sequence.
A sample account may be an account used by a user when historically executing a service. The historical behavior sequence corresponding to the sample account may be the user operations monitored after the user initiates a specified service, where the specified service may be the most recently executed service or a specified type of service such as a payment service. The monitored user operations may include clicks and long presses on controls, the track along which the user slides on the screen, the positions where the user taps the screen, and so on. Of course, the historical behavior sequence may also be a vector or feature determined from the operations performed by the user. How the historical behavior sequence is determined and its specific form can be set as required, and the present application is not limited thereto.
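As an illustration only (not part of the patent disclosure), the following Python sketch shows one way the combination step above could look. The function name, account identifiers, and the integer encoding of operations are hypothetical assumptions.

```python
# Illustrative sketch: grouping per-account historical behavior sequences
# into training sample groups of a specified size. Names are hypothetical.
from itertools import combinations

def build_training_sample_groups(sequences_by_account, group_size=2):
    """sequences_by_account maps each sample account id to its historical
    behavior sequence (e.g. a list of encoded user operations)."""
    return [
        {aid: sequences_by_account[aid] for aid in account_ids}
        for account_ids in combinations(sequences_by_account, group_size)
    ]

groups = build_training_sample_groups(
    {"acct_1": [3, 17, 5], "acct_2": [3, 17, 9], "acct_3": [8, 1, 1]},
)
# -> three two-account groups: (acct_1, acct_2), (acct_1, acct_3), (acct_2, acct_3)
```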
S102: for each training sample group, determining labels of the training sample group according to first correlation among anomaly processing strategies which are historically executed on the sample accounts corresponding to the training sample group, wherein the labels are used for representing similarity among the sample accounts corresponding to the training sample group.
In one or more embodiments of the present application, as described above, the training method determines a training sample group comprising the historical behavior sequences of a plurality of sample accounts, and uses the similarity between the exception handling policies historically executed on the sample accounts in the group as the label of the group, thereby obtaining training sample groups and their labels for training the anomaly detection model. Based on this, the server may determine the label of each training sample group.
Specifically, the server may determine, for each training sample group, an exception handling policy historically performed on each sample account corresponding to the training sample group as each specified policy.
Then, for each sample account, the server may determine a first correlation between the exception handling policy corresponding to that sample account and the exception handling policies of the other sample accounts in the training sample group to which it belongs. The first correlation may be determined as the similarity between the first policy features obtained by feature extraction from the respective exception handling policies, or directly according to the words and sentence patterns shared by those policies. How the first correlation is determined can be set as required.
Finally, after determining the first correlation, the server may directly use the first correlation as a label of the training sample set.
Of course, since a training sample group may contain the historical behavior sequences of more than two sample accounts, a plurality of first correlations may be determined. The server may use each first correlation directly as the label of the training sample group, or may determine a metric such as the mean or median of the first correlations as the label.
How to determine the label of the training sample group from the first correlations, and the specific type of metric the label corresponds to, can be set as required, and the present application is not limited thereto.
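As an illustration only, the following sketch computes a group label under one of the options above: policy features are assumed to already be extracted as vectors, the first correlation is taken to be cosine similarity, and the mean of the pairwise first correlations serves as the label. These are assumptions for illustration, not the patent's fixed choices.

```python
# Illustrative sketch: label of a training sample group as the mean of
# pairwise first correlations (cosine similarity) between policy features.
import numpy as np

def cosine_similarity(a, b):
    return float(np.dot(a, b) / (np.linalg.norm(a) * np.linalg.norm(b)))

def group_label(policy_features):
    """policy_features: one feature vector per exception handling policy
    historically executed on a sample account in the group."""
    sims = [cosine_similarity(a, b)
            for i, a in enumerate(policy_features)
            for b in policy_features[i + 1:]]
    return float(np.mean(sims))  # mean of pairwise first correlations
```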
S104: and inputting the training sample group into an anomaly detection model to be trained, and obtaining anomaly detection results which are output by the anomaly detection model and correspond to each sample account corresponding to the training sample group.
In one or more embodiments of the present application, after determining the training sample, the training method of the anomaly detection model may process the training sample, and then train the anomaly detection model based on the processing result of the training sample.
Specifically, the server may input, for each sample account corresponding to the training sample set, a historical behavior sequence corresponding to the sample account as an input to an anomaly detection model to be trained.
Thus, the server can obtain the abnormality detection results corresponding to the sample accounts corresponding to the training sample group output by the abnormality detection model. The anomaly detection result may be an anomaly type corresponding to each sample account, or may be an anomaly processing policy corresponding to each sample account.
S106: and training the anomaly detection model according to the similarity between the anomaly detection results of the sample accounts corresponding to the training sample group and the labels of the training sample group.
In one or more embodiments of the present application, the server may train the anomaly detection model after processing training samples.
Specifically, the server may determine, for each training sample group, an anomaly detection result of each sample account corresponding to the training sample group.
Then, the server can determine the similarity between the anomaly detection results of the sample accounts corresponding to the training sample group. Similar to the first correlation between the exception handling policies executed on the sample accounts, this similarity may be determined from anomaly features obtained by feature extraction from the detection results, or directly according to whether the detection results belong to the same anomaly type, contain the same keywords, and so on. How to determine the similarity between the anomaly detection results can be set as required, and the present application is not limited thereto.
Finally, the server may determine a loss based on the difference between the determined similarity and the label of the training sample group, and train the anomaly detection model with minimizing the loss as the optimization objective.
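A minimal sketch of this objective follows, under the assumption that both the similarity between detection results and the group label are scalars and that the "difference" is a squared gap; the squared gap is one plausible choice, not the patent's fixed form.

```python
# Illustrative sketch: loss as the squared gap between the similarity of
# the detection results and the label of the training sample group.
import torch

def detection_loss(result_similarity: torch.Tensor, label: torch.Tensor) -> torch.Tensor:
    # Training minimizes this loss as the optimization objective.
    return (result_similarity - label).pow(2).mean()
```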
Thus, the trained abnormality detection model can accurately detect the abnormality of the account based on the historical behavior sequence of the account.
According to the training method of the anomaly detection model shown in fig. 1, a training sample group comprising historical behavior sequences corresponding to a plurality of sample accounts is determined, the label of the group is determined according to the first correlation between the exception handling policies historically executed on the corresponding sample accounts, anomaly detection results corresponding to the sample accounts in the group are obtained through the anomaly detection model to be trained, and the model is trained according to the similarity between those detection results and the label of the group. In this way, the first correlation between the exception handling policies executed on the sample accounts guides the training of the anomaly detection model, so the trained model can accurately identify abnormal accounts and the accuracy of anomaly detection is guaranteed.
Further, the similarity between exception handling policies determined directly from the keywords they contain is generally more accurate than the similarity between first policy features obtained by feature extraction from the executed policies. Therefore, in step S102, the server may also determine the similarity directly based on the keywords contained in the exception handling policies.
Specifically, the server may determine, for each sample account corresponding to the training sample set, an exception handling policy historically performed on the sample account as the specified policy.
Then, the server can segment each specified policy into words to determine the word segmentation result corresponding to it, and determine the keywords of the specified policy from that result. The keywords can be determined according to attributes such as the part of speech and word frequency of each word in the segmentation result.
Finally, the server can determine the labels of the training sample set according to the similarity between the keywords of each specified strategy.
Take the keyword of the specified policy corresponding to account A being "fine" and the keyword of the specified policy corresponding to account B being "account cancellation" as an example. The similarity between the keywords of the two specified policies is then the similarity between "fine" and "account cancellation". This similarity may be obtained by extracting features from "fine" and "account cancellation" respectively and determining the similarity between the resulting anomaly features, or by judging, according to a preset dictionary, whether "fine" and "account cancellation" are synonyms or near-synonyms.
Further, the server may also determine the label of the training sample group by computing an intersection-over-union ratio.
Specifically, for each specified policy, the server may create a specified set corresponding to the specified policy, and add the keyword of the specified policy to the specified set corresponding to the specified policy.
Then, the server may determine, according to the intersection-over-union of the specified set corresponding to the specified policy and the specified sets corresponding to the other specified policies, the similarity between the keywords of the specified policy and the keywords of the other specified policies.
Finally, the server can determine the labels of the training sample set according to the similarities.
Take the keywords of the specified policy corresponding to account A being "fine" and "5000 yuan", and the keywords of the specified policy corresponding to account B being "fine" and "4500 yuan", as an example. The server may add the keywords of account A to the specified set corresponding to account A, and the keywords of account B to the specified set corresponding to account B. The server may then determine the intersection-over-union of the two specified sets as the label of the training sample group containing the historical behavior sequences of account A and account B. The intersection-over-union may take synonyms and near-synonyms into account, i.e. it may be determined based on whether the two specified sets contain synonyms or near-synonyms and the proportion of such words among all words in the sets.
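For illustration, a sketch of the intersection-over-union computation on the keyword sets from this example, treating keywords as exact strings and omitting the synonym matching described above:

```python
# Illustrative sketch: Jaccard (intersection-over-union) similarity of two
# keyword sets, used as the label of the training sample group.
def keyword_iou(set_a: set, set_b: set) -> float:
    union = set_a | set_b
    return len(set_a & set_b) / len(union) if union else 0.0

label = keyword_iou({"fine", "5000 yuan"}, {"fine", "4500 yuan"})
# shared keyword "fine" out of three distinct keywords -> label == 1/3
```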
Further, in the present application, the server may determine not only the anomaly type of the account, but also the anomaly handling policy of the account as a detection result.
Specifically, the server may input, for each sample account corresponding to the training sample set, a historical behavior sequence of the sample account as an input, into a feature extraction layer of the anomaly detection model, to obtain a sample feature corresponding to the sample account output by the feature extraction layer.
Next, the server can input the sample feature into a matching layer to obtain a first policy feature estimated by the matching layer from the sample feature. The matching layer is used to estimate, from the behavior feature corresponding to a behavior sequence, the policy feature corresponding to the exception handling policy executed on the account to which that behavior sequence belongs.
Then, the server can input the sample characteristic into a detection layer of the abnormal detection model to obtain an initial detection result output by the detection layer. The initial detection result may only include the exception type corresponding to the sample account, and may also include at least part of the exception handling policy corresponding to the sample account.
Finally, the server may determine the detection result of the sample account according to the initial detection result and the first policy feature. The detection result includes the anomaly type of the sample account and the estimated exception handling policy to be executed on it. That is, the server may predict, from the first policy feature, the exception handling policy that should be executed on the sample account, combine it with the initial detection result of the sample account, and use the combined result as the anomaly detection result of the sample account.
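The following PyTorch sketch illustrates the three-layer structure described in this step. The layer types, dimensions, and the use of a GRU encoder are assumptions for illustration; the combination of the initial detection result with the first policy feature into the final detection result is left to the caller, since the patent does not fix its exact form.

```python
# Illustrative sketch of the feature extraction / matching / detection layers.
import torch
import torch.nn as nn

class AnomalyDetectionModel(nn.Module):
    def __init__(self, op_dim=64, feat_dim=128, num_anomaly_types=4):
        super().__init__()
        # Feature extraction layer: encodes a historical behavior sequence
        # (batch, seq_len, op_dim) into a sample feature.
        self.feature_extraction = nn.GRU(op_dim, feat_dim, batch_first=True)
        # Matching layer: estimates the first policy feature from the sample
        # feature; here a transformation matrix with adjustable parameters.
        self.matching = nn.Linear(feat_dim, feat_dim)
        # Detection layer: produces the initial detection result
        # (anomaly-type logits) from the sample feature.
        self.detection = nn.Linear(feat_dim, num_anomaly_types)

    def forward(self, behavior_seq):
        _, h = self.feature_extraction(behavior_seq)
        sample_feature = h.squeeze(0)                        # sample feature
        first_policy_feature = self.matching(sample_feature)  # estimated policy feature
        initial_result = self.detection(sample_feature)       # initial detection result
        return initial_result, first_policy_feature
```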
In addition, in the present application, the server may determine not only the anomaly type of an account but also its exception handling policy as the detection result. Therefore, when determining the loss of the anomaly detection model, the server may further determine, for each sample account, the loss according to the gap between the anomaly detection result of the sample account and the exception handling policy corresponding to it, together with the gap between the similarity of the anomaly detection results of the sample accounts in the training sample group and the label of the group. However, because the exception handling policy of each sample account is difficult to use directly as the label of a training sample, the server can instead train the model through the similarity between the behavior feature corresponding to a sample account's historical behavior sequence and the policy feature corresponding to its exception handling policy.
Specifically, for each sample account corresponding to the training sample set, the server may input the exception handling policy historically executed on the sample account to the feature extraction layer of the exception detection model, to obtain the second policy feature output by the feature extraction layer.
Secondly, the server can determine the similarity between the anomaly detection results of the sample accounts corresponding to the training sample group as a first similarity, and determine the gap between the first similarity and the label of the training sample group as a first gap;
the server may then determine a second gap based on the gaps between the first policy feature and the second policy feature for each respective sample account.
Finally, the server may determine a loss based on the first gap and the second gap, and train the anomaly detection model with the loss minimized as an optimization objective.
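A sketch of this two-term objective for a two-account training sample group, as in the Fig. 2 walkthrough below. Cosine similarity and mean squared error stand in for the similarity and gap measures, which the patent leaves open.

```python
# Illustrative sketch: loss = first gap + second gap for a two-account group.
import torch.nn.functional as F

def combined_loss(results, label, first_policy_feats, second_policy_feats):
    # First gap: squared difference between the similarity of the two
    # accounts' detection results and the label of the training sample group.
    first_similarity = F.cosine_similarity(results[0], results[1], dim=-1)
    first_gap = (first_similarity - label).pow(2).mean()
    # Second gap: distance between estimated (first) and actual (second)
    # policy features, summed over the sample accounts in the group.
    second_gap = sum(F.mse_loss(fp, sp)
                     for fp, sp in zip(first_policy_feats, second_policy_feats))
    return first_gap + second_gap
```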
Furthermore, when the matching layer determines the first policy feature from the sample feature, it may convolve the sample feature and extract features, or it may apply a transformation matrix with adjustable parameters. Taking the transformation matrix as an example, the server can input the sample feature into the matching layer and determine the first policy feature corresponding to it through the transformation matrix preset in the matching layer. When training the anomaly detection model, the server may adjust the parameters of the transformation matrix in the matching layer to train the model.
Further, the trained anomaly detection model can be used to detect anomalies in a target account.
Specifically, the server may receive an abnormality detection request, where the abnormality detection request may be sent by a server executing a service, or may be sent by a client held by a user when it is detected that the service needs to be executed.
The server can determine a target account corresponding to the abnormality detection request according to the abnormality detection request.
Then, the server can determine a target behavior sequence of the target account according to the account identifier of the target account, and input the target behavior sequence into a feature extraction layer of the trained anomaly detection model to obtain target behavior features output by the feature extraction layer.
Then, the server can input the target behavior characteristics into the matching layer and the detection layer respectively to obtain target strategy characteristics output by the matching layer and initial detection results output by the detection layer. The initial detection result corresponding to the target account may be an anomaly type corresponding to the target account, or may be an anomaly type corresponding to the target account and an anomaly handling policy corresponding to at least a portion of the target account, similar to the initial detection result of the sample account.
Finally, the server can determine the target detection result of the target account according to the initial detection result and the target policy feature. Similarly, the server may predict, from the determined target policy feature, the exception handling policy to be executed on the target account, combine it with the initial detection result of the target account, and use the combined result as the target detection result of the target account.
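An inference-time sketch following these steps, assuming a model with the structure sketched earlier. Since the patent does not fix the exact combination of the initial result and the target policy feature, both parts are returned to the caller here.

```python
# Illustrative sketch: anomaly detection on a target account with a trained model.
import torch

@torch.no_grad()
def detect_target_account(model, target_behavior_seq):
    initial_result, target_policy_feature = model(target_behavior_seq)
    anomaly_type = initial_result.argmax(dim=-1)  # initial detection result
    # The target detection result combines the initial result with the
    # target policy feature (e.g. by decoding a handling policy from it).
    return anomaly_type, target_policy_feature
```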
Based on the same idea, the application provides a flow diagram of a training method of an anomaly detection model, as shown in fig. 2.
Fig. 2 is a flow chart of the training method of the anomaly detection model provided by the present application. The anomaly detection model comprises a feature extraction layer, a matching layer, and a detection layer. Taking a training sample group containing the historical behavior sequences of two sample accounts as an example, the server can input the historical behavior sequence of sample account 1 and the historical behavior sequence of sample account 2 into the feature extraction layer respectively, to obtain sample feature 1 and sample feature 2 output by the feature extraction layer.
Then, the server may input sample feature 1 and sample feature 2 into the matching layer respectively to obtain first policy feature 1 and first policy feature 2 output by the matching layer, and input sample feature 1 and sample feature 2 into the detection layer to obtain initial detection result 1 and initial detection result 2 output by the detection layer.
Then, the server may determine the abnormal detection result 1 of the sample account 1 according to the first policy feature 1 and the initial detection result 1, and determine the abnormal detection result 2 of the sample account 2 according to the first policy feature 2 and the initial detection result 2.
Meanwhile, the server can respectively input the exception handling policy executed by the sample account 1 and the exception handling policy executed by the sample account 2 into a feature extraction layer which is trained in advance to obtain a second policy feature 1 and a second policy feature 2.
Finally, the server may determine a first similarity according to the similarity between anomaly detection result 1 and anomaly detection result 2, and determine a first gap according to the gap between the first similarity and the label of the training sample group. A second gap 1 is determined according to first policy feature 1 and second policy feature 1, and a second gap 2 according to first policy feature 2 and second policy feature 2. The server may then determine the loss based on the first gap and each second gap, and train the anomaly detection model with minimizing the loss as the optimization objective. The label of the training sample group is determined according to the similarity between the exception handling policy executed on sample account 1 and the exception handling policy executed on sample account 2.
Fig. 3 is a schematic diagram of a training device for an anomaly detection model according to the present application, in which:
the obtaining module 200 is configured to obtain historical behavior sequences corresponding to the plurality of sample accounts, and combine the historical behavior sequences to determine each training sample group.
A first determining module 202, configured to determine, for each training sample group, a label of the training sample group according to a first correlation between exception handling policies historically performed on sample accounts corresponding to the training sample group, where the label is used to characterize a similarity between sample accounts corresponding to the training sample group.
And the second determining module 204 is configured to input the training sample set into an anomaly detection model to be trained, and obtain anomaly detection results corresponding to each sample account corresponding to the training sample set output by the anomaly detection model.
And the training module 206 is configured to train the anomaly detection model according to the similarity between the anomaly detection results of the sample accounts corresponding to the training sample set and the labels of the training sample set.
Optionally, the first determining module 202 is configured to determine, as each specified policy, an exception handling policy that is historically executed on each sample account corresponding to the training sample set, respectively perform word segmentation on each specified policy, determine, from a word segmentation result, keywords corresponding to each specified policy, and determine, according to similarity between keywords of each specified policy, labels of the training sample set.
Optionally, the first determining module 202 is configured to add, for each specified policy, the keywords of the specified policy to a specified set corresponding to the specified policy, determine, according to the intersection-over-union of the specified set corresponding to the specified policy and the specified sets corresponding to other specified policies, the similarity between the keywords of the specified policy and the keywords of other specified policies, and determine the labels of the training sample set according to each similarity.
Optionally, the second determining module 204 is configured to input, for each sample account corresponding to the training sample set, a historical behavior sequence of the sample account into a feature extraction layer of the anomaly detection model to obtain a sample feature output by the feature extraction layer, input the sample feature into a matching layer of the anomaly detection model to obtain a first policy feature estimated by the matching layer according to the sample feature, input the sample feature into a detection layer of the anomaly detection model to obtain an initial detection result output by the detection layer, and determine an anomaly detection result of the sample account according to the initial detection result and the first policy feature.
Optionally, the second determining module 204 is configured to input, for each sample account corresponding to the training sample set, an anomaly processing policy historically executed on the sample account into a feature extraction layer of the anomaly detection model, obtain a second policy feature output by the feature extraction layer, determine a similarity between anomaly detection results of each sample account corresponding to the training sample set as a first similarity, determine a gap between the first similarity and a label of the training sample set as a first gap, determine a second gap according to a gap between the first policy feature and the second policy feature respectively corresponding to each sample account, determine a loss according to the first gap and the second gap, and train the anomaly detection model with the loss minimized as an optimization objective.
Optionally, the second determining module 204 is configured to input the sample feature into the matching layer, determine a first policy feature corresponding to the sample feature through a conversion matrix preset in the matching layer, and the training module 206 is configured to adjust at least a parameter of the conversion matrix in the matching layer in the anomaly detection model, so as to train the anomaly detection model.
Optionally, the second determining module 204 is configured to determine, in response to an anomaly detection request, a target account carried in the anomaly detection request, determine a target behavior sequence corresponding to the target account, input the target behavior sequence to a feature extraction layer of the anomaly detection model after training is completed, obtain a target behavior feature output by the feature extraction layer, input the target behavior feature to the matching layer, obtain a target policy feature output by the matching layer, input the target behavior feature to the detection layer, obtain an initial detection result output by the detection layer, and determine a target detection result of the target account according to the initial detection result and the target policy feature.
The present application also provides a computer-readable storage medium storing a computer program operable to execute the training method of the abnormality detection model shown in fig. 1 described above.
The application also provides a schematic block diagram of the electronic device shown in fig. 4. At the hardware level, as shown in fig. 4, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile memory, and of course may also include hardware required by other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and then runs it to implement the training method of the anomaly detection model shown in fig. 1. Of course, in addition to the software implementation, the present application does not exclude other implementations, such as logic devices or combinations of hardware and software; that is, the execution subject of the following processing flows is not limited to logic units, but may also be hardware or logic devices.
In the 1990s, an improvement to a technology could clearly be distinguished as an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, transistor, or switch) or an improvement in software (an improvement to a method flow). However, with the development of technology, many improvements of method flows today can be regarded as direct improvements of hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement of a method flow cannot be realized by hardware entity modules. For example, a programmable logic device (Programmable Logic Device, PLD) (e.g., a field programmable gate array (Field Programmable Gate Array, FPGA)) is an integrated circuit whose logic function is determined by the user's programming of the device. A designer programs to "integrate" a digital system onto a PLD, without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compiling must also be written in a specific programming language, called a hardware description language (Hardware Description Language, HDL). There is not just one HDL but many kinds, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language), among which VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used. It will also be apparent to those skilled in the art that a hardware circuit implementing a logical method flow can be readily obtained merely by slightly logically programming the method flow into an integrated circuit using the above hardware description languages.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor and a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320; a memory controller may also be implemented as part of the control logic of a memory. Those skilled in the art also know that, in addition to implementing the controller in pure computer readable program code, it is entirely possible to implement the same functionality by logically programming the method steps so that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller may thus be regarded as a hardware component, and the means included therein for performing various functions may also be regarded as structures within the hardware component. Or even the means for performing various functions may be regarded as both software modules implementing the method and structures within the hardware component.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises", "comprising", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a(n) ..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments of the present application are described in a progressive manner, and the same or similar parts of the embodiments may be referred to each other; each embodiment focuses on its differences from the other embodiments. In particular, the system embodiments are described relatively simply since they are substantially similar to the method embodiments, and for relevant parts reference may be made to the description of the method embodiments.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (10)

1. A method of training an anomaly detection model, the method comprising:
acquiring historical behavior sequences corresponding to a plurality of sample accounts respectively, and respectively combining the historical behavior sequences to determine each training sample group;
determining, for each training sample group, a label of the training sample group according to a first correlation between exception handling policies historically performed on sample accounts corresponding to the training sample group, where the label is used to characterize a similarity between sample accounts corresponding to the training sample group;
inputting the training sample group into an anomaly detection model to be trained, and obtaining anomaly detection results which are output by the anomaly detection model and correspond to each sample account corresponding to the training sample group;
and training the anomaly detection model according to the similarity between the anomaly detection results of the sample accounts corresponding to the training sample group and the labels of the training sample group.
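By way of a non-authoritative illustration, the pairwise grouping of acquired sequences might look as follows; the pairing scheme, function name, and event strings are all assumptions, since the claim fixes neither the group size nor the combination rule:

```python
# Illustrative sketch only; names and the pairwise-combination rule are hypothetical.
from itertools import combinations

def build_training_groups(behavior_sequences):
    """Pair per-account historical behavior sequences into training sample groups.

    behavior_sequences: dict mapping account id -> list of behavior events.
    Returns a list of account-id pairs; each pair is one training sample group.
    """
    return list(combinations(sorted(behavior_sequences), 2))

# Three sample accounts yield three pairwise training sample groups.
groups = build_training_groups({
    "acct_1": ["login", "transfer"],
    "acct_2": ["login", "withdraw"],
    "acct_3": ["login", "login", "transfer"],
})
print(groups)  # [('acct_1', 'acct_2'), ('acct_1', 'acct_3'), ('acct_2', 'acct_3')]
```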
2. The method of claim 1, wherein determining the label of the training sample group according to a first correlation between anomaly handling policies historically executed on the sample accounts corresponding to the training sample group specifically comprises:
determining the anomaly handling policies historically executed on each sample account corresponding to the training sample group as respective specified policies;
performing word segmentation on each specified policy, and determining keywords corresponding to each specified policy from the segmentation results;
and determining the label of the training sample group according to the similarity among the keywords of the specified policies.
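A minimal sketch of the segmentation step; jieba is one common Chinese word-segmentation library, used here purely as an illustration, and the stop-word list is an assumption:

```python
import jieba  # assumed tokenizer; the claim does not name a segmentation tool

STOPWORDS = {"的", "对", "进行"}  # hypothetical stop-word list

def policy_keywords(policy_text: str) -> set:
    """Segment a specified policy's text and keep non-stop-word tokens as keywords."""
    return {tok for tok in jieba.lcut(policy_text)
            if tok.strip() and tok not in STOPWORDS}
```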
3. The method of claim 2, wherein determining the label of the training sample group according to the similarity among the keywords of the specified policies specifically comprises:
for each specified policy, adding the keywords of the specified policy into a specified set corresponding to the specified policy;
and determining the similarity between the keywords of the specified policy and the keywords of each other specified policy according to the intersection-over-union ratio of the specified set corresponding to the specified policy and the specified sets corresponding to the other specified policies, and determining the label of the training sample group according to each similarity.
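A minimal sketch of the intersection-over-union computation on two keyword sets; the Jaccard form and the empty-set convention are assumptions, as the claim does not specify edge-case handling:

```python
def policy_label(keywords_a: set, keywords_b: set) -> float:
    """Intersection-over-union (Jaccard) ratio of two specified policies' keyword
    sets, used in this sketch as the training sample group's label."""
    if not keywords_a and not keywords_b:
        return 0.0  # assumed convention for two empty sets
    return len(keywords_a & keywords_b) / len(keywords_a | keywords_b)

# Two anomaly handling policies sharing two of four distinct keywords.
print(policy_label({"freeze", "account", "review"},
                   {"freeze", "review", "limit"}))  # 0.5
```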
4. The method of claim 1, wherein inputting the training sample group into an anomaly detection model to be trained to obtain anomaly detection results, output by the anomaly detection model, respectively corresponding to the sample accounts of the training sample group specifically comprises:
inputting the historical behavior sequence of each sample account corresponding to the training sample group into a feature extraction layer of the anomaly detection model, to obtain sample features output by the feature extraction layer;
inputting the sample features into a matching layer of the anomaly detection model, to obtain a first policy feature estimated by the matching layer according to the sample features;
inputting the sample features into a detection layer of the anomaly detection model, to obtain an initial detection result output by the detection layer;
and determining the anomaly detection result of the sample account according to the initial detection result and the first policy feature.
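One way such a layer layout could be wired up, sketched in PyTorch; the GRU extractor, the linear layers, all dimensions, and the concatenation used to fuse the initial result with the first policy feature are assumptions, since the claim fixes only the layer roles, not their internals:

```python
import torch
import torch.nn as nn

class AnomalyDetector(nn.Module):
    """Hypothetical layout: feature extraction -> (matching, detection) -> fused result."""
    def __init__(self, seq_dim=16, feat_dim=32, policy_dim=8):
        super().__init__()
        self.feature_extractor = nn.GRU(seq_dim, feat_dim, batch_first=True)
        self.matching = nn.Linear(feat_dim, policy_dim)  # estimates first policy feature
        self.detection = nn.Linear(feat_dim, 1)          # produces initial detection result
        self.combine = nn.Linear(policy_dim + 1, 1)      # one possible fusion of the two

    def forward(self, behavior_seq):                     # (batch, steps, seq_dim)
        _, h = self.feature_extractor(behavior_seq)
        sample_feat = h[-1]                              # (batch, feat_dim) sample features
        policy_feat = self.matching(sample_feat)         # first policy feature
        initial = self.detection(sample_feat)            # initial detection result
        fused = self.combine(torch.cat([policy_feat, initial], dim=-1))
        return torch.sigmoid(fused), policy_feat         # anomaly score in [0, 1]

model = AnomalyDetector()
score, policy_feat = model(torch.randn(2, 10, 16))  # two accounts, 10-step sequences
```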
5. The method of claim 4, wherein training the anomaly detection model according to the similarity between the anomaly detection results of the sample accounts corresponding to the training sample group and the label of the training sample group specifically comprises:
for each sample account corresponding to the training sample group, inputting an anomaly handling policy historically executed on the sample account into the feature extraction layer of the anomaly detection model, to obtain a second policy feature output by the feature extraction layer;
determining the similarity between the anomaly detection results of the sample accounts corresponding to the training sample group as a first similarity, and determining the gap between the first similarity and the label of the training sample group as a first gap;
determining a second gap according to the gap between the first policy feature and the second policy feature respectively corresponding to each sample account;
and determining a loss according to the first gap and the second gap, and training the anomaly detection model with minimization of the loss as the optimization objective.
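A hedged sketch of how such a loss might be assembled; the absolute-difference similarity, the MSE form of the second gap, and the `alpha` weighting are assumptions not present in the claim:

```python
import torch
import torch.nn.functional as F

def training_loss(score_a, score_b, label,
                  policy_feat_a, policy_feat_b,
                  hist_policy_feat_a, hist_policy_feat_b,
                  alpha=1.0):
    """First gap between detection-result similarity and the group label, plus a
    second gap between estimated (first) and historical (second) policy features."""
    # First similarity between the two accounts' detection results
    # (absolute-difference form is one plausible choice, not mandated by the claim).
    first_similarity = 1.0 - torch.abs(score_a - score_b)
    first_gap = torch.abs(first_similarity - label)
    # Second gap: estimated vs. historically observed policy features.
    second_gap = (F.mse_loss(policy_feat_a, hist_policy_feat_a)
                  + F.mse_loss(policy_feat_b, hist_policy_feat_b))
    # Minimizing this combined loss is the optimization objective of the claim.
    return first_gap.mean() + alpha * second_gap

# Example with the shapes produced by the AnomalyDetector sketch above.
loss = training_loss(torch.rand(1, 1), torch.rand(1, 1), torch.tensor(0.5),
                     torch.randn(1, 8), torch.randn(1, 8),
                     torch.randn(1, 8), torch.randn(1, 8))
```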
6. The method of claim 4, wherein inputting the sample features into the matching layer of the anomaly detection model to obtain a first policy feature estimated by the matching layer according to the sample features specifically comprises:
inputting the sample features into the matching layer, and determining the first policy feature corresponding to the sample features through a conversion matrix preset in the matching layer;
wherein training the anomaly detection model specifically comprises:
adjusting at least the parameters of the conversion matrix in the matching layer of the anomaly detection model, so as to train the anomaly detection model.
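Reduced to its simplest reading, the conversion matrix could be a single learned linear map; the dimensions below are assumptions carried over from the earlier sketch:

```python
import torch

W = torch.randn(32, 8, requires_grad=True)  # hypothetical preset conversion matrix
sample_feat = torch.randn(1, 32)            # sample features from the extraction layer
first_policy_feat = sample_feat @ W         # (1, 8) first policy feature
# Training per this claim would adjust at least W, e.g. torch.optim.SGD([W], lr=1e-2).
```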
7. The method of claim 4, further comprising:
in response to an anomaly detection request, determining a target account carried in the anomaly detection request;
determining a target behavior sequence corresponding to the target account, and inputting the target behavior sequence into the feature extraction layer of the trained anomaly detection model, to obtain target behavior features output by the feature extraction layer;
inputting the target behavior features into the matching layer, to obtain target policy features output by the matching layer;
inputting the target behavior features into the detection layer, to obtain an initial detection result output by the detection layer;
and determining a target detection result of the target account according to the initial detection result and the target policy features.
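Reusing the hypothetical `AnomalyDetector` sketched under claim 4, inference for this claim might reduce to a single forward pass; this, again, is an assumption, since the claim fixes only the data flow among the layers:

```python
import torch

def detect(model, target_behavior_seq):
    """Inference sketch: the trained model's forward pass already chains the feature
    extraction, matching, and detection layers and fuses the initial detection
    result with the target policy feature."""
    model.eval()
    with torch.no_grad():
        target_score, target_policy_feat = model(target_behavior_seq)
    return target_score

# e.g. detect(model, torch.randn(1, 10, 16)) for one target account's sequence.
```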
8. A training apparatus for an anomaly detection model, the apparatus comprising:
an acquisition module, configured to acquire historical behavior sequences respectively corresponding to a plurality of sample accounts, and to combine the historical behavior sequences to determine each training sample group;
a first determining module, configured to determine, for each training sample group, a label of the training sample group according to a first correlation between anomaly handling policies historically executed on the sample accounts corresponding to the training sample group, wherein the label is used to characterize the similarity between the sample accounts corresponding to the training sample group;
a second determining module, configured to input the training sample group into an anomaly detection model to be trained, to obtain anomaly detection results, output by the anomaly detection model, respectively corresponding to the sample accounts of the training sample group;
and a training module, configured to train the anomaly detection model according to the similarity between the anomaly detection results of the sample accounts corresponding to the training sample group and the label of the training sample group.
9. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 7 when executing the program.
CN202310652219.9A 2023-06-02 2023-06-02 Training method, device, equipment and storage medium of anomaly detection model Pending CN116861976A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310652219.9A CN116861976A (en) 2023-06-02 2023-06-02 Training method, device, equipment and storage medium of anomaly detection model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310652219.9A CN116861976A (en) 2023-06-02 2023-06-02 Training method, device, equipment and storage medium of anomaly detection model

Publications (1)

Publication Number Publication Date
CN116861976A true CN116861976A (en) 2023-10-10

Family

ID=88231101

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310652219.9A Pending CN116861976A (en) 2023-06-02 2023-06-02 Training method, device, equipment and storage medium of anomaly detection model

Country Status (1)

Country Link
CN (1) CN116861976A (en)

Similar Documents

Publication Publication Date Title
CN115618964B (en) Model training method and device, storage medium and electronic equipment
CN115238826B (en) Model training method and device, storage medium and electronic equipment
CN115712866B (en) Data processing method, device and equipment
CN115759122A (en) Intention identification method, device, equipment and readable storage medium
CN116049761A (en) Data processing method, device and equipment
CN116152933A (en) Training method, device, equipment and storage medium of anomaly detection model
CN116578877B (en) Method and device for model training and risk identification of secondary optimization marking
CN111242195B (en) Model, insurance wind control model training method and device and electronic equipment
CN116861976A (en) Training method, device, equipment and storage medium of anomaly detection model
CN111967769B (en) Risk identification method, apparatus, device and medium
CN109325127B (en) Risk identification method and device
CN113344590A (en) Method and device for model training and complaint rate estimation
CN109903165B (en) Model merging method and device
CN113344197A (en) Training method of recognition model, service execution method and device
CN116822606A (en) Training method, device, equipment and storage medium of anomaly detection model
CN117035695B (en) Information early warning method and device, readable storage medium and electronic equipment
CN117786417B (en) Model training method, transient source identification method and device and electronic equipment
CN116340852B (en) Model training and business wind control method and device
CN115862675B (en) Emotion recognition method, device, equipment and storage medium
CN117313739A (en) Training method, device, equipment and storage medium of language model
CN117421214A (en) Batch counting method, device, electronic equipment and computer readable storage medium
CN117312847A (en) Model training method and device, storage medium and electronic equipment
CN117743824A (en) Model training and service execution method and device, storage medium and equipment
CN117951527A (en) Model training method, entity identification device and electronic equipment
CN118245800A (en) Data enhancement processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination